1. Introduction & Scope
Roots to Loft ("RTL", "we", "us", or "our") operates coworking spaces, business and digital services, events, and related programmes in India. RTL respects your privacy and is committed to protecting the personal data we collect and process in connection with our websites, mobile applications (if any), physical locations, membership services, franchise enquiries, events, and other business activities.
This Privacy Policy explains:
- what personal data we collect and why;
- how we use, store, share and protect that data;
- your rights concerning your data; and
- how to contact us with requests or complaints.
This Policy applies to all persons who interact with RTL within India (members, visitors, prospective franchisees, partners, vendors, website visitors). It does not apply to third-party websites or platforms linked from RTL's sites — those sites will have their own privacy notices.
RTL is the Data Fiduciary for processing described in this Policy for activities carried out by RTL in India.
2. Legal & Regulatory Framework
This Policy is drafted with reference to, and in compliance with, applicable Indian laws and rules, including (but not limited to):
- Information Technology Act, 2000 (Sections relevant to data protection);
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules);
- Digital Personal Data Protection Act, 2023 (DPDP Act) (and associated rules/regulations, as applicable);
- Applicable tax, accounting and labour laws; and
- International privacy standards such as GDPR (referenced for international data handling and user rights).
3. Key Definitions
- Personal Data / Personal Information — any information that identifies you or can reasonably identify you (e.g., name, email, phone, address).
- Sensitive Personal Data or Information (SPDI) — categories that include financial information, government IDs (PAN, Aadhaar), health data, biometric data, passwords, etc. SPDI is collected or processed only where strictly necessary and with explicit consent or lawful basis.
- Data Fiduciary — the entity (RTL) that determines the purpose and means of processing personal data.
- Data Principal — the person to whom the personal data relates (you).
- Processing — any operation performed on personal data (collecting, storing, using, transferring, deleting).
4. What personal data we collect & how
4.1 Data you provide to us directly
We collect personal data you give us when you:
- register for a membership;
- book desks, rooms, events, or services;
- apply for a franchise or vendor relationship;
- subscribe to newsletters or marketing communications;
- submit enquiries or contact forms;
- participate in workplace wellness programmes, surveys, or focus groups;
- apply for jobs; or
- interact with RTL staff in person, by phone or by email.
Typical items:
- Identity and contact information: name, email, phone, postal address, company name, job title;
- KYC / ID documents: PAN, GSTIN, Aadhaar, passport (collected only when legally required or for corporate compliance);
- Billing & payment data: billing name, GST details, invoicing information, bank/UPI details where necessary (note: payment card details are processed by PCI-DSS compliant third parties — RTL does not store card CVV);
- Membership details and preferences: chosen plan, booking history, access logs for workspace use;
- Communications: email exchanges, support tickets, feedback, recorded consent records;
- Health / wellness information: health questionnaire responses or medical details provided voluntarily for workplace wellness programmes (collected only with explicit consent and handled as SPDI).
4.2 Data collected automatically (technical / usage)
When you use our website or digital services we automatically collect:
- IP address, device and browser type, operating system;
- pages accessed, time spent, referring URL, clickstream and navigation behaviour;
- cookies and tracking identifiers (see Cookies section);
- analytics and performance data (e.g., Google Analytics or other analytics providers).
4.3 Data obtained from third parties
We may receive data from third-party sources, including:
- payment gateway confirmations;
- identity verification providers;
- public or commercial directories and databases;
- social networks if you use social login (Google, LinkedIn etc.);
- marketing partners or lead providers; and
- background verification providers for recruitment.
We will only use third-party data consistent with the purpose for which it was provided and subject to applicable contractual safeguards.
5. Why we collect & lawful bases for processing
We collect and process personal data for specific, explicit, and legitimate purposes only. We rely on one or more lawful bases to process personal data, such as:
- Consent: where you have given your clear consent (e.g., newsletter sign-up, wellness programme participation). You may withdraw consent at any time (see section on Rights).
- Contractual necessity: to perform services you asked for (membership provision, bookings, payments, franchise processing).
- Legal obligation: to comply with laws, tax and accounting regulations, court orders, or regulatory requests.
- Legitimate interests: to run our business (e.g., security, fraud prevention, service improvement), provided such interests do not override your rights.
- Public interest / vital interests: in exceptional, permitted cases.
Examples of purposes:
- Provide and manage RTL services (memberships, bookings, events);
- Process payments, invoices, refunds, and tax/GST compliance;
- Communicate service notices, confirmations, reminders, and updates;
- Maintain security, prevent and investigate fraud or misuse;
- Conduct analytics and improve our products and services;
- Organise, administer and measure Workplace Wellness projects (with explicit consent to collect health/wellness data);
- Comply with legal and regulatory requirements.
6. How we share personal data
RTL does not sell or rent your personal information. We disclose personal data only in limited circumstances, and always subject to contractual, security and legal protections:
6.1 Service providers & processors
We share data with trusted vendors who perform services on our behalf, e.g.:
- Payment gateways (Razorpay, Stripe, PayPal) for payment processing;
- CRM and marketing platforms (Zoho, Mailchimp, HubSpot);
- Cloud hosting and backup providers;
- Analytics providers (Google Analytics, etc.);
- Identity verification or KYC vendors;
- Event management, catering, security or facility service partners for events/onsite services;
- Professional advisors (lawyers, accountants, auditors).
Each processor acts under contractual obligations to use data only for specified purposes and to implement appropriate security safeguards.
6.2 Business transfers
If RTL is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred to the new owner or acquirer, subject to confidentiality and data protection obligations.
6.3 Legal & regulatory disclosures
We may disclose personal data to government agencies, courts, law enforcement or regulatory bodies where required by law, or to protect RTL's legal rights or the safety of its staff and members.
6.4 With your consent
We may share your data with third parties where you have given express consent (for example, when RTL introduces you to a partner vendor and you request direct contact).
7. Cookies & Tracking technologies
RTL uses cookies and similar technologies to operate and improve our website and services.
Categories used:
- Essential cookies — required for core site functionality and security (login sessions, booking flow).
- Performance / analytics cookies — to collect anonymous usage statistics (page visits, page speed).
- Functional cookies — to store user preferences (language, display).
- Advertising / marketing cookies (only with consent) — to enable remarketing and personalised communications.
You will be presented with a cookie consent banner when you first visit our site. You may manage cookie preferences via the banner or via your browser settings; blocking cookies may limit site functionality.
See our Cookies Policy page for full technical details and opt-out instructions.
8. Data retention & deletion
RTL retains personal data only as long as needed for the purposes described, subject to legal and business requirements.
Typical retention periods (indicative, may vary by case):
- Financial and tax records (invoices, payment proofs): 8 years (or as required by law).
- Membership and booking records: 3–6 years after termination/last activity.
- Marketing consents and opt-out records: as long as necessary to maintain consent history.
- Recruitment records: 1–3 years or as required for employment law.
- Workplace Wellness programme data (health responses): retained as consented and as necessary for programme measurement; health data is treated as SPDI and retention is minimised.
When personal data is no longer required or the retention period lapses, we securely delete, anonymise or irreversibly destroy the data in accordance with our deletion procedures.
9. Cross-border transfers
RTL primarily stores and processes personal data in India. Where required for business operations (e.g., cloud services, international SaaS providers), personal data may be transferred to countries outside India.
We take appropriate safeguards for such transfers, including:
- Data Processing Agreements with processors;
- Contractual safeguards (Standard Contractual Clauses or equivalent); and
- Due diligence on transfer recipients to ensure adequate protection.
If you are located in a jurisdiction with specific transfer requirements, you may contact us for details of safeguards used.
10. Security measures
RTL implements reasonable and appropriate technical and organisational measures to protect personal data against unauthorised or unlawful access, alteration, disclosure, or destruction. These include (but are not limited to):
- TLS/SSL encryption for data in transit;
- Firewalls, hardened servers, and secure hosting;
- Role-based access controls and least-privilege principles;
- Multi-factor authentication for administrative access;
- Regular security patching, vulnerability scanning and periodic penetration testing by third parties;
- Encrypted backups and disaster recovery planning;
- Employee confidentiality agreements, background checks and periodic training;
- Incident response procedures and breach remediation plans.
Breach notification: In the unlikely event of a data breach affecting personal data, RTL will take prompt remedial measures, notify affected individuals and relevant authorities as required under applicable laws, and follow the obligations of the DPDP Act and other regulations.
11. Children & minors
RTL services are intended for persons aged 18 years or older. We do not knowingly collect personal information of children under 18. If we become aware that personal data of a child under 18 has been collected without parental/guardian consent, we will take steps to delete that data promptly. If you believe RTL holds such data, contact us immediately.
12. Your rights & how to exercise them (DSAR / Data Subject Requests)
Under Indian law (DPDP Act) and, where relevant, global principles (for international visitors), you have rights concerning your personal data, including:
- Right to access / confirm whether we process your personal data and obtain a copy.
- Right to correction of inaccurate or incomplete data.
- Right to erasure / restriction (subject to legal or contractual retention obligations).
- Right to data portability (receive data in a structured, machine-readable format).
- Right to withdraw consent where processing is based on consent.
- Right to object to certain processing (e.g., direct marketing).
- Right to lodge a complaint with our Grievance Officer and, if unresolved, with the competent authority.
How to submit a request
To exercise your rights, submit a Data Subject Access Request (DSAR) by:
- completing our DSAR form at: [DSAR Form URL] (replace with actual link), or
- emailing: privacy@rootstoloft.com with subject line "DSAR Request – [Your Name]", or
- writing to our Grievance Officer at the postal address below.
Verification & response
For security, we will verify your identity before responding. We will acknowledge receipt of your request within 48 hours and aim to respond substantively within 45 business days. For complex requests an extension may be required; we will notify you of any extension and the reasons.
Note: Some requests may be refused or partially denied where permitted by law (e.g., where retention is required for tax/audit, fraud prevention, or legal proceedings). If we deny a request, we will explain the legal basis for refusal.
13. Marketing communications & opt-out
RTL may send promotional communications about services, events, offers and newsletters only where you have given consent or where we have a legitimate interest (and you have not objected). Every marketing email or SMS includes an unsubscribe or STOP mechanism. You may also opt out by contacting privacy@rootstoloft.com.
Transactional messages (booking confirmations, invoices, security alerts) are not classified as marketing and will continue to be sent even if you opt out of marketing.
14. Social login & third-party features
If you register or log in using a third-party social account (Google, LinkedIn etc.), we may receive personal data from that provider (name, email, profile picture). Use of social login is governed by the social provider's privacy settings. We recommend reviewing those providers' privacy notices.
Third-party widgets (e.g., Google Maps, social media plugins) may set cookies or collect your IP address. RTL is not responsible for third-party tracking; review their privacy policies for details.
15. Links to third-party sites
Our services may contain links to external websites. RTL is not responsible for the privacy practices of third parties and recommends you read their privacy notices before providing personal data.
16. Data retention schedule
Retention periods will vary by category and legal requirement; typical retention examples:
- Financial & tax records: minimum 8 years (or as required by law).
- Membership records & contact data: 3–6 years after termination/last activity.
- Marketing opt-ins: retained until consent is withdrawn + records for audit.
- Recruitment & HR records: 1–5 years or as per labour law requirements.
- Wellness programme health data: retained only as consented and needed for programme evaluation; anonymised where possible.
RTL will securely anonymise or delete data when no longer required.
17. Data breach & incident response
RTL maintains an incident response plan. In case of a personal data breach we will:
- Contain the breach and mitigate harm;
- Assess the likelihood and severity of risk to data principals;
- Notify affected individuals and the relevant authority where required by law (DPDP Act / other applicable rules);
- Take remedial steps and document the incident for regulatory and audit purposes.
18. Grievance officer & dispute resolution
In compliance with the IT (SPDI) Rules and DPDP Act obligations, RTL has appointed a Grievance Officer:
Grievance Officer: Vishnu Thampan
Designation: Grievance Officer – Data Protection & Compliance
Email: privacy@rootstoloft.com
Postal address: Rootstoloft Private Limited, First Floor, Moonikkattil Towers, Kothamangalam, Ernakulam, Kerala, India
Telephone: +91-6238804001
Hours: Mon–Fri, 10:00 AM – 6:00 PM IST
The Grievance Officer will acknowledge complaints within 48 hours and endeavour to resolve them within 30 days. If you are not satisfied with the resolution, you may escalate to the competent authority under applicable law.
19. International data subject rights & cross-border compliance
If you are an international user (e.g., EU resident), you may have additional rights under your local law (GDPR). RTL will endeavour to honour applicable rights; cross-border transfer safeguards will be implemented as noted in Section 9.
20. Changes to this Privacy Policy
We may update this Policy to reflect changes in law, technology, RTL services, or business operations. The "Last updated" date will be revised accordingly. Material changes will be notified by posting a prominent notice on our website or by direct communication where feasible.
21. Contact & how to exercise your rights
For privacy enquiries, DSARs or complaints:
- Email: privacy@rootstoloft.com
- DSAR Form (online): [DSAR Form URL] (replace with actual link)
- Mailing address: Rootstoloft Private Limited, First Floor, Moonikkattil Towers, Kothamangalam, Ernakulam, Kerala, India
For legal escalation or requests by post, please address your letter to the Grievance Officer (see Section 18).
22. Jurisdiction & governing law
This Policy and any disputes arising out of it shall be governed by the laws of India. Exclusive jurisdiction for disputes is vested in the courts of Ernakulam, Kerala.
23. Miscellaneous
- No automated decision-making / profiling: RTL does not make significant decisions about you based solely on automated processing that produces legal or similarly significant effects without your explicit consent.
- Third-party processors list: upon request, RTL can provide a list of third-party processors and sub-processors used for specific purposes.
- Contact for law enforcement: RTL will respond to lawful requests for data by authorised agencies consistent with applicable law and our legal obligations.
24. Acknowledgement & acceptance
By using RTL's website, services, or platforms you acknowledge that you have read and understood this Privacy Policy and consent to RTL's processing of your data as described herein.
Document control
- Prepared by: Roots to Loft — Legal & Compliance
- Reviewed by: Director Board
- Approval date: 20-10-2025
- Next review: 31-12-2026