Data Protection and Information Security Policy

Last Updated: November 9, 2025

        Scope: This Data Protection and Information Security Policy applies to synapseconclave.in and all digital platforms operated by Lucid Lines Productions Private Limited, including synapseconclave.com. This policy outlines our commitment to protecting your personal information and maintaining the highest standards of data security.
    

1. Purpose and Commitment

Our Uncompromising Commitment to Data Protection

Lucid Lines Productions Private Limited is committed to:

NEVER selling your personal data to third parties
NEVER sharing your information for marketing purposes without explicit consent
Maintaining strict confidentiality of all participant data
Implementing robust security measures to protect against unauthorized access
Ensuring transparency in all data processing activities
Respecting your privacy rights at all times

This policy demonstrates our adherence to:

The Information Technology Act, 2000 (as amended)
The Personal Data Protection Bill (DPDP Act, 2023)
Industry best practices for data security and privacy
International standards including ISO 27001 principles

2. Governance and Accountability

2.1 Data Protection Officer (DPO)

Lucid Lines Productions has designated a Data Protection Officer responsible for overseeing data protection strategy and implementation
Contact: privacy@synapseconclave.in

2.2 Organizational Responsibility

All employees, contractors, and partners are bound by confidentiality agreements
Regular training on data protection and security practices
Clear accountability structures for data handling
Annual data protection audits and assessments

3. Data Collection and Processing Principles

3.1 Lawfulness, Fairness, and Transparency

We collect data only for specified, explicit, and legitimate purposes
Data collection is transparent, with clear communication about what we collect and why
Processing is based on lawful grounds (consent, contract, legal obligation, or legitimate interest)

3.2 Data Minimization

We collect only the minimum data necessary for event registration and management
Unnecessary or excessive data collection is prohibited
Regular reviews to ensure we're not retaining data we don't need

3.3 Purpose Limitation

Data is collected for specific purposes and not used for incompatible purposes without additional consent
Clear documentation of processing purposes

3.4 Accuracy

We take reasonable steps to ensure personal data is accurate and up-to-date
Participants can update their information at any time
Inaccurate data is corrected or deleted promptly

4. Categories of Personal Data Processed

Data Category	Purpose	Legal Basis	Retention Period
Identity Data (name, title, ID)	Event registration, entry verification	Contract, Legal obligation	3 years post-event
Contact Data (email, phone)	Communication, updates	Contract, Consent	Until consent withdrawal
Financial Data (payment info)	Transaction processing	Contract, Legal obligation	7-10 years (tax law)
Professional Data (company, role)	Networking, event customization	Contract, Legitimate interest	3 years post-event
Health Data (dietary, accessibility)	Accommodation provision	Explicit consent	Deleted after event
Technical Data (IP, cookies)	Website functionality, analytics	Consent, Legitimate interest	Variable (see Cookie Policy)

5. Information Security Framework

5.1 Technical Security Measures

Encryption and Secure Transmission

All payment transactions encrypted using TLS 1.2+ protocol
Data at rest encrypted using AES-256 encryption
Secure Socket Layer (SSL) certificates on all web pages
End-to-end encryption for sensitive communications

Access Controls

Role-based access control (RBAC) limiting data access to authorized personnel only
Multi-factor authentication (MFA) for administrative access
Regular access reviews and user permission audits
Principle of least privilege enforced across systems

Infrastructure Security

Secure hosting with reputable cloud providers (AWS, Azure, or equivalent)
Regular security patches and system updates
Firewalls and intrusion detection systems (IDS)
DDoS protection and rate limiting
Regular vulnerability assessments and penetration testing

5.2 Organizational Security Measures

Data Protection Training: Mandatory training for all staff handling personal data
Confidentiality Agreements: All employees and contractors sign NDAs
Clear Desk/Clear Screen Policy: Physical and digital security protocols
Incident Response Plan: Documented procedures for security breaches
Regular Audits: Internal and external security audits

5.3 Network Security

Secure VPN access for remote work
Network segmentation to isolate sensitive systems
Regular monitoring and logging of network activity
Automated threat detection and response systems

5.4 Application Security

Secure coding practices following OWASP guidelines
Regular code reviews and security testing
Input validation and sanitization to prevent injection attacks
Session management and CSRF protection

6. Payment Security

6.1 PCI DSS Compliance

We use PCI DSS compliant payment gateways (Razorpay, Cashfree, Stripe)
We do NOT store complete credit card information on our servers
Payment data is tokenized and processed through secure third-party processors

6.2 Transaction Security

3D Secure authentication for card transactions
Real-time fraud detection and prevention
Encrypted payment pages with SSL certificates
Regular security audits of payment flows

7. Data Sharing and Third-Party Processing

7.1 No Sale of Data

Absolute Commitment: We will NEVER sell, rent, or trade your personal information to any third party for any purpose.

7.2 Limited Third-Party Sharing

We share data only with trusted service providers who assist in:

Payment processing (under strict contractual obligations)
Email delivery services (marketing platforms)
Website hosting and technical infrastructure
Analytics (anonymized data only)

7.3 Data Processing Agreements

All third-party processors sign Data Processing Agreements (DPAs)
Processors are contractually bound to protect data
Regular audits of processor security practices
Right to audit processor compliance

8. Data Retention and Disposal

8.1 Retention Principles

Data retained only as long as necessary for specified purposes
Clear retention schedules for different data categories
Annual reviews of retained data

8.2 Secure Disposal

Data deleted beyond retention period is permanently destroyed
Secure deletion methods preventing recovery
Physical media destruction for hardware disposal
Certificates of destruction maintained

9. Rights of Data Subjects

9.1 Right to Access

Request copies of personal data we hold
Understand how data is being processed
Response time: Within 30 days

9.2 Right to Rectification

Correct inaccurate or incomplete data
Update personal information

9.3 Right to Erasure (Right to be Forgotten)

Request deletion of personal data
Subject to legal retention requirements

9.4 Right to Restriction

Limit how we use your data
Temporarily suspend processing

9.5 Right to Data Portability

Receive data in structured, machine-readable format
Transfer data to another service provider

9.6 Right to Object

Object to certain processing activities
Opt out of marketing communications

9.7 Right to Withdraw Consent

Withdraw consent at any time
Does not affect lawfulness of processing before withdrawal

10. Data Breach Response

10.1 Incident Detection

24/7 monitoring systems for security incidents
Automated alerts for suspicious activities
Regular log analysis and threat detection

10.2 Breach Response Procedure

Containment: Immediate action to contain the breach
Assessment: Evaluate scope and impact
Notification: Notify affected individuals within 72 hours (if high risk)
Reporting: Report to relevant authorities as required
Remediation: Implement fixes and preventive measures
Documentation: Maintain detailed incident records

10.3 User Notification

Transparent communication about any breach affecting user data
Detailed information about what data was affected
Guidance on protective measures users can take

11. International Data Transfers

Primary data storage and processing in India
If data transferred internationally, appropriate safeguards in place
Compliance with cross-border data transfer regulations
Standard contractual clauses with international processors

12. Children's Data Protection

Services intended for adults 18 years and older
We do not knowingly collect data from minors
If we learn we've collected data from a minor, it's deleted immediately

13. Cookies and Tracking Technologies

Clear disclosure of cookie usage on website
Cookie consent mechanism before non-essential cookies are set
User control over cookie preferences
Regular review and minimization of tracking technologies

14. Vendor and Partner Security

Due diligence on all third-party vendors handling data
Contractual security requirements for vendors
Regular vendor security assessments
Right to audit vendor security practices

15. Physical Security

Restricted access to offices and data centers
Visitor logs and security badges
CCTV surveillance in sensitive areas
Secure disposal of physical documents

16. Business Continuity and Disaster Recovery

Regular data backups (daily and weekly)
Offsite backup storage
Disaster recovery plan with defined RTOs and RPOs
Regular testing of backup and recovery procedures

17. Monitoring and Compliance

Regular privacy impact assessments (PIAs)
Compliance monitoring and reporting
Internal audits and external certifications
Continuous improvement of security practices

18. Employee and Contractor Obligations

Background checks for employees with data access
Mandatory security and privacy training
Clear policies on acceptable use of systems
Consequences for policy violations

19. Transparency and Accountability

Public disclosure of privacy practices
Regular updates to this policy
Accessible contact information for privacy queries
Commitment to regulatory cooperation

20. Policy Review and Updates

Annual review of this policy
Updates in response to regulatory changes
Continuous improvement based on industry best practices
Communication of material changes to users

21. Contact Information

Data Protection Inquiries

Data Protection Officer
Lucid Lines Productions Private Limited

Email: privacy@synapseconclave.in
Security Issues: security@synapseconclave.in
Website: synapseconclave.in | synapseconclave.com

Response time: Within 30 days for all legitimate requests

22. Regulatory Compliance

This policy demonstrates our compliance with:

Information Technology Act, 2000 (and amendments)
Digital Personal Data Protection Act, 2023 (DPDP Act)
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
ISO 27001 Information Security Management principles

Our Promise: We are committed to maintaining the trust you place in us by protecting your personal information with the highest standards of security, transparency, and ethical data handling. Your privacy is not just our policy—it's our principle.