Privacy Policy
Ecoplug Energy India Limited

Ecoplug Energy India Limited ("Ecoplug," "Company," "We," "Us," or "Our"), a Public Limited Company incorporated under the Companies Act, 2013, and a registered Charge Point Operator (CPO) with the Ministry of Power, Bureau of Energy Efficiency, Government of India, is committed to the responsible stewardship of your personal data.

This Privacy Policy ("Policy") governs the collection, use, storage, processing, disclosure, and protection of personal data provided by or collected from any individual ("User," "You," "Your") who accesses or uses the Company's website (www.ecoplug.in), mobile applications, EV charging station network, CSMS platform, white-label solutions, or any other service offered by the Company (collectively, "Services").

This Policy is published in compliance with, and shall be construed in accordance with:

• •The Information Technology Act, 2000 and the Rules made thereunder, including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
• •The Digital Personal Data Protection Act, 2023 (DPDP Act);
• •All other applicable laws, regulations, and guidelines issued by competent authorities in India from time to time.

For the purposes of this Policy, the following terms shall bear the meanings assigned to them below. References to statutes include all amendments and subordinate legislation made thereunder.

In the event of any ambiguity or inconsistency in interpretation, the meaning that best advances the Company's lawful data processing objectives and compliance obligations shall prevail, subject to mandatory statutory requirements.

The Company collects only such personal data as is reasonably necessary for the purposes identified in this Policy. The categories of data collected include, but are not limited to, the following:

• •Full name, date of birth, gender, and photograph;
• •Email address, mobile number, and postal/billing address;
• •Government-issued identification for KYC/AML compliance (where required by law).

• •Username, encrypted password, and unique User ID;
• •Authentication tokens, session data, and device-linked identifiers.

• •Vehicle registration number, make, model, battery capacity, and connector type;
• •Charging session records including start/end time, energy dispensed (kWh), station ID, and tariff applied;
• •Charging preferences and historical usage patterns;
• •Telemetry data transmitted from charging stations via OCPP protocols.

• •Payment instrument details (credit/debit card, UPI, net banking) processed exclusively through PCI-DSS compliant payment gateways — the Company does not store raw card data;
• •Transaction history, invoices, refund records, and wallet balance;
• •GST identification number (where applicable for B2B Users).

• •Real-time GPS coordinates and general location when using the mobile application to locate charging stations (with explicit consent);
• •Charging station location data associated with your session records.

• •IP address, browser type, operating system, device type and identifiers;
• •Application log files, pages visited, session duration, click-path data;
• •Crash reports and performance diagnostics.

• •Records of interactions with Customer Support, including call recordings (where notice is given), emails, and chat transcripts;
• •Feedback, complaints, survey responses, and ratings submitted by the User.

• •Data received from payment gateway providers, vehicle manufacturers (with your consent), mapping services, and government databases used for identity verification;
• •Social media profile data where the User elects to connect a social account to the Platform.

The Company processes your personal data exclusively for the following purposes, each of which is supported by a lawful basis identified in Section 5:

• •Enabling access to and management of EV charging sessions across the Company's network;
• •Processing payments, managing prepaid wallet balances, generating invoices, and facilitating refunds where applicable;
• •Authenticating Users and securing accounts against unauthorised access;
• •Providing station location services, real-time availability data, and navigation assistance.

• •Maintaining financial records and conducting internal audits as required by law;
• •Detecting, investigating, and preventing fraud, cybercrime, and misuse of the Platform;
• •Complying with applicable statutes, regulations, court orders, and directives from government or regulatory authorities;
• •Enforcing the Company's Terms & Conditions, this Policy, and all ancillary agreements.

• •Analysing aggregated and anonymised usage data to improve service quality, reliability, and network efficiency;
• •Developing new features, products, and infrastructure optimisations;
• •Conducting research aligned with the Company's mandate as a CPO under applicable energy regulations.

• •Sending promotional offers, service updates, and newsletters — solely where you have provided separate, specific consent;
• •Personalised recommendations based on your usage history;
• •Conducting satisfaction surveys and feedback campaigns.

• •Responding to and cooperating with law enforcement, government authorities, and regulatory bodies;
• •Protecting the rights, property, and safety of the Company, its employees, Users, and the public;
• •Establishing, exercising, or defending legal claims in any jurisdiction.

All processing of personal data by the Company is founded upon one or more of the following lawful bases recognised under the DPDP Act, 2023 and the IT Act, 2000:

• 5.1Consent: Where you have provided free, specific, informed, and unambiguous consent prior to the collection or processing of your personal data for a stated purpose. Consent may be withdrawn at any time, subject to Section 9.5, but withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
• 5.2Contractual Necessity: Processing is necessary to perform the contract for Services between the Company and the User, including all transactions, account management, and service delivery obligations.
• 5.3Legal Obligation: Processing is required for the Company to comply with obligations imposed by Indian law, including tax statutes, energy regulations, and anti-money laundering requirements.
• 5.4Legitimate Interests: Processing is necessary for the Company's legitimate business interests — including fraud prevention, information security, network optimisation, and service improvement — provided such interests are not overridden by the User's fundamental rights and freedoms.
• 5.5Vital Interests / Public Interest: Where processing is necessary to protect the vital interests of a person or to perform tasks carried out in the public interest, including safety-related matters in the operation of public EV charging infrastructure.

The Company does not sell, rent, or trade your personal data to third parties for their independent marketing purposes. Personal data may, however, be shared with the following categories of recipients in the circumstances described below:

The Company engages third-party processors — including payment gateway operators, cloud infrastructure providers, SMS/email communication platforms, analytics services, and IT security providers — under binding data processing agreements that impose confidentiality and security obligations no less stringent than those adopted by the Company.

The Company shall disclose personal data to government bodies, regulatory authorities, law enforcement agencies, courts, or tribunals where it is legally obligated or otherwise authorised to do so. Such disclosures shall be made only to the extent required and shall not be contingent upon the User's consent where mandated by law.

In connection with any merger, acquisition, restructuring, asset sale, or similar corporate transaction, personal data may be transferred to the acquiring or successor entity. The Company shall ensure that any such transfer is accompanied by appropriate contractual protections and that the recipient is bound by data protection obligations equivalent to those in this Policy.

Personal data may be shared with the Company's subsidiaries, affiliates, or authorised franchise/operator partners where necessary to deliver the Services contracted by the User, or to fulfil regulatory reporting obligations in their jurisdictions.

The Company reserves the right to disclose personal data where it determines, in its sole discretion, that such disclosure is reasonably necessary to: (i) enforce this Policy or the Terms & Conditions; (ii) protect the rights, property, or safety of the Company, its personnel, Users, or third parties; or (iii) detect, prevent, or address fraud, security, or technical issues.

The Company retains personal data for the minimum period necessary to fulfil the purposes for which it was collected, subject to any longer period required by applicable law or regulation. The following indicative retention schedule applies:

Data Category	Retention Period	Basis
Account & Identity Information	Duration of account + 3 years after closure	Contractual / Legitimate Interest
Transaction & Financial Records	7 years from transaction date	Income Tax Act, 1961; GST Act
Charging Session Data	5 years from session date	Billing, audit & dispute resolution
Customer Support Records	3 years after resolution	Legal claims / Consumer Protection Act
KYC / Verification Documents	As required by applicable AML/KYC regulation	Legal Obligation
Marketing Consent Records	Until consent is withdrawn + 1 year	DPDP Act, 2023
CCTV / Station Footage	90 days (extendable if under active investigation)	Security / Legitimate Interest
Technical / Log Data	12 months	Security & fraud prevention

Upon expiry of the applicable retention period, personal data shall be securely deleted, anonymised, or pseudonymised in accordance with the Company's data disposal procedures and applicable statutory requirements. The Company is under no obligation to retain data beyond the periods specified above.

The Company implements technical and organisational measures commensurate with the sensitivity of the personal data processed and the risks presented by the processing activities. These measures include, without limitation:

• •SSL/TLS encryption for all data in transit; AES-256 encryption for data at rest;
• •Secure password hashing using bcrypt or Argon2; passwords are never stored in plaintext;
• •Multi-factor authentication (MFA) for administrative access and sensitive user operations;
• •Intrusion detection and prevention systems; DDoS mitigation; firewall and network segmentation;
• •Regular penetration testing, vulnerability assessments, and security audits by qualified professionals.

• •Role-based access controls limiting data access to authorised personnel on a need-to-know basis;
• •Mandatory data protection training for all employees handling personal data;
• •Confidentiality and non-disclosure agreements binding on all employees, contractors, and processors;
• •Documented incident response plan with breach notification protocols aligned with DPDP Act requirements.

Under the Digital Personal Data Protection Act, 2023, and other applicable Indian law, you have the following rights in relation to your personal data. The exercise of these rights is subject to the limitations, exceptions, and verification procedures set out below:

• 9.1Right to Access: You may request confirmation of whether the Company processes your personal data and obtain a summary of the data held and the purposes of processing. The Company shall respond within a reasonable period and in any event within the timeframe required by applicable law.
• 9.2Right to Correction: You may request correction of inaccurate, incomplete, or outdated personal data. The Company shall make corrections within a reasonable timeframe following verification of the request. The Company is not obligated to correct data that is accurate as per its records.
• 9.3Right to Erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, and where no legal retention obligation applies. The Company shall not be required to erase data that it is legally obligated to retain, or data that is necessary for the establishment, exercise, or defence of legal claims.
• 9.4Right to Data Portability: Where processing is based on consent or contractual necessity and carried out by automated means, you may request that your personal data be provided in a structured, machine-readable format, to the extent technically feasible and legally permitted.
• 9.5Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing carried out prior to withdrawal. Withdrawal of consent may result in the Company being unable to provide certain Services that depend on such processing, and the Company shall bear no liability for any resulting service interruption.
• 9.6Right to Grievance Redressal: You may lodge a complaint with the Company's Grievance Officer (see Section 16). If unsatisfied with the Company's response, you may escalate to the Data Protection Board of India upon its establishment under the DPDP Act, 2023.
• 9.7Right to Nominate: You may nominate an individual to exercise your data rights in the event of your death or incapacity, in accordance with the procedure notified by the Company from time to time.

The Company uses cookies, web beacons, pixel tags, and similar tracking technologies on its website and mobile applications for the purposes described below. By continuing to use the Platform, you consent to the use of cookies in accordance with this Section.

• Ess.Essential Cookies: Strictly necessary for the operation of the Platform, including session management, authentication, and security. These cannot be disabled without materially impairing functionality.
• Perf.Performance Cookies: Collect anonymised or aggregated information on how Users interact with the Platform to enable continuous improvement. Includes third-party analytics services such as Google Analytics, which operate under their own privacy policies.
• Func.Functional Cookies: Remember your preferences, settings, and personalisation choices to enhance your experience.
• Targ.Targeting/Advertising Cookies: Used to deliver relevant advertising and measure campaign effectiveness. Deployed only where you have provided explicit consent.

You may manage cookie preferences through your browser or device settings. Disabling essential cookies will impair your ability to use the Platform. The Company bears no liability for reduced functionality resulting from the User's decision to restrict cookies.

The Company's Services are not directed at, and are not intended for use by, individuals under the age of 18 years. The Company does not knowingly collect personal data from minors. Access to and use of the Platform by a minor without verifiable parental or guardian consent is strictly prohibited.

If the Company becomes aware that it has inadvertently collected personal data from a minor, it shall take prompt steps to delete such data. If you are a parent or guardian and believe your child has provided personal data without your consent, please contact the Grievance Officer immediately using the details in Section 16. The Company accepts no liability for data provided by a User who falsely represents their age.

Your personal data is primarily processed and stored within the territory of India. Where the Company engages third-party service providers located outside India — such as cloud infrastructure, analytics, or communication platforms — personal data may be transferred internationally.

All cross-border transfers are conducted subject to: (i) the recipient country providing an adequate level of data protection as determined by competent Indian authorities; (ii) appropriate contractual safeguards, including Standard Contractual Clauses or equivalent mechanisms; and (iii) the Company's security and compliance requirements. The Company does not transfer personal data to jurisdictions that do not meet the requisite protection standards under applicable Indian law.

By using the Services and providing personal data, you acknowledge and consent to such transfers to the extent they are necessary for the delivery of the Services contracted by you.

The following provisions govern the Company's reserved rights in relation to data processing and User obligations:

• 13.1Right to Process Lawfully Without Consent: The Company reserves the right to process personal data without the User's consent where such processing is required or permitted by applicable law, including for tax compliance, fraud investigation, court orders, or regulatory reporting.
• 13.2Right to Retain Data for Legal Purposes: Notwithstanding a User's request for erasure, the Company reserves the right to retain personal data for such periods as are required by applicable statutes or as may be necessary to establish, exercise, or defend legal claims against or by the Company.
• 13.3Right to Suspend or Terminate Access: The Company reserves the right to restrict, suspend, or terminate a User's access to the Services where the User's exercise of data rights or actions in connection with their account are inconsistent with applicable law, this Policy, or the Terms & Conditions.
• 13.4Limitation of Liability: The Company's liability for any breach of this Policy or data protection obligations shall be limited to the maximum extent permitted by applicable Indian law. The Company shall not be liable for indirect, consequential, or speculative losses arising from any alleged breach of this Policy.
• 13.5User Responsibility: The User is solely responsible for the accuracy and completeness of personal data provided to the Company, for maintaining the security of their account credentials, and for promptly notifying the Company of any suspected unauthorised use of their account.
• 13.6Anonymised Data: The Company reserves the right to use anonymised, de-identified, or aggregated data derived from User information for any lawful purpose, including research, analytics, and commercial purposes, without restriction and without any obligation to the User, as such data does not constitute personal data.

The Company reserves the right to revise, update, or replace this Privacy Policy at any time, at its sole discretion, to reflect changes in applicable law, business practices, technology, or regulatory requirements. The Company is under no obligation to provide advance individual notice of such changes.

All revisions shall take effect upon publication of the updated Policy on the Company's website at www.ecoplug.in, identified by a revised "Last Updated" date. Where material changes are made, the Company shall endeavour to provide reasonable notice through one or more of the following channels: website notification, registered email address, or in-app alert.

By accessing or using any Service offered by the Company — whether through the website, mobile application, or physical charging infrastructure — you represent and warrant that:

• •You have read and understood this Privacy Policy in its entirety;
• •You are at least 18 years of age, or have obtained verifiable parental or guardian consent;
• •You freely and voluntarily consent to the collection, use, processing, and disclosure of your personal data as described herein;
• •Where you provide personal data of third parties, you confirm that you have obtained their valid consent and are authorised to do so.

Where the Company is required by law to obtain explicit, specific consent for a particular category of processing — including sensitive personal data — it shall obtain such consent through a separate, affirmative action (e.g., an opt-in checkbox or consent prompt) at the time of collection.

Consent for processing based on legitimate interests does not require the User's affirmative action but is subject to the User's right to object under Section 9 of this Policy. The Company shall balance its legitimate interests against the User's fundamental rights in all such cases.

The Company has designated a Grievance Officer in accordance with the requirements of the IT Act, 2000, the SPDI Rules, 2011, and the DPDP Act, 2023. Users may contact the Grievance Officer for any concern, query, or complaint relating to this Policy or the processing of their personal data.

1. Submit your written complaint to the Grievance Officer via email at support@ecoplug.in, clearly stating your registered contact details, the nature of your concern, and any supporting documentation.
2. The Grievance Officer shall acknowledge receipt of your complaint within 48 hours of receipt.
3. The Company shall investigate the matter and provide a substantive response within 30 days of acknowledgement, in accordance with applicable statutory timelines.
4. If you are not satisfied with the Company's resolution, you may escalate your complaint to the Data Protection Board of India upon its formal establishment under the DPDP Act, 2023, or to any other competent authority under applicable law.
5. Nothing in this process shall preclude a User from pursuing remedies available under the Consumer Protection Act, 2019, or any other applicable legislation.

This Privacy Policy and all matters arising out of or in connection with it — including any dispute as to its existence, validity, interpretation, breach, or termination — shall be governed by and construed exclusively in accordance with the laws of the Republic of India, without reference to any conflict of laws principles.

Subject to the grievance and redressal mechanism set out in Section 16, any dispute that cannot be resolved through the Company's internal process shall be subject to the exclusive jurisdiction of the courts of competent jurisdiction at Alwar, Rajasthan, India.