2. CAGlobal Privacy Policy

2.1 Introduction

CAGlobal (“we”, “us”, “our”) is committed to protecting the privacy and security of personal information. This Privacy Policy explains how we collect, use, disclose, store and protect personal data, and describes the rights available to individuals under applicable laws (e.g., Indian data‑protection law, GDPR where applicable).

This Policy applies to:

• Visitors to CAGlobal websites, portals and digital platforms.

• Clients and their personnel, prospective clients, suppliers and business partners.

• Job applicants, interns, contractors and other individuals whose personal data we process in connection with our services.

2.2 Data Controller / Responsible Entity

The CAGlobal entity that determines the purposes and means of processing your personal data acts as the “data controller” for that processing. For cross‑border engagements, multiple CAGlobal entities may act as joint or independent controllers, in line with applicable law and client contracts.

2.3 What Personal Data We Collect

Depending on your relationship with us and how you interact with CAGlobal, we may collect:

• Identification and contact data: name, title, employer, business and personal contact details (address, email, phone).

• Professional details: role, department, qualifications, licenses, skills, CV/resume details, professional memberships.

• Client and engagement data: information necessary to provide services (e.g., organizational charts, employee data, financial records, transaction details) as shared by clients.

• Regulatory data: KYC/AML checks, conflict‑of‑interest information, independence data where required.

• Website and device data: IP address, browser type, access times, pages visited, referring URLs, cookies and similar technologies (in line with cookie notices).

• Event and marketing data: registrations, attendance, preferences, feedback, newsletter subscriptions.

• Security and access data: CCTV footage where used, visitor logs, access control data for CAGlobal premises or systems.

• Complaint/incident data: information you provide when raising concerns or using whistleblower channels.

• Sensitive data (limited): where necessary and lawful, e.g., disability information for accommodation, or government identifiers as required by law or client engagement.

We generally collect personal data directly from you, from our clients (in the course of providing services), from public sources (e.g., company websites, regulators, professional registries) or from third parties such as background‑check providers, subject to legal requirements.

2.4 Purposes and Legal Bases for Processing

We process personal data for the following purposes, relying on appropriate legal bases (which may vary by jurisdiction):

1. Providing professional services to clients

   • Delivering audit‑adjacent, risk management, advisory, tax, consulting, technology and related services, including analysing client data and preparing deliverables.

   • Legal bases may include performance of a contract, legitimate interests of CAGlobal or its clients, and compliance with legal obligations.

2. Client relationship management and business development

   • Managing client accounts, responding to inquiries, sending proposals, and communicating about services, events, or thought leadership consistent with your preferences.

   • Legal bases: legitimate interests; consent where required (e.g., certain marketing communications).

3. Legal, regulatory and professional obligations

   • Complying with independence, audit, anti‑corruption, anti‑money‑laundering, sanctions, tax and other regulatory requirements.

   • Responding to lawful requests from authorities and regulators.

   • Legal bases: legal obligations; public interest; legitimate interests.

4. Managing our business operations

   • Operating IT and security systems, performing internal controls, audits, risk management and quality reviews.

   • Maintaining records, managing vendor relationships, and processing payments.

   • Legal bases: legitimate interests; contract; legal obligations.

5. Recruitment and HR‑related processing

   • Receiving and evaluating applications, conducting interviews, performing background checks where permitted, and maintaining a talent pool.

   • Legal bases: contract, consent where required, legitimate interests.

6. Protecting rights, property and safety

   • Detecting, preventing and responding to fraud, security incidents, and misuse of our systems or premises.

   • Legal bases: legitimate interests; legal obligations.

Where consent is used as a legal basis (e.g., certain marketing, or specific sensitive data), you may withdraw consent at any time, without affecting prior lawful processing.

2.5 Sharing of Personal Data

We may share personal data with:

• CAGlobal network firms and controlled entities, where necessary for service delivery, internal administration, or cross‑border engagements, subject to internal safeguards.

• Clients and counterparties, where required to perform services or upon your instructions.

• Professional advisers and service providers, such as IT providers, background‑check firms, training providers, or other consultants, under appropriate confidentiality and data‑processing agreements.

• Regulators, courts or law‑enforcement authorities, where required by law, regulation or legal process.

• Potential buyers or partners in the context of mergers, acquisitions, or reorganisations, subject to confidentiality protections.

We do not sell personal data. We do not share personal data with third parties for their own direct marketing purposes without appropriate consent where required.

2.6 International Transfers

Where personal data is transferred across borders (for example, between India and other countries where CAGlobal network firms or clients are located), we will:

• Comply with applicable data‑transfer requirements (e.g., contractual clauses, intra‑group agreements, or other recognised transfer mechanisms).

• Implement safeguards consistent with global standards (similar to binding corporate rule‑type controls used by large networks).

Details of applicable safeguards can be provided upon request, subject to confidentiality.

2.7 Data Security

We use appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These may include:

• Access controls and role‑based permissions.

• Encryption, secure transmission protocols, and network security controls.

• Logging and monitoring, data loss prevention technologies.

• Staff training on information security and confidentiality.

No system is completely secure, but we regularly review and improve our security measures in line with legal, regulatory and industry developments.

2.8 Data Retention

We retain personal data only for as long as necessary to:

• Fulfil the purposes described above;

• Comply with legal, regulatory, professional and contractual record‑keeping requirements; and

• Establish, exercise or defend legal claims.

Retention periods vary by data type, jurisdiction and nature of the engagement; where possible, we will minimise or anonymise data when full identification is no longer required.

2.9 Your Rights

Depending on applicable law, individuals may have rights regarding their personal data, such as:

• Access to their personal data and information about processing.

• Rectification of inaccurate or incomplete data.

• Erasure (“right to be forgotten”) in certain circumstances.

• Restriction of processing.

• Data portability, where technically feasible and legally required.

• Objection to certain processing, including direct marketing.

• Withdrawal of consent where processing is based on consent.

Requests to exercise these rights can be made using the contact details in Section 2.12. We may need to verify identity and may be unable to fully comply where legal, regulatory or legitimate‑interest grounds apply.

2.10 Cookies and Similar Technologies

Our websites and digital platforms may use cookies and similar technologies to:

• Enable site functionality and security.

• Collect usage statistics (e.g., pages visited, time spent) for analytics and improvement.

• Remember your preferences (e.g., language, cookies choices).

Details of the types of cookies used, their purposes, and your choices (including consent where required) will be provided in a separate Cookie Notice.

2.11 Children’s Privacy

CAGlobal services are generally intended for business and professional audiences. We do not knowingly collect personal data from children below the age defined by local law without appropriate parental/guardian consent where required.

2.12 Contact, Complaints and Governance

For questions, concerns or requests regarding this Privacy Policy or our handling of personal data, individuals may contact:

• CAGlobal Data Protection / Privacy Officer (contact details to be inserted).

• Local CAGlobal entity indicated in engagement letters or website/legal notice.

If you are not satisfied with our response, you may have the right to lodge a complaint with the appropriate data‑protection authority or regulator in your jurisdiction.

2.13 Updates to this Policy

We may update this Privacy Policy periodically to reflect legal, regulatory or operational changes. The revised version will be posted on our website with an updated “last revised” date; material changes may be communicated through additional notices.

General Privacy Policy

CAGlobal website is owned by CAGlobal, which is a data controller of your personal data.

We have adopted this Privacy Policy, which determines how we are processing the information collected by CAGlobal, which also provides the reasons why we must collect certain personal data about you. Therefore, you must read this Privacy Policy before using CAGlobal website.

We take care of your personal data and undertake to guarantee its confidentiality and security.

Personal information we collect:

When you visit the CAGlobal, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the installed cookies on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products you view, what websites or search terms referred you to the Site, and how you interact with the Site. We refer to this automatically-collected information as “Device Information.” Moreover, we might collect the personal data you provide to us (including but not limited to Name, Surname, Address, payment information, etc.) during registration to be able to fulfill the agreement.

Why do we process your data?

Our top priority is customer data security, and, as such, we may process only minimal user data, only as much as it is absolutely necessary to maintain the website. Information collected automatically is used only to identify potential cases of abuse and establish statistical information regarding website usage. This statistical information is not otherwise aggregated in such a way that it would identify any particular user of the system.

You can visit the website without telling us who you are or revealing any information, by which someone could identify you as a specific, identifiable individual. If, however, you wish to use some of the website’s features, or you wish to receive our newsletter or provide other details by filling a form, you may provide personal data to us, such as your email, first name, last name, city of residence, organization, telephone number. You can choose not to provide us with your personal data, but then you may not be able to take advantage of some of the website’s features. For example, you won’t be able to receive our Newsletter or contact us directly from the website. Users who are uncertain about what information is mandatory are welcome to contact us via team@caglobal.in.

Your rights:

If you are a European resident, you have the following rights related to your personal data:

• The right to be informed.

• The right of access.

• The right to rectification.

• The right to erasure.

• The right to restrict processing.

• The right to data portability.

• The right to object.

• Rights in relation to automated decision-making and profiling.

If you would like to exercise this right, please contact us through the contact information below.

Additionally, if you are a European resident, we note that we are processing your information in order to fulfill contracts we might have with you (for example, if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. Additionally, please note that your information might be transferred outside of Europe, including Canada and the United States.

Links to other websites:

Our website may contain links to other websites that are not owned or controlled by us. Please be aware that we are not responsible for such other websites or third parties' privacy practices. We encourage you to be aware when you leave our website and read the privacy statements of each website that may collect personal information.

Information security:

We secure information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use, or disclosure. We keep reasonable administrative, technical, and physical safeguards to protect against unauthorized access, use, modification, and personal data disclosure in its control and custody. However, no data transmission over the Internet or wireless network can be guaranteed.

Legal disclosure:

We will disclose any information we collect, use or receive if required or permitted by law, such as to comply with a subpoena or similar legal process, and when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Contact information:

If you would like to contact us to understand more about this Policy or wish to contact us concerning any matter relating to individual rights and your Personal Information, you may send an email to team@caglobal.in.