Table of Contents

Objective

The objective of this policy is to outline the principles and practices for protecting the privacy of personal
information in the design, development, and delivery of Obox Solution Ltd. products and services. Privacy by
Design is to proactively protect the privacy of individuals by minimizing the amount of personal data collected,
ensuring that the data collected is used only for the intended purpose, and implementing strong security
measures to prevent unauthorized access or disclosure.

Scope

This policy applies to all employees, contractors, and third-party service providers who handle personal
information in the course of their work for our organization.

Policy Statement

At Obox Solution Ltd., we are committed to safeguarding the privacy and security of personal information. We
believe in integrating privacy considerations into our products, services, and business processes from the
earliest stages of development. This Privacy by Design policy outlines our commitment to protecting personal
information and our approach to embedding privacy protections into our operations.

Principles

Our organization is committed to the following Privacy by Design principles:

  • Proactive, not Reactive: Privacy considerations are integrated into all aspects of our products and
    services, from the initial design phase through to end-of-life.
  • Privacy as the Default Setting: Our products and services are designed to minimize the collection and
    use of personal information and to make privacy the default setting.
  • Privacy Embedded into Design: Privacy considerations are incorporated into the design and
    architecture of our products and services, including security measures to protect personal information
    from unauthorized access, use, and disclosure.
  • End-to-End Security: Our products and services are designed to ensure end-to-end security of personal
    information, from collection to storage, use, and disposal.
  • Transparency and User Control: We provide clear and concise information about our privacy practices,
    including how personal information is collected, used, and disclosed, and give individuals control over
    their personal information.
  • Respect for User Privacy: We respect the privacy of individuals and do not use personal information for
    any purpose other than the intended purpose.

Procedures

To implement these principles, Obox Solution Ltd. will:

  • Conduct privacy impact assessments (PIAs) to identify and mitigate privacy risks associated with our
    products and services.
  • Implement data minimization practices to limit the collection, use, and retention of personal information
    to only what is necessary to provide the intended product or service and in accordance with Data
    Protection Policy.
  • Provide clear and concise privacy notices that explain our collection, use, and disclosure practices to
    individuals.
  • Obtain the appropriate consent from individuals before collecting or using their personal information,
    where required by law.
  • Implement appropriate technical and organizational security measures to protect personal information
    from unauthorized access, use, and disclosure.
  • Regularly review and update our Privacy by Design Policy and related procedures to ensure ongoing
    compliance with applicable laws and regulations.

Training and Accountability

Obox Solution Ltd. will provide training and resources to employees, contractors, and third-party service
providers to ensure they understand their roles and responsibilities under this policy. We will also hold
individuals accountable for complying with this policy and related procedures and take appropriate disciplinary
action for non-compliance.

Document Security Classification

Company Internal (please refer to the Data Classification policy for details).

Non-Compliance

Compliance with this policy shall be verified through various methods, including but not limited to automated
reporting, audits, and feedback to the policy owner.Any staff member found to be in violation of this policy may
be subject to disciplinary action, up to and including termination of employment or contractual agreement. The
disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.

Responsibilities

The Privacy Officer is responsible for approving and reviewing policy and related procedures. Supporting
functions, departments, and staff members shall be responsible for implementing the relevant sections of the Internal Created on sprinto.com
policy in their area of operation.

Schedule

This document shall be reviewed annually and whenever significant changes occur in the organization.

Version history

1 Current Policy version approved by Fazeel Javed 28Aug, 2024
1 New Policy version Created 28Aug, 2024