GDPR Compliance Statement

This GDPR Compliance Statement (hereinafter referred to as the "Statement") pertains exclusively to the processing of personal data subject to the EU General Data Protection Regulation No. 2016/679 (hereinafter referred to as the "GDPR").

1. Introduction

This Statement is presented by Unbox Robotics Labs Pvt. Ltd. ("We" or "Us") to individuals residing in the European Economic Area (EEA) who are protected under the GDPR. These individuals, who may include our valued customers, are herein referred to as "Data Subjects." This Statement explains how we, as the data controller, collect and process personal data, whether provided directly by Data Subjects, acquired through third parties, or received via any other means. All personal data processing is conducted in strict accordance with the GDPR and other applicable EU and Member State data protection regulations, where applicable.

Personal data processing within the context of this Statement encompasses:

• Processing carried out concerning our EEA-based operations,
• Processing related to the provision of goods or services to Data Subjects, and
• Processing related to the monitoring of Data Subjects' behavior within the EEA.

2. Collection and Processing of Personal Data

We are committed to processing Data Subjects' personal data in strict compliance with GDPR's legal bases (Articles 6 and 7). Additionally, when handling personal data that requires special care, we adhere to GDPR's special rules (Articles 9 and 10). We may collect and process Data Subjects' personal data under the following circumstances:

• When necessary to provide Data Subjects with our services and products, and we have a legitimate interest.
• When required to execute an agreement with Data Subjects or to carry out pre-execution procedures.
• When Data Subjects have given their explicit prior consent. In such cases, we provide notification of the purpose of data collection and processing when obtaining consent, an agreement, or other appropriate means.

Data Subjects retain the right to withdraw their consent to personal data collection and processing at any time. However, this withdrawal does not affect the lawfulness of processing based on consent obtained before withdrawal.

We process Data Subjects' personal data solely for the specified, explicit, and legitimate purposes outlined in this Statement. Personal data will not be further processed in a manner inconsistent with these purposes. In the event that we intend to process personal data originally collected for other purposes, Data Subjects will be duly informed. We retain personal data only for the period necessary to fulfill our legal obligations, provide adequate services, and support our business activities (as per Articles 5 and 25(2) of the GDPR).

We ensure that personal data processing is limited to what is adequate and necessary in relation to the stated purposes.

3. Sharing Personal Data

We may share personal data with our affiliated group entities and third parties in accordance with GDPR provisions. When sharing personal data with a data processor, we implement appropriate legal frameworks to cover data transfer and processing (as per Articles 26, 28, and 29 of the GDPR).

Furthermore, when sharing personal data with entities outside the EEA, we establish appropriate legal frameworks, including the use of Controller-to-Controller and Controller-to-Processor Standard Contract Clauses approved by the European Commission (as detailed in Chapter 5 of the GDPR).

Collaborative Partners: Subject to Data Subjects' prior consent, personal data may be transferred to, stored, and further processed by collaborative partners who assist us in providing our products and services or support our marketing efforts.

Outsourcing: We may outsource certain aspects of personal data processing, such as sales services, enquiry response services, equipment maintenance services, fee-related services, and marketing services. When entering into outsourcing agreements, we conduct thorough investigations to ensure the eligibility of the outsourcing party as a service provider. We establish safety management measures, confidentiality requirements, conditions for the outsourcing party to further outsource data, and other provisions regarding the appropriate handling of personal data in the outsourcing agreement. Our outsourcing partners are subject to ongoing supervision, including periodic monitoring.

Corporate Affiliates and Corporate Reorganizations: Personal data may be shared with all corporate affiliates. In the event of a merger, corporate reorganization, civil rehabilitation, acquisition, joint venture, assignment, transfer, sale, or disposition of all or any part of our business, including any bankruptcy or similar proceedings, personal data may be transferred to the relevant third party.

Legal Compliance and Security: We may be legally obliged, by law, legal processes, litigation, or requests from public and governmental authorities, both within and outside the Data Subject's country of residence, to disclose personal data. We may also disclose personal data if deemed necessary for national security, law enforcement, or other concerns of public importance. Additionally, personal data may be disclosed if we believe, in good faith, that disclosure is reasonably necessary to protect our rights, pursue available remedies, enforce our internal regulations, investigate fraud, or safeguard our operations and users.

Data Transfers: Disclosures or sharing of personal data as described above may involve transferring personal data outside of the EEA. In each such transfer, we ensure that an adequate level of protection is provided to the data transferred. This is achieved, in particular, by entering into Standard Contract Clauses as defined by European Commission decisions 2001/497/EC, 2002/16/EC, 2004/915/EC, and 2010/87/EU.

4. Our Records of Data Processes

We meticulously maintain records of personal data processing in accordance with GDPR obligations (Article 30), wherever applicable. These records encompass all essential information required to comply with the GDPR and collaborate with supervisory authorities as mandated by the GDPR (Article 31).

5. Security Measures

We process personal data with the utmost care, ensuring that such data undergoes appropriate security measures. These measures encompass protection against unauthorized or unlawful processing, as well as protection against accidental loss, destruction, damage, and similar risks. Appropriate technical and organizational measures are adopted to achieve this (as specified in Articles 25(1) and 32 of the GDPR).

6. Notification of Data Breaches to Competent Supervisory Authorities

In the event of a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed, we have established mechanisms and policies to promptly identify and assess the breach's details. Based on our assessment, we will notify the relevant supervisory authorities and affected Data Subjects, in accordance with Articles 33 and 34 of the GDPR.

7. Processing Likely to Result in High Risk to Data Subjects' Rights and Freedoms

We have implemented mechanisms and policies to identify data processing activities that may pose a high risk to Data Subjects' rights and freedoms (as stipulated in Article 35 of the GDPR). In cases where such data processing activities are identified, we will conduct an internal assessment and either discontinue the activity, ensure GDPR compliance, or establish appropriate technical and organizational protective measures to proceed with the processing. In situations where there is uncertainty, we will consult the competent Data Protection Supervisory Authority for guidance and recommendations (Article 36 of the GDPR).

8. Data Subjects' Rights

Data Subjects will be informed of their rights under the GDPR when notified of the purpose of personal data processing. If Data Subjects wish to exercise these rights, they may contact us at the address provided in Section 9 below. If Data Subjects are dissatisfied with the way we have handled their requests or have any complaints regarding our personal data processing practices, they may lodge a complaint with a Data Protection Supervisory Authority.

9. Children

If we collect and process personal data from a child who is under 16 years of age or who has not reached the age limits defined by the laws of a Member State, we process such data appropriately (Article 8 of the GDPR).

10. Updates to GDPR Compliance Statement

This GDPR Compliance Statement may be subject to occasional changes. Any revisions to this Statement will become effective upon posting of the updated Statement via our website. If we make significant changes that we believe would be of interest to Data Subjects, we will make reasonable efforts to inform Data Subjects through our website and, where applicable, seek their consent.

11. Contact

For inquiries or requests related to this GDPR Compliance Statement, please contact us at:

E-mail: [email protected]

Effective Date of Recent Edit - 16 May 2023