Privacy Policy Effective Date: As Last Updated ARTICLE I. PRELIMINARY PROVISIONS AND CORPORATE IDENTITY Section 1.01. Corporate and Application Identification This Privacy Policy (hereinafter referred to as the "Policy") constitutes a legally binding document that governs the methodology by which Sevencircle Innovations LLP (hereinafter referred to as the "Company," "We," "Us," or "Our"), a limited liability partnership duly registered and operating under the laws of the Republic of India, manages the collection, utilization, disclosure, and protection of personal information pertaining to its users (each, a "User," and collectively, the "Users"). The Company is the sole owner and operator of the proprietary digital application and service known as Lunasessions (hereinafter referred to as the "App" or "Service"). Section 1.02. Corporate Address of Record The principal place of business and corporate address of Sevencircle Innovations LLP is duly registered as: LIGHTBRIDGE, HIRANANDANI BUSINESS Mumbai, Sakinaka Police Station Mumbai, Mumbai - 400072, Maharashtra, India The Company hereby affirms its unwavering commitment to the principles of transparent data practices and the stringent protection of the privacy rights of all individuals utilizing the Lunasessions App.ARTICLE II. REGULATORY FRAMEWORK AND COMPLIANCE Section 2.01. Governing Legal Compliance Framework This Policy has been meticulously prepared and shall be interpreted and enforced in strict compliance with the legislative and regulatory framework prevailing within the Republic of India, specifically including, but not limited to: The Digital Data Protection Act, 2023 (DPDP Act). The Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021. The Information Technology Act, 2000 (with particular regard to Sections 43A and 72A). The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 (hereinafter, the "SPDI Rules"). Any terms utilized herein but not explicitly defined shall be construed in accordance with the definitions stipulated within the Digital Data Protection Act, 2023. Section 2.02. DPDP Act Section 5 Statutory Compliance Notice This Policy serves as the formal and official notice to the User, pursuant to the mandatory requirements of the DPDP Act, regarding: The nature and specific purposes for which Personal Data is collected by the Company (as comprehensively detailed in Article III, Section 3.01 herein). The established mechanisms and procedures by which a User may exercise their statutory rights as codified under Sections 6(4) and 13 of the DPDP Act (as comprehensively detailed in Article VI herein). The established procedure for lodging grievances or complaints with the designated Data Protection Board. The Company reserves the right to notify the User of any material alterations or modifications to this Policy through appropriate and timely communication channels.ARTICLE III. USER ACCEPTANCE, CONSENT, AND INTERNATIONAL OBLIGATIONS Section 3.01. Agreement, Acknowledgment, and Operative Consent By engaging with, accessing, or utilizing the Lunasessions App or its associated Services, the User hereby acknowledges and affirms, without reservation or qualification, that the User has: Duly read, fully comprehended, and unequivocally understood all provisions contained within this Policy. Expressly agreed to abide by and be bound to the Terms of Service associated with the Service. Provided express, informed, and unequivocal consent to the Company’s practices concerning the collection, processing, retention, and dissemination of data as stipulated herein. Section 3.02. International Access and Jurisdictional Compliance In the event a User accesses the Services from a jurisdiction outside the territorial limits of the Republic of India, such User shall bear the sole and exclusive responsibility for ensuring complete compliance with all applicable local, regional, and national laws. If the User's local jurisdiction imposes a prohibition upon the access or utilization of the Lunasessions App, the User must immediately cease and desist from all further usage. Section 3.03. Policy Amendment and Continued Usage Stipulation The Company explicitly reserves the right, in its sole and absolute discretion, to modify, amend, or substitute any provision of this Policy at any time and without prior notice. Continued use of the App subsequent to the posting of any modifications shall constitute the User’s acceptance of the revised terms. Users are strongly advised to undertake a periodic review of this Policy. In the event of disagreement with any revised terms, the User’s sole recourse shall be the immediate cessation of use of the Lunasessions App and all associated Services. Section 3.04. Explicit Consent Actions The User grants explicit, unambiguous consent for the processing of data by performing any of the following affirmative actions: completing onboarding documentation; submitting one-time password (OTP) verification codes; responding affirmatively to system notifications, SMS, or other electronic messages; or voluntarily transmitting Personal Information. Section 3.05. Third-Party Data Warranties Should the User submit information pertaining to any third party, the User hereby warrants and represents that they possess the requisite proper authorization and corresponding consent from such third party to share that data with the Company.ARTICLE IV. INFORMATION COLLECTION, UTILIZATION, AND HANDLING Section 4.01. Categories of Information Collected The Company gathers several distinct categories of information, necessary for the provision and optimization of the Lunasessions Service: A. Information Provided Directly by the User: This data is furnished proactively by the User: Registration Data: Includes the User’s phone number (verified via OTP), full legal name, declared gender, city of residence, and electronic mail address (where collected). Contact Information: Encompasses voluntarily shared contact details, and, upon explicit User permission, access to the User’s device address book or contact lists for the purpose of facilitating connections with other Users within Lunasessions. Profile and Communicative Content: Includes profile pictures or photographic images (which are viewable by other Users), uploaded content, associated metadata, and all intra-App communications and messaging. B. Information Automatically Collected via the App: This data is gathered through technological means during the operation of Lunasessions: Usage Analytics: Detailing App features utilized, actions performed, content types viewed, interaction patterns, subscription and service plans, and records of profile visits (both the User’s and those visited by the User). Technical Information: Encompassing details of the User's computing device (make, model, operating system), browser user agent, Internet Protocol (IP) address, server logs, cookies, Uniform Resource Locator (URL) information, timestamps, and dates of download or reinstallation. Behavioral Data: Including metrics related to follows, reactions, time expended on the App, chat requests, conversations, internal browsing history, and real-time location information (subject to the User’s explicit permission). C. Third-Party Tracking and Ancillary Technologies: The Company employs technologies to enhance and facilitate the Service: Cookies and Equivalent Technologies: We utilize cookies for the express purpose of enhancing the User's navigational experience and compiling aggregated usage statistics. Software Development Kits (SDKs): The Lunasessions App incorporates proprietary and third-party SDKs for functions including: payment processing mechanisms, enhancement of the overall user experience, and comprehensive analytics and performance monitoring. Location Services: Subject to the User’s express device permission, location data may be collected to facilitate location-based services, including but not limited to targeted advertising and the provision of customized content. Section 4.02. Sensitive Personal Data or Information (SPDI) Protocol The Company reserves the right to collect Sensitive Personal Data or Information (SPDI), as such term is defined under the SPDI Rules, which may comprise: passwords; financial account information (including bank account details, payment card data, and Unified Payments Interface (UPI) particulars); records pertaining to health conditions and medical histories; biometric identification data; information regarding gender and sexual orientation; telephonic contact numbers and associated contact lists; and residential address information. Section 4.03. Inadvertent Data Collection Disclaimer Important Notice: Due to the inherently interactive and dynamic nature of the Services provided through Lunasessions, the User is hereby notified that the User may inadvertently provide, or the Company may inadvertently collect, information capable of identifying the User or other parties during the course of App browsing or Service utilization.ARTICLE V. DATA USAGE, SHARING, AND DISCLOSURE Section 5.01. Purpose of Information Utilization The Company shall collect and utilize information in strict conformity with the following defined purposes for the operation of the Lunasessions App: A. Core Service Provision and Operational Efficacy: This includes, without limitation: fulfilling requests for products and Services via Lunasessions; maintaining operational stability; processing purchases and managing delivery logistics; and developing algorithms, rating systems, and recommendation engines. B. Legal, Safety, and Auditing Compliance: This encompasses strict adherence to all applicable statutes and regulations; execution of comprehensive audits and quality control processes; investigating, preventing, or addressing unlawful activities, suspected fraudulent acts, threats to safety, or violations of this Policy or the Terms of Service. C. Communication, Notification, and Customer Relations: This involves engaging Users regarding purchases, providing customer service resolution, communicating notifications regarding promotions or App updates, and soliciting feedback on existing or future services. D. Automated Personalization and Tracking: The use of collected data to personalize the Service by retaining User information (eliminating redundant data entry) and tracking aggregate usage metrics and activity records within Lunasessions. E. Research and Business Development: The collection, analysis, and publication of de-identified information (which may originate from Personal Information or SPDI) for any permissible business or research purpose, including marketing initiatives. Section 5.02. Authorized Data Sharing and Dissemination The Company shall only share Personal Information with Authorized Third Parties that demonstrably implement security measures and privacy policies deemed to be equally or more protective than those contained herein. A. Service Partners: Sharing is permissible with retail merchants, logistics and delivery service providers, payment gateways, financial institutions, and technical service providers necessary for the functioning of Lunasessions. B. Corporate Operations: Information may be shared with affiliated entities and group companies within the Sevencircle Innovations LLP ecosystem, analytics and advertising partners, and recipients of corporate assets in the context of mergers, acquisitions, or asset transfers. Section 5.03. Disclosures Mandated by Law and Corporate Transactions The Company reserves the right to disclose Personal Information without obtaining prior User consent when required by law or upon the good faith belief that such disclosure is strictly necessary to: comply with judicial processes or court orders; prevent criminal activities; protect national security; or enforce and protect the rights, property, and business interests of the Company. Information may also be transferred during company mergers, acquisitions, or corporate restructuring, provided that appropriate privacy safeguards are formally instituted.ARTICLE VI. USER RIGHTS AND DATA MANAGEMENT Section 6.01. Comprehensive User Rights under Data Protection Statutes In strict accordance with Sections 11, 12, 13, and 14 of the DPDP Act, the User is statutorily entitled to the following rights concerning the information maintained by the Company: Right of Access: The right to obtain comprehensive details regarding the Personal Information held by the Company and the particulars of its processing, and a list of all third parties to whom such information has been disclosed. Right of Correction: The right to formally request the correction, amendment, update, or modification of any inaccurate Personal Information. Right of Erasure (Right to Be Forgotten): The right to request the cancellation or erasure of Personal Data that is deemed inadequate, excessive, or no longer necessary for the original collection purpose; this right is subject to prevailing lawful processing requirements and legal retention prescriptions. Right of Objection: The right to withdraw consent for the continued processing of information at any time, subject only to the Company's demonstration of legitimate, overriding reasons for continued processing. Right to Data Portability: The right to request the transmission of Personal Data to another service provider in a machine-readable format, constrained by extant technology and resource limitations. Right of Nomination: The right to formally nominate an individual authorized to exercise the User’s rights in the event of the User’s death or incapacitation, pursuant to the provisions of the DPDP Act. Section 6.02. Exercise of Rights and Grievance Redressal A User may exercise these rights by completing the designated Grievance Form or by submitting a written request, subject to the Company’s internal procedures and legal requirements. The User possesses the right to report any impediments encountered in exercising these rights using the Company’s established grievance mechanisms. The Company endeavors to achieve resolution of all grievances within the timelines legally prescribed. Grievance Officer Contact Details: Vishal Raju Sharma LIGHTBRIDGE, HIRANANDANI BUSINESS Mumbai, Sakinaka Police Station Mumbai, Mumbai - 400072, Maharashtra, India Landmark: HIRANANDANI BUSINESS Email: grievance.officer@lunasessions.com ARTICLE VII. DATA SECURITY, RETENTION, AND LIMITATIONS Section 7.01. Technical and Organizational Security Protocol The Company implements technical and organizational security measures commensurate with the assessed levels of risk, giving due consideration to the state-of-the-art technologies, implementation costs, and the inherent nature and scope of data processing. Personal data is encrypted both during transmission between the User’s device and Our systems (in motion) and during storage (at rest). Section 7.02. Account Protection and User Responsibility The User shall bear responsibility for safeguarding their account from unauthorized access, maintaining the confidentiality of their password, and logging out of Lunasessions after use. The User must immediately report any suspected unauthorized account use. The Company hereby expressly disclaims all responsibility for losses arising from unauthorized use of the User's account or password. The User agrees to indemnify the Company for any financial losses resulting from such unauthorized usage. Section 7.03. Data Retention and Deletion Stipulations A. Retention Framework: Personal Information and SPDI are retained for predetermined periods based on statutory/legal mandates (especially the Intermediary Rules, 2021), industry guidelines, and for the preservation of de-identified or pseudonymized datasets necessary for scientific, statistical, or historical purposes. B. Deletion Procedures: Upon User request, the Company shall delete information; however, certain data may be archived or retained for compliance with legal prescriptions. The Company maintains automated safeguards for deletion/anonymization when collection purposes are fulfilled or retention is no longer legally required. C. App Uninstallation Limitation: The uninstallation of the Lunasessions App from a device does not constitute or automatically trigger the deletion of Personal Information or SPDI from the Company's servers.ARTICLE VIII. MISCELLANEOUS PROVISIONS Section 8.01. Age and Minor Protection Restrictions The Lunasessions App is restricted exclusively to individuals who possess the requisite legal capacity to enter into binding contracts, as stipulated by the Indian Contract Act, 1872. The Company employs security and processing measures to verify age and restrict access by minors. If a parent or legal guardian discovers a child under the age of 18 has created an account without permission, they are directed to contact the Grievance Officer for the removal of the minor’s Personal Information. Section 8.02. Limitation of Liability and User Indemnification The Company shall not be held liable for security breaches, unauthorized data access, or other third-party actions beyond its reasonable control, including but not limited to, acts of government, computer hacking, or poor internet service quality. The User explicitly agrees to indemnify and compensate the Company for any and all third-party claims or disputes arising from: the User’s disclosure of information to third parties via Lunasessions; or the User’s access and utilization of third-party websites or resources. Section 8.03. Severability and Policy Construction Each clause, section, and provision of this Policy is hereby deemed distinct, independent, and severable. The finding of nullity, invalidity, or avoidance of one or more sections shall not, in any manner, impair or impact the enforceability or validity of the remaining provisions. Section 8.04. User Acknowledgement of Risk The User acknowledges and understands that the Company cannot guarantee that Personal Information or SPDI shall never be disclosed in manners not explicitly set forth herein. Notwithstanding the Company's commitment to robust privacy protection, absolute guarantee that information or private communications will perpetually remain private cannot be offered. The User hereby accepts sole responsibility and liability for the utilization of the Lunasessions App and all associated online behavior. Last Updated: 15 May, 2026