1. Preliminary

This Cookie Policy (“Policy”) is issued by Bharat BrandDShala LLP (“the Company,” “the Data Fiduciary”) in discharge of its statutory obligations as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (No. 22 of 2023) (“DPDPA”), the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), the Information Technology Act, 2000 (“IT Act”) as amended by the Information Technology (Amendment) Act, 2008, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).

This Policy governs the deployment, operation, and management of cookies and analogous tracking technologies on the Website(s) operated by the Company, namely bharatbranddshala.com and its subdomain grow.bharatbranddshala.com (collectively, “the Website”). This Policy is supplemental to, and shall be read conjunctively with, the Privacy Policy published on the Website.

Access to or continued use of the Website shall constitute acknowledgment by the Data Principal of the practices described herein.

2. Definitions

For the purposes of this Policy, the following expressions shall bear the meanings assigned to them hereunder, unless the context otherwise requires:

“Cookie” shall mean a small text file placed on a Data Principal’s device by a web server upon access to the Website, retrieved by the server upon each subsequent visit, enabling session management, preference retention, and behavioural data collection.

“Data Fiduciary” shall have the meaning assigned to it under Section 2(i) of the DPDPA – an entity that determines the purpose and means of processing of personal data.

“Data Principal” shall have the meaning assigned to it under Section 2(j) of the DPDPA – the natural person to whom the personal data relates.

“Personal Data” shall mean any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDPA.

“Processing” shall have the meaning assigned to it under Section 2(x) of the DPDPA, and shall include collection, storage, use, sharing, disclosure, and deletion of personal data.

“Consent” shall mean free, specific, informed, unconditional, and unambiguous consent signified through a clear affirmative action, as required under Section 6 of the DPDPA.

“Third Party” shall mean any natural or legal person other than the Data Principal, the Company, or its processors.

3. Technologies Governed by This Policy

The following technologies, in addition to cookies strictly so called, are governed by this Policy:

Tracking Pixels and Web Beacons – Transparent image files, typically of 1×1 pixel dimensions, embedded within web pages or electronic communications, the loading of which signals to a server that a page has been accessed or a communication has been opened.

Local Storage – A client-side browser storage mechanism through which data is retained on a Data Principal’s device across browser sessions, independently of cookies.

UTM Parameters – Query strings appended to Uniform Resource Locators (“URLs”) for the purpose of attributing traffic to specific campaigns, referral sources, or marketing channels.

Social Plug-ins and Widgets – Interactive elements furnished by third-party platforms, including but not limited to Meta (Facebook and Instagram), LinkedIn, and YouTube, the loading of which may result in the independent collection of browsing data by such third parties.

Session Cookies shall be deleted automatically upon termination of the browser session. Persistent Cookies shall be retained on the device for a defined duration as specified in the Cookie Inventory at Clause 5 hereof, or until manually deleted by the Data Principal.

4. Legal Basis for Deployment

The deployment of cookies on the Website is predicated upon the following legal bases:

4.1 Strictly Necessary Cookies – Deployed on the basis of operational necessity and legitimate interest. Such cookies are indispensable to the functioning of the Website and cannot be disabled without materially impairing its operation. No separate consent of the Data Principal is sought or required for this category.

4.2 Analytics and Marketing Cookies – Deployed exclusively upon the prior, free, specific, informed, unconditional, and unambiguous consent of the Data Principal, in compliance with Section 6 of the DPDPA. Such cookies are disabled and blocked by default and shall not be activated until affirmative consent is expressed through the consent mechanism on the Website.

The Data Principal is entitled to withdraw consent at any time in the manner prescribed under Clause 6 hereof. Such withdrawal shall operate prospectively and shall not affect the lawfulness of processing undertaken prior thereto.

5. Consent Mechanism and Management

Upon initial access to the Website, a consent banner shall be presented to the Data Principal, offering the following options:

• Accept All – All categories of cookies, including analytics and marketing, shall be activated.
• Reject All – Only strictly necessary cookies shall be activated; analytics and marketing scripts shall remain blocked.
• Customise Preferences – Individual cookie categories may be enabled or disabled at the discretion of the Data Principal.

Analytics and marketing scripts – including Google Analytics 4 and Meta Pixel – shall remain blocked and shall not be loaded or executed prior to affirmative consent. Consent records, comprising the date, timestamp, and nature of consent expressed, shall be maintained by the Data Fiduciary for a period of 12 months.

Consent may be withdrawn, modified, or reviewed at any time through the Cookie Preferences mechanism accessible via the footer of the Website. Withdrawal of consent shall take effect from the date of such withdrawal and shall not render any prior processing unlawful.

6. Rights of the Data Principal

In accordance with Chapter III of the DPDPA, the following rights are available to a Data Principal in respect of personal data processed through cookies on the Website:

Right to Information (Section 11) – A Data Principal is entitled to seek information regarding the personal data processed about them, the purposes for which such processing is undertaken, and the identity of third-party recipients.

Right to Correction and Erasure (Section 12) – A Data Principal may request rectification of inaccurate or misleading personal data, or erasure of personal data where the purpose for which consent was given has been served or consent has been withdrawn.

Right to Grievance Redressal (Section 13) – Any grievance pertaining to this Policy or to the processing of personal data by the Data Fiduciary shall be addressed in the manner set out under Clause 11 hereof. Grievances shall be acknowledged within 48 hours of receipt and disposed of within 30 days thereof.

Right to Nominate (Section 14) – A Data Principal may nominate another individual to exercise rights on their behalf in the event of death or incapacity.

7. Opt-Out and Suppression Mechanisms

7.1 Google Analytics The Data Principal may suppress transmission of data to Google Analytics by installing the Google Analytics Opt-Out Browser Add-on, available at https://tools.google.com/dlpage/gaoptout. Alternatively, cookie preferences may be modified via the Cookie Preferences link in the Website footer.

7.2 Meta Pixel Ad preferences and data sharing with Meta Platforms Inc. may be managed through the Facebook Ad Preferences portal at https://www.facebook.com/adpreferences or through the Instagram application under Settings > Ads. Cookie preferences may additionally be modified via the Cookie Preferences link in the Website footer.

7.3 Browser-Level Controls Most commercially available browsers permit the management of cookies through their settings, including the blocking of all cookies, selective blocking of third-party cookies, and deletion of stored cookies. It is noted that disabling strictly necessary cookies may impair the functioning of the Website.

7.4 Do Not Track The Website does not presently process or give effect to “Do Not Track” signals transmitted by browsers, no uniform technical or legal standard for the recognition of such signals having been adopted. The consent mechanism described under Clause 6 constitutes the operative mechanism for the management of tracking preferences.

8. Third-Party Embeds and External Platforms

The Website may, from time to time, incorporate content embedded from third-party platforms, including YouTube, Instagram, Facebook, and LinkedIn. Upon the loading of such embedded content, the respective third-party platform may independently deploy cookies or tracking technologies on the device of the Data Principal.

Such third-party cookies are not within the governance of this Policy. The Data Fiduciary does not exercise control over, and accepts no liability for, any data collected by third parties through such embedded content. The Data Principal is advised to refer to the privacy and cookie policies of the relevant third-party platforms:

• Google / YouTube: https://policies.google.com/technologies/cookies
• Meta Platforms Inc.: https://www.facebook.com/policies/cookies
• LinkedIn Corporation: https://www.linkedin.com/legal/cookie-policy

9. Cross-Border Transfers

Cookies deployed through Google LLC and Meta Platforms Inc. may result in the transfer of personal data to servers situate outside the territory of India, including but not limited to the United States of America, Ireland, and Singapore. Such transfers are undertaken in accordance with the provisions of Section 16 of the DPDPA and any notifications issued by the Central Government thereunder designating countries or territories to which transfers are permissible. Where applicable, Standard Contractual Clauses recognised under applicable law are relied upon as supplementary safeguards.

10. Prohibition on Processing of Children’s Data

The Website and the programmes offered thereunder are directed exclusively at adult entrepreneurs, business owners, and aspiring founders. In compliance with Section 9 of the DPDPA, no behavioural tracking, targeted advertising, or processing of personal data of children (persons below 18 years of age) shall be undertaken through cookies or analogous technologies on the Website without verifiable parental consent.

In the event that personal data of a child is found to have been inadvertently collected, the Data Fiduciary shall cause such data to be deleted without undue delay upon being made aware thereof.

11. Data Minimisation and Retention

The principle of data minimisation, as embedded in the DPDPA, is adhered to – only such personal data as is necessary for the stated and consented purpose shall be collected through cookies. Personal data collected through cookies shall be retained for the duration specified in the Cookie Inventory at Clause 5, and shall thereafter be deleted or rendered anonymous.

12. Amendments

This Policy is subject to amendment at such times as may be necessitated by changes in applicable law, judicial or regulatory pronouncements, or the tracking practices adopted on the Website. Material amendments shall be notified to Data Principals via the cookie consent banner upon their next access to the Website. The “Last Updated” date at the head of this Policy shall at all times reflect the date of the most recent amendment. Continued access to the Website following notification of amendments shall be construed as acceptance of the revised Policy.