DATA PROTECTION POLICY

Mankara Technologies Ltd., (“we,” “us”, or “our”) is committed to protecting the privacy of all

individuals whose personal data we process, in particular our employees, contractors, and other

personnel. This Data Protection Policy (“Policy”) has been developed in accordance with the DIFC

Data Protection Law 2020 (“the Law”) to govern how we collect, process, use, disclose, and secure

Personal Data in the context of staff administration and internal operations.

This Policy explains how we handle Personal Data in the course of administering employment

relationships and performing our HR, compliance, and operational functions. It also outlines your rights

regarding your Personal Data and how you can exercise them.

We encourage you to review this Policy carefully. It may be updated periodically to reflect changes in

law or internal practices. Any material updates will be communicated internally.

For the purposes of this Policy, “Personal Data” means any information relating to an identified or

identifiable natural person. “Data Subject” refers to individuals whose data we collect, including

employees, job applicants, consultants, interns, and former employees. References to “you” or “your”

in this Policy refer to such Data Subjects.

1. Collection and Processing of Personal Data

We collect and process Personal Data strictly for employment and staff administration purposes, in line

with applicable laws and our contractual obligations. The categories of data we may collect include:

• Identification and contact details (e.g., name, title, personal email, phone numbers, residential address);

• Employment and professional data (e.g., designation, work history, qualifications, performance

reviews, disciplinary records);

• Government-issued identification (e.g., passport, visa, Emirates ID);

• Bank and payroll details;

• Emergency contact and next-of-kin information;

• Leave, attendance, and benefits records;

• Data where necessary to comply with employment laws or company policy (e.g., fitness for duty, sick

leave);

• Device and system usage data when accessing company systems, including login records and internal

communication logs.

Such Personal Data is collected directly from employees or through authorized third parties for lawful

business purposes, including recruitment, employment administration, benefits management,

compliance, internal audits, grievance redressal, and statutory obligations.

2. Purpose of Data Processing

We process Personal Data solely for legitimate employment and compliance-related purposes, including

but not limited to:

• Recruitment, onboarding, and verification of background and qualifications;

• Staff administration, payroll, performance management, training, and development;

• Administration of benefits, leave, and entitlements;

• Safety monitoring and compliance;

• Compliance with applicable labor, tax, and regulatory requirements;

• Investigations of employee misconduct, disciplinary procedures, or legal claims;

• Internal audits and reviews to ensure workplace integrity and data security.

3. Data Sharing and Transfers

We do not currently share Personal Data outside our organisation with any external entities except our

affiliates strictly in compliance with applicable regulation.

We may share data internally among authorized departments strictly on a need-to-know basis. Personal

Data may also be disclosed to legal or regulatory authorities if required by applicable law.

We do not transfer personal data outside the jurisdiction. All processing of personal data is conducted

within the applicable legal territory.

4. Data Retention and Security

We shall retain Personal Data only for as long as necessary to fulfil employment-related purposes or

comply with legal and regulatory obligations.

Retention periods will be determined in accordance with applicable statutory limits and legitimate

business needs. For example, payroll records will be retained for six (6) years following termination of

employment as required under the DIFC Employment Law, DIFC Law No. 2 of 2019 (as amended) or

as otherwise required under applicable law. Personal Data not subject to statutory retention obligations

will generally be retained until termination of employment or for applicable limitation periods.

We maintain a comprehensive electronic record of processing activities in accordance with the Law.

This includes details of the categories of data subjects and personal data, processing purposes,

recipients, and security safeguards. These records are periodically reviewed and updated to reflect

ongoing processing activities.

We implement appropriate technical and organizational measures to ensure compliance with our

obligations under the Law, including accountability, data protection impact assessments, and cessation

of processing.

These measures include:

• Pseudonymization and encryption where feasible;

• Role-based access controls for HR systems;

• Integration of data protection principles into all new HR processes and systems;

• Regular data protection impact assessments (DPIAs) where high-risk processing is identified;

• Ongoing training, documentation, and governance measures to ensure and demonstrate compliance with

applicable data protection principles.

In the event of a Personal Data Breach, we shall notify the DIFC Commissioner within 72 hours. Where

the breach is likely to result in a high risk to the rights and freedoms of affected Data Subjects, we shall

also notify such Data Subjects without undue delay.

5. Your Rights as a Data Subject

As a Data Subject, you have the following rights concerning the processing of your Personal Data,

subject to applicable data protection laws and regulations:

• Right to be informed about the collection, processing, storage, and sharing of your Personal Data;

• Right to access your Personal Data and obtain a copy in a structured, commonly used, and machine-

readable format;

• Right to request correction of inaccurate, incomplete, or outdated data;

• Right to request deletion of your Personal Data, subject to legal exceptions;

• Right to object to certain processing activities;

• Right to request restriction of processing under specified conditions;

• Right to withdraw consent for processing of Personal Data at any time, without affecting the lawfulness

of processing based on prior consent;

• Right to receive a response within thirty (30) days to rights requests, extendable where justified;

• Right to file a complaint with the DIFC Commissioner of Data Protection.

No fees will be charged for a data subject’s requests unless requests are manifestly unfounded or

excessive.

6. Privacy by Design and Default

We adopt privacy by design and default principles, including:

• Pseudonymization and encryption where appropriate;

• Role-based access controls;

• Integration of privacy into processes;

• DPIAs for high-risk processing;

• Limiting data to necessary purposes;

• Regular reviews of controls.

7. Contact Details

For privacy-related queries or to exercise your rights, contact us at:

Email: anil.b@hudini.io

Phone: +91 9972583197

8. Complaints

If you believe your rights have been infringed, you may lodge a complaint with the DIFC Commissioner

of Data Protection: https://www.difc.ae

MANKARA TECHNOLOGIES LTD.

Unit 208, Level-1, Gate Avenue, DIFC, Dubai, UAE, Reg No: CL3778