Staff App Privacy Policy

Privacy policy and confidentiality requirements for staff-side operational workflows

ZOKTO Staff App Privacy Policy

Effective Date: 18 March 2026

Overview

This ZOKTO Staff App Privacy Policy (“Policy”) explains how personal data and operational information are collected, used, stored, accessed, and protected in connection with the ZOKTO Staff App. This Policy is written for internal operational use and is designed to reflect the heightened confidentiality and access-control requirements applicable to staff-side operations.

Scope, Roles, and Who We Are

1.1 Who this Policy applies to

This Policy applies to the following users of the ZOKTO Staff App (“Staff App”): (a) authorised staff-side operational users, including Operations Staff, Supervisors, and other authorised internal operational users who access the Staff App under role-based permissions (“Staff Users”); and (b) Operations Staff applicants, Supervisor applicants, and other applicants who use any in-app apply or onboarding flow offered within the Staff App (“Applicants”).

1.2 What the Staff App is (and is not)

(a) The Staff App is a role-based internal/operational application intended for authorised internal use for workflow execution, request handling, queue management, escalations, and operational support. (b) The Staff App is not a patient or consumer app, not a doctor app, not a public-use app, and not the ZOKTO Partner App. (c) This Policy is a staff-side operational privacy policy. It is not a patient privacy policy and does not describe clinical care privacy practices. It is not a doctor privacy policy and does not govern doctor-facing tools. It is not the Partner App privacy policy and does not apply to partner-side accounts or partner-side workflows.

1.3 Who we are

(a) ZOKTO is a trademark/brand of VYSN Technologies Private Limited (“VYSN”, “we”, “us”, or “our”). (b) ZOKTO Healthcare Private Limited is a subsidiary of VYSN Technologies Private Limited. (c) Depending on operational, contractual, legal, or compliance context, certain ZOKTO services, notices, or support functions may also be issued, managed, or supported through ZOKTO Healthcare Private Limited.

1.4 Relationship to employment/engagement terms and internal policies

(a) Staff Users use the Staff App only as part of authorised work functions and are bound by applicable employment/engagement terms, internal confidentiality and information-security obligations, and operational policies. (b) This Policy operates alongside those obligations. Where internal policies impose stricter requirements, the stricter requirements apply. (c) Applicants should read this Policy before submitting an application. Application submission does not create an employment relationship or guarantee activation.

1.5 Key definitions used in this Policy

(a) “Personal Data” means data about an identified or identifiable individual, including Staff Users, Applicants, patients/customers, partner personnel, and other persons whose information appears in operational workflows. (b) “Sensitive Operational Information” means healthcare-adjacent, patient/customer-linked, or otherwise sensitive workflow information accessed or processed through the Staff App, including health-related details, reports/status details, and operational notes (whether or not such data is classified as sensitive under law). (c) “Operational Records” means records created or maintained for operating services, including assignments, queues, escalations, audit trails, and workflow logs.

Information We Collect and Receive in Staff Workflows

Because the Staff App supports internal operations, the kinds of information handled through the Staff App can be broader than information visible to partner-side users. All access is still role-based, purpose-limited, and subject to audit controls.

2.1 Staff User account and identity information

We collect and process information necessary to create, manage, and secure Staff User access, such as name, phone number, email address (where applicable), staff identifier/employee code (where applicable), role designation, reporting structure (where applicable), and account status.

2.2 Work allocation, role, and operational permissions information

We process information about role-based permissions, queues assigned to you, geographic/service-area mappings (where applicable), supervisor mappings, task history, assignment/reassignment details, acknowledgements, completion status, exceptions, and escalations.

2.3 Applicant information collected through apply and onboarding flows

Where the Staff App includes an apply lane, we may collect and process: (a) contact details (such as phone number and, where provided, email address); (b) verification information (such as OTP-based phone verification); (c) application details (such as name, location, preferred role, availability, experience, and other details submitted as part of an application); (d) documents and uploads (such as ID proof, address proof, photographs/selfies, certificates, references, or other onboarding documents where required for the role); (e) interview or screening inputs, application review status, and onboarding progress state; and (f) draft application inputs if the Staff App allows saving application progress before submission.

2.4 Patient/customer and request/workflow information visible in staff operations

Depending on your job function, the Staff App may display, collect, and process operational workflow information connected to requests and fulfilment, including: (a) request identifiers, timestamps, status, and fulfilment milestones; (b) patient/customer details necessary for operations, such as name, phone number, address, locality, and service instructions; (c) partner-facing workflow details needed for coordination, such as assigned pharmacy/lab/partner identifiers, contact or coordination details, pickup/drop details, and time windows; (d) report-linked status information where relevant to operations (for example, operational indicators that a report is pending, delivered, or requires follow-up); and (e) exception handling details, including cancellation reasons, rescheduling, failed-attempt reasons, and correction history.

2.5 Internal notes, workflow notes, and audit notes

Staff operations require documented context. The Staff App may allow creation and viewing (subject to role permissions) of: (a) internal operational notes attached to tasks/requests; (b) workflow correction notes (including address/location correction notes); (c) escalation notes and resolution traces; and (d) compliance or audit notes used to maintain service integrity.

2.6 Communications and support interactions

We process information related to operational communications initiated through or associated with the Staff App, such as in-app messages, support tickets, helpdesk interactions, resolution notes, and communications metadata required for operational continuity.

2.7 Device, app, network, and security information

To secure internal access and protect sensitive operational information, we collect and process technical and security-related information, such as device identifiers, device model, operating system version, app version, IP address, network type, time zone, language, session identifiers, authentication events, access logs, crash logs, diagnostics logs, and security signals.

2.8 Location information

Where enabled and permitted by device settings and role requirements, we collect and process location data to support operational functions such as assignment, service-area verification, field coordination, fraud/misuse detection, and safety-related operational checks. Location collection is designed to be role-appropriate and purpose-limited.

2.9 Uploads and operational documents

Staff Users and Applicants may upload documents or images through the Staff App. These may include onboarding documents (for Applicants) and operational documents (for Staff Users), such as proof-of-completion images, exception documentation, or other workflow-related files where enabled.

2.10 Information received from other systems and workflow participants

We may receive and display information in the Staff App that originates from other ZOKTO systems (including internal admin tools), partner systems, service participants (such as partner entities involved in fulfilment), and operational service providers, to the extent required to operate workflows.

How We Receive Information

3.1 Information you provide directly

(a) Staff Users provide information when signing in, completing tasks, submitting notes, uploading files, raising escalations, or requesting corrections. (b) Applicants provide information when using the apply/onboarding lane, submitting documents, and completing verification steps.

3.2 Information generated during operations

The Staff App generates operational records when tasks are created, assigned, actioned, escalated, corrected, or closed. This includes internal notes, status changes, and workflow history.

3.3 Information collected from your device and app environment

We receive information from device permissions you enable (such as camera, location, storage access) and from app-level signals necessary for security and performance.

3.4 Information received from other internal systems and authorised participants

We receive workflow information from internal systems and from authorised workflow participants (for example, partner entities involved in fulfilment) as part of operational coordination.

How We Use Information in Staff Operations

We use Personal Data and Operational Records only for defined operational purposes, consistent with role-based access, purpose limitation, and confidentiality obligations.

4.1 Account creation, authentication, and access management

To create and manage Staff User access, authenticate users, enforce role permissions, manage passwords/OTP, and administer access changes, suspensions, or deactivations.

4.2 Task queues, request management, and workflow handling

To display and manage assignment queues, enable task acceptance and completion, manage SLA/priority handling, and maintain operational continuity.

4.3 Escalations, support, and exception handling

To identify exceptions, raise escalations, coordinate resolution, and document outcomes, including internal review trails and corrective steps.

4.4 Corrections, updates, and address/location correction workflows

To process operational corrections (such as address corrections, scheduling corrections, and other workflow corrections), track correction history, and prevent repeated errors.

4.5 Assignment and reassignment

To allocate work based on operational rules and role requirements, reassign tasks to maintain service continuity, and support supervisor oversight.

4.6 Partner/pharmacy/lab/participant coordination

To coordinate fulfilment with relevant partner entities and workflow participants where required to complete services, resolve exceptions, and maintain accurate status.

4.7 Quality review, compliance review, and service integrity

To conduct internal quality checks, operational audits, training needs assessment, compliance review, and process improvement, including review of operational notes and resolution traces where authorised and necessary.

4.8 Security monitoring and misuse detection

To maintain security of internal access, prevent unauthorised browsing and data misuse, detect policy violations, investigate incidents, and support disciplinary or legal action where warranted.

4.9 Applicant evaluation and onboarding administration

For Applicants, to verify contact details, assess applications, conduct screening and onboarding steps, maintain application status, and administer activation/approval processes. Approved Applicants may later be converted into Staff Users, and additional data may be collected during onboarding as required for operational roles.

4.10 Operational communications

To send task alerts, operational notifications, supervisory messages, and support communications. This includes push notifications where enabled and operationally required.

5.1 Role-based access and least-privilege principles

(a) Access to Personal Data and Sensitive Operational Information is controlled through role-based access controls. (b) Access is provided on a need-to-know basis to perform assigned operational responsibilities. (c) We maintain auditability of access and key actions (including viewing, editing, note creation, uploads, assignment, and escalation actions) to support accountability.

5.2 Internal access within authorised teams

Information processed through the Staff App may be accessible (as permitted by role and operational need) to authorised internal teams, including operations teams, supervisors, admin teams, compliance teams, quality teams, customer support teams, and technical support/security teams.

5.3 Supervisor oversight

Supervisors may have visibility into queue performance, task history, escalations, and resolution traces for oversight and quality/compliance purposes. Supervisor access remains purpose-limited and subject to audit.

5.4 Sharing with relevant workflow participants

Where necessary to fulfil a request or resolve an exception, certain information may be shared with relevant partner entities and workflow participants (such as partner pharmacies, laboratories, logistics participants, or other authorised service participants). Sharing is limited to what is operationally necessary.

5.5 Service providers under controls

We may engage service providers to support app functionality and operations (for example, hosting, security monitoring, OTP delivery, customer support tooling, and system maintenance). Service providers are required to process information under contractual duties of confidentiality, security safeguards, and purpose limitation.

5.7 Corporate structure and operational support

Depending on operational, contractual, legal, or compliance context, certain ZOKTO services, notices, or support functions may also be issued, managed, or supported through ZOKTO Healthcare Private Limited. Internal sharing within the corporate group is limited to operational need and governed by confidentiality and security controls.

5.8 No commercial sale of personal data

We do not sell Personal Data collected or processed through the Staff App as a commercial product.

India-Only Storage, No Cross-Border Transfer, and Sensitive Data Protection

6.1 India-only storage and processing as a core operating principle

We operate the Staff App with India-only storage and processing as a core operating principle. Personal Data and Operational Records processed through the Staff App are stored and processed on systems located in India as part of normal operations.

6.2 No routine cross-border transfer

The Staff App is not designed with routine cross-border transfers as part of normal operations. If an exceptional cross-border transfer is required for a specific lawful or technical necessity (for example, an urgent security incident, legal requirement, or a narrowly necessary support function), we will take reasonable steps to ensure appropriate safeguards and compliance with applicable law.

6.3 Strict handling of healthcare-adjacent and sensitive operational information

(a) Staff Users may have access to Sensitive Operational Information as part of internal operations. This information is treated as highly confidential. (b) Additional controls may be applied to such information, including role restrictions, limited visibility views, masking where appropriate, heightened monitoring, and stricter audit trails.

6.4 Purpose limitation and data minimisation

We design workflows so that Staff Users access only what is required for operational tasks. We collect and process information in a manner intended to be proportionate to operational needs.

6.5 Access monitoring and auditability

We implement access logging and monitoring to support accountability and to investigate misuse, security events, and policy violations.

Device Permissions, Operational Records, and Misuse Controls

7.1 Permissions used by the Staff App

Depending on role and enabled features, the Staff App may request: (a) Camera access: to capture onboarding documents, selfies (Applicants), or operational proof uploads (Staff Users), where enabled; (b) Storage/media access: to upload documents and images where enabled; (c) Location access: to support assignment, service-area checks, and operational integrity where enabled; (d) Notifications: to deliver task alerts and operational communications; and (e) Network access: to connect securely to operational systems. You can control certain permissions through device settings. Some permissions are necessary for core operational functions; disabling them may limit functionality or prevent completion of required workflows.

7.2 Operational logging, session logging, and security monitoring

(a) We maintain operational logs and session logs to secure access, detect suspicious activity, and support audits and investigations. (b) We may apply automated security checks, including detection of abnormal access patterns, repeated failed authentication, or other indicators of misuse.

7.3 Confidentiality and acceptable-use obligations for Staff Users

Staff Users must treat all Personal Data and Sensitive Operational Information accessed through the Staff App as strictly confidential and internal-use only. In addition to employment/engagement obligations, the following controls apply: (a) No unauthorised browsing: do not access records, requests, or profiles without a legitimate work purpose and role permission. (b) No off-platform use: do not copy, export, or transfer information to personal notes, personal messaging apps, personal email, or external storage. (c) No personal use: do not use patient/customer/partner information for any personal purpose. (d) No bypass: do not attempt to bypass role restrictions, access controls, or security features. (e) No misuse of internal notes: do not create, share, or retain internal notes for any purpose outside legitimate operational work.

7.4 Screenshots, recordings, and external sharing restrictions

(a) Capturing screenshots, screen recordings, or photographs of the Staff App content is prohibited unless explicitly authorised for a defined operational purpose and in accordance with internal policy. (b) Sharing any Staff App content externally (including with unauthorised persons) is prohibited. (c) Unauthorised disclosure of Sensitive Operational Information can result in disciplinary action, account deactivation, and legal action.

7.5 Device and account security expectations

(a) Staff Users must take reasonable steps to secure devices used to access the Staff App, including using device locks and avoiding use on compromised devices. (b) Staff Users must not share login credentials, OTPs, or access methods. (c) If you suspect your account is compromised, you must report it promptly through internal reporting channels or by using the contact details in Section 13.

7.6 Reporting incidents and suspected misuse

If you become aware of suspected unauthorised access, data leakage, misuse of records, or security incidents, you must report it promptly. We may investigate incidents using audit logs and security records.

Data Retention and Security

8.1 Retention principles

We retain Personal Data and Operational Records only for as long as necessary for defined operational purposes, legal and regulatory compliance, dispute management, security, and auditability.

8.2 Typical retention periods

Retention varies by data type and role context. As a general operational approach: (a) Staff User account and role records: retained for the duration of employment/engagement and thereafter for a period necessary to meet audit, compliance, security, and dispute-management needs. (b) Operational Records (including task history, queues, escalations, and operational notes): retained for periods necessary to maintain service integrity, audits, compliance review, and dispute handling. (c) Security logs and session records: retained for security monitoring and investigations for a limited period appropriate to security and audit needs. (d) Applicant data: retained for recruitment/onboarding administration and related compliance needs. If an Applicant is not activated, we retain Applicant data for a reasonable period to complete recruitment administration, respond to disputes, and meet legal requirements, after which it is deleted or de-identified where feasible. If an Applicant is activated, relevant onboarding data may form part of Staff User records.

8.3 Deactivation, deletion, and archival

(a) Staff User accounts may be deactivated on role change, termination, or for security/compliance reasons. (b) Deactivation does not automatically delete Operational Records where retention is required for auditability, legal compliance, or dispute handling. (c) We apply deletion, de-identification, or archival processes as appropriate to the data type and purpose.

8.4 Security safeguards

We implement reasonable administrative, technical, and organisational safeguards designed to protect information processed through the Staff App, including access controls, authentication controls, encryption in transit, monitoring, and audit logging. No system can be guaranteed to be completely secure; however, we maintain security practices designed to reduce risk and respond to incidents.

8.5 Security incidents

If a security incident affecting information processed through the Staff App is identified, we take steps to assess impact, contain the incident, and implement remedial actions consistent with applicable law and internal security procedures.

Choices, Rights, Correction Requests, and Grievance Handling

9.1 Operational corrections within staff workflows

(a) Staff Users must use authorised correction workflows (such as address/location correction, status correction, and escalation channels) when correcting operational records. (b) Unauthorised edits or informal off-platform corrections are not permitted.

9.2 Applicant choices and updates

Applicants may update certain application details during the application process (where enabled). If you wish to withdraw an application or request deletion of certain application data, you may contact us using the details in Section 13, subject to verification and applicable legal/operational retention requirements.

9.3 Requests relating to personal data

Subject to applicable law, verification, and operational constraints, Staff Users and Applicants may request: (a) access to certain Personal Data we hold about them; (b) correction of inaccurate Personal Data about them; and (c) deletion of Personal Data about them, where deletion is not restricted by legal, security, or operational retention requirements. To request the deletion of your account and associated data, please email our support team at support@zokto.in. We will process your request and delete all identifiable data within 90 days, except where retention is legally required for compliance, auditability, fraud prevention, dispute handling, or lawful requests.

9.4 Limits on requests

(a) We may refuse or limit requests where necessary to protect the confidentiality of Sensitive Operational Information, protect other individuals’ data, maintain system security, prevent fraud/misuse, meet legal obligations, or preserve records required for audits and disputes. (b) For Staff Users, certain records may be retained as part of operational and audit systems even after role changes or deactivation, where retention is required.

9.5 Grievance handling

If you have a privacy concern, a complaint, or a grievance relating to the Staff App, you can contact us using the details in Section 13. We will review and respond within a reasonable period and, where required by applicable law, within prescribed timelines.

Children and Unauthorised Users

10.1 Children

The Staff App is intended only for adults engaged in authorised operational roles or applying for such roles. The Staff App is not intended for children. If you are under 18 years of age, do not use the Staff App or submit an application through it.

10.2 Unauthorised use

If you are not authorised to use the Staff App, you must not access or use it. We may suspend or disable access where we detect unauthorised use, suspicious activity, or policy violations.

Changes to This Privacy Policy

We may update this Policy to reflect operational, legal, security, or service changes. The updated Policy will be made available through the Staff App or other appropriate channels. Continued use of the Staff App after the Effective Date of an updated Policy indicates acceptance of the updated Policy, to the extent permitted by law and consistent with employment/engagement obligations.

Final Clarification on Sensitive Data Handling

12.1 Internal operational handling of sensitive information

The Staff App can display or process Sensitive Operational Information, including healthcare-adjacent information and patient/customer-linked workflow details, solely for operational coordination and service integrity. Staff Users must handle all such information with strict confidentiality, access it only for legitimate work purposes, and follow internal policies and instructions.

12.2 Prohibited conduct

Unauthorised disclosure, unauthorised browsing, copying, photographing, exporting, retaining, or sharing of Sensitive Operational Information is prohibited. Violations can result in immediate access revocation, disciplinary action, and legal consequences.

Company Details

VYSN Technologies Private Limited
7-1/99, 6 58, Sai Prabhat Nagar, Temple City, Trunk Road (Khammam), Khammam (Urban), Khammam – 507003, Telangana, India
Email: info@vysn.in
CIN: U62099TS2025PTC198900

ZOKTO Healthcare Private Limited
7-1/99, 6-58, Sai Prabhat Nagar, Temple City, Trunk Road (Khammam), Khammam (Urban), Khammam – 507003, Telangana, India
Email: info@zokto.in
CIN: U62099TS2025PTC206004