Privacy Policy

This Privacy Policy explains how Canvass Recruit, operated by 1990 Research Labs (the trading brand of Inaiya Vanigam Private Limited, “we”, “us”, “our” or “Canvass Recruit”), collects, uses, shares, retains and protects your Personal Data when you register as a Participant or take part in research Studies conducted through our platform.

It is issued in compliance with Section 5 of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) read with the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”). For the purposes of the DPDP Act, 1990 Research Labs is the Data Fiduciary.

This Policy applies to Participants and prospective Participants. It does not apply to (i) client enterprises who buy our research services, which are governed by separate commercial agreements and Data Processing Addenda; or (ii) employees and contractors of 1990 Research Labs.

If you do not agree with this Privacy Policy you should not register with Canvass Recruit, and if you have already registered you may withdraw consent under Section 6 below.

Words used in this Policy have the meanings given to them in our Terms & Conditions. In addition: “Personal Data” has the meaning given under Section 2(t) of the DPDP Act; “Data Principal” is you, the Participant; “Data Fiduciary” is 1990 Research Labs; “Data Processor” means any person who processes Personal Data on our behalf.

We collect the following categories of Personal Data:

• Identity and contact data: name, mobile number, email, date of birth, gender, city / state of residence, language preference.
• Demographic and profile data: age band, household composition, employment status, occupation, education, household income band, category interests, brand affinities and other panel profile information.
• Verification data: PAN (only where required for incentive payouts under Section 194R of the Income-tax Act, 1961), and other identity documents required for higher-value KYC.
• Payment data: UPI ID, bank account number, IFSC code or other payment method details required to remit Incentives. We do not store full card numbers.
• Study Response data: your responses to surveys; audio recordings and transcripts of AI-moderated voice interviews; video recordings (where you opt in); notes from human-moderated interviews. These may, depending on the Study, contain Personal Data including opinions on financial, health, political or religious matters where you choose to share them.
• Communications data: records of our communications with you (WhatsApp, SMS, email, phone calls), including call records and timestamps.
• Device, technical and usage data: IP address, device identifier, browser type, operating system, application version, time-zone, language, log files, pages or screens viewed, time spent, and crash data.
• Cookies and similar technologies: see Section 12 below.

We do not knowingly collect Personal Data from any person under 18. See Section 13.

We collect Personal Data:

• directly from you, when you register, complete profile fields, give consent for a specific Study, or participate in a Study;
• from your device automatically, through cookies, log files and SDKs when you visit our website or use our application;
• from third-party sources, including (i) WhatsApp Business Solution Providers when you opt in via WhatsApp; (ii) Meta and other advertising platforms when you click on a Canvass Recruit recruitment ad that lands on WhatsApp; and (iii) where applicable, Clients who legitimately supply lists of their own users with prior Participant consent for the purpose of a specific Study.

We process your Personal Data for the following purposes, each tied to a lawful basis under the DPDP Act:

• To register and manage your panel membership — Section 6 (consent).
• To invite you to Studies, qualify you for Studies, and conduct Studies (including AI-moderated voice interviews, surveys and human-moderated interviews) — Section 6 (consent).
• To pay Incentives and meet related tax obligations, including deduction of tax at source under Section 194R of the Income-tax Act, 1961, and issuance of certificates such as Form 16A — Section 7(b) (compliance with law).
• To communicate with you about Studies, Incentives, panel news and grievance handling, including via WhatsApp, SMS, email and phone — Section 6 (consent).
• To prevent fraud and protect data quality, including operating attention checks, identity verification, device fingerprinting and multiple-account detection — Section 7(c)/(g) (legitimate uses; fraud prevention).
• To meet legal and regulatory obligations, including tax, anti-money-laundering, court orders and law-enforcement requests — Section 7(b) (compliance with law).
• To improve our Services through internal analytics, quality assurance and model evaluation, conducted on de-identified or aggregated data — Section 6 (consent) plus de-identification.
• To respond to and resolve grievances — Section 7(c) (legitimate use; performance of a function in connection with you).

We will not use your Personal Data for any new purpose without obtaining fresh consent.

Our primary lawful basis is your free, specific, informed, unconditional and unambiguous consent, given by clear affirmative action, in accordance with Section 6 of the DPDP Act.

When you register, you will be presented with a separate, plain-language consent notice covering the matters required by Rule 3 of the DPDP Rules. You may also be asked for additional, specific consent for individual Studies — for example, where a Study involves health-related questions, or where a Client wishes to receive identified (not de-identified) responses.

You may withdraw any consent at any time, at no cost. Withdrawal is as easy as giving consent. To withdraw, write to our Grievance Officer at the contact details in Section 16, or use the in-app “Withdraw Consent” option where available.

Once the Data Protection Board operationalises Consent Managers under the DPDP Rules, you will additionally be able to manage your consent through a registered Consent Manager.

We share Personal Data only as described below. We do not sell your Personal Data.

Some of our Data Processors (including AI processors and cloud providers) process Personal Data on servers located outside India. Under Section 16 of the DPDP Act, the Central Government may restrict transfer of Personal Data to specified countries. As of the effective date of this Policy, no such restriction applies to the countries where our Data Processors operate. We will not transfer Personal Data to any country or territory restricted by the Central Government from time to time.

Where Personal Data leaves India, we ensure that contractual safeguards equivalent to the standards under the DPDP Act apply. De-identified or aggregated insights, from which you cannot reasonably be re-identified, may be shared with foreign Client organisations for the limited purpose of the relevant Study.

We retain your Personal Data only for as long as necessary for the purposes set out in this Policy. Specifically:

• Active panel data (profile, demographics, communications): for the duration of your panel membership, plus 12 months thereafter, after which it is deleted or de-identified.
• Study Responses, transcripts and recordings: for the duration of the relevant Client engagement, plus 24 months thereafter for quality assurance, subject to your right to request erasure of identifiable data.
• Incentive and tax records (including PAN): for 8 financial years from the end of the relevant financial year, as required under Section 44AA of the Income-tax Act, 1961 read with Rule 6F of the Income-tax Rules, 1962.
• Fraud-prevention and ban-list records: for 36 months after closure of your account, to enable us to prevent re-registration of banned accounts.
• Grievance records: for 36 months after the grievance is closed.
• De-identified or aggregated data: indefinitely, as it is no longer Personal Data.

After the relevant period, your Personal Data is securely deleted or anonymised.

We have implemented reasonable and appropriate technical and organisational safeguards to protect your Personal Data, including:

• encryption in transit (TLS 1.2 or above);
• encryption at rest of sensitive fields (including PAN, bank / UPI details);
• role-based access controls and the principle of least privilege;
• audit logging of access to identifiable Personal Data;
• periodic vulnerability assessments;
• written confidentiality and data-protection obligations on our employees and Data Processors;
• incident-response procedures aligned with the CERT-In Directions of 28 April 2022.

In the event of a personal-data breach, we will notify you and the Data Protection Board of India in accordance with Rule 7 of the DPDP Rules, and where applicable will report the incident to CERT-In within six (6) hours as required by the CERT-In Directions.

Subject to verification of identity, you have the following rights:

• Right to access — to obtain a summary of the Personal Data we hold about you, a summary of how we process it, and the identities of Data Fiduciaries / Data Processors with whom it has been shared (Section 11, DPDP Act).
• Right to correction, completion, updating and erasure of your Personal Data, where retention is no longer required by law (Section 12, DPDP Act).
• Right of grievance redressal — to readily available means of grievance redressal (Section 13, DPDP Act).
• Right of nomination — to nominate any other individual to exercise your rights in the event of your death or incapacity (Section 14, DPDP Act).
• Right to withdraw consent at any time, on terms as easy as giving consent (Section 6(4), DPDP Act).
• Right to complain to the Data Protection Board of India if you are not satisfied with our response.

To exercise any of these rights, write to our Grievance Officer at the address in Section 16. We will respond within the timelines required by the DPDP Rules and, in any event, within fifteen (15) days of receipt of a valid request.

Our website and application use cookies and similar technologies for: (i) strictly necessary functions (login, security, fraud detection); (ii) analytics (to understand how Participants use the Services); and (iii) recruitment (campaigns run on Meta and other advertising platforms). You may control non-essential cookies through the cookie banner presented on first visit, and through your browser settings.

Canvass Recruit is intended for adults aged 18 years or older. We do not knowingly collect Personal Data from any person under 18. Section 9 of the DPDP Act prohibits processing that is likely to cause any detrimental effect on the well-being of a child, and prohibits tracking, behavioural monitoring and targeted advertising directed at children.

If we discover that we have collected Personal Data of a person under 18, we will (i) immediately deactivate the account, (ii) delete the Personal Data, except where retention is required by law, and (iii) forfeit any unpaid Incentives. If you believe a person under 18 has registered, please notify our Grievance Officer immediately.

Many of our Studies involve AI-moderated voice interviews. Where you participate in such a Study:

• you will be told at the start of the call that the call will be recorded and processed by AI;
• the recording and its transcript will be processed for the limited purposes of the relevant Study, plus de-identified insights and quality assurance, as set out in Section 5;
• we do not use your voice recordings to create voice-prints or other biometric identifiers, and we do not use your voice recordings to train generic third-party AI models;
• where we use de-identified extracts for evaluation or improvement of our own research tools, those extracts cannot reasonably be linked back to you;
• decisions about your eligibility for Studies are made by our research operations team with input from automated screening; we do not make solely automated decisions that produce legal effects on you.

We may amend this Privacy Policy from time to time. The current version will always be available on the Canvass Recruit website with the date of last update clearly indicated.

For any material change — including changes to the categories of Personal Data we collect; the purposes for which we process it; the categories of recipients with whom we share it; cross-border transfers; or your rights under this Policy — we will notify you by email and/or WhatsApp at least fifteen (15) days before the change takes effect. If you do not agree to a material change, you may withdraw consent before the change takes effect.

Non-material changes (typographical corrections, clarifications, or changes that do not adversely affect your rights) take effect when posted.

In compliance with Section 8(10) of the DPDP Act, Rule 3 of the DPDP Rules and Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer to address complaints relating to your Personal Data.

Name

Dharmesh Ba

Designation

Grievance Officer, Canvass Recruit (1990 Research Labs / Inaiya Vanigam Private Limited)

Email

panel@1990labs.com

Postal address

#74, 15th Cross, JP Nagar III Phase, Bangalore 560078, Karnataka, India

The Grievance Officer will acknowledge complaints within twenty-four (24) hours and resolve them within fifteen (15) days. If we are unable to resolve your complaint to your satisfaction, you may approach the Data Protection Board of India.

This Policy is published in English. On request to the Grievance Officer, we will make it available, free of charge, in any language listed in the Eighth Schedule of the Constitution of India, as required by Section 5(3) of the DPDP Act.

This Policy is governed by the laws of India. Disputes arising out of or in connection with this Policy are subject to the grievance-redressal and dispute-resolution provisions in our Terms & Conditions, and ultimately to the exclusive jurisdiction of the courts at Bengaluru, Karnataka, India, subject to your rights under the Consumer Protection Act, 2019 and your right to approach the Data Protection Board of India.