For the purposes of this Privacy Policy:

• Personal Data: Any information that identifies or can reasonably be used to identify an individual.
• Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• Data Controller / Data Fiduciary: The entity that, alone or jointly with others, determines the purposes of processing, the categories of Personal Data to be collected, and the means by which such Personal Data is processed (under GDPR, UAE PDPL, and India DPDP Act).
• Data Processor: The entity that processes Personal Data on behalf of the Data Controller or Data Fiduciary.
• Customer: An organization that uses Meritto’s Services.
• User: An employee, representative, agent, or appointee of a Customer who accesses the platform.
• Sub-Processor: A third party engaged by Meritto to process Personal Data on our behalf.
• Device Data: Information automatically collected from your device, such as IP address, browser details, and operating system.
• Cookies: Small text files stored on your device that support functionality, analytics, or preferences.
• Data Protection Officer (DPO): NoPaperForms Solutions Limited has designated a privacy officer to act as the Data Protection Officer for applicable jurisdictions.

Meritto is a product of NoPaperForms Solutions Limited, incorporated under the Companies Act, 2013, India.

Depending on how you interact with us, Meritto may act either as a Data Processor or as a Data Fiduciary / Data Controller.

When We Act as a Data Processor

When We Act as a Data Fiduciary / Data Controller

Use of Sub-Processors and Service Providers

This Privacy Policy applies to the Personal Data that we collect, receive, or process when you:

• Visit or interact with our website, mobile applications, or digital interfaces
• Communicate with us through email, phone, chat, support tickets, or online forms
• Use or access our products, solutions, or platforms in any capacity
• Engage with our events, webinars, marketing campaigns, or surveys
• Interact with Meritto / NoPaperForms in a digital or physical setting
• Otherwise provide Personal Data to us when we act as a Data Controller / Data Fiduciary

This Policy explains:

• The categories of Personal Data we collect
• How and why we process Personal Data
• When we act as a Data Controller / Data Fiduciary and when we act as a Data Processor
• How long we retain Personal Data
• How we share information with third parties, processors, and Sub-Processors
• Your privacy rights under applicable laws (including the DPDP Act/Rules, GDPR, and UAE PDPL)
• How you may exercise these rights

Where This Privacy Policy Does Not Apply

This Privacy Policy does not apply in the following circumstances:

1. Customer-Controlled Data

2. Third-Party Tools Used by Customers

While we strongly encourage you to read this Privacy Policy in full, the following summary provides a quick overview of how your personal data is handled when you interact with Meritto (a product of NoPaperForms Solutions Limited).

Who We Are: Meritto is owned and operated by NoPaperForms Solutions Limited, headquartered in New Delhi and Gurugram, India.

How You Interact With Us: Your relationship with Meritto determines what data we collect and how we use it. You may engage with us as:

• A Visitor browsing meritto.com
• A Customer using our Services
• A User (an employee or representative of a Customer) accessing the platform

Each role involves different categories of personal data and processing purposes, all of which are described in this Privacy Policy.

Voluntary Submission: When you choose to provide personal information—such as submitting an enquiry, requesting a demo, or using our Services—you do so voluntarily. Certain information may be required to deliver Services or provide effective support.

Your Rights: This Privacy Policy explains the rights available to you under applicable data protection laws and how you may exercise them.

If you do not agree with any part of this Privacy Policy, we advise that you discontinue use of our website, application, or Services.

This Privacy Policy forms part of and should be read together with our Terms of Service. Submission of information is voluntary, but may be required to access or receive certain Services.

We collect different categories of personal data depending on how you interact with Meritto. Collection and processing are based on appropriate lawful bases, including consent, performance of a contract, legitimate interests, legal obligations, or processing on behalf of a Customer.

4.1 Visitors (Website Browsers)

4.2 Customers (Organizations Using Our Services)

4.3 Users (Employees / Representatives of our Customers)

4.4 User Choice & Control

4.5 Lawful Bases for Processing

We use cookies and similar technologies to support website functionality, remember user preferences, analyze performance, and—where consent is provided— deliver personalized content and advertising.

• Cookies: Small text files stored on your device that enable login sessions, preferences, security, analytics, and performance monitoring. Non-essential cookies (such as analytics and marketing cookies) are used only after obtaining your consent and can be managed through browser settings or cookie controls.
• Web Beacons / Pixels: Technologies used to measure email and page engagement. These tools do not install software on your device or collect sensitive personal data.
• Optional Mobile App Features: Features such as location tracking (for field operations including check-in/check-out and periodic updates while the app runs in the background), calendar integration, and communication metadata synchronization. These features are strictly opt-in and can be revoked at any time.
• Customer-Installed Third-Party Tools: Customers may deploy third-party analytics tools, pixels, scripts, or tags. These tools operate independently and are governed by the Customer’s and the respective third party’s privacy policies.

By using our Services, you agree to the use of cookies and tracking technologies as described above, subject to your right to manage or withdraw consent in accordance with applicable laws.

Our Services are primarily intended for use by educational organizations and their authorized representatives. Meritto does not directly provide services to children or minors, nor does it collect their personal data for its own independent purposes.

However, Meritto may process minors’ personal data as a Data Processor, strictly on behalf of its Customers (educational organizations). In such cases:

• The Customer, acting as the Data Controller / Data Fiduciary, is responsible for obtaining verifiable parental or guardian consent where required under applicable laws.
• Meritto processes minors’ personal data only in accordance with the Customer’s documented instructions and its contractual obligations.
• Meritto does not use minors’ data for marketing, profiling, behavioral tracking, or any purpose other than delivering the services requested by the Customer.

Where Meritto acts as a Data Controller, we do not knowingly collect or process personal data of children or minors without appropriate parental or guardian consent, as required by applicable law.

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, comply with contractual or legal obligations, or support legitimate business needs. When retention is no longer required, we securely delete or anonymize the data. Where immediate deletion is not technically feasible, the data is isolated and secured until deletion can be completed.

• Optional Feature Data: SMS, call, and email metadata, as well as calendar and location data, are retained only while the relevant feature is enabled and deleted upon revocation where technically possible.
• Customer-Controlled Data: Retained or deleted in accordance with Customer instructions, contractual commitments (including Data Processing Agreements), and applicable law.
• Responding to Rights Requests: If you request deletion and it is technically feasible, we remove data from active systems and through backup cycles in line with our retention and deletion policies.

To deliver our Services, we work with vetted third-party Sub-Processors such as providers for hosting, email, SMS, payments, security, and support. These providers process personal data only under our documented instructions and applicable contractual protections. We do not permit Sub-Processors to use personal data for their own purposes.

As our infrastructure and service partners operate globally, personal data may be transferred to jurisdictions with different data protection laws. Where such transfers occur, we rely on appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) under the GDPR
• PDPL-compliant international transfer mechanisms
• Contractual safeguards aligned with India’s DPDP requirements

We maintain a list of authorized Sub-Processors and notify Customers as required by applicable contracts or law. Customers may request additional details or raise objections in accordance with their contract or Data Processing Agreement (DPA).

All international data transfers and third-party engagements are limited to legitimate business purposes and protected through contractual, technical, and organisational safeguards.

Customers may independently integrate third-party tools, scripts, or applications. Any personal data collected through such Customer-initiated tools is governed by the Customer’s and the respective third party’s privacy policies.

Our website and platform may contain links to third-party websites, applications, or services. Meritto does not operate, control, or endorse these third parties and is not responsible for their content, privacy practices, security measures, or data handling activities.

Any personal data you choose to provide to third parties is governed by their respective privacy policies. We encourage you to review those policies carefully before sharing personal information or granting access.

We may disclose personal information where required or permitted by law, including in response to court orders, government directives, regulatory requests, or to protect the rights, safety, or security of users, Customers, employees, or the public (for example, for fraud prevention, security incidents, or investigations).

When acting as a Data Processor, we will forward governmental or regulatory requests relating to Customer-controlled data to the applicable Customer, unless we are legally prohibited from doing so. Where we are required to respond directly, we will comply and notify the Customer where legally permitted.

We follow the principle of minimum necessary disclosure and will notify affected individuals or Customers where allowed by law. All legal disclosures are documented and handled using appropriate security controls.