Effective: November 8, 2025

1) Who we are and how to reach us

White Blink Private Limited (“Cleobase”, “we”, “us”, “our”) provides EOR, contractor, and recruitment services. Address: White Blink Pvt Ltd, 1/1 Periot, Gajendra Nagar, Off Hosur Road, Post, Adugodi, Bengaluru, Karnataka 560030, India. Contact: hello@cleobase.com

2) Scope

This Policy explains how we collect, use, share, and protect personal information about: (a) website visitors and prospects, (b) customer representatives, and (c) workers (employees/contractors) and candidates processed through our Services. It applies to India and APAC operations and to our marketing worldwide.

3) Roles under data protection laws

• For our website, CRM, billing, and marketing, we act as a controller.

• For workforce data we handle on behalf of customers (e.g., payroll, HR files), we act as a processor; the customer is the controller.

• Where required for international transfers, we use Standard Contractual Clauses (SCCs) or equivalent lawful transfer mechanisms. A DPA is available on request.

4) What we collect

Depending on your relationship with us, we may process:

• Business contact data: name, employer, role, email, phone, address.

• Account/KYC data: company registration details, ID numbers where permitted by law, tax IDs, sanctions screening results.

• Workforce data (employees/contractors): identification, contact, date of birth, tax and social IDs (e.g., PAN, UAN, ESIC in India), bank details, compensation, leave/attendance, benefits, statutory contributions, employment agreements, performance/disciplinary records (where applicable), and offboarding records.

• Recruitment data: CVs, education/work history, qualifications, interview notes, assessment results.

• Transaction & funding data: invoices, payment confirmations, funding status, FX details.

• Usage & device data: log files, IP, browser/device, cookies or similar technologies.

• Support communications: emails, chats, attachments. Where we handle special categories (e.g., limited health information for insurance or ESI claims), we do so only where necessary and lawful (e.g., explicit consent or legal obligation).

5) Sources

We collect data from you, your employer, workers and candidates, public sources, background screening providers (where lawful), and service providers (payments, analytics, hosting).

6) Why we use data (purposes & legal bases)

• Provide Services (contract performance) including onboarding, payroll, compliance filings, and support.

• KYC/AML/sanctions checks (legal obligation; legitimate interests).

• Recruitment services (contract; legitimate interests; consent where required).

• Billing and collections (contract; legitimate interests).

• Security, fraud prevention, and misuse detection (legitimate interests; legal obligation).

• Marketing and communications (consent where required; otherwise legitimate interests with opt-out).

• Legal compliance and defense of claims (legal obligation; legitimate interests).

7) Cookies, analytics, and ads

We use cookies and similar technologies to operate the site and measure performance. We may use analytics and ad pixels (e.g., Google Ads, LinkedIn, Meta) to understand interest in our Services. Where required, we display a consent banner and honor your choices. CPRA/US state laws: We do not sell or share personal information for cross-context behavioral advertising as defined by CPRA. If we change this, we will provide required notices and opt-out mechanisms. You can manage preferences through your browser settings and, where available, our cookie banner or a “Your Privacy Choices” link.

8) Sharing and international transfers

We share data with:

• Service providers/sub-processors (hosting/cloud, payments, communications, analytics, background screening) under contract.

• Local EOR partners in APAC solely to deliver the Services.

• Professional advisors and authorities where required by law.

• Corporate transactions (e.g., merger or acquisition). We may transfer data internationally (e.g., between India, APAC, EU/UK, and the US). We use SCCs or equivalent safeguards where required.

9) Retention

We retain data only as long as needed for the purposes described or as required by law. Typical periods:

• Payroll/HR records: at least 7 years (or longer if legally required).

• Recruitment data: up to 24 months after last interaction unless deletion is requested or required sooner.

• Marketing/website analytics: up to 24 months (or shorter per cookie preferences).

10) Security

We use reasonable technical and organizational measures, including encryption in transit and at rest where supported, role-based access, audit logging, and vendor due diligence. No system is perfectly secure; please notify us promptly of any suspected breach.

11) Your rights

Depending on your location (e.g., EU/UK GDPR, CPRA in California, India DPDP Act 2023), you may have rights to access, correct, delete, restrict, object, or port your data, and to withdraw consent where applicable. To exercise rights or submit a complaint, email hello@cleobase.com. We will verify your identity and respond within legally required timelines. If we process your data on behalf of a customer (processor role), we will direct your request to that customer.

12) Children

Our Services and website are not directed to children under 16. We do not knowingly collect personal information from children.

13) Changes

We may update this Policy from time to time. Material changes will be communicated via the site or email.

14) Contact

Privacy questions or requests: hello@cleobase.com