Cookie and Consent Management Policy

1.1 Purpose of This Policy

This Cookie and Consent Management Policy ("Policy") explains how Gulf Return managed by Sheruh ("Company", "we", "us", or "our") uses cookies, web beacons, pixels, local storage, and similar tracking technologies (collectively referred to as "Cookies") on our website, mobile applications, and digital platforms. This Policy also sets out our framework for obtaining, managing, recording, and honouring User consent in compliance with applicable Indian data protection laws. As part of our vision, we are committed to transparency regarding the technologies we use to collect information about you and your activities. This Policy should be read together with our Privacy and Data Protection Policy www.gulfreturn, which provides comprehensive information about how we process your personal data. Our cookie practices and data processing methods may vary depending on your location, device type, and the data protection laws applicable to you. We adapt our practices to comply with regional legal requirements while maintaining service functionality.

1.2 Legal Framework

This Policy has been developed in accordance with the requirements of:

• The Digital Personal Data Protection Act, 2023 ("DPDP Act")
• The Digital Personal Data Protection Rules, 2025 ("DPDP Rules")
• The Information Technology Act, 2000 ("IT Act")
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
• And other guidelines and directions issued by the Data Protection Board of India and other relevant authorities.

1.3 Scope

This Policy applies to all users who access our website, mobile applications, registered members including job seekers, employers, and recruiters, visitors who browse without creating an account, and any other digital touchpoints where cookies or similar technologies are deployed. For the purposes of this Policy, "Platform" shall have the same meaning as assigned under the User Agreement, Terms of Service, other associated Policies including our website, mobile application, and other digital touchpoints.

2.1 What Are Cookies?

Cookies are small text files that are placed on your device (computer, smartphone, tablet, or other electronic device) when you visit a website or use an application. Cookies are widely used to make websites and applications work efficiently, to provide a better user experience, and to provide information to the operators of the site or application. Each cookie typically contains the name of the domain from which the cookie originates, the lifetime of the cookie, and a randomly generated unique identifier.

2.2 Similar Technologies

2.3 Cookie Duration

2.4 Cookie Origin

3.1 Strictly Necessary Cookies

**Consent Required:** No (These cookies are essential and do not require consent) Strictly necessary cookies are fundamental to the operation of our platform. Without these cookies, essential services and features you have requested cannot be provided. These cookies do not collect personal data for marketing purposes and cannot be disabled through our cookie preference settings. **Purposes include:**

• Enabling you to log in and access your account securely
• Maintaining your session as you navigate between pages
• Remembering security settings and authentication tokens
• Preventing fraudulent activity and ensuring platform security
• Load balancing to ensure consistent platform performance
• Storing your cookie consent preferences

**Examples of Strictly Necessary Cookies:** • **session_id** - Maintains user session state (Session) • **auth_token** - Authentication and login verification (30 days) • **csrf_token** - Security - prevents cross-site request forgery (Session) • **cookie_consent** - Stores your cookie preferences (1 year)

3.2 Functional Cookies

**Consent Required:** Yes Functional cookies enable enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have integrated into our platform. If you do not allow these cookies, some or all of these services may not function properly. **Purposes include:**

• Remembering your language and regional preferences
• Storing your display preferences (e.g., dark mode, font size)
• Remembering your job search preferences and saved searches
• Enabling social media sharing functionality
• Providing live chat and customer support features

3.3 Performance Cookies

**Consent Required:** Yes Performance cookies collect information about how visitors use our platform. This information helps us understand user behaviour, identify areas for improvement, and measure the effectiveness of our content and features. The data collected is aggregated and anonymized where possible. **Purposes include:**

• Counting visitors and understanding traffic sources
• Measuring page views, session duration, and bounce rates
• Identifying which pages and features are most popular
• Detecting technical errors and performance issues
• Testing new features and improvements (A/B testing)

3.4 Social Media Cookies

**Consent Required:** Yes Social media cookies enable you to share content from our platform on social networks and interact with our social media presence. These cookies are set by social media platforms when you use their sharing buttons or log in using your social media credentials. We do not control these cookies; they are subject to the respective social media platform's privacy policies.

4.1 Automated Processing and Personalisation

Some cookies, analytics tools, and tracking technologies contribute to automated processing that assists in providing personalised job recommendations, improving Platform features, and enhancing your experience. No automated decision produces legal or similarly significant effects without human intervention or review.

5.1 Cookie Consent Banner

When you first visit our platform, you will be presented with a cookie consent banner that allows you to accept or reject different categories of cookies. You can customize your preferences by selecting which categories of cookies you wish to allow. Your cookie consent choices are recorded and retained in accordance with the consent record-keeping requirements set out in this Policy.

5.2 Cookie Preference Centre

At any time, you can access our Cookie Preference Centre to review and modify your cookie settings. The Cookie Preference Centre is accessible through the "Cookie Settings" or "Privacy Preferences" link in the footer of our website, the Settings menu in your account dashboard, or directly at www.gulfreturn.com.

5.2(a) Fresh Consent for New Purposes or Cookie Categories

We shall obtain fresh consent if we introduce new categories of cookies, change the purpose for which any cookie is used, or begin processing cookie-derived data for any additional purpose not previously disclosed.

5.3 Browser Settings

Most web browsers allow you to control cookies through their settings. You can configure your browser to accept all cookies, notify you when a cookie is set, block third-party cookies while allowing first-party cookies, block all cookies, or delete cookies when you close your browser.

5.4 Mobile Device Settings

For our mobile applications, you can manage tracking and advertising preferences through your device settings. iOS users can access Settings > Privacy > Tracking and Settings > Privacy > Advertising. Android users can access Settings > Google > Ads to opt out of personalized ads.

5.5 Consequences of Disabling Cookies

Please be aware that disabling certain cookies may affect the functionality of our platform. Disabling strictly necessary cookies may prevent you from using core features such as logging in or applying for jobs. Disabling functional cookies may result in loss of personalization and saved preferences. Disabling analytics cookies will not affect your use of the platform but will limit our ability to improve our services. Disabling advertising cookies will not eliminate advertisements but may result in less relevant ads.

6.1 Our Approach to Consent

As a Data Fiduciary under the Digital Personal Data Protection Act, 2023, we are committed to implementing a robust consent management framework that respects your autonomy and control over your personal data. Our approach is guided by the following principles:

• Consent is the primary legal basis for processing your personal data
• Consent must be free, specific, informed, unconditional, and unambiguous
• Consent must be given through a clear affirmative action
• Withdrawing consent must be as easy as giving consent
• We maintain comprehensive records of consent for accountability

Withdrawing consent shall be made as easy as giving consent, in accordance with the DPDP Act, 2023 and as reflected across our Privacy and Data Protection Policy.

6.2 Legal Basis for Processing

Under the DPDP Act, 2023, we process your personal data based on consent and certain legitimate uses. Consent is required for most processing activities, including account creation, job applications, profile visibility, marketing communications. In limited circumstances, as provided under Section 7 of the DPDP Act, we may process personal data without consent for certain legitimate uses, including when you have voluntarily provided personal data, for compliance with court orders, for responding to medical emergencies, and for employment-related purposes.

7.1 Requirements for Valid Consent

For consent to be valid under the DPDP Act, 2023, it must be free (given voluntarily without coercion), specific (obtained for specific, clearly defined purposes), informed (provided after receiving clear information about processing), unconditional (not tied to unfair conditions), and unambiguous (obtained through clear affirmative action). We do not rely on silence, pre-ticked boxes, or inactivity as consent.

7.2 Privacy Notice Requirements

In accordance with the DPDP Act, 2023 and DPDP Rules, 2025, our privacy notices are written in clear and plain language, presented independently and not buried in lengthy terms of service, made available in English and in any of the 22 languages specified in the Eighth Schedule of the Constitution of India, provided at the time of collection or before processing commences, and easily accessible throughout your use of our platform.

7.3 Consent for Sensitive Personal Data

For processing of Sensitive Personal Data or Information as defined under the SPDI Rules, 2011, we obtain explicit consent through written communication (letter, fax, or email) that specifically identifies the categories of sensitive personal data being collected, the purpose of collecting and using such data, the intended recipients, and the fact that data may be transferred outside India where applicable. We generally do not collect Sensitive Personal Data unless you voluntarily provide such information as part of job applications or resume uploads. Any Sensitive Personal Data voluntarily submitted is processed strictly in accordance with this Policy and the SPDI Rules, 2011.

7.4 Granular Consent Options

We provide granular consent options allowing you to consent to different processing activities separately. This includes separate consent for core platform functionality, profile visibility to employers, marketing communications via email and SMS, personalized job recommendations, sharing data with third-party partners, and analytics and research activities.

8.1 Right to Withdraw

You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. We ensure that withdrawing consent is as easy as giving consent.

8.2 Methods for Withdrawal

You may withdraw your consent through Account Settings (Settings > Privacy > Consent Management), the Cookie Preference Centre, email request to our Data Protection Officer, through a registered Consent Manager, or using unsubscribe links in marketing emails.

8.3 Processing of Withdrawal Requests

Upon receiving your withdrawal request, we shall acknowledge receipt within forty-eight (48) hours, cease processing based on the withdrawn consent within seven (7) days, notify any third parties with whom your data has been shared to cease processing, and confirm completion of the withdrawal to you.

8.4 Consequences of Withdrawal

We shall inform you of any consequences that may arise from withdrawal of consent before processing the request. Depending on the consent withdrawn, consequences may include inability to provide certain services, reduced personalization of content, loss of access to certain functionality, or in extreme cases, termination of the account if core functionality cannot be provided. Where withdrawal of consent prevents us from providing core Platform functionalities, your account may become partially or fully unusable, consistent with the Terms of Service.

9.1 Role of Consent Managers

The DPDP Act, 2023 introduces the concept of Consent Managers, entities registered with the Data Protection Board of India that act as intermediaries to enable Data Principals to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.

9.2 Our Interaction with Consent Managers

We are committed to working with Consent Managers registered with the Data Protection Board of India. Our systems are designed to accept and process consent instructions received through registered Consent Managers, provide consent status information upon authenticated request, honour consent withdrawal requests received through Consent Managers, and maintain interoperability with Consent Manager platforms as per technical standards prescribed by the Data Protection Board.

10.1 Consent Record Keeping

We maintain comprehensive records of consent to demonstrate compliance with applicable laws. Our consent records include identity of the Data Principal, date and time consent was given or modified, method through which consent was obtained, specific processing activities consented to, version of the privacy notice presented, and any changes to consent status.

10.2 Retention of Consent Records

Consent records are retained for the following periods: active consent records for the duration of processing plus seven (7) years, withdrawn consent records for seven (7) years from the date of withdrawal, and records required for legal proceedings until conclusion of proceedings plus applicable limitation period.