Privacy and Data Protection Policy
| Platform Name | Gulf Return |
| Policy Owner | Data Protection Officer Gulf Return |
| Effective Date | 06-Feb-2026 |
| Applicable Laws | DPDP Act, 2023; DPDP Rules, 2025; IT Act, 2000; SPDI Rules, 2011 |
Your Privacy Matters
This policy is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act) and DPDP Rules, 2025. We are committed to protecting your personal data. For any privacy concerns or to exercise your data rights, contact our Grievance Officer at support@gulfreturn.com
INTRODUCTION AND SCOPE
About This Policy
This Privacy and Data Protection Policy ("Policy") describes how Gulf Return managed by Sheruh ("Company", "we", "us", or "our"), a job and social networking platform incorporated under the laws of India, collects, uses, processes, stores, shares, and protects the personal data of its users. This Policy is designed to ensure transparency in our data practices and to comply with applicable data protection laws in India. We are committed to safeguarding the privacy of individuals who visit our platform, create accounts, apply for jobs, post-employment opportunities, engage in professional networking, or otherwise interact with our services. This Policy applies to all digital personal data processed through our website, mobile applications, and any other digital interfaces operated by us.
Legal Framework
This Policy has been formulated in accordance with and is intended to comply with: (a) The Digital Personal Data Protection Act, 2023 (DPDP Act) (b) The Digital Personal Data Protection Rules, 2025 (DPDP Rules) (c) The Information Technology Act, 2000 (IT Act) (d) The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) (e) Any rules, regulations, guidelines, or directions issued by the Data Protection Board of India or other competent authorities from time to time (f) Other applicable sectoral regulations pertaining to data protection and privacy
Applicability
This Policy applies to: (a) All digital perso data collected online through our platform (b) Personal data collected offline and subsequently digitized (c) All categories of Data Principals including job seekers, employers, recruiters, and general users (d) Processing activities conducted within and outside India where such processing relates to offering goods or services to Data Principals in India (e) Personal data collected through the Platform may be processed in India and may also be stored or processed on cloud infrastructure located outside India, including data centres operated by third-party service providers such as Amazon Web Services (AWS). Users accessing the Platform from outside India, including from the Gulf region and other countries, acknowledge and consent to the processing of their personal data in India and other jurisdictions in accordance with this Policy and applicable laws.
DEFINITIONS
For the purposes of this Policy, the following terms shall have the meanings ascribed to them below. Where not specifically defined herein, terms shall have the meanings assigned to them under the DPDP Act, 2023, IT Act, 2000, and rules made thereunder:
means any freely given, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of personal data relating to the Data Principal for a specified purpose.
means a person registered with the Data Protection Board of India who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. For the purposes of this Policy, Gulf Return is the Data Fiduciary.
means the individual to whom the personal data relates. Where the individual is a child, the parent or lawful guardian shall be considered the Data Principal. Where the individual is a person with disability, the lawful guardian acting on their behalf shall be considered the Data Principal.
means any person who processes personal data on behalf of a Data Fiduciary pursuant to a valid contract.
means any data about an individual who is identifiable by or in relation to such data. This includes any information that can directly or indirectly identify an individual.
means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data.
means a wholly or partly automated operation or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction.
means personal data consisting of: (i) passwords; (ii) financial information such as bank account, credit card, debit card, or other payment instrument details; (iii) physical, physiological, and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above as provided to a body corporate forproviding services; and (viii) any information received under the above clauses for processing or storage under lawful contract.
means a Data Fiduciary or class of Data Fiduciaries notified by the Central Government based on an assessment of relevant factors including volume and sensitivity of personal data processed, risk to the rights of Data Principals, potential impact on sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order.
CATEGORIES OF PERSONAL DATA COLLECTED
Information You Provide Directly
We collect personal data that you voluntarily provide when registering on our platform, creating or updating your profile, applying for jobs, posting job opportunities, engaging in networking activities, or communicating with us. This includes:
Account and Identity Information
- Full name, date of birth, gender
- Email address, phone number, postal address
- Username and password (stored in encrypted form)
- Profile photograph
- Government-issued identification details (where required for verification)
Professional and Educational Information
- Resume or curriculum vitae, including work history and experience
- Educational qualifications, certifications, and academic records
- Skills, expertise, and professional interests
- Current and past employer details, job titles, and designations
- Professional licenses and memberships
- Portfolio links, publications, and professional achievements
Employment-Related Information
- Job preferences including desired role, location, salary expectations
- Availability and notice period
- Work authorization and visa status (where applicable)
- References and recommendations
Financial Information (for Employers/Premium Services)
- Billing address and payment information
- Bank account details or payment instrument information (processed through secure payment gateways)
- Tax identification numbers (where required)
Information Collected Automatically
When you access or use our platform, we automatically collect certain information, including:
- Device information: device type, operating system, unique device identifiers, browser type and version
- Log information: access times, pages viewed, IP address, referring URL
- Location information: approximate location derived from IP address
- Usage data: features used, actions taken, time spent on pages, search queries
- Cookie data and similar tracking technologies (subject to our Cookie Policy)
Information from Third Parties
We may receive personal data about you from third-party sources, including:
- Social media platforms when you choose to link or sign in through such services
- Background verification agencies (with your consent, for employment purposes)
- Professional references provided by you
- Employers or recruiters who may share information about you in the recruitment process
PURPOSES OF PROCESSING
Primary Purposes
We process your personal data for the following primary purposes, which are essential to providing our services:
- Account Creation and Management: To create, maintain, and manage your user account; verify your identity; and enable access to platform features.
- Job Matching and Recruitment Services: To facilitate job matching between candidates and employers; enable job applications; process and share applications with prospective employers; and provide recruitment-related services.
- Professional Networking: To enable networking features including profile visibility, connections, messaging, content sharing, and professional community engagement.
- Communication: To send service-related communications including account notifications, job alerts, application updates, and platform announcements.
- Payment Processing: To process payments for premium services, subscriptions, and employer services; issue invoices; and maintain billing records.
Secondary Purposes
With your consent or as permitted by law, we may also process your personal data for:
- Personalisation and Recommendations: To personalise your experience, provide tailored job recommendations, and suggest relevant connections based on your profile and activity.
- Marketing Communications: To send promotional content, newsletters, and marketing materials about our services and those of our partners (subject to your consent and preferences).
- Analytics and Research: To conduct analytics, research, and surveys to understand user behaviour, improve our services, and develop new features.
- Advertising: To display relevant advertisements on our platform and measure advertising effectiveness.
Legal and Compliance Purposes
We process personal data as necessary to:
- Comply with applicable laws, regulations, legal processes, or government requests
- Enforce our Terms of Service and other agreements
- Protect our rights, privacy, safety, or property, and that of our users and the public
- Detect, prevent, or address fraud, security issues, or technical problems
- Respond to claims that content on our platform violates the rights of third parties
Automated Decisioning and Profiling
The Platform uses automated systems (including AI/ML) for job-candidate matching, ranking and personalised recommendations. Data Principals may request an explanation of the logic, significance, and envisaged consequences of such processing and may request human review or correction of outputs where automated processing has materially affected them. Requests concerning automated decisioning will be acknowledged within 7 days and resolved within 90 days.
LAWFUL BASIS FOR PROCESSING
In accordance with the DPDP Act, 2023 and applicable laws, we process your personal data only when we have a valid lawful basis. The following are the legal grounds upon which we rely:
Consent
Consent is our primary basis for processing personal data. We obtain your free, specific, informed, unconditional, and unambiguous consent through clear affirmative action before processing your personal data. Consent shall be obtained in the following manner: (a) At the time of registration and account creation (b) Before processing any new categories of personal data not covered by initial consent (c) Before sharing personal data with third parties for purposes beyond service delivery (d) For marketing communications and non-essential processing activities
Certain Legitimate Uses
As permitted under Section 7 of the DPDP Act, 2023, we may process personal data without consent for certain legitimate uses, including: (a) Where you have voluntarily provided personal data and have not indicated that you do not consent to its use for the specified purpose (b) For compliance with any judgment, decree, or order of any court, tribunal, or authority in India (c) For responding to medical emergencies involving threats to life or immediate threats to health (d) For employment-related purposes, where personal data is processed for recruitment, verification, termination, or provision of services by employer to employee
CONSENT MANAGEMENT
Obtaining Consent
We obtain consent in compliance with the requirements of the DPDP Act, 2023 and DPDP Rules, 2025. Consent requests shall: (a) Be presented in clear and plain language (b) Be made available in English and any of the 22 languages specified in the Eighth Schedule of the Constitution of India, as applicable (c) Specify the personal data being collected and the purpose of processing (d) Be separate and distinguishable from other terms and conditions (e) Include information on how to exercise Data Principal rights and lodge complaints
Withdrawal of Consent
You have the right to withdraw your consent at any time. The process for withdrawal of consent shall be as easy as the process for giving consent. To withdraw consent: (a) Access the Privacy Settings section of your account (b) Email our Data Protection Officer at Support@gulfreturn.com (c) Use any Consent Manager platform registered with the Data Protection Board of India Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Upon withdrawal of consent, we shall cease processing your personal data for the relevant purposes within a reasonable time, subject to any legal obligations requiring continued retention.
Consent for Sensitive Personal Data
For Sensitive Personal Data (e.g., financial information, health data, biometric data), we will obtain explicit consent in a clear, auditable manner prior to processing. In limited cases where law requires written consent for certain sensitive categories, we will request and retain such consent in the format required. You may withdraw explicit consent at any time; withdrawal will not affect the lawfulness of processing prior to withdrawal.
Consent Records and Consent Manager
Consent will be recorded in an auditable manner and retained for a minimum of seven (7) years from the date of consent or withdrawal, or for a longer period if required by law. Where relevant, the Company will integrate with a Consent Manager (registered under the DPDP framework) to enable Data Principals to give, view, manage, and withdraw consent. Consent records will include the purpose, scope, timestamp, and medium of consent.
DATA SHARING AND DISCLOSURE
Categories of Recipients
We may share your personal data with the following categories of recipients:
Service Providers and Data Processors
We engage third-party service providers who process personal data on our behalf under written contracts that ensure compliance with the DPDP Act and applicable laws. These include: (a) Cloud hosting and infrastructure providers (b) Payment processing services (c) Email and communication services (d) Analytics and performance monitoring services (e) Customer support tools (f) Background verification agencies (with consent)
Employers and Recruiters
When you apply for jobs or make your profile visible to employers, your profile information, resume, and application materials may be shared with prospective employers and their authorized representatives. This sharing is integral to our job matching services and is conducted based on your consent and actions on the platform.
Other Users
As a social networking platform, certain information you choose to share may be visible to other users based on your privacy settings, including your public profile information, posts, comments, and professional connections.
Legal and Regulatory Authorities
We may disclose personal data to government authorities, law enforcement agencies, courts, or other public authorities when required by law, pursuant to legal process, or to comply with regulatory requirements. Such disclosures shall be made only upon receipt of a request in writing specifying the purpose and confirming that the information shall not be further disclosed. The Company does not sell personal data. Personal data is never transferred for monetary consideration. Any sharing with advertisers, analytics providers, or partners occurs only with consent and strictly for permitted purposes.
Data Processor Obligations
All Data Processors engaged by us are contractually bound to: (a) Process personal data only in accordance with our instructions and for the specified purposes (b) Implement appropriate technical and organisational security measures (c) Ensure confidentiality of personal data (d) Not engage sub-processors without our prior written authorization (e) Assist us in responding to Data Principal requests and compliance obligations (f) Delete or return personal data upon termination of the contract (g) Notify us promptly of any personal data breach
Sub-processors and Publication
We will ensure that Data Processors act only on our documented instructions and implement appropriate technical and organisational measures. The Company will publish a list of material sub-processors on the Platform and provide prior notice of any material additions. Processors must notify the Company promptly of any personal data breach and assist in remediation and regulatory reporting. Contracts with processors will require deletion or return of personal data upon contract termination.
Platform Account Deletion Effect
Upon account deletion, the Platform will permanently erase the User's personal data (except data required to be retained by law), revoke access tokens, delete authentication credentials, and remove the User's content from public areas. Certain information may be retained for legal, fraud-prevention, or compliance purposes in accordance with the Data Security & Retention Policy.
CROSS-BORDER DATA TRANSFERS
Transfer Mechanisms
Personal data may be transferred outside India in accordance with the provisions of the DPDP Act, 2023 and subject to any restrictions notified by the Central Government. Transfers shall only be made to countries or territories not restricted by the Central Government. Prior to any cross-border transfer, we shall ensure that: (a) The transfer is to a country or territory not appearing on the restricted list notified by the Central Government (b) Adequate contractual safeguards are in place with the receiving entity (c) The receiving entity maintains security standards equivalent to those required under Indian law (d) You are informed of such transfers through this Policy or specific notice
Transfer under SPDI Rules
To the extent the SPDI Rules, 2011 remain applicable, any transfer of Sensitive Personal Data or Information to a person or entity outside India shall be made only where: (a) It is necessary for the performance of a lawful contract between us or any person acting on our behalf and the Data Principal; or (b) The Data Principal has consented to such transfer; and the receiving entity ensures the same level of data protection as required under the SPDI Rules.
DATA RETENTION
Retention Principles
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Our retention periods are determined based on: (a) The nature and sensitivity of the personal data (b) The purposes for which the data is processed (c) Legal, regulatory, and contractual requirements (d) Business needs including maintaining records for dispute resolution
Specific Retention Periods
(a) User Profile Data (Active): retained while account is active (b) Deactivated Accounts: archived for 12 months from deactivation, then deleted unless legal requirements apply (c) Job Applications & Resumes: retained for 3 years from date of application unless lawfully required longer or the Data Principal consents to longer retention (d) Processing Logs & Traffic Data / Logs & Metadata: retained for 24 months for security, forensic and compliance purposes (e) ICT System Logs: retained for 180 days within Indian jurisdiction as per CERT-In Directions (f) Consent Records: retained for 7 years from date of consent or withdrawal
RIGHTS OF DATA PRINCIPALS
Under the DPDP Act, 2023 and applicable laws, you have the following rights in relation to your personal data:
Right to Access
You have the right to obtain from us confirmation as to whether your personal data is being processed and, where that is the case, access to the personal data and information about the processing activities, including the categories of personal data being processed, the purposes of processing, and the categories of recipients to whom personal data has been disclosed.
Right to Correction and Erasure
You have the right to: (a) Request correction of inaccurate or misleading personal data (b) Request completion of incomplete personal data (c) Request updating of personal data that is no longer current (d) Request erasure of personal data that is no longer necessary for the purpose for which it was collected or where consent has been withdrawn
Right to Grievance Redressal
You have the right to have readily available means of lodging a grievance with us regarding our processing of your personal data. We shall respond to grievances within the time period specified in our grievance redressal mechanism.
Right to Nominate
You have the right to nominate any other individual who shall, in the event of your death or incapacity, exercise your rights under the DPDP Act in relation to your personal data.
Exercising Your Rights
To exercise any of your rights, you may: (a) Access the Privacy Dashboard in your account settings (b) Submit a request through our designated request form (c) Email our Data Protection Officer at Support@gulfreturn.com (d) Write to us at our registered address We shall respond to your request within a reasonable period, and in any event within the timelines prescribed under applicable law. We may verify your identity before processing your request.
Data Portability Format
Where you request portability of your personal data, we will provide a machine-readable copy of your data in a commonly used interoperable format (for example JSON or CSV) within the timelines set out above. Portability will include the core profile and content you provided; third-party data or employer-provided records may be excluded or provided subject to separate consent.
Additional Rights for International Users
If you are covered by data protection laws outside India that provide you with additional rights, we will make reasonable efforts to respect those rights where applicable and practical, after verifying your identity and ensuring compliance with legal requirements.
DUTIES OF DATA PRINCIPALS
Under the DPDP Act, 2023, Data Principals have certain duties which include: (a) To comply with applicable laws when exercising rights under the DPDP Act (b) Not to register a false or frivolous grievance or complaint with us or the Data Protection Board of India (c) Not to furnish false particulars or impersonate another person when providing personal data (d) Not to suppress any material information when providing personal data for obtaining any document, service, or benefit
DATA SECURITY
Security Measures
We implement reasonable security safeguards to protect personal data against unauthorized access, alteration, disclosure, or destruction. Our security measures include, but are not limited to:
Technical Measures
(a) Encryption of personal data in transit and at rest using industry-standard protocols (b) Data masking and obfuscation techniques for sensitive data elements (c) Secure authentication mechanisms including multi-factor authentication (d) Firewalls, intrusion detection, and prevention systems (e) Regular security testing including vulnerability assessments and penetration testing (f) Secure software development practices
Organisational Measures
(a) Access controls based on role and need-to-know principles (b) Comprehensive access logs and regular reviews thereof (c) Employee training on data protection and security (d) Confidentiality obligations for personnel handling personal data (e) Regular data backup procedures to ensure business continuity (f) Documented information security policies and procedures
Security Standards
Our security practices are aligned with internationally recognized standards including ISO/IEC 27001 (Information Security Management Systems) and the practices recommended by the Indian Computer Emergency Response Team (CERT-In). We conduct regular audits to verify compliance with these standards.
PERSONAL DATA BREACH MANAGEMENT
Breach Detection and Response
We maintain systems and procedures designed to detect, assess, and respond to personal data breaches. Upon becoming aware of a personal data breach, we shall: (a) Assess the nature, scope, and severity of the breach (b) Take immediate steps to contain and mitigate the breach (c) Preserve evidence for investigation and legal proceedings (d) Conduct a root cause analysis to prevent recurrence
Notification to Data Protection Board
If we become aware of a Personal Data Breach, we will assess its nature and impact and notify the Data Protection Board of India without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach. The notification will include a description of the breach, categories and approximate number of Data Principals affected, likely consequences, and measures taken or proposed to mitigate the breach. Where the breach is likely to result in a high risk to the rights and interests of Data Principals, we will also notify affected Data Principals without undue delay and provide clear guidance on steps they should take to protect themselves.
Notification to Affected Data Principals
Where a personal data breach is likely to result in high risk to the rights and interests of Data Principals, we shall communicate the breach to affected Data Principals without undue delay. The communication shall describe in clear and plain language the nature of the breach and provide recommendations for measures to mitigate potential adverse effects.
PROCESSING OF CHILDREN'S DATA
Age Restrictions
Our platform is intended for users who are eighteen (18) years of age or older. We do not knowingly collect or process personal data of individuals under eighteen (18) years of age without the verifiable consent of their parent or lawful guardian.
Parental Consent
If we become aware that personal data of a child has been collected, we shall: (a) Obtain verifiable consent from the parent or lawful guardian before any further processing (b) Provide the parent or guardian with the ability to review and request deletion of the child's data (c) Delete such personal data if verifiable consent cannot be obtained
Restrictions on Processing
In accordance with Section 9 of the DPDP Act, 2023, we shall not: (a) Undertake any processing of personal data that is likely to cause harm to a child (b) Undertake tracking or behavioral monitoring of children, except where specifically permitted (c) Target advertising directed at children
GRIEVANCE REDRESSAL
Grievance Officer
In accordance with the IT Act, 2000 and SPDI Rules, 2011, we have appointed a Grievance Officer to address complaints and grievances regarding our handling of personal data. The contact details are as follows: Name: Mohd Raavi Designation: Grievance Officer Email: Support@gulfreturn.com Address: [-]
Data Protection Officer
We have appointed a Data Protection Officer responsible for overseeing compliance with data protection laws and serving as the point of contact for the Data Protection Board of India. The Data Protection Officer may be contacted at: Name: Mohd Raavi Email: Support@gulfreturn.com Address: [-]
Grievance Resolution Process
Upon receipt of a grievance: (a) We shall acknowledge receipt within forty-eight (48) hours (b) The grievance shall be investigated and addressed within thirty (30) days of receipt (c) The Data Principal shall be informed of the outcome and any actions taken (d) If unsatisfied with our response, the Data Principal may file a complaint with the Data Protection Board of India FOR MORE INFORMATION on GRIEVANCE REDRESSAL MECHANISM please check out GRIEVANCE REDRESSAL POLICY at www.gulfreturn.com on our website.
Data-Principal Requests (Access/Correction/Erasure/Portability)
We will acknowledge receipt of data-subject requests within 7 calendar days. We will ordinarily fulfil routine requests within 30 calendar days of receipt; complex requests may require upto 90 calendar days and we will notify the Data Principal of any extension. Where the DPDP Rules prescribe a shorter or different timeline for a particular request type, we will comply with the applicable statutory timeline.
CHANGES TO THIS POLICY
We may update this Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes: (a) We shall notify you by email, in-app notification, or prominent notice on our platform (b) The updated Policy shall indicate the date of the last revision (c) Where required by law, we shall obtain your consent to material changes (d) Your continued use of our platform after the effective date of changes constitutes acceptance of the revised Policy We encourage you to review this Policy periodically to stay informed about how we protect your personal data.
COMPLIANCE AND AUDIT
We are committed to ensuring compliance with the DPDP Act, 2023, IT Act, 2000, and other applicable data protection laws. Our compliance measures include: (a) Conducting Data Protection Impact Assessments for high-risk processing activities (b) Maintaining records of processing activities (c) Conducting periodic internal audits of data protection practices (d) Engaging independent auditors for annual security audits as required under SPDI Rules (e) Regular training and awareness programs for employees handling personal data
GOVERNING LAW AND JURISDICTION
This Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts at Hyderabad, India, without prejudice to the jurisdiction of the Data Protection Board of India to adjudicate complaints under the DPDP Act, 2023.
CONTACT US
If you have any questions, concerns, or complaints regarding this Policy or our data protection practices, please contact us at: Gulf Return [Registered Office Address] [City, State, PIN Code] Email: Support@gulfreturn.com Phone: [-] ***AS SET OUT IN THIS POLICY*** By using our platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy and Data Protection Policy. If you do not agree with any part of this Policy, please do not use our services.