Website Privacy Statement

1. Purpose

This Policy establishes an effective, accountable, and transparent framework for ensuring compliance with the requirements of various Privacy Laws with Milestone Technologies. 

2. Scope

This Policy documents Milestone’s overall approach to managing privacy, which includes but is not limited to information relating to employees, business partners, customers and any third parties etc 

As a US-based company serving clients all across the globe, we comply with the California Consumer Privacy Act, 2018 (‘CCPA’); California Privacy Rights Act, 2020 (‘CPRA’); EU General Data Protection Regulations, 2018 (‘EU GDPR’), United Kingdom General Data Protection Regulation, 2018 (‘UK GDPR’) and UK Data Protection Act, 2018 (‘UK DPA’), India Digital Personal Data Protection Act, 2023 (‘DPDPA’), Singapore Personal Data Protection Act, 2012 (‘PDPA’) and Philippines Data Privacy Act, 2012 (‘PH-DPA’with jurisdiction-specific requirements addressed in dedicated sections of this Policy.  

Applicability 

This Policy applies to all collection and processing  of Personal Data by Milestone relating to: 

Organizational Scope 

This Policy applies to: 

Territorial Scope

This Policy applies to processing: 

Note: The territorial scope set out in Section 2.3 above reflects the specific applicability criteria under India’s DPDPA. For all other jurisdictions referenced in Section 2 (including CCPA/CPRA, EU GDPR, UK GDPR, Singapore PDPA, and Philippines PH-DPA), the applicable territorial scope is determined by the requirements of each respective law. This Policy is to be read and applied accordingly on a jurisdiction-by-jurisdiction basis. 

3. Review

The document shall be under the control of the Information Security Team who shall be responsible for updating the Policy to reflect on any updates and amendments as needed. Such updates/amendments/additions shall be approved by the Chief Information Security Officer (CISO) on the recommendation of the CISO. This Policy shall be reviewed at least on an annual basis by the Information Security Team or in case of any major changes. 

4. Compliance and Exceptions

4.1 Compliance Measurement 

The Information Security Team will verify compliance with this Policy through various methods, including but not limited to, periodic walk-throughs, monitoring business tool reports, internal and external audits, and feedback to the Policy owner. 

4.2 Exception  

Periodically, technical or business requirements may require an exception to specific requirements within this Policy. The CISO, their appointed designee, can authorize an exception (“Policy Exception”), following an appropriate risk assessment. Any Policy Exception shall include an assessment of potential harm to Data Principals and documentation of mitigation measures. 

5. Distribution

This Policy is to be distributed to   

6. Non-Compliance

Breach of company Policy may be subject to disciplinary action, up to and including termination of contract or fine or both. This is applicable to all the employees (including contractors, interns, and part-time employees), vendors, and external contractors as well. 

7. Policy Statement

Milestone is committed to processing Personal Data only for lawful purposes, with Consent or other permitted grounds under applicable data protection laws, including GDPR and the Digital Personal Data Protection Act, 2023 and in line with the highest standards of ethical conduct. This Policy sets forth the expected behaviors of Milestone employees and third parties in relation to the collection, use, correction, retention, transfer, disclosure, and destruction of any personal data belonging to Milestone or its client’s contact (i.e., the Data Principal and hereafter referred as Milestone contact). 

Personal Data is any information (including opinions and intentions) which relates to an identified or identifiable natural person. Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organizations may process Personal Data. Any person or organization that handles Personal Data determines the need and purpose for the data collected, about its use and disposal is known as a Data Fiduciary. Milestone may act as a Data Fiduciary/Controller or Data Processor depending on the context of processing. In each case, Milestone will comply with applicable legal obligations relevant to its role. Non-compliance may expose Milestone to complaints, regulatory action, fines and/or reputational damage Where Milestone acts as a Data Processor on behalf of a client under a Master Services Agreement or similar engagement, the processing of Personal Data in that context is governed by the specific Data Processing Agreement concluded with that client. In such cases, the client acts as the Data Controller/Data Fiduciary, and Milestone’s obligations and liabilities are defined and limited by the terms of that Data Processing Agreement and MSA. This Policy does not create additional Controller-level obligations for Milestone in respect of Personal Data that it processes solely on client instructions. 

Milestone, as a Data Processor, is responsible for ensuring compliance with the requirements of the    Data Fiduciary and with the data protection requirements outlined in this Policy. Non-compliance may expose Milestone and the Data Fiduciary    to complaints, regulatory action, fines and/or reputational damage. 

Sub-Processor Management and Notification. Where Milestone engages sub-processors to assist in the delivery of services involving Personal Data, it shall ensure that sub-processors are bound by data protection obligations at least equivalent to those imposed on Milestone under the applicable Data Processing Agreement and this Policy.  

8. Governance

Everyone who works for or with Milestone has some responsibility to ensure that data is collected, stored, and handled appropriately. Each team that handles Personal Data must ensure that it is handled and processed in line with this Policy and data protection principles. The Board of Directors are responsible for ensuring that Milestone meets its legal obligations. 

9. Data Protection Officer

To demonstrate our commitment to data protection, and to enhance the effectiveness of our compliance efforts, Milestone has appointed the Chief Information Security Officer which shall act as the Data Protection Officer (“DPO”) at Milestone. The Data Protection Officer works with the Information Security  at Milestone along with members from the Executive Team. 

The duties of the Data Protection Officer and Information Security Team include: 

10. Data Protection by Design

To ensure that all data protection requirements are identified and addressed when designing new systems or processes or services and/or when reviewing or expanding existing systems or processes or services, each of them must go through an approval process before continuing. Each Milestone service/entity must ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the DPO, for all new and/or revised systems or processes for which it has responsibility. The subsequent findings of the DPIA must then be submitted to the Information Security Team for review and approval. Where applicable, any third-party Information Technology (IT) contractors, as part of Milestone’s IT system and application design review process, will cooperate with the DPO to assess the impact of any new technology uses on the security of Personal Data. Milestone shall publish a Privacy by Design Policy, where required under the DPDPA, describing managerial, organizational, business practices, and technical systems designed to safeguard Personal Data. 

11. Compliance Monitoring

To ensure that adequate level of compliance is being achieved by all Milestone services/entities in relation to this Policy, the DPO shall conduct regular data protection compliance audit for all such services/entities. Each audit will, as a minimum, assess: 

  • Compliance with Policy in relation to the protection of personal data, including: 
  • The assignment of responsibilities:  
    1. Raising awareness.
    2. Training of employees. 
    3. The effectiveness of data protection related operational practices, Data Protection Principles. 
    4. Regulatory Requirements to be updated as per legislative changes 

Milestone has adopted the following principles to govern its collection, use, correction, retention, transfer, disclosure, and destruction of Personal Data: 

12. Data Collection

12.1 Data Sources 

Personal data should be collected only from the Data Principal unless one of the following applies: 

If Personal Data is collected from someone other than the Data Principal, the Data Principal must be informed of the collection unless one of the following applies: 

Where it has been determined that notification to a Data Principal is required, notification should occur promptly, but in no case later than: 

12.2 Data Collection  

We will process the following categories of Personal Data about you: 

We may also collect, store, and use the following categories of Personal Data that may pose higher risk to Data Principals due to their nature or context: 

Processing of Special Categories of Personal Data shall be subject to enhanced safeguards to prevent harm to Data Principals. Where processing involves Special Categories of Personal Data, Milestone implements enhanced safeguards proportionate to the risk. 

You may provide us with Personal Data in the course of your employment with us. We also collect Personal Data about you through our application and recruitment processes, either directly from you or sometimes from third parties. The third parties from whom we may have collected your Personal Data include: 

Personal Data shall be collected only to the extent necessary for the specified purpose and shall not be excessive. 

13. Data Principal Consent

Each Milestone service/entity will obtain Personal Data only by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned. Where a need exists to request and receive the consent of an individual prior to the collection, use or disclosure of their personal data, Milestone is committed to seeking such consent. Consent, where required by applicable law, shall be:

Where Consent is not required, Milestone will rely on other lawful grounds permitted by applicable law. 

The Data Protection Officer, in cooperation with other relevant business representatives, shall establish a system for obtaining and documenting Data Principal Consent for the collection, processing, and/or transfer of their personal data. For its Indian customers/residents, Milestone shall appoint a Consent Manager fulfilling all the requirements of the Indian laws to give, manage, review and withdraw the Data Principal’s consent through an accessible, transparent and interoperable platform. Milestone shall maintain auditable records of Consent in a machine-readable format, where required by law. 

14. Data Principal Notification

Each Milestone service/entity will, when required by applicable law or contract, or where it considers that it is appropriate to do so, provide Data Principals with information as to the purpose of the processing of their personal data. When the Data Principal is asked to give Consent to the processing of Personal Data and when any Personal Data is collected from the Data Principal, all appropriate disclosures will be made, in a manner that draws attention to them, unless one of the following applies: 

As per DPDPA, the notice provided to Data Principals shall include:

15. External Privacy Notice

Each external website provided by Milestone will include an online ‘Privacy Statement’ and an online ‘Cookie Notice’, fulfilling the requirements of applicable law(s). 

16. Data Use

16.1 Data Processing

Milestone uses the personal data of its contacts for the following broad purposes: 

The use of a contact’s information should always be considered from their perspective and whether the use will be within their expectations or if they are likely to object. For example, it would clearly be within a contact’s expectations that their details will be used by Milestone to respond to a contact request for information about the  products and services on offer. However, it will not be within their reasonable expectations that Milestone would then provide their details to third parties for marketing purposes. 

Vendors, Contractors and other entities which use Milestone collected and processed data     will process Personal Data in accordance with all applicable laws and applicable contractual obligations. More specifically, Milestone will not process Personal Data unless at least one of the following requirements are met: 

  • For the specified purpose for which the Data Principal has voluntarily provided his personal data to Milestone, and in respect of which he has not indicated to us that he does not consent to the use of his personal data; 
  • For fulfilling any legal obligation to disclose any information to the government;
  • For compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; 
  • For responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; 
  • For taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; 
  • For taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order
  • For the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. 

There are some circumstances in which Personal Data may be further processed for purposes that go beyond the original purpose for which the personal data was collected. When deciding as to the compatibility of the new reason for processing, guidance and approval must be obtained from the Data Protection Officer before any such processing may commence. 

In any circumstance where consent has not been gained for the specific processing in question, Milestone will address the following additional conditions to determine the fairness and transparency of any processing beyond the original purpose for which the personal data was collected:  

16.2 Special Categories of Data

Milestone will only process Special Categories of Personal Data where the Data Principal expressly consents to such processing or where one of the following conditions apply:

16.3 Data Quality

Each Milestone service/entity will adopt all necessary measures to ensure that the personal data it collects, and processes is complete and accurate in the first instance and is updated to reflect the current situation of the Data Principal. The measures adopted by Milestone to ensure data quality include: 

17. Change of Purpose

We will only use your Personal Data for the purposes for which we collected it, unless we consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Where processing for a new purpose is materially different from the original purpose, Milestone shall obtain fresh Consent from the Data Principal unless otherwise permitted by law. 

Please note that we may process your Personal Data without your knowledge or Consent, in compliance with the above rules, where this is required or permitted by law. 

18. Profiling and Automated Decision Making

Milestone will only engage in profiling and automated decision-making where it is necessary to enter, or to perform, a contract with the Data Principal or where it is authorized by law. Where a Milestone service/entity utilizes profiling and automated decision-making, this will be disclosed to the relevant Data Principals. In such cases the Data Principal will be given the opportunity to: 

Milestone’s automated decision-making practices are designed to align with emerging regulatory standards, including the obligations relevant to high-risk AI systems under relevant laws and equivalent frameworks, as applicable. Any automated or algorithmic decision that produces a legal or similarly significant effect on a Data Principal shall be subject to the safeguards set out in the list below. 

19. Digital Marketing

As a rule, Milestone will not send promotional or direct marketing material to any Milestone contact through digital channels such as mobile phones, email, and the Internet, without obtaining explicit Consent of Data Principals. Any Milestone service/entity wishing to conduct a digital marketing campaign without obtaining prior Consent from the Data Principal must first have it approved by the Data Protection Officer. Where personal data (e.g., case studies or photographs) processing is approved for digital marketing purposes, the Data Principal must be informed at the point of first contact that they have the right to object, at any stage, to having their data processed for such purposes. If the Data Principal puts forward an objection, digital marketing related processing of their personal data must cease immediately, and their details should be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted. It should be noted that where digital marketing is conducted in a ‘business to business’ context, there is no legal requirement to obtain an indication of Consent to conduct digital marketing to individuals if they are given the opportunity to opt-out. Data Principals shall be provided with a clear and accessible mechanism to opt out of marketing communications at any time. 

20. Data Retention

To ensure fair processing, personal data will not be retained by Milestone for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. The length of time for which Milestone services/entities need to retain personal data is set out in Milestone’s ‘Data Retention Policy.’ This considers the legal and contractual requirements, both minimum and maximum, that influence the retention periods set forth in the schedule. All personal data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it. Personal data shall be deleted upon the earlier of: (a) the completion of the purpose for which it was collected or further processed; or (b) the expiration of any applicable legal or statutory holding period (including, without limitation, financial records required for tax audit purposes and employment records required by applicable labour law, which may require retention for up to seven (7) years or such longer period as prescribed by law). Where a Data Principal exercises a right to erasure and a statutory retention obligation applies, Milestone will restrict processing of the relevant data to compliance purposes only and delete it upon expiry of the mandatory holding period, notifying the Data Principal accordingly. 

21. Data Protection

Each Milestone service/entity will adopt physical, technical, and organizational measures to ensure the security of personal data. Security safeguards shall be proportionate to the risk of harm to Data Principals arising from unauthorized processing or data breaches. This includes the prevention of loss or damage, unauthorized alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment. A summary of the personal data related to security measures is provided below:

22. Data Principal Rights

Milestone Technologies has a system in place to enable and facilitate the exercise of Data Principal rights related to: 

22.1 Rights Pertaining to EU and UK Residents
22.2 Rights Pertaining to California Residents

While California residents have the right to opt out of the sale of their personal information under CCPA, we do not sell personal information to any third parties, and therefore, we have not included a “Do Not Sell My Personal Information” link on our Site. If our practices change, we will update this Privacy Policy and take any other necessary action to comply with applicable law. 

If you are a California resident and you want to exercise any of your rights as set forth above, please contact us at privacy@milestone.tech  For all requests, it is helpful to put the statement “California Privacy Rights” in the body of your request, describe the nature of your request, and provide your name, street address, city, state, and zip code. In your request, you need to attest to the fact that you are a California resident and provide a current California address for our response. 

22.3 Rights Pertaining to Singapore Residents
22.4 Rights Pertaining to Philippines Residents
22.5 Rights pertaining to Indian Residents

Under DPDPA, Milestone shall respond to Data Principal requests within timelines prescribed under applicable law. The Data Principals have the following rights:  

We shall upon receipt of such notice inform you of the repercussions of withdrawing your consent. We may not allow withdrawal of consent in circumstances where it is required or authorized under this Act or any other written law. It is essential to note that your withdrawal of consent could result in legal consequences arising from such withdrawal. 

Milestone will consider each such request in accordance with all applicable data protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature. Data Principals are entitled to make such request, made in writing or sending email to the Information Security Team at privacy@milestone.tech. 

*Rights under other applicable relevant laws can be referred to from the DSR Manual.    

23. Law Enforcement Requests and Disclosures

In certain circumstances, it is permitted that personal data be shared without the knowledge or consent of a Data Principal. This is the case where the disclosure of personal data is necessary for any of the following purposes: 

If a Milestone service/entity processes personal data for one of these purposes, then it may apply an exception to the processing rules outlined in this Policy but only to the extent that not doing so would be likely to prejudice the case in question. If any Milestone service/entity receives a request from a court or any regulatory or law enforcement authority for information relating to a Milestone contact, you must immediately notify the Data Protection Officer who will provide comprehensive guidance and assistance. 

24. Data Protection Training

All Milestone employees that have access to personal data will have their responsibilities under this Policy outlined to them as part of their staff induction training. In addition, each Milestone service/entity will receive regular Data Protection training and procedural guidance. All trainings will be recorded and can be always accessed by employees. 

25. Data Transfers

Milestone services/entities may transfer personal data to internal or third-party recipients located in another country where that country is recognized as having an adequate level of legal protection for the rights and freedoms of the relevant Data Principals. Where transfers need to be made to countries lacking an adequate level of legal protection (i.e., third countries), they must be made in compliance with an approved transfer mechanism. Internal data transfers within the organization are done using services which are compliant to privacy provisions of leading regulations. Cross-border data transfers are done either through the use of Binding Corporate Rules or Standard Contractual Clauses or Data Processing Agreements whichever the organization deems fit. Milestone services/entities may only transfer personal data where one of the transfer scenarios listed below applies:

In the case of Indian residents, the transfer of Personal Data to any other person or body corporate whether in India or outside India is permitted if that person or body corporate has the same level of protection that is provided under the Digital Personal Data Protection Act, 2023 (DPDPA), the applicable rules, and that the transfer is not restricted by the Central Government, subject to compliance with any conditions notified under the DPDPA. Milestone shall monitor notifications issued by the Government of India identifying restricted jurisdictions. 

26. Complaint Handling

Data Principals with a complaint about the processing of their personal data, should put forward the matter in writing to the Data Protection Officer (DPO). Data Principals can use the email address privacy@milestone.tech, or the phone number and postal address provided on Milestone’s website privacy statement, to reach out to the DPO. 

An investigation of the complaint will be conducted to the extent that it is appropriate based on the merits of the specific case. The Data Protection Officer will inform the Data Principal of the progress and the outcome of the complaint within a reasonable period. If the issue cannot be resolved through consultation between the Data Principal and the Data Protection Officer, then the Data Principal may, at their option, seek redress through mediation, binding arbitration, litigation, or via complaint to the Data Protection Authority within the applicable jurisdiction and/or Data Protection Board of India.

27. Data Breach

A Data Breach includes but is not limited to the following:

If any member of Staff, or other person learns of a suspected or actual Personal Data Breach, it must be reported to Information Security Team via mail at privacy@milestone.tech. The report should include as many details of the incident as possible, including date and time of the breach (if known), the nature of the information concerned, and how many individuals are involved. 

The Information Security Team will perform incident management and take appropriate remedial measures in a timely manner. Staff shall report any Data Breach as soon as they become aware of such breach. 

Milestone shall inform the relevant authority by notice about the breach of any personal data processed by them where such a breach may herein cause harm to any Data Principal. The notice, as mentioned, shall include the following particulars, as applicable:

The above notice shall be made by Milestone to the Authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, as required by applicable law. This timeline takes into account any time required to adopt urgent measures to remedy the breach or mitigate any immediate harm. Milestone shall provide such information to the Authority in phases if it is not possible to provide all the information specified above, without undue delay. Upon receipt of a notice, the Authority shall determine whether a such breach should be reported to the respective Data Principals by Milestone, considering the severity of the harm that may be caused to such Data Principals or whether some action is required on the part of the Data Principal to mitigate such harm. The Authority may, in addition, also post the details of the personal data breach on its website. 

28. Children's Personal Data

Milestone shall not process personal data of children without obtaining verifiable consent from a parent or lawful guardian, where required under applicable law. Processing likely to cause harm to children shall be prohibited.

29. Annexure 1: Definitions

Milestone shall not process personal data of children without obtaining verifiable consent from a parent or lawful guardian, where required under applicable law. Processing likely to cause harm to children shall be prohibited.
  1. The primary supervisory authorities for GDPR compliance are the Data Protection Authorities (DPAs) of each EU member state. Individuals can lodge complaints with their respective national DPAs, which oversees enforcement within that jurisdiction. 
  2. The Data Protection Board of India (DPBI) serves as the adjudicating authority under the DPDPA, responsible for addressing grievances, investigating breaches, and enforcing compliance with the law.
  3. The Personal Data Protection Commission (PDPC) is the regulatory authority under Singapore’s Personal Data Protection Act (PDPA). It is responsible for enforcing compliance, investigating breaches, addressing complaints, and issuing guidelines to support organizations in adhering to data protection requirements.
  4. Under the UK GDPR and UK DPA, the Information Commissioner’s Office (ICO) serves as the regulatory authority. It is responsible for overseeing compliance, investigating data breaches, addressing complaints, and enforcing data protection laws. 
  5. The National Privacy Commission (NPC) is the regulatory authority under the Philippines’ Data Privacy Act (PH-DPA). It is responsible for enforcing compliance, investigating data breaches, addressing complaints, and issuing guidelines to ensure the protection of personal data.  
  6. The California Attorney General’s Office serves as the primary adjudicating authority under the CCPA. In addition, the California Privacy Protection Agency (CPPA) has enforcement powers to ensure businesses comply with the CCPA. 
Skip to content