Privacy policy

ExlService Holdings, Inc. and its affiliates/ subsidiaries (“Company”, “we” or “us”) worldwide, are committed to respecting your online privacy and recognizing your need for appropriate protection and management of any personally identifiable information ("PII") you share with us based on applicable data protection laws and regulations. This privacy notice describes our approach to privacy, what data we are collecting, how we are processing it, why we are collecting your personal data, processing/sharing and transfer of personal data and your rights relating to such personal data shared with us.

In this privacy notice, we would also provide information about different or higher jurisdiction-specific standards that apply in those particular locations.

If you have any questions or concerns about this privacy notice or your personal data, please contact us at Privacy@exlservice.com.

Table of contents

1. What personal data we collect and how; why we collect this information.

2. Lawful basis for processing personal data.

3. Security.

4. Third Party Links.

5. To whom we share your information with.

6. International and group company transfers of personal data.

7. Data storage and retention.

8. Data Subject rights:

Residents of Europe/UK

Residents of Australia

Residents of Philippines

Residents of South Africa

Residents of India

Residents of Columbia

Residents of Canada

Residents of USA (Federal and State Laws)

9. Information that we collect using cookies

10. Do Not Track (DNT)

11. Contact us and information regarding complaints.

12. Modifications to Statement.

1. What personal data we collect and how we collect it.

For the purposes of this privacy statement, 'Personal data is any data which relates to an individual who may be identified or identifiable from that data, or from a combination of a set of data, and other information which is in possession of EXL.

Depending upon the Site(s)/apps and context, the information shared by you or automatically collected whenever you visit our sites/apps:

Contact Information: Name, phone number, address, city, state, postal/zip code, and email address.

Financial Details & National IDs: Bank account details, NI number, SSN, PAN card, Aadhar card etc.

Demographic information: Date of birth, gender, occupation, country of origin, educational details, and employer details.

Account/registration Information: If you create user account on our website or use restricted access or password protected portions of the website, then we may collect name, password, email, telephone number, street address, city, state, country, postal code and other information useful to our products and services.

On the ‘Contact Us’ page: EXL uses the contact information you submit to enable us to respond to a general or business inquiry made by you, or on behalf of the company that you represent.

Internet and network activity when you visit our website: We use cookies and web beacons to collect data on how you use our websites, including your IP address, internet domain, browser type, type of operating system you use, domain name of your internet service provider, pages visited, and length of time spent on the site. You can customize your cookie preferences.

Social media widgets: Our Sites and applications may include social media features connected with social media platform such as Facebook, Twitter, Instagram, YouTube, LinkedIn and others. Your interactions with those features are governed by the privacy policies of the companies that provide them.

Our career portal: Our Site may include a link to our Career Section. Any Personal data submitted through that portion of the site, by upload or via e-mail, shall be governed as per this privacy policy.

Information from other sources: Depending on your relationship with us, we may receive information about you from other sources, including but not limited to data vendors, insurance providers, auditors, travel service providers, consulting firms, background check service providers, and social media to ensure the accuracy and completeness of your personal data.

This list will be reviewed at least once in 12 months and required changes will be made accordingly. This policy is reviewed at least once every 12 months unless changes are made to laws affecting it, in which case the policy will also be reviewed at that point.

Why Do We Collect These Information?

Unless otherwise provided in the Policy, we may use personal data collected from the Sites/Apps in various ways including:

  • To facilitate or fulfil the information, products or services you have requested
  • To contact the user for confirming your registration on our website
  • To communicate with the user to respond to his/her queries or seeking feedback or resolving disputes on the product and services
  • For business, marketing and promotional purposes such as sending information about special promotions, programs, schemes, offers, new features, plans on products/services and marketing communications that we believe may be of interest to you
  • For the legitimate business interest, such as prevention of money laundering, fraud detection and prevention, and enhancing safety
  • To consider an application from prospective Vendors for partnering with EXL
  • To educate you about us, our products and services or to understand your interest to improvise the content and performance of our Sites/Apps
  • For maintenance of high quality and standards of products and services
  • To send you important information regarding the Sites/Apps, changes in terms and conditions, user agreements, and policies and/or other administrative information
  • For internal business operations including:
    • i. Reviews and data analysis for the website (e.g., to determine the number, category of visitors to specific pages within the website)
    • ii. To manage, operate, maintain and secure our Sites/Apps, network system, and other assets and to customize/personalise your experience with us, which may include displaying content based upon your preferences
    • iii. For the purposes of analysing the use of the Sites/Apps, enabling and monitoring your use of our Sites, /Apps operating our Sites/Apps, ensuring the security of our Sites/Apps, for maintaining back-ups of our databases
    • iv. To help diagnose problems with our server, and to administer our Sites/Apps
  • To comply with our legal obligations or as otherwise permitted by law
  • To investigate potential breaches, or to protect the rights, property or safety of EXL, the users of our sites/apps or others
  • For any other purpose necessary or incidental to our business
  • For any other purpose for which you give your consent

In the event we use your personal data for other purposes, not specified above, we will inform you about the specific purposes for processing your personal data and, when required, our basis for doing so at the time we collect the personal data from you to the extent required by law.

For the purposes of clarity, we may also use your personal data in combination with information we obtain from third parties about you for the same purposes described above.

2. Lawful basis for processing personal data.

EXL utilises or processes the personal data it has acquired from you based on any of the below mentioned legal bases:

  • Consent: Where we process personal data based on consent, you will have the option to opt-out and will have the ability to withdraw your consent at any time. If at any point you wish to unsubscribe from any of our communications or opt-out of our services or in case of any queries/concerns with regards to your personal data processed by us, kindly feel free to contact us at Privacy@exlservice.com.
  • Contract: When we need to carry out a contract with you that we are about to enter into or have already entered into. This applies in any case where we provide services to you pursuant to a contract. If you do not provide the personal data that we need in order to provide our services, we may not be able to provide our services to you.
  • Legal or regulatory obligation: This includes records keeping and performing compliance reviews (e.g., anti-money laundering, financial checks). This includes automatic checks of the personal data you submit regarding your identification against appropriate databases, as well as contacting you to confirm your identity for compliance purposes or maintaining records of our communication for compliance purposes.
  • Legitimate interests: Wherever necessary for our legitimate interests, such as conducting and developing our business, meeting and anticipating the requirements of our current and prospective customers, appropriate controls to ensure our website, processes, and procedures are running effectively, for the prevention and detention of fraud, for Information Technology (IT) security purposes.

Consequences of not providing Personal Data

If you choose not to provide your Personal data that is mandatory to process your request, we may not be able to provide the corresponding service.

3. Security.

The Company has implemented technological and operational security processes to protect information from loss, misuse, alteration, or unintentional destruction. While no security measure can guarantee against compromise, the Company regularly reviews and updates its security measures in accordance with industry standards, in an effort to provide appropriate security for all information held by Company.

4. Third Party Links.

Our Sites/Apps may have links to the websites/Apps of other third parties and these third-party websites/Apps may collect personal data about Users for their own purpose, in such cases, our Privacy Policy does not extend to these external websites/Apps of third parties. Please be aware that if you access these links, you will be leaving our Site(s). We encourage users to read the privacy policies of those websites/apps, as we are not responsible for their content, links, or privacy procedures.

5. To whom we share your information with.

We may share the Personal data collected from the Sites/Apps with third parties as outlined in this section.

Affiliates

Our parent business, subsidiaries, joint ventures, group of firms, and affiliated companies. These entities may use this information for the aforementioned purposes.

Business Partner

  • Service Providers who perform services on behalf of EXL and may require information about you in order to perform their functions, such as authorised service partners, payroll processors, call centre operators, marketing contractors, social media website providers, IT agencies handling or maintaining Sites/Apps, storing/processing information, overseas service providers who work for us, and so on.
  • Suppliers, research and development vendors, professional advisers, agents, representatives, and other EXL business associates

Legal Authorities

We may disclose your personal data in response to any notification, order, inquiry, demand, request, or other communication from a law enforcement agency that requires or mandates the disclosure of such personal data, or in accordance with applicable laws.

Changes in Corporate Structure

In the event that EXL is involved in a merger, acquisition, reorganisation, or sale of assets, or if it files for bankruptcy, your information may be transferred as part of such transaction. We keep a copy of such information.

We DO NOT use or disclose Information for purposes other than as mentioned in this Policy, except with the consent of user providing such Information or as required by law.

6. International transfers of your information.

In nearly all cases, the above-described data may be collected or processed by, and transferred to, the Company’s facilities in the United States and in other jurisdictions where the Company performs its business activities, such as India, South Africa, Australia, the Philippines, Canada, Colombia, Europe and UK; the data may then be subject to the legal systems of those countries. This may be done through the website’s internet service provider (ISP) or through the use of such tools as google analytics. This information is gathered to improve the quality of our services and our ability to market those products and services to specific individuals and organizations that could benefit from them.

We only transfer personal data to countries that provide an adequate level of protection and/or we ensure that we have appropriate safeguards (such as standard contractual clauses etc.) in place to cover these transfers, as permitted by the applicable data protection legislation.

You may contact us to find out more about the relevant safeguards in place for cross-border transfers (see “Contact information” below).

7. Data storage and retention.

Your personal data processed by EXL are kept in a form which permits your identification for no longer than is necessary for the purposes for which the personal data are processed in line with legal, regulatory, contractual or statutory obligations as applicable. At the expiry of such periods, your personal data will be deleted or archived to comply with legal/contractual retention obligations or in accordance with applicable statutory limitation periods.

8. Data Subject Rights.

You may have certain rights in relation to your personal data pursuant to data protection laws in your jurisdiction. To exercise such rights, please contact here. The rights for certain jurisdictions are explained in further detail below.

Residents of Europe and the UK:

  • The right to request access to your personal data and request details of the processing activities conducted by us.
  • The right to erasure of your personal data under certain circumstances.
  • The right to request for rectification of your personal data if it is inaccurate or incomplete.
  • The right to request restriction of the processing of your personal data in certain circumstances.
  • The right to object to the processing, including the sale or commercial use, of your personal data in certain cases.
  • You may opt-out of receiving non-essential (promotional, marketing-related) communications from us. If you want to opt-out from any such communication, then you may send an email to Privacy@exlservice.com.
  • The right to object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
  • The right to withdraw your consent provided at any time by contacting us.

In accordance with the GDPR, we will respond to your request within one month upon receipt of your request. Provided we are unable to progress your response, we will contact you. In certain circumstances, we may extend the timeline of our response to 3 months in accordance with applicable law.

Residents of Australia:

We recognize that individuals must have the option to not identify themselves, or to use a pseudonym when liaising with us. We seek to provide this option to the extent possible. However, due to the nature of our business operations, it is impracticable in most cases for us to deal with individuals who have not identified themselves or who use a pseudonym.

As a resident of Australia, you have the following rights:

  • The right to have your personal data de-identified and/or destroyed.
  • The right to require that any personal data held and processed by us is accurate, up-to-date, and complete. If the information is inaccurate, incomplete and/or out-of-date, you have the right to request that it is corrected.
  • The right to be informed regarding when and how your personal data is collected, used and disclosed.
  • The right to “opt out” of your personal data being used for direct marketing purposes.
  • The right to request Data Holders and accredited bodies to share information relating to yourself, with consent, in a standardized machine-readable format.

Residents of the Philippines:

  • The right to be informed about your personal data being collected and processed.
  • The right to access to your personal data.
  • The right to object to processing of your personal data if the personal data processing involved is based on consent or legitimate interest.
  • The right to erasure or blocking of your personal data under certain circumstances.
  • The right to file a complaint with the National Privacy Commission (NPC) if your personal data has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated.
  • The right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of their personal data.
  • The right to rectify your personal data under certain circumstances.
  • The right to data portability.

Residents of South Africa:

  • Request access to your personal data and request details of the processing activities conducted by us and third parties, within a reasonable time and at a prescribed fee, if any.
  • Request that your personal data is rectified if it is inaccurate or incomplete, irrelevant, excessive, out of date, misleading or obtained unlawfully.
  • Request the destruction or de-identification of your personal data where we are no longer authorised to retain the information.
  • Right to Request restriction of the processing of your personal data by us in certain circumstances.
  • Right to object to the processing of your personal data in certain circumstances.
  • Receive your personal data in a structured, commonly used and machine-readable format in certain circumstances.
  • Lodge a complaint with the Information Regulator.
  • Right to Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
  • Right to withdraw any consent you have provided to us at any time by contacting us.

Residents of India:

  • Request details/summary of the processing activities conducted by us and third parties, within a reasonable time and at a prescribed fee, if any.
  • Request that your personal data is rectified if it is inaccurate or incomplete, irrelevant, excessive, out of date, misleading or obtained unlawfully.
  • Request the identity of all the third parties with whom the personal data has been shared by us, along with a description of the personal data so shared, unless prohibited by applicable law.
  • Request the erasure of your personal data where we are no longer legally authorised to retain the information.
  • Lodge a complaint with the grievance redressal mechanism set up by us.
  • Right to withdraw any consent you have provided to us at any time by contacting us.

Residents of Colombia:

  • The right to be informed about the use of your personal data.
  • The right to access (includes right to data portability).
  • Under certain circumstances, you have the right to have your personal data rectified.
  • Right to revoke authorisation and/or request the deletion of data when processing is not compliant with principles, rights, and constitutional guarantees. The revocation and/or deletion shall proceed when the SIC determines that the processing by the data controller or data processor was contrary to the law and the Constitution
  • To request evidence of the consent granted to the data controller, except when consent is not required for the processing; and
  • To submit to the SIC claims for violations of the provisions contained in the Data Protection Law and other rules that modify, amend, or complement it.

Residents of Canada:

  • The right to be informed of the existence, use, and disclosure of their personal data.
  • The right to access your personal data.
  • Individuals have the right to challenge the accuracy and completeness of that information and have it amended/rectified as appropriate.
  • Individuals can withdraw their consent to the collection, use and disclosure of their PI, including for marketing purposes.
  • Right to file a complaint with relevant privacy regulator(s).

Residents of USA (Federal and State Laws):

Virginia-

  • In accordance with §59.1-574(C) of the CDPA, you have the right to be informed about the categories of personal data collected and processed, information shared and sold to third parties, purpose, all uses and disclosures.
  • The right to access, rectify and erasure of your personal data.
  • The right to data portability.
  • The right to opt out of the processing of their personal data for purposes of:
    Targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
  • The right to appeal against a controller's refusal to take action following a consumer's request to exercise their rights.

Colorado-

  • In accordance with §6-1-1308(1)(a) to (b) of the CPA, you have the right to be informed about the categories of personal data collected and processed, information shared and sold to third parties, purpose, all uses and disclosures.
  • The right to access, rectify and erasure of your personal data.
  • The right to data portability.
  • A consumer has the right to opt out of the processing of personal data concerning the consumer (§6-1-1306(1)(a) of the CPA) for the purposes of:
    Targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

California-

  • The right to know what information the business collects, discloses, and if applicable, sells (as defined in section 1798.140(t) of the California Consumer Privacy Act (CCPA)).
  • The right to access what personal data has been collected about you by making a proper Verifiable Consumer Request (VCR). Through a VCR, you may request:
    1. the categories of personal data collected about you in the preceding 12 months;
    2. the categories of sources from which personal data is collected; the business or commercial purposes behind collecting personal data;
    3. the categories of third parties with whom we share personal data; and
    4. specific pieces of personal data collected about you.
  • If the business has “sold” (as that term is defined in section 1798.140(t) of the CCPA) or disclosed your personal data for a business purpose, you have the right to request an itemized list of the categories of personal data:
    1. Personal data collected about you
    2. Sold about you (this includes categories of third parties to whom information was sold and what categories of personal data for each third party); and
    3. Disclosed about you for a business purpose.
  • The right to opt out of the sale of your personal data to a third party at any time.
  • The right to request deletion of personal data that has been collected about you, subject to certain exceptions.
  • The right to non-discrimination against you for exercising any of the rights listed above.

We do not sell personal data as defined in section 1798.140(t) of the CCPA. We also do not sell the personal data of children under age 16 without affirmative authorization.

How to submit a request.

You may submit a request to exercise your rights through any one of three means:

  • By visiting the privacy page in your account portal, where you can request and download specific pieces of information we have collected. By logging in to your account to submit the request, you will be able to automatically verify your identity, which will result in faster processing of your request.
  • By filling out a consumer data request form available here.
  • By calling us at the applicable office or, if available, the designated 800 number as mentioned below.

9. Information that we collect using cookies

Please refer the https://www.exlservice.com/cookie-policy.

10. Do Not Track

Do Not Track (DNT) is a privacy preference that users can set in some web browsers, allowing users to opt out of tracking by websites and online services. At the present time, the World Wide Web Consortium (W3C) has not yet established universal standards for recognizable DNT signals and therefore, EXL Company and the Site do not recognize DNT.

11. Contact us and information regarding complaints.

Contact us:

Please contact us with any concerns you may have. You can contact us by writing to us at Privacy@exlservice.com

1855-760-3562

* For California residents only

# For individuals from other geographies

You may also have the right to complain about the use of your personal data to the applicable authority with oversight of applicable data protection laws. The European GDPR, give you the right to lodge a complaint with a supervisory authority, in the Member State where you particularly work, normally live, or where any alleged infringement of data protection laws has occurred. For other data protection laws, where applicable, you can contact the nominated data protection supervisory body in that jurisdiction.

12. Modifications to Statement.

The Company reserves the right to change, modify, or update this statement at any time. We indicate the date of the current statement below, so you know when it was last updated. Continued use of the website after any such revision or modification constitutes your acceptance of the privacy statement as so revised or modified, where permitted by law.

 

Version: 31st July 2024