Legal · Privacy

Privacy policy

Last updated: 15 July 2026 · Governed by India's Digital Personal Data Protection Act, 2025

1. Introduction and our role

VivahMandi (“VivahMandi”, “we”, “us”) is a B2B marketplace operated by [[FILL IN: registered entity name]] (CIN [[FILL IN: CIN]]), registered office at [[FILL IN: registered address]], India (“the Company”). This policy explains, in plain language, what personal data we collect from buyers, sellers and visitors, why we collect it, who we share it with, and the rights you have over it under the Digital Personal Data Protection Act, 2025 (“DPDP Act”) and its associated Rules.

For personal data we collect and use for our own purposes — running your account, verifying sellers, processing payments, sending notifications, improving the platform — we act as a Data Fiduciary: we determine why and how that data is processed. Where we handle personal data solely to enable a transaction between a specific buyer and a specific seller (for example, passing a delivery address to the seller who is shipping an order, or passing KYC details to our payment partner to onboard a seller for payouts), we act as a Data Processor facilitating that exchange on the parties’ behalf.

2. Personal data we collect

Account & identity

  • Name, email address and phone number
  • Password (stored hashed, never in plain text)
  • Shipping and billing addresses

Seller verification (KYC)

  • GSTIN (a public business identifier, used to verify GST registration and gate inter-state sale)
  • PAN and Aadhaar (encrypted at rest; used for identity and payout onboarding)
  • Bank account or UPI details (encrypted at rest; used to pay out seller settlements)
  • Business/store name and, currently, an Instagram handle collected as part of seller onboarding for storefront verification

Transaction data

  • Orders, offers, listings, disputes and messages between buyers and sellers
  • Payment confirmation and settlement data from our payment partner (we do not store card or UPI credentials ourselves)

Automatically collected information

  • Device information and browser type
  • IP address and coarse location data
  • Usage data and browsing behaviour on the platform
  • Cookies and similar technologies (see our Cookie Policy)

3. Why we collect it — itemized notice

As required under the DPDP Act, here is what we use each category of data for:

  • Facilitate transactions: account, identity and address data — to let buyers and sellers find, negotiate and complete a sale, including sharing a buyer’s delivery address with the seller fulfilling that order
  • Verify sellers & prevent fraud: GSTIN, PAN, Aadhaar, bank/UPI details — to confirm a seller’s identity and GST registration before they can list
  • Process payments & payouts: transaction and KYC data — shared with our payment partner to collect, hold in escrow and release funds, and to compute and remit statutory tax withholding (GST, TCS)
  • Customer support & dispute resolution: order, message and evidence data — to review and resolve disputes between buyers and sellers
  • Transactional notifications: contact details — order confirmations, delivery/inspection-window updates, dispute status
  • Platform security & fraud prevention: device/usage data — to detect abuse and protect accounts
  • Improve the platform: aggregated usage data — to understand what is and isn’t working
  • Marketing communications: contact details — only with your consent, and you can withdraw it at any time
  • Legal & regulatory compliance: transaction, tax and KYC data — retained and disclosed where Indian law (GST, income tax, RBI payment-aggregator rules, anti-money-laundering law, or a court/regulator) requires it

4. Lawful basis and your consent

Where we rely on consent (for example, marketing communications, or optional profile data), that consent is free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and you can withdraw it at any time as easily as you gave it — withdrawal does not affect processing already carried out, and does not affect our ability to complete an order you have already placed.

For some processing we do not need separate consent because it falls under the DPDP Act’s “legitimate uses”, notably: data you voluntarily provide to us for a specified purpose (e.g. creating a listing), and processing needed to comply with an obligation under Indian law (e.g. GST invoicing, TCS/TDS withholding under Section 52 of the CGST Act, RBI payment-aggregator KYC, or a court order).

5. How we share your information — sub-processor register

We share personal data only where necessary to run the platform, with the following categories of recipients:

  • Other users: buyers see the seller’s store name, GST-verification badge and location; the seller fulfilling an order receives the buyer’s shipping address and contact number for that order only
  • Cashfree (payments & escrow): our payment aggregator — processes payments, holds funds in escrow during the inspection window, handles seller payouts and buyer refunds
  • Our self-hosted Supabase stack (authentication & storage): hosts your login credentials and account data, and product/listing images, on India-based infrastructure we control
  • Resend (transactional email): delivers account, order and notification emails on our behalf
  • Our GSTIN/KYB verification provider: confirms a seller’s GST registration status against government records during onboarding
  • Freight/logistics providers you or the seller choose: VivahMandi does not run an integrated carrier network — buyer and seller agree on a courier or freight arrangement for each order, and any tracking details entered are visible to both parties (see our Shipping Policy)
  • Internal AI-assisted admin tooling: authorized VivahMandi personnel use an AI assistant to query operational data (orders, listings, seller status) for support, moderation and analytics. This tooling is accessible only to authorized staff, is never used to make an automated decision that produces a legal or similarly significant effect on you, and does not receive your KYC, bank or payment credentials
  • Legal authorities: when required by law, a valid legal process, or to protect the rights, safety or property of VivahMandi or our users

We do not sell personal data to anyone, for any purpose.

6. Cross-border data transfers

Personal data is hosted on India-based infrastructure. Some service providers listed above may process data using infrastructure located outside India in the ordinary course of providing their service. Where that happens, we require the provider to protect the data to a standard consistent with the DPDP Act, and we do not transfer personal data to any country the Central Government has restricted under the Act.

7. Data security

KYC fields (PAN, Aadhaar, bank account, UPI ID) are encrypted at rest with AES-256-GCM; GSTIN is kept in plain text because it is a public business identifier printed on every tax invoice. We apply access controls, encryption in transit and append-only audit logging on money and verification actions. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security — but we work to reduce risk and will tell you if something goes wrong (see below).

8. Data breach notification

If a personal data breach occurs, we will assess it, contain it, and notify the Data Protection Board of India and affected data principals without undue delay, and in any event within 72 hours of becoming aware of it, in line with the DPDP Rules, 2025. The notification will describe the nature of the breach, the data likely affected, and the steps we are taking and recommend you take.

9. Data retention

Retention is purpose-based, not indefinite:

  • Account data: retained while your account is active; if you delete your account, we anonymize your profile (name, email, phone, avatar removed) immediately — order records stay linked to an anonymized account so the transaction history of the other party is not broken
  • KYC data: retained for as long as required under RBI payment-aggregator and anti-money-laundering rules, then deleted or irreversibly de-identified
  • Tax & financial records (invoices, GST, TCS/TDS): retained for the period mandated under Indian tax law (currently up to 8 years), regardless of account deletion
  • Dispute & audit records: retained for as long as needed to defend a legal claim or satisfy audit requirements; these are append-only and are not deleted on request, but the personal data within them is erased or redacted once the retention purpose lapses
  • Marketing data: retained until you withdraw consent

10. Your rights as a data principal

Under the DPDP Act, you have the right to:

  • Access a summary of the personal data we hold about you and how it has been processed
  • Correct inaccurate or incomplete personal data
  • Erase personal data that is no longer necessary for the purpose it was collected for, subject to our legal retention obligations above
  • Withdraw consent for any consent-based processing (e.g. marketing) at any time
  • Nominate another individual to exercise these rights on your behalf in the event of your death or incapacity
  • Grievance redressal — raise a complaint with our Grievance Officer (below) if you believe your rights have not been respected

11. How to exercise your rights

Delete or update your account and addresses directly from My account. For access, correction, erasure, nomination or any other rights request, email support@vivahmandi.com with the subject line “DPDP Rights Request”. We will verify your identity and respond as soon as reasonably possible, and in any event within 30 days.

12. Grievance Officer

In accordance with the DPDP Act and the Information Technology Act, 2000, our Grievance Officer is:

  • Name: [[FILL IN: Grievance Officer name]]
  • Email: [[FILL IN: Grievance Officer email]]
  • Phone: [[FILL IN: Grievance Officer phone]]
  • Address: [[FILL IN: registered address]]

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India in the manner prescribed under the DPDP Act.

13. Children’s data

VivahMandi is a trade platform for verified businesses and professionals and is not directed at or intended for use by anyone under 18. We do not knowingly collect personal data from children. If we become aware that we have, we will delete it promptly.

14. Cookies

We use cookies and similar technologies for authentication, essential site functions, and (with consent) analytics. See our Cookie Policy for details on what we use and how to manage your preferences.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or the law. We will post the revised policy here with an updated “last updated” date and, for material changes, notify you by email or an in-platform notice.

16. Contact us

For privacy-related questions or to exercise your rights, contact us at support@vivahmandi.com. Phone: [[FILL IN: support phone number]].