PRIVACY POLICY

Grapino Technology (“Firm”, “We”, “Us”, or “Our”), a Sole Proprietorship firm with its principal place of business at Grapino Technology, Jashpur, Chhattisgarh - 496224, operates the Grapino mobile applications and website (collectively, the “Platform”). This Privacy Policy describes how we collect, use, store, process, and protect the personal data of our Customers, Vendors, and Delivery Partners (individually referred to as a “Data Principal” and collectively as “Users”, “You”, or “Your”).

Grapino Technology acts as a “Data Fiduciary” under the Digital Personal Data Protection (DPDP) Act, 2023. This policy is strictly formulated to comply with the DPDP Act, 2023, the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Consumer Protection (E-Commerce) Rules, 2020 of India.

---

1. Lawful Basis and Categories of Data We Collect

We collect only specified, necessary, and minimal personal data required to perform our contractual obligations and deliver hyper-local e-commerce services, based on your explicit, unconditional consent.

• Customers: Name, dynamic delivery addresses, validated phone numbers, email addresses, transaction history, and precise device-level real-time geolocation data required exclusively for proximity order dispatch and routing.
• Vendors (Sellers): Authorized commercial contact profiles, registered business/trade names, pickup addresses, financial accounts for weekly settlements, Goods and Services Tax Identification Number (GSTIN), and Permanent Account Number (PAN).
• Delivery Partners: Contact numbers, banking credentials for payout disbursements, and continuous background/fine geolocation tracking data during active shift windows to compute logistics transit. Identity verification records (such as driving licenses, vehicle registrations, or government-issued photo badges) gathered during onboarding are processed securely for statutory compliance and access control.

2. Purpose of Processing Personal Data

Your personal data is processed solely for explicit, specified, and lawful purposes:

• Account initialization, verification, and transactional notification delivery executed via Firebase Cloud Messaging (FCM).
• Logistical fulfillment, route optimization for delivery partners, and transaction tracking.
• Processing financial transactions, executing weekly vendor settlements, and implementing mandatory statutory tax obligations, including **GST TCS** (Section 52 of the CGST Act) and **Income Tax TDS** (Section 194-O of the Income Tax Act, 1961).
• Investigating operational defects, detecting fraud, mitigating technical system failures, and enforcing customer safety protocols.

3. Data Sharing, Intermediary Disclosures, and Localization

As an intermediary marketplace framework under Section 79 of the Information Technology Act, 2000, data sharing is restricted strictly to operational necessity:

• Inter-User Disclosures: Customer physical coordinates and telephone contacts are shared selectively with assigned Vendors and Delivery Partners for order routing. Vendor identification details and registration credentials are appended to customer taxable invoices.
• Statutory Disclosures: We share personal profiles with government bodies, judicial courts, tax investigators, or law enforcement units when strictly mandated under prevailing Indian laws.
• Zero Marketing Exploitation: Grapino Technology maintains an explicit ban on the sale, rental, trade, or unconsented extraction of data profiles to third-party advertising brokers or external syndicates.
• Data Localization: All collected user metrics are structurally stored and processed within servers physically localized inside the territorial boundaries of the Republic of India.

4. Reasonable Security Practices & Data Retention

We maintain robust technical, organizational, and physical security measures that comply with international standards and the technical mandates of the IT Rules, 2011. Your personal records are retained only for as long as necessary to fulfill the operational purposes described in this policy, or to fulfill statutory periods required under Indian tax framework laws (such as GST and Income Tax retention codes).

5. Your Legal Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023, you retain enforceable rights over your data, which can be exercised through your platform dashboard:

• Right to Information & Summary: Access a summary of personal data currently being processed and a list of third parties with whom it has been shared.
• Right to Correction and Erasure: Rectify inaccurate tracking logs, update outdated parameters, or command the complete erasure of your platform footprint (subject to overriding legal retention codes).
• Right to Withdrawal of Consent: Revoke permissions at any point (e.g., background location metrics). Note that withdrawing core permissions may degrade or suspend matching hyper-local operational capabilities.
• Right to Grievance Redressal: Register complaints regarding omissions or data mishandling with the Firm before escalating to the Data Protection Board of India.

6. Statutory Redressal Officers & Grievance Mechanism

In compliance with the Information Technology Act, 2000, the Consumer Protection (E-Commerce) Rules, 2020, and the DPDP Act, 2023, the designated enforcement officers for Grapino Technology are detailed below.

Grievance submittals will be acknowledged within forty-eight (48) hours of receipt and processed to absolute closure within the legally stipulated limits or within one month from submission.