Back to Home

Privacy Policy

Last updated: 3 March 2026

This Privacy Policy describes how Tingrai Services (“DukaanBanao”, “we”, “us”, or “our”), operating at Anandapara, Margherita, collects, uses, stores, and protects your personal data when you use our platform at dukaanbanao.store (the “Platform”). This policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000.

1. Data We Collect

We collect the following personal data for the purposes stated below:

DataPurposeLegal Basis (DPDP Act)
Mobile numberAccount creation, login, WhatsApp order routingConsent + Contract performance
Password (hashed)Account authenticationContract performance
Store name, tagline, logoDisplaying your public catalogConsent
Product info (name, price, image, description)Catalog display and order messagingConsent
Payment dataSubscription billing (processed by Razorpay)Contract performance
IP address, browser infoSecurity, rate limiting, analyticsLegitimate use

We do not collect Aadhaar numbers, financial data beyond subscription payments, or sensitive personal data as defined under the DPDP Act.

2. Purpose Limitation

We only process your personal data for the specific purposes mentioned above. We will not use your data for any unrelated purpose without obtaining your fresh consent.

3. Data Processors (Third-Party Services)

We share your data with the following third-party processors to provide our services:

  • Razorpay (Razorpay Software Private Limited, India) — Subscription payment processing. Razorpay processes your payment information under their own PCI DSS compliant infrastructure. We do not store your card/UPI details.
  • Cloudinary (Cloudinary Ltd., Israel/USA) — Image hosting for product photos and store logos. Images are stored on Cloudinary’s servers.
  • Turso (Turso Inc., USA) — Cloud database hosting. Your account, store, and product data is stored in Turso’s edge database infrastructure.
  • Upstash (Upstash Inc., USA) — Redis caching and rate limiting. Temporary session and rate-limit data is stored.
  • Vercel (Vercel Inc., USA) — Application hosting and deployment. Serves the DukaanBanao platform to end users.

4. Cross-Border Data Transfer

Some of our data processors (Cloudinary, Turso, Upstash, Vercel) operate servers outside India, including in the United States. By using DukaanBanao, you consent to the transfer of your data to these countries. We ensure that these processors maintain adequate data protection standards. Once the Indian government notifies a list of approved countries under the DPDP Act, we will update this section accordingly.

5. Data Retention

  • Account data: Retained as long as your account is active. Deleted within 30 days of account deletion request.
  • Product/catalog data: Deleted when you remove products or delete your account.
  • Payment records: Retained for 8 years as required by Indian tax laws (Income Tax Act, 1961).
  • Server logs (IP, access): Retained for 90 days for security and debugging.
  • Rate limiting data: Automatically deleted within 1 hour.

6. Your Rights Under the DPDP Act, 2023

As a Data Principal, you have the following rights:

  • Right to Access: Request a summary of your personal data and how it is being processed.
  • Right to Correction: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data (subject to legal retention requirements).
  • Right to Withdraw Consent: Withdraw your consent at any time. This may result in loss of access to certain features.
  • Right to Nominate: Nominate another person to exercise your rights in case of your death or incapacity.
  • Right to Grievance Redressal: File a complaint with our Grievance Officer or the Data Protection Board of India.

To exercise any of these rights, email us at support@dukaanbanao.store with the subject “Data Rights Request”. We will respond within 30 days.

7. Cookies

We use the following cookies:

  • auth_token (httpOnly, essential) — Keeps you logged in. Expires in 7 days.
  • csrf-token (essential) — Protects against cross-site request forgery attacks.
  • cookie-consent (functional) — Remembers your cookie consent preference. Expires in 1 year.

We do not use any third-party tracking cookies, advertising cookies, or analytics cookies. All cookies used are strictly essential or functional.

8. Data Security

We implement the following security measures to protect your data:

  • Passwords are hashed using bcrypt (never stored in plain text)
  • All data transmission is encrypted using HTTPS/TLS
  • Authentication tokens are stored in httpOnly cookies (not accessible to JavaScript)
  • CSRF protection on all state-changing requests
  • Rate limiting and account lockout to prevent brute-force attacks
  • Input validation and sanitization on all API endpoints

9. Data Breach Notification

In the event of a personal data breach that is likely to cause harm to you, we will notify the Data Protection Board of India within 72 hours as required by the DPDP Act. We will also notify affected users via email or platform notification without unreasonable delay.

10. Children’s Data

DukaanBanao is intended for users aged 18 and above. We do not knowingly collect personal data from children (persons under 18 years). If a parent or guardian becomes aware that their child has provided us with personal data, please contact us immediately. We will delete such data within 72 hours of verification. As per the DPDP Act, processing of children’s data requires verifiable parental consent.

11. Information Sharing

We do not sell, trade, or rent your personal data to third parties. We may share data only in these circumstances:

  • With data processors listed in Section 3 (to provide our services)
  • When required by Indian law, court order, or government authority
  • To protect the rights, safety, or property of DukaanBanao or its users

Public data: Your store name, logo, tagline, products, and WhatsApp number are publicly visible to anyone who accesses your catalog URL. This is the core function of our platform.

12. Grievance Officer

In accordance with the DPDP Act, 2023, and the Information Technology Act, 2000, the details of the Grievance Officer are:

Email: support@dukaanbanao.store

Response time: Within 30 days of receiving a complaint

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India as constituted under the DPDP Act, 2023.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. If the changes materially affect how we process your personal data, we will seek your fresh consent where required by law.

14. Contact Us

For any questions about this Privacy Policy or to exercise your data rights, contact us at:

Email: support@dukaanbanao.store

Address: Anandapara, Margherita