Privacy policy
This Privacy Policy (“Policy”) was last updated on 16th August, 2025 (“Effective Date”). Harkaran Boparai Retail Limited (“Company”) is committed to respecting the privacy and safeguarding the personal data of its customers, website visitors, vendors, employees, and all other stakeholders. As a responsible e-commerce brand engaged in the sale of apparel through its digital platform, the Company recognises the critical importance of transparency, consent, and data protection in building lasting trust.
This Privacy Policy is designed in compliance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and relevant rules including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. It is also informed by global privacy standards and industry best practices.
Company is committed to ensuring that all personal data is collected, stored, used, and shared in a secure, lawful, and fair manner. We believe in empowering our users with meaningful choices, data rights, and access to redressal mechanisms to protect their privacy interests.
WHEREAS
A. Harkaran Boparai Retail Limited (“Company”) operates an online apparel platform and is committed to protecting the personal data and privacy rights of its users and stakeholders in accordance with the highest standards of transparency, accountability, and ethical data governance;
B. The Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 require data fiduciaries such as the Company to establish clear privacy practices, ensure security safeguards, and provide mechanisms for informed consent and redressal;
C. The Company acknowledges that personal data, including sensitive personal data such as payment information, must be processed lawfully, with consent or legitimate basis, and handled in a manner that prevents misuse, loss, or unauthorized access;
D. The Company aims to foster user trust and legal compliance by establishing this comprehensive Privacy Policy, which ensures that all individuals interacting with the brand—whether as buyers, browsers, service providers, or personnel—are informed of their rights, the Company’s obligations, and the mechanisms available for grievance redressal and data protection;
NOW THEREFORE, Harkaran Boparai Retail Limited hereby adopts this Privacy Policy to provide a clear, lawful, and user-friendly framework for the collection, processing, storage, and protection of personal data, thereby reinforcing its commitment to privacy, compliance, and responsible data stewardship.
1. DEFINITIONS AND INTERPRETATION
1.1. Definitions: In this Policy (including the recitals above), except where the context otherwise requires, the following words and expressions shall bear the meaning assigned to them below:
a) “Act” shall mean the Digital Personal Data Protection Act, 2023, including all applicable rules, notifications, and amendments relating to the collection, processing, storage, transfer, and protection of personal data in India, and shall include the Information Technology Act, 2000, and IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, to the extent applicable.
b) “Data Principal” shall mean the individual to whom the personal data relates, and includes any user, customer, website visitor, or individual whose personal data is processed by the Company.
c) “Data Fiduciary” shall mean Harkaran Boparai Retail Limited, which determines the purpose and means of processing personal data in its capacity as a data fiduciary under the Act.
d) “Personal Data” shall mean any data about an individual who is identifiable by or in relation to such data, whether directly or indirectly, through reference to identifiers such as name, contact details, location data, online identifiers, or any other characteristic or attribute of identity.
e) “Sensitive Personal Data” shall mean personal data that relates to passwords, financial information such as bank account or credit card details, biometric data, and any other category of data notified as sensitive under applicable law.
f) “Processing” shall mean any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
g) “Consent” shall mean any freely given, specific, informed, and unambiguous indication of the Data Principal’s agreement to the processing of their personal data for the intended purpose, either through a clear affirmative action or through any other prescribed manner under applicable law.
h) “Grievance Officer” shall mean the designated individual appointed by the Company to address privacy-related grievances and ensure redressal in accordance with the timelines and procedures under the Act.
i) “Third Parties” shall mean any external persons or entities, including service providers, contractors, consultants, logistics partners, and technology vendors, with whom personal data may be shared for business purposes, subject to appropriate safeguards.
j) “Data Breach” shall mean any unauthorised or accidental disclosure, alteration, loss, access, or destruction of personal data that compromises its confidentiality, integrity, or availability.
k) “Website” shall mean the online platform of the Company, accessible at https://hb.store/, including all subdomains and mobile applications operated by or on behalf of the Company.
l) “User” shall mean any individual who accesses or uses the Company’s website, interacts with its services, purchases products, or otherwise provides personal data to the Company.
m) “Personnel” shall mean all full-time, part-time, probationary, temporary, or contractual employees, interns, consultants, and authorised representatives of the Company, regardless of location or designation.
n) “Nominee” shall mean a person appointed by a Data Principal under the Act to act on their behalf in the event of their death or incapacity.
o) “Notice” shall mean a clear and accessible statement provided by the Company to the Data Principal, before collecting personal data, informing them of the purpose, method, legal basis, and rights in relation to such processing.
1.2. Interpretation
a) In addition to the terms defined above, certain terms may be defined elsewhere in this Policy, and wherever such terms are used, they shall have the meaning assigned to them.
b) Section headings are for convenience only and shall not affect the construction or interpretation of any provision of this Policy.
c) References to sections or annexures are, unless the context otherwise requires, references to sections or annexures of this Policy.
d) Where a word or phrase is defined, other parts of speech and grammatical forms and the cognate variations of that word or phrase will have corresponding meanings.
e) Words denoting singular shall include the plural and vice versa, and words denoting any gender shall include all genders unless the context otherwise requires.
f) The terms “hereof”, “herein”, “hereto” and derivative or similar words refer to this entire Policy or specified Sections of this Policy, as the case may be.
g) All references to this Policy shall include any amendments or updates to this Policy, as approved by the Compliance Officer or the designated authority from time to time.
2. PURPOSE
a) This Privacy Policy (“Policy”) applies to all Personal Data collected, received, processed, stored, disclosed, transferred, or otherwise handled by Harkaran Boparai Retail Limited (“Company”) in the course of its operations through its website https://hb.store/, mobile applications, communication platforms, or other digital interfaces owned or operated by the Company (“Platform”). This Policy governs the privacy practices adopted by the Company in relation to:
(i) Individuals who visit, access, or use the Platform, including those who browse the site, place an order, register an account, or engage in any communication or transaction with Company (“Users”);
(ii) All categories of Data Principals whose Personal Data is processed by the Company, including customers, prospective customers, business partners, vendors, employees, consultants, service providers, and visitors who voluntarily provide their data;
(iii) Personal Data collected through both online and offline channels, including but not limited to customer interactions, surveys, feedback forms, product inquiries, email communications, social media interactions, and payment gateways;
(iv) Third parties acting on behalf of the Company (such as logistics providers, payment processors, marketing affiliates, or cloud service providers), to the extent that they process Personal Data under the Company’s instructions and authority;
(v) Personal Data processed in India, as well as data collected from Users outside India but processed or stored in India, subject to applicable local and cross-border data transfer laws.
b) This Policy shall apply regardless of the device, platform, or medium used to access the Company’s services, including desktops, mobile phones, tablets, smart devices, and other digital channels.
c) This Policy does not apply to:
(i) Aggregated or anonymised information that does not, directly or indirectly, identify an individual;
(ii) Third-party websites, platforms, or applications which may be linked from the Company’s Platform but are not owned or operated by the Company. Users are encouraged to review the privacy policies of such third-party services independently;
(iii) Data that is collected or processed for purely personal, household, or journalistic purposes by individuals and is exempted under the provisions of the Digital Personal Data Protection Act, 2023.
d) By accessing or using the Platform or otherwise providing Personal Data to the Company, the User expressly acknowledges and agrees to the terms of this Policy, and consents to the processing of their Personal Data in accordance with the terms stated herein.
e) In case of any conflict between this Policy and any contractual terms agreed between the Company and any Data Principal (such as employees, vendors, or consultants), the provisions offering higher privacy protection shall prevail, unless otherwise required by applicable law.
3. CATEGORIES OF PERSONAL DATA COLLECTED
a) In the course of providing its products, services, and operating its Platform, the Company may collect and process the following categories of Personal Data, either directly from the User or through third-party service providers acting on its behalf:
| CATEGORY | DESCRIPTION | SOURCE |
|---|---|---|
| Identity Data | Full name, username, gender, date of birth, profile photo (if provided), user ID | User during account registration or checkout |
| Contact Data | Email address, mobile number, billing address, shipping address | Checkout forms, account registration |
| Payment and Financial Data | Credit/debit card number (masked), UPI ID, bank account details (limited), billing transaction ID, payment timestamps | Payment gateway, order processing |
| Order and Transaction Data | Purchase history, order ID, cart items, delivery tracking number, mode of payment | Platform backend, logistics partners |
| Device & Technical Data | IP address, browser type, device type, operating system, screen resolution, time zone, device identifiers | Automatically via website or app |
| Usage Data | Browsing behaviour, clickstream, pages visited, time spent, items added to cart or wishlist | Analytics tools, cookies |
| Marketing & Communication Data | Newsletter opt-in, promotional preferences, communication logs, feedback or responses | User entries, CRM tools |
| Account Credentials | Hashed passwords, OTP verification records, login timestamps | Registration & login systems |
| Social Media Data | Public profile name, email ID, or linked account data when logged in via social platforms | Facebook, Google login integrations |
| Customer Support Data | Chat transcripts, service tickets, complaint records, call recordings (if applicable) | Helpdesk tools, email/chat support |
| Location Data (if any) | Approximate geolocation or delivery location via IP or GPS (when permitted by the user) | Device/browser during use |
| Referral or Affiliate Data | Referral codes, influencer coupon usage, affiliate tracking URLs | Marketing platforms |
| User-Generated Content | Product reviews, comments, feedback, testimonials, and uploaded media (images/videos) | Platform, user interaction |
b) The above Personal Data may be collected at the time of account creation, while placing an order, subscribing to newsletters, interacting with the Platform or customer care, participating in surveys or contests, or otherwise voluntarily provided by the User.
c) In addition to the above, the Company may collect certain Non-Personal Data (data that does not identify an individual directly or indirectly), which may include aggregated statistics, anonymised usage metrics, and analytics data, solely for internal research, service improvement, or marketing performance purposes.
d) The Company does not intentionally collect or process biometric data, health data, or official government identifiers (such as Aadhaar or PAN), unless specifically required by law or consented to by the User for a legitimate purpose.
4. PURPOSE OF DATA COLLECTION & USE
a) The Company collects and processes Personal Data only for specified, lawful, and legitimate purposes. Such processing is done either with the consent of the Data Principal or as reasonably necessary for the performance of a contract, compliance with legal obligations, or for purposes permissible under applicable law.
b) The following table outlines the specific purposes for which each category of Personal Data may be collected and used:
| PURPOSE OF PROCESSING | CATEGORY OF PERSONAL DATA INVOLVED | LEGAL BASIS UNDER DPDPA |
|---|---|---|
| To process, fulfil and deliver orders | Identity Data, Contact Data, Payment Data, Transaction Data, Location Data | Performance of contract; Consent |
| To provide account registration and login functionality | Identity Data, Account Credentials, Contact Data | Consent; Legitimate use |
| To communicate order updates and service-related information | Contact Data, Order Data, Transaction Data | Legitimate use; Performance of contract |
| To personalise user experience and recommend products | Usage Data, Device Data, Purchase History, Wishlist | Consent (via cookies); Legitimate use |
| To conduct marketing campaigns and send promotional content | Contact Data, Marketing Preferences, Purchase History | Explicit Consent |
| To conduct customer satisfaction surveys, reviews, and feedback | Contact Data, Usage Data, Review Content | Consent |
| To provide customer service and resolve complaints | Contact Data, Order Data, Support Data | Legitimate use; Performance of contract |
| To detect and prevent fraud, abuse or policy violations | Identity Data, Device Data, Transaction Data | Legitimate use; Legal obligation |
| To comply with applicable legal, regulatory and tax requirements | Identity Data, Transaction Data, Payment Data | Legal obligation |
| To maintain records for audit, dispute resolution, and risk management | Identity Data, Transaction Data, Payment Data, Contact Data | Legal obligation; Legitimate interest |
| To improve website performance, analytics and internal reporting | Usage Data, Device Data, Aggregated Non-Personal Data | Consent (via cookie consent); Legitimate use |
| To process influencer codes and affiliate marketing programs | Referral Data, Identity Data, Transaction Data | Consent; Performance of contract |
c) The Company does not use Personal Data for any purpose other than those stated above without providing appropriate notice and, where applicable, obtaining specific and informed consent from the Data Principal.
d) Where consent is the legal basis for processing, the User may withdraw such consent at any time by contacting the Grievance Officer or using the mechanisms provided on the Platform. However, withdrawal of consent may affect the ability to deliver certain products or services.
e) The Company ensures that all processing of Personal Data is proportionate, limited to the extent necessary for the stated purposes, and in accordance with the principles of fairness, transparency, and accountability under applicable law.
5. LEGAL BASIS FOR PROCESSING
a) The Company processes Personal Data only when there is a lawful basis for such processing under the Digital Personal Data Protection Act, 2023, or other applicable laws. The legal bases may include one or more of the following:
(i) Consent of the Data Principal: Where the Company collects Personal Data directly from a User or Data Principal, it shall do so after obtaining the individual’s free, specific, informed, unconditional, and unambiguous consent through clear affirmative action.
Examples:
1. Subscribing to marketing emails or newsletters;
2. Providing optional demographic details or feedback;
3. Participating in surveys, contests, or promotional campaigns;
4. Creating an account on the Platform.
(ii) The User may withdraw consent at any time through the settings panel, opt-out links, or by contacting the Grievance Officer. Such withdrawal shall not affect any prior lawful processing.
(iii) Performance of a Contract: The Company may process Personal Data where such processing is necessary to fulfil its obligations under a contract with the Data Principal or to take steps at their request before entering into a contract.
Examples:
1. Processing an order placed by a User;
2. Arranging for delivery, payment, and returns;
3. Providing customer support regarding the order.
(iv) Compliance with Legal Obligations: The Company may process Personal Data where it is legally required to do so under applicable laws, court orders, or regulations, including requirements imposed by government or law enforcement agencies.
Examples:
1. Complying with taxation and invoicing regulations;
2. Retaining records for audits;
3. Assisting law enforcement in fraud or criminal investigations;
4. Compliance with obligations under the Information Technology Act or applicable consumer laws.
(v) Legitimate Use (as permitted under Section 7 of the DPDPA, 2023): The Company may process Personal Data without consent for certain “legitimate uses” as explicitly provided under the DPDPA, including but not limited to:
| LEGITIMATE USE CATEGORY | EXAMPLE |
|---|---|
| Voluntary Data Provided by User | User submits details for placing an order or contacting customer support |
| Provision of Benefit or Service | Delivering a purchased product or issuing an invoice |
| Legal Proceedings or Dispute Resolution | Defending legal claims, enforcing contractual rights |
| Public Interest or Public Order | Co-operating with investigations, law enforcement or public safety officials |
| Employment or Internal Administration | Processing employee/vendor data for internal compliance or record-keeping |
(vi) The Company ensures that any reliance on legitimate use does not override the fundamental rights and expectations of the Data Principal and is consistent with the purpose limitation and necessity principles.
(vii) Public Interest or Public Health (If Applicable): In exceptional circumstances such as pandemics or emergencies, the Company may process Personal Data in the interest of public health, subject to applicable statutory permissions or directions from government authorities.
(viii) Where Personal Data is collected indirectly or through third-party service providers, the Company ensures that such third parties have obtained appropriate legal basis (including consent) for sharing such data with the Company. A list of categories of third parties (including their names, where applicable) with whom Personal Data may be shared is set out below. These third parties are contractually obligated to maintain the confidentiality and security of the data and to process such data strictly in accordance with applicable law and instructions issued by the Company.
| CATEGORY | PURPOSE OF PROCESSING | TYPE OF DATA SHARED |
|---|---|---|
| Payment Processors | To facilitate secure payments | Name, contact, transaction ID, masked card/bank info |
| Shipping & Logistics Partners | To deliver orders and provide tracking | Name, contact, address, order details |
| Email & SMS Communication | To send order updates, alerts, and promotional messages | Email, phone number, communication logs |
| Web Hosting & Infrastructure | Website operation, backups, and performance | Device metadata, IP address, access logs |
| Marketing and Retargeting Tools | Online advertising, analytics, and promotional campaigns | IP address, browsing behavior, cookies |
| Customer Support Tools | Customer query management and ticketing | Name, contact, chat logs, order info |
| Analytics & Tracking Providers | Monitor website usage and improve services | IP, session data, page visits, clicks |
| Affiliate/Influencer Platforms | Track referral codes, commissions | Referral ID, coupon usage, transaction data |
| Internal Consultants & Auditors | Legal, tax, or compliance purposes | Financial, order, and sometimes user data |
| Government or Legal Authorities | Legal compliance, law enforcement | Any legally mandated personal data, upon request |
(ix) The Company maintains detailed internal records of the legal basis applicable to each processing activity, and such records are reviewed periodically to ensure compliance.
(x) In cases where the legal basis for processing changes (e.g., from contract to consent), the Company shall notify the Data Principal and, where required, obtain fresh consent before proceeding.
6. CONSENT MANAGEMENT
a) Obtaining Consent: The Company shall obtain the free, specific, informed, unconditional, and unambiguous consent of the Data Principal before collecting or processing any Personal Data, unless the processing is permitted under legitimate use or legal obligation in accordance with Section 5 of this Policy.
b) Consent is obtained in a clear and granular manner at the point of data collection, such as during:
(i) Account registration;
(ii) Checkout and payment stages;
(iii) Subscription to newsletters or marketing communications;
(iv) Participation in contests, surveys, or referral programs;
(v) Accepting cookies and similar tracking technologies on the website.
c) No pre-ticked boxes, bundled consent, or inferred consent mechanisms are used. Consent must be affirmatively provided by the User.
d) Layered Notices: All consent requests are accompanied by a layered privacy notice that includes:
(i) The purpose of data collection;
(ii) The categories of data collected;
(iii) Whether the data will be shared with third parties;
(iv) A link to this Privacy Policy;
(v) Contact details of the Grievance Officer.
e) These notices are drafted in clear, plain, and concise language to ensure that Users understand what they are agreeing to.
f) Proof and Record of Consent: The Company maintains verifiable records of the consent obtained from each Data Principal, including the time, method, and purpose for which consent was granted. These records are stored securely and may be made available to the Data Protection Board or other authorities in the event of a lawful request or audit.
g) Refusal or Conditional Consent:
(i) Users have the right to refuse consent for optional features (such as marketing communications) without affecting their access to essential services (such as ordering products).
(ii) Any conditional consent that ties unrelated services or benefits to the provision of Personal Data is not enforced by the Company, unless reasonably necessary for the functioning of such services.
h) Withdrawal of Consent:
(i) The Data Principal may withdraw consent at any time, without any adverse consequences, by:
1. Using the unsubscribe or opt-out links in emails or messages;
2. Changing settings in the user account dashboard;
3. Contacting the Grievance Officer directly at Info@harkaranboparai.com.
i) Upon withdrawal of consent:
(i) The Company shall cease processing the concerned Personal Data within a reasonable time, unless required to retain it under law;
(ii) Certain services may become unavailable to the User where such services are dependent on the withdrawn data.
j) Consent for Minors:
(i) The Company does not knowingly collect Personal Data from individuals below the age of 18 years without verifiable parental or guardian consent as required under Section 9 of the DPDPA, 2023.
(ii) If the Company becomes aware that Personal Data of a minor has been collected without lawful parental consent, such data shall be promptly deleted.
k) Cookies and Tracking Consent:
(i) The Company uses cookies and similar technologies for enhancing User experience, analytics, and targeted advertising.
(ii) Consent for cookies is obtained through a cookie banner that allows Users to:
1. Accept all cookies;
2. Manage preferences by category;
3. Reject non-essential cookies.
l) Updates to Consent Preferences:
(i) Users may modify their consent preferences at any time by visiting their My Account > Privacy Settings section or by contacting customer care.
(ii) The Company periodically prompts Users to review and confirm their consent preferences to ensure continued alignment with their expectations and legal requirements.
7. CHILDREN’S DATA
a) The Company is committed to protecting the privacy of children and complying with the provisions of Section 9 of the Digital Personal Data Protection Act, 2023, which restricts the processing of personal data of children without verifiable parental or guardian consent.
b) For the purposes of this Policy, a child is defined as an individual who has not completed the age of 18 years, unless a different age threshold is prescribed by applicable law.
c) The Company does not knowingly collect, process, or store Personal Data from children unless:
(i) It is necessary for delivering a service explicitly intended for child users; and
(ii) Verifiable parental or guardian consent has been obtained through acceptable means, such as a digitally signed declaration or validated OTP-based consent process.
d) If it comes to the Company’s attention that Personal Data of a child has been collected without lawful consent, the Company shall:
(i) Promptly delete such Personal Data from its systems; and
(ii) Notify the parent or guardian, if identifiable, of such deletion.
e) The Company does not engage in behavioural tracking, profiling, or targeted advertising towards children, directly or indirectly, in compliance with the prohibitions under Section 9 of the DPDPA.
8. DATA SHARING AND THIRD-PARTY TRANSFERS
a) Internal Access and Sharing: Personal Data collected by the Company may be accessed by authorised internal teams, including but not limited to operations, customer support, marketing, logistics coordination, product development, finance, and compliance, strictly on a need-to-know basis. All such access is governed by internal access controls, confidentiality obligations, and data minimisation principles.
b) Third-Party Disclosures: The Company may share Personal Data with trusted third-party service providers, vendors, and business partners (collectively, “Third Parties”) solely for the purpose of enabling the Company to provide its products and services efficiently. These Third Parties process Personal Data on behalf of the Company and are contractually bound to comply with applicable data protection laws, maintain data confidentiality, and use the data only for the specified purposes. A summary of categories of Third Parties with whom data may be shared, and the purpose of sharing, is set out in Section 5(a)(viii) above.
c) Categories of Third Parties May Include:
(i) Payment gateways and processors – to facilitate secure payment transactions;
(ii) Shipping and logistics providers – to deliver products to customers;
(iii) Cloud hosting and IT infrastructure providers – to securely store and manage Platform data;
(iv) Marketing, analytics, and advertising tools – to run campaigns and personalise content;
(v) Customer support and CRM tools – to resolve service requests and complaints;
(vi) Auditors, legal counsel, tax advisors – for regulatory, dispute, or audit purposes;
(vii) Government authorities or law enforcement – when required under applicable laws or court orders.
d) Cross-Border Transfers:
(i) As of the effective date of this Policy, the Company stores and processes all Personal Data on servers located within India. However, certain third-party tools and service providers may process data on infrastructure located outside India, subject to appropriate legal safeguards.
(ii) Any transfer of Personal Data outside India (if required in the future) shall be conducted in accordance with Section 16 of the Digital Personal Data Protection Act, 2023, and any rules or government-issued notifications relating to cross-border transfers.
(iii) The Company shall ensure that any such transfers are made:
1. To countries or territories recognised by the Indian Government as having adequate data protection standards; or
2. Pursuant to appropriate contractual arrangements (such as standard contractual clauses or data protection agreements) that ensure the same level of data protection as applicable under Indian law.
(iv) No Sale of Personal Data: The Company does not sell, rent, trade, or otherwise monetise Personal Data of its users or customers to any third party for direct commercial gain.
(v) Aggregated and Anonymised Data: The Company may share anonymised or aggregated data (which does not identify an individual directly or indirectly) with business partners, advertisers, or research agencies for the purpose of market analysis, trend detection, or improving services. Such data is outside the scope of “Personal Data” as defined under applicable law.
(vi) Due Diligence and Oversight: The Company undertakes vendor due diligence and executes appropriate data processing agreements or confidentiality undertakings with all Third Parties who receive or process Personal Data, ensuring that:
1. Data is processed only for legitimate and stated purposes;
2. Adequate security measures are in place to prevent misuse or unauthorised access;
3. Processing ceases upon completion of the contractual purpose or termination of engagement.
9. DATA RETENTION & STORAGE
a) Retention Principle: The Company retains Personal Data only for as long as is reasonably necessary to:
(i) Fulfil the purpose for which it was collected;
(ii) Comply with legal or regulatory obligations;
(iii) Resolve disputes, enforce contracts, or defend legal claims;
(iv) Maintain records for auditing, taxation, or business continuity purposes.
b) The retention period is determined by the nature of the data, the purpose of processing, and any applicable legal or contractual requirements.
c) Data Retention Timelines:
| CATEGORY OF DATA | TYPICAL RETENTION PERIOD | LEGAL/OPERATIONAL BASIS |
|---|---|---|
| Identity and Contact Data | 3 years from last activity or transaction | Statutory limitation period for claims, customer support |
| Order and Transaction Data | 8 years from date of transaction | Income Tax Act, accounting and audit requirements |
| Payment and Financial Data (masked) | Retained as per Payment Aggregator Guidelines (RBI) | Regulatory requirements and fraud detection |
| Customer Support and Complaint Logs | 3 years from last contact | Dispute resolution and quality assurance |
| Marketing Preferences and Opt-in Data | Until withdrawal of consent or inactivity beyond 2 years | Consent-based processing |
| Analytics and Usage Data (pseudonymised) | 12–18 months from date of collection | Internal performance and improvement analysis |
| Account Credentials | Until account is deleted or deactivated | Contractual necessity for user authentication |
| Unused or Dormant Account Data | 2 years of inactivity (with 30-day prior notice before deletion) | Data minimisation and retention compliance |
| Anonymised or Aggregated Data | Retained indefinitely | Outside scope of “Personal Data” under DPDPA |
Note: The above periods are subject to change in case of any legal proceedings, enforcement actions, or statutory hold directives.
d) Deletion and De-identification: Upon expiration of the applicable retention period, Personal Data is either:
(i) Permanently deleted from all systems (active and backup); or
(ii) Anonymised or de-identified in a way that prevents re-identification of the Data Principal.
The Company ensures that deletion is performed in a secure manner using industry-standard sanitisation or erasure methods.
e) Right to Request Deletion:
(i) A Data Principal may request deletion of their Personal Data where:
1. The data is no longer necessary for the purpose for which it was collected;
2. Consent has been withdrawn and there is no other legal basis for retention;
3. The data has been unlawfully processed.
(ii) Such requests will be honoured subject to legal and contractual retention obligations and shall be responded to within a reasonable period as prescribed under the DPDPA, 2023.
f) Storage Location and Backups: Personal Data is stored on secure servers operated by the Company or its authorised hosting providers, currently located in India. Periodic encrypted backups are maintained to ensure data recoverability in case of system failure, which are subject to the same retention and deletion practices outlined above.
g) Policy Review and Updates: The Company periodically reviews its data retention schedules and storage practices to ensure compliance with evolving legal standards and operational needs. Any changes to retention durations will be notified through an update to this Policy.
10. NOTIFICATION OF PERSONAL DATA BREACH
a) Company adopts a proactive and structured approach to identifying, mitigating, and responding to any personal data breach. A personal data breach refers to any unauthorised or accidental disclosure, alteration, loss, destruction, or access to Personal Data that compromises its confidentiality, integrity, or availability—whether caused by technical failures, malicious attacks, human error, or organisational gaps.
b) Data Breach Response Procedure and Timelines: In the event of a suspected or confirmed data breach, the Company shall activate its internal Data Breach Response Procedure, which comprises the following steps and timeframes as detailed in Annexure A.
c) Information Included in Notifications: Any notification to the Data Protection Board of India, CERT-In, or affected individuals (Data Principals) shall include the following information:
(i) Nature and categories of Personal Data affected;
(ii) Number of individuals impacted;
(iii) Date and time of the breach (estimated and confirmed);
(iv) Likely consequences or harm;
(v) Actions taken to mitigate risks and limit damage;
(vi) Contact information of the Grievance Officer or point of contact;
(vii) Instructions for Users on how to protect themselves.
d) Breach Severity Categorisation: The Company classifies data breaches into three severity levels:
(i) Level 1 – Minor: No sensitive data involved, minimal or no risk;
(ii) Level 2 – Moderate: Involves contact or identity data, limited exposure;
(iii) Level 3 – Critical: Involves sensitive personal data, financial data, or a large number of individuals, with potential for significant harm.
Only Level 2 and Level 3 breaches require mandatory external notification.
e) User Cooperation: Users who become aware of any potential compromise of their account, such as unauthorised login attempts, phishing emails, or suspicious transactions, must report the same immediately by emailing Info@harkaranboparai.com. The Company will investigate such reports on priority and take appropriate action.
11. RIGHTS OF DATA PRINCIPALS
a) As a Data Principal under the Digital Personal Data Protection Act, 2023, you are entitled to exercise the following rights in relation to your Personal Data collected and processed by Company. These rights are subject to reasonable limitations and applicable legal requirements.
b) As per the Digital Personal Data Protection Act, 2023, Data Principals have the following rights in relation to their Personal Data:
| RIGHT | DESCRIPTION | TIMELINE FOR RESPONSE | HOW TO EXERCISE THIS RIGHT |
|---|---|---|---|
| Right to Access | To know whether the Company processes your Personal Data and request details such as categories, purpose, recipients, and retention period. | Within 15 working days | Email a request to p[●] or use your account dashboard (if available). |
| Right to Correction | To request correction, updating, or completion of inaccurate, outdated, or incomplete Personal Data. | Within 10 working days | Submit a correction request with valid supporting documents to Info@harkaranboparai.com |
| Right to Erasure | To request deletion of Personal Data that is no longer necessary, has been unlawfully processed, or after consent withdrawal. | Within 15 working days | Send a deletion request via email to Info@harkaranboparai.com with identity verification. |
| Right to Withdraw Consent | To withdraw previously given consent for specific data processing activities. | Immediate upon confirmation | Use opt-out links in emails or write to Info@harkaranboparai.com specifying the consent to withdraw. |
| Right to Grievance Redressal | To file a complaint regarding delay, denial, misuse, or mishandling of Personal Data or non-fulfilment of rights. | Acknowledgement in 48 hrs, resolution in 7 working days | Email your grievance to the Grievance Officer at Info@harkaranboparai.com |
| Right to Nominate | To nominate another individual to exercise your rights under this Policy in the event of your death or incapacity. | As per Company records | Send a signed nomination form or declaration via email to Info@harkaranboparai.com |
| Right to Be Informed | To receive clear, accessible information on data collection, legal basis, purpose, rights, third-party disclosures, and policy changes. | Continuous right | Review this Privacy Policy regularly and subscribe to update notifications via email or the Platform. |
12. GRIEVANCE REDRESSAL MECHANISM
a) Company is committed to addressing all privacy-related concerns, complaints, and requests in a transparent, secure, and time-bound manner. In accordance with Section 13 of the Digital Personal Data Protection Act, 2023 and Rule 5(9) of the IT Rules, 2011, the Company has appointed a Grievance Officer to ensure proper handling of grievances related to Personal Data.
b) Lodging a Grievance: If you have any concerns or grievances regarding:
(i) Denial or delay in fulfilling your data rights;
(ii) Misuse, unauthorised access, or mishandling of your Personal Data;
(iii) Withdrawal of consent not being respected;
(iv) Violation of any terms of this Privacy Policy;
(v) Any breach of applicable data protection laws;
c) You may raise a grievance by sending an email to the designated Grievance Officer:
Grievance Officer
Email: Info@harkaranboparai.com
Working Hours: 10:00 AM – 6:00 PM
d) Grievance Handling Procedure and Timelines:
| STAGE | ACTION | TIMELINE |
|---|---|---|
| Acknowledgement | The Grievance Officer will acknowledge receipt of your complaint. | Within 48 hours |
| Initial Review | Assess completeness and legitimacy of the grievance. | Within 2 working days |
| Investigation and Resolution | Conduct internal inquiry, coordinate with relevant departments, resolve issue. | Within 7 working days |
| Notification of Outcome | Communicate resolution decision or status update to the complainant. | Within 10 working days total |
e) If you are dissatisfied with the resolution provided by the Grievance Officer or if no response is received within the prescribed period, you have the right to escalate the matter to the Data Protection Board of India under Section 13(2) of the Digital Personal Data Protection Act, 2023.
13. FORCE MAJEURE
The Company shall not be held liable for any failure or delay in performing its obligations under this Privacy Policy, including the processing of rights requests or breach notifications, due to circumstances beyond its reasonable control. Such events may include natural disasters, war, civil unrest, pandemic, governmental actions, electricity or internet outages, cyberattacks, or other force majeure events. During such periods, the Company will take reasonable steps to mitigate the impact and restore normal operations as soon as practicable.
14. GOVERNING LAW AND JURISDICTION
This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts located in New Delhi, India, without regard to conflict of law principles.
15. CHANGE IN OWNERSHIP OR CONTROL
In the event of a merger, acquisition, reorganisation, or sale of all or a portion of the Company’s assets or business, Personal Data held by the Company may be transferred to the successor entity. Such transfer will continue to be governed by the terms of this Privacy Policy unless and until it is amended by the successor with due notice to Users.
16. POLICY UPDATES AND NOTIFICATION
The Company may update or modify this Privacy Policy from time to time to reflect changes in legal requirements, business practices, or technological advancements. Any material changes will be notified to Users through:
(i) Prominent notices on the Platform;
(ii) Email communication to registered Users (where applicable); and
(iii) Updates to the “Last Updated” date at the top of this Policy.
Users are encouraged to periodically review this Policy to stay informed of how their Personal Data is protected.
17. CONTACT US
If you have any questions, concerns, or require clarification regarding this Privacy Policy, the processing of your Personal Data, or your rights as a Data Principal, you may contact our designated Grievance Officer:
Email: Info@harkaranboparai.com
Working Hours: 10:00 AM – 6:00 PM
By continuing to access or use the Platform, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. Your continued use of the services constitutes your consent to the collection, processing, and disclosure of your Personal Data in accordance with this Policy.
This Privacy Policy shall remain in effect until it is updated, superseded, or revoked by the Company.
******
ANNEXURE A
DATA BREACH RESPONSE FRAMEWORK & TIMELINE
| STAGE | ACTION | TIMELINE |
|---|---|---|
| 1. Detection & Containment | Identify and verify the breach, isolate affected systems | Within 6 hours of detection |
| 2. Preliminary Risk Assessment | Assess scope, type of data affected, sensitivity, and potential impact | Within 12 hours of detection |
| 3. Internal Escalation | Notify Compliance Officer, Data Protection Officer, and senior management | Within 12 hours |
| 4. Reporting to Authorities | Notify CERT-In and/or the Data Protection Board of India, where applicable | Within 6 hours of confirming the breach (as per CERT-In guidelines) |
| 5. Notification to Individuals | Inform affected Data Principals of the nature of the breach, risk, and mitigation steps | Within 48 hours, where risk of harm is high |
| 6. Remedial Action | Contain breach, patch systems, reset credentials, and prevent recurrence | Immediate, completed within 72 hours |
| 7. Documentation & Audit Trail | Record breach details, investigation logs, and corrective measures taken | Within 7 days of incident |
| 8. Final Report & Policy Update | Root cause analysis and review of internal policies/training | Within 15 days of breach |