1. Who we are
Data Fiduciary: Aware Consultants (the "Company", "we", "us"). Registered office: 577, 2nd Main, 2nd Phase, 6th Block, Banashankari 3rd Stage, Bangalore 560085. GSTIN: 29AEDPR3291M1ZV. Contact: privacy@dukaansethu.com.
"You" means the shopkeeper or business owner who uses DukaanSethu, or anyone visiting dukaansethu.com / dukaansethu.in.
2. What we collect
2.1 Information you give us directly
- Business details: shop name, category, address, city, state, PIN code, your name, GST number if you choose to provide it.
- Contact details: WhatsApp number, email (if provided), preferred language.
- Catalog data: products, prices, descriptions, photos you upload or that we pull from your Google Business listing on your behalf.
- Payment details: UPI VPA for receiving payments; payment confirmations from Razorpay. We do NOT store full UPI mandate credentials — those live with Razorpay and the NPCI rails.
- Messages: WhatsApp messages exchanged with DukaanSethu's own number (for setup, support, and onboarding).
2.2 Information we collect about your customers (on your behalf)
When your customers interact with your DukaanSethu storefront or WhatsApp catalog, we process the data as a Data Processor on your behalf:
- Their WhatsApp number (only when they message your business)
- Their order details (products selected, quantities, address for delivery)
- Payment confirmations from Razorpay or direct UPI receipts
You are the Data Fiduciary for your customers' data. We don't market to your customers, sell their information, or use it for anything other than fulfilling the service you've paid us to provide.
2.3 Information we collect automatically
- Technical: IP address, browser type, device, pages visited, timestamps. Standard server logs.
- Cookies: we use only essential cookies (session, language preference). No marketing or third-party tracking cookies are set without your consent.
3. Why we collect it
| Purpose | Legal basis under DPDP Act |
|---|---|
| Setting up and operating your storefront | Performance of contract; your consent |
| Sending you account, billing, and support messages | Performance of contract |
| Processing UPI Autopay subscription charges via Razorpay | Performance of contract; legitimate interest |
| Fraud prevention, security, abuse detection | Legitimate interest; legal obligation |
| Tax invoicing, GST compliance, statutory record-keeping | Legal obligation |
| Improving the product (aggregated, anonymized analytics) | Legitimate interest |
| Sending you marketing emails or WhatsApp broadcasts about your own customers | Performance of contract — initiated by you, not us |
4. Who we share data with
We share the minimum data necessary with a small set of processors who are themselves subject to DPDP-equivalent obligations:
- Meta Platforms Inc. / WhatsApp: for delivering your catalog and messages via the WhatsApp Business Cloud API. Subject to Meta's privacy terms.
- Razorpay (Razorpay Software Private Limited): for processing UPI subscription payments. Razorpay is a licensed Payment Aggregator regulated by the RBI.
- Google LLC: Places API for sourcing public business listing data; Geocoding for addresses.
- Cloudflare, Inc.: for storing storefront previews and serving images via R2 storage. Data resides on Cloudflare's India-aware infrastructure.
- OpenRouter / Anthropic / Google AI: for AI-generated copy in your storefront. We send only the minimum context needed (your business name, category, language). No customer PII is sent to LLM providers.
- Supabase / Hostinger: our primary database and hosting providers. Data is stored on infrastructure with servers in AWS Mumbai (ap-south-1).
We do NOT sell your data. We do NOT share your data with advertisers. We do NOT use your data to train any AI model.
5. Where data is stored
Customer + business data is stored on AWS / Supabase infrastructure in the AWS Mumbai (ap-south-1) region. Cross-border transfers, if any, are limited to operational necessity (e.g., Meta WhatsApp API calls) and subject to standard contractual safeguards. The Government of India may notify restrictions on cross-border transfer; we comply with all such notifications.
6. How long we keep it
- Active customer data: for the duration of your subscription, plus 90 days after cancellation (to allow re-activation without data loss).
- Tax/invoice data: 8 years, per Indian tax law.
- WhatsApp message logs: 12 months, then archived.
- Server logs: 30 days.
- Aggregated analytics: indefinitely (no personal identifiers).
7. Your rights under the DPDP Act
As a Data Principal, you have the right to:
- Access a summary of personal data we hold about you
- Request correction of inaccurate data, or completion of incomplete data
- Request erasure of your data (subject to legal retention requirements)
- Nominate someone to exercise rights on your behalf in case of incapacity or death
- Withdraw consent at any time
- File a grievance — see our Grievance Officer page
To exercise any of these rights, email privacy@dukaansethu.com. We respond within 15 days as required by law.
8. Children's data
DukaanSethu is intended for business owners 18 or older. We do not knowingly collect personal data of children. If a parent or guardian believes a child has provided us with personal data, please contact us and we will delete it.
9. Security
We use industry-standard safeguards: TLS encryption in transit, encrypted-at-rest databases, role-based access controls, regular security audits, and incident response procedures. No system is 100% secure, but we treat your data the way we'd want ours treated.
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced via WhatsApp to active customers and via banner on our site at least 7 days before they take effect. Continued use of the service after the effective date constitutes acceptance.
11. Contact
For privacy questions: privacy@dukaansethu.com
For formal grievances: see our Grievance Officer page
For everything else: Contact us