Privacy Policy — Bael Trade

1. About This Policy

This Privacy Policy describes how Bael Trade Pvt. Ltd. (“we”, “us”, “our”, “Company”) collects, uses, stores, and processes your personal data in compliance with the Digital Personal Data Protection Act 2023 (DPDP Act), the IT Act 2000 (Section 79), Consumer Protection (E-Commerce) Rules 2020, and UIDAI Aadhaar guidelines.

By using our platform you confirm that you have read and agree to this policy. This policy applies to all users — Sellers, Buyers, and visitors.

2. Data We Collect

Category	Data Points	Legal Basis (DPDP)
Identity	Name, email, mobile, password hash	§7(a) — Contract performance
Business (Seller)	GST Number, PAN, IEC, Udyam, company name	§7(b) — Legal obligation (GST Act, FEMA)
Aadhaar	Last 4 digits ONLY — full Aadhaar never stored	UIDAI circular — minimal data principle
KYC Documents	Photos/scans of certificates (encrypted at rest)	§7(b) — Legal obligation (PMLA 2002)
Transaction	Orders, payments, invoices, wallet balance	§7(b) — Legal obligation (IT Act, GST Act)
Usage	Pages visited, search queries, click events	§6 — Explicit consent (Analytics)
Communications	Messages, enquiries, support tickets	§7(a) — Contract performance
Technical	IP address, device type, browser, session tokens	§7(a) — Essential for security

3. How We Use Your Data

Account creation & management — Creating your seller/buyer profile, enabling login, and maintaining session security.
KYC verification — Verifying your business identity with GSTN, DGFT, and Income Tax APIs as required by applicable law.
Marketplace operations — Processing orders, payments (via Razorpay), issuing GST-compliant invoices, and revealing buyer contact details.
Communications — Sending transactional emails, SMS OTPs, and in-app notifications related to your account activity.
Marketing (with consent) — Promotional emails, product recommendations, and market updates. You may withdraw this consent at any time.
Analytics (with consent) — Improving platform performance, understanding feature usage. Fully anonymized after withdrawal.
Legal compliance — Retaining financial records for 7 years as required by the GST Act, IT Act, and PMLA.

4. Your Rights Under the DPDP Act 2023

§11 — Right to Information

Know what data we hold about you and how it is used.

§12 — Right to Correction

Correct inaccurate or incomplete personal data.

§12 — Right to Portability

Download a copy of all your data as JSON.

§13 — Right to Erasure

Delete your account and anonymize personal data (financial records retained per GST law).

§6 — Right to Withdraw Consent

Withdraw non-essential consents at any time.

§13 — Right to Grievance

Lodge complaints with our Grievance Officer (72h SLA).

5. Data Sharing & Third Parties

We do not sell your personal data. We share data only in the following circumstances:

Government APIs: GSTN (GST verification), DGFT (IEC verification), Income Tax portal (PAN verification) — required for KYC.
Payment Gateway: Razorpay receives payment card/UPI data directly; we do not store raw payment credentials.
Cloud Infrastructure: Supabase (database, encrypted at rest), Vercel/Railway (application hosting) — data processed within India.
SMS Gateway: MSG91 processes mobile numbers for OTP delivery only.
Legal Requirement: Law enforcement or regulatory authorities when legally mandated.

6. Data Retention

Data Type	Retention Period	Legal Basis
Account / Profile PII	Until deletion request, then anonymized	DPDP Act §13
Financial records (invoices, GST)	7 years from transaction date	GST Act §36, IT Act
KYC documents (raw scans)	Until account deletion, then hard-deleted	UIDAI guidelines
Audit logs	7 years	IT Act §7A
Consent records	Lifetime of account + 3 years	DPDP Act §6
Session tokens	Until logout or 7 days, whichever first	Security requirement
Analytics data (anonymized)	2 years, fully aggregated	With explicit consent

7. Security Measures

AES-256-GCM encryption for all PII fields stored in database.
Passwords hashed with bcrypt (12 rounds) — plaintext never stored.
HTTPS/TLS 1.3 enforced on all endpoints.
JWT tokens with 4-hour expiry; refresh tokens stored hashed.
Role-based access control — only authorized staff can access your data.
Regular penetration testing and security audits.
Full Aadhaar numbers are never collected or stored per UIDAI circular dated 28.05.2024.

8. Children's Privacy

Our platform is intended for businesses only. We do not knowingly collect personal data from individuals under 18 years of age. If you are under 18, please do not use this platform or provide any personal information.

9. Changes to This Policy

We may update this policy to reflect changes in law or our practices. Material changes will be notified via email and in-app notification at least 15 days before they take effect. Your continued use after the effective date constitutes acceptance.

⚖️ Grievance Officer (DPDP Act §13 — Mandatory Disclosure)

Appointed under the Digital Personal Data Protection Act 2023. You may approach the Grievance Officer for any complaint or query regarding your personal data. A response will be provided within 72 hours as mandated by law.

Name

Rajesh Kumar

Designation

Grievance Officer

Emailgrievance@b2bmarket.in

Phone

+91-80-4567-8901

Address

Bael Trade Pvt. Ltd., MG Road, Bengaluru — 560001, Karnataka, India

File a Grievance →