DRAFT — pending lawyer review

The legally binding privacy policy and terms of service are in preparation. This document is a working draft authored as a starting point for legal counsel review and has no legal effect. Any consent captured on this site remains bound to policy version 2026-04-22 (the prior placeholder); this draft has NOT YET PUBLISHED status until lawyer-finalized text lands and CONSENT_POLICY_VERSION is bumped.

Draft last modified: 20 Oct 2018

Privacy Policy

← Back to bizboozt

Document status: DRAFT for review. NOT YET PUBLISHED. Authoring basis: V1 privacy policy (IT Act 2000 / SPI Rules 2011) + DPDPA 2023 uplift per docs/v1-legal-content.md. Drafter: AI-assisted starting draft; intended as a base for lawyer refinement, NOT a substitute for legal counsel. Action required: (1) operator/client review for accuracy of business descriptions; (2) lawyer review for DPDPA 2023 compliance, enforceability, and jurisdiction-specific language; (3) DPO designation; (4) finalisation prior to first paid call. Targeted policy version on publication: 2026-XX-XX (set on day-of-publish; bump CONSENT_POLICY_VERSION env var in lockstep).

1. Introduction

This Privacy Policy ("Policy") describes how BizBoozt Services LLP ("BizBoozt", "we", "us", "our") — a Limited Liability Partnership incorporated under the Limited Liability Partnership Act, 2008, having its registered office at:

40/3456, Flat No. 602, Pearl Ouplence, Metro Pillar No. 505, Palarivattom, Kochi, Ernakulam, Kerala — 682025, India

— collects, uses, stores, processes, and shares your Personal Data when you access or use the BizBoozt platform, including the website at https://app.bizboozt.com (the "Platform"), the related Progressive Web App, and any associated services (collectively, the "Services").

By accessing or using the Services, you consent to the collection, processing, and sharing of your Personal Data in accordance with this Policy and applicable law, including the Digital Personal Data Protection Act, 2023 ("DPDPA") and the rules made thereunder, the Information Technology Act, 2000, and the rules made thereunder including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "SPDI Rules") to the extent applicable.

If you do not agree with any part of this Policy, please do not use the Services.

2. Definitions

In this Policy, the following capitalised terms shall have the meaning ascribed to them below. Terms used but not defined here have the meaning given to them in the DPDPA.

Term	Meaning
Data Principal	The natural person to whom Personal Data relates (i.e., you, the user). DPDPA terminology.
Data Fiduciary	The person who, alone or in conjunction with others, determines the purpose and means of processing of Personal Data — for the Services, this is BizBoozt.
Data Processor	Any person who processes Personal Data on behalf of a Data Fiduciary. Examples include our payment aggregators and observability vendors (see § 7).
Personal Data	Any data about an individual who is identifiable by or in relation to such data.
Sensitive Personal Data or Information ("SPDI")	Personal information defined as such under the SPDI Rules — including financial information (bank account, payment instrument details), passwords, biometric data, etc.
Owner / Business Owner	A user who books consultations as a buyer of advisory services. Internally classified as `role = OWNER`.
Advisor	A user approved to provide consultation services to Owners. Internally classified as `role = ADVISOR` after KYC and admin approval.
Admin	A BizBoozt operator who manages the Platform. Internally classified as `role = ADMIN`.
Consultation / Call	A scheduled paid video session between an Owner and an Advisor delivered through the Platform.
KYC	Know-Your-Customer verification, including identity proof, PAN, and bank details where applicable.
Payment Aggregator ("PA")	An RBI-licensed entity that processes payments on our behalf. We use Razorpay (primary) and Instamojo (secondary).

3. Personal Data we collect

We collect the following categories of data, only to the extent necessary for the specified purposes (§ 4):

3.1 Information you provide directly

Data type	When collected	Purpose tag
Email address	Account creation, login (one-time-code authentication)	Identification, communication
Display name / business name	Profile setup	Personalisation
Phone number (where collected)	Account, OTP, WhatsApp transactional messaging	Authentication, communication
Goods & Services Tax Identification Number (GSTIN), where applicable	Owner profile (B2B invoicing); Advisor profile	Tax compliance, invoice routing
Permanent Account Number (PAN) — Advisors	KYC verification	Tax compliance (TDS), regulatory
Bank account number + IFSC — Advisors	Payout processing	Payouts, regulatory
KYC documents (PAN card, address proof, etc.) — Advisors	Admin approval	Verification
Consultation request details, notes, agenda	Booking creation	Service delivery
Communications you send us (support tickets, dispute submissions)	As you contact us	Support, dispute resolution

3.2 Information generated automatically through your use of the Services

Data type	When collected	Purpose tag
Booking, payment, payout, and invoice records	Throughout the user lifecycle	Service delivery, tax & audit retention
Consultation video recordings	When a Consultation is conducted (see § 3.4)	Quality assurance, dispute resolution
Device, browser, and IP information	Each session	Security, fraud detection, troubleshooting
Approximate geographic information derived from IP	Each session	Fraud detection, regulatory reporting
Performance and error logs	As errors occur	Reliability, troubleshooting
Anonymous Web Vitals telemetry (page-load timings)	Each page load	Performance monitoring
Authentication events (login, logout, role change, OTP verification outcomes)	Throughout the lifecycle	Security audit, regulatory compliance
Consent records (policy version accepted, timestamp, IP, user agent)	Each consent action	Lawful basis evidence

3.3 Information from third parties

We may receive information about you from third parties — for example, payment status from our Payment Aggregators (Razorpay / Instamojo), and identity verification information from our KYC partners (where applicable). We treat this information consistent with this Policy.

3.4 Consultation recordings

All Consultations conducted through the Platform are recorded and stored through our video-call partner (Agora.io). This is disclosed to users at multiple touchpoints (signup, booking, in-call notice). Recordings are retained for 30 days from the date of the call and automatically deleted thereafter, except where a dispute has been raised in respect of the call, in which case the recording is retained for 2 (two) years to enable dispute resolution and as evidence under applicable law. See § 9 for full retention durations.

By proceeding with a Consultation, you provide your consent for recording in accordance with this § 3.4.

3.5 What we do NOT collect

We do not knowingly collect:

Biometric data
Health or medical records
Sexual orientation
Caste / religion
Political opinions

You should not share such information with us unless specifically required by a regulator or court of law and even then only through the channels we direct you to.

4. Specific purposes for processing

In line with the DPDPA principle of purpose limitation, we process your Personal Data only for the specific purposes described below, or for purposes compatible with these and disclosed to you at or before the time of collection.

4.1 General purposes (all users)

To create, authenticate, and maintain your account.
To provide, operate, and improve the Services.
To enable bookings, video consultations, recordings, and dispute resolution.
To process payments and payouts and to issue and store invoices in compliance with the Goods and Services Tax law and the Income-tax Act, 1961.
To communicate with you about your account, transactions, service availability, and policy changes.
To investigate and resolve disputes, complaints, and any improper use of the Services.
To comply with applicable law, court orders, and the lawful directions of regulators (including the Data Protection Board of India and the Reserve Bank of India where applicable).
To enforce our Terms of Service and to prevent and detect fraud, abuse, and security incidents.

4.2 Owner-specific purposes

To match you with suitable Advisors based on your stated requirements.
To facilitate your bookings and the conduct of Consultations.
To provide you with invoices and tax documentation in respect of your bookings.
To enable you to raise disputes and receive refunds where applicable.

4.3 Advisor-specific purposes

To verify your professional credentials and identity through KYC.
To list your services on the Platform once admin-approved.
To process payouts to your registered bank account.
To deduct and deposit applicable withholding taxes on your behalf (TDS, TCS, GST-TDS) as required by law.
To issue and receive invoices in connection with your services.
To monitor service quality, including review of recordings where a dispute has been raised.

4.4 No further processing without consent

We will not process your Personal Data for purposes beyond those stated in this Policy without obtaining your consent (where consent is required) or relying on another lawful basis under the DPDPA.

5. Lawful basis for processing

We process your Personal Data on the following lawful bases, depending on the activity:

5.1 Consent (DPDPA s. 6)

We rely on your consent for processing where:

You explicitly agree to this Policy at signup (the "I agree to the Terms and Privacy Policy" checkbox);
You initiate optional features that involve additional processing (e.g., subscribing to non-transactional WhatsApp updates).

Your consent is specific, informed, free, unambiguous, and given through clear affirmative action. We record consent events with the policy version, timestamp, IP address, and user-agent for our audit records.

5.2 Legitimate Uses (DPDPA s. 7)

We process Personal Data without separate consent only where DPDPA permits ("Legitimate Uses"), including:

For the specified purpose for which you have voluntarily provided the data (e.g., a booking you create);
For the performance of any function under any law (e.g., tax filings, RBI compliance reporting where applicable);
For compliance with any judgment, decree, or order issued under law in India;
In response to a medical emergency (rare; we do not anticipate this for our service category);
For ensuring safety of, or providing assistance or services to, an individual during a disaster or breakdown of public order.

5.3 Legitimate interests under SPDI Rules (where DPDPA notification is partial)

To the extent the DPDPA's commencement provisions in respect of any sub-section have not yet taken effect, we additionally rely on the SPDI Rules for the lawful basis of processing.

6. How long we retain your data ("Retention")

We retain your Personal Data only for as long as necessary to fulfil the purpose for which it was collected, or for as long as required under applicable law — whichever is longer. The table below sets out our standard retention periods. Specific durations may be revised based on legal advice.

Data category	Retention period	Basis
Account profile data	While your account is active + 30 days following soft-delete, then anonymised	Service delivery + grace for restoration
Authentication events (logins, logouts, role changes)	8 years	Goods & Services Tax retention requirements applicable to associated transactions
Consent records	Lifetime of the related processing + 8 years	Audit trail
Booking, payment, payout, and invoice records	8 years from the end of the relevant financial year	Goods & Services Tax — Section 36 of the CGST Act, 2017 (in line with the prescribed retention period for tax-relevant documents)
Tax invoice copies (B2B and B2C)	8 years from the end of the relevant financial year	Goods & Services Tax
Consultation recordings — non-disputed	30 days from the date of the Call	Quality control + auto-deletion
Consultation recordings — disputed	2 years from the date of the Call	Evidence for dispute resolution and as may be required for legal proceedings
Bank account details (Advisors)	While your advisor account is active + 8 years post-closure	Tax retention (TDS records)
KYC documents (Advisors)	While your advisor account is active + 5 years post-closure	KYC retention norms
Support, complaint, and dispute correspondence	5 years from resolution	Dispute trail
IP, device, and security logs	1 year (rolling)	Security operations
Anonymous Web Vitals telemetry	Aggregated; no identifying information retained	N/A

After the applicable retention period, we either:

Delete the data permanently;
Anonymise the data (so that you cannot be reasonably re-identified) and retain it only for statistical and product-improvement purposes; or
Retain the data only where a longer period is required under law (e.g., subject to an active investigation or legal proceeding).

[LAWYER TO VERIFY: 8-year tax retention is based on Section 36 of the CGST Act, 2017, which prescribes retention of accounts and records for 72 months from the due date of furnishing the annual return for the financial year pertaining to such accounts and records. We use 8 years as a defensible margin. Confirm whether this matches industry practice for the marketplace structure.]

We share your Personal Data with the categories of recipients listed below, only to the extent necessary for the stated purposes.

7.1 Other users on the Platform

Recipient	What is shared	Purpose
Advisor (in respect of an Owner who books their slot)	Owner's display name, the booking subject and notes you provide, and any chat or recording from the Consultation	Service delivery
Owner (in respect of an Advisor they book)	Advisor's display name, public profile information, public ratings, and the booking confirmation	Service delivery

We do not disclose your email address, phone number, or other contact details to other users on the Platform.

7.2 Service providers (Data Processors)

We share Personal Data with the following service providers under written agreements that limit their use of the data to the purposes for which it has been provided to them:

Service provider	Function	Data shared
Razorpay (primary) and Instamojo (secondary) — RBI-licensed Payment Aggregators	Payment processing, settlement, and refund operations	Booking amount, transaction reference, and minimal user identifiers necessary for settlement
Agora.io	Real-time video calling and cloud recording	Consultation video and audio streams
bharathbiz.com (or successor partner)	Transactional WhatsApp messaging	Phone number, message content (transactional templates only)
Resend (or successor)	Transactional email delivery (one-time codes, account notifications)	Email address, message content
Sentry (EU region — Frankfurt)	Error monitoring	Error stack traces and operational metadata; user data is redacted in transit
PostHog (EU region — eu.i.posthog.com)	Anonymous product analytics, gated by your consent	Anonymised event data only after consent
Vercel Inc. (United States) — hosting	Hosting, edge delivery, anonymous Web Vitals	Web Vitals (anonymous); data at rest in Mumbai (see § 8)
Inngest	Background job processing	Operational metadata only
Supabase (project hosted in Mumbai, India — `ap-south-1`)	Database, authentication, and file storage	Profile data, KYC documents, encrypted Sensitive Personal Data
Upstash (rate limiting)	API rate-limit operations	Truncated identifiers (IP, email-hash)
GST-suvidha and tax-compliance providers (as engaged)	Compliance filings and tax operations	Tax-relevant invoice and transaction data

7.3 Professional advisors

We share Personal Data with our chartered accountants, tax advisors, lawyers, and auditors, in each case under confidentiality obligations, as required for the conduct of our business.

7.4 Authorities and legal disclosures

We disclose Personal Data to government authorities, law-enforcement agencies, regulators (including the Data Protection Board of India and the Reserve Bank of India where applicable), and courts of law where:

We are required to do so by law (including Section 28(2)(c) of the DPDPA, where applicable);
We are required to do so under a binding court order or notice from a competent authority;
We reasonably believe that disclosure is necessary to prevent imminent harm, protect rights, or investigate fraud or violations of our Terms of Service.

7.5 Business transfers

If we undergo a merger, acquisition, financing transaction, asset sale, or insolvency proceeding, your Personal Data may be transferred to the acquirer or successor entity. We will notify you by email and through a notice on the Platform of any such transfer; the transferee will be subject to obligations no less restrictive than those described in this Policy.

7.6 With your consent

We share Personal Data with any other third party only with your explicit consent.

7.7 We do not sell your Personal Data

We do not sell your Personal Data to advertisers or any other third party.

8. Storage location and cross-border transfers

8.1 Primary data residency

Your Personal Data, including booking records, profile information, and KYC documents, is stored in Mumbai, India (ap-south-1) on infrastructure operated by Supabase (Postgres database, authentication, and storage). This includes the encrypted columns of Sensitive Personal Data (PAN, bank account, bank IFSC) which are stored using symmetric encryption at rest.

Backups are operated by our infrastructure provider and remain within India.

8.2 Application execution region

Our serverless application runs on Vercel functions in the Mumbai region (bom1). The Platform is configured to pin compute to the Mumbai region.

8.3 Limited cross-border transfers

The following categories of data flow outside India in the ordinary course:

Recipient region	Data categories	Lawful basis
European Union (Frankfurt) — Sentry error reporting	Error stack traces with PII redacted in transit; no booking/profile content	DPDPA s. 16 — transfers permitted to a country other than a country to which the Central Government has restricted transfer; written processor agreement; redaction-at-source
European Union — PostHog analytics (`eu.i.posthog.com`)	Anonymised product analytics post-consent	DPDPA s. 16; user consent; processor agreement
United States — Vercel (anonymous Web Vitals)	Anonymous performance telemetry without identifying information	DPDPA s. 16; processor agreement; data is anonymous
Inngest (region selected at provisioning time)	Operational metadata	DPDPA s. 16; processor agreement

We rely on the framework of DPDPA s. 16 read with notifications issued thereunder, and on the SPDI Rules to the extent applicable, for these transfers. We do not transfer Personal Data to any country to which the Central Government has restricted transfers. [LAWYER TO VERIFY: Confirm current state of DPDPA s. 16 notifications and any restricted-country list.]

8.4 RBI Payment Aggregator data residency

Card data and payment-instrument details are handled by Razorpay and Instamojo within their PCI-DSS-compliant environments under RBI Payment Aggregator regulations, including data localisation norms that require storage of payment system data within India.

9. Security

We implement technical and organisational measures designed to protect your Personal Data from unauthorised access, disclosure, alteration, and destruction. These include:

Encryption in transit (TLS) for all communications between your device and the Platform.
Encryption at rest for Sensitive Personal Data (PAN, bank account, bank IFSC) using pgp_sym_encrypt symmetric encryption with keys held outside the database.
Row-level security ("RLS") policies on the application database to enforce that users can only access their own data.
Service-role access controls for system writes, with separation between the user-context client and the system-context client at the code level.
Rate limiting on authentication and OTP endpoints to deter brute-force attacks.
Three-layer log redaction to scrub Personal Data from error reports and breadcrumbs before they reach our error monitor.
Mandatory consent capture at sign-up with policy versioning.
Monthly review of our security baseline (/cso audits) and periodic third-party security assessments.
Reasonable security controls and procedures consistent with the IT Reasonable Security Practices and Procedures Rules.

No system, however, can be guaranteed to be completely secure. We cannot guarantee or warrant the absolute security of any information you provide and you do so at your own risk.

You are responsible for safeguarding your account, including your login credentials and one-time codes. Do not share your one-time code with anyone. We will never ask you for your one-time code by phone, email, or chat.

10. Cookies, local storage, and tracking technologies

We use a small number of essential cookies and local-storage entries strictly necessary for the functioning of the Services, including:

Authentication session cookies (HttpOnly, Secure, SameSite=Lax) used to keep you signed in;
Service-worker storage used to deliver offline functionality;
Anonymous Web Vitals beacons to monitor page performance.

We do not use advertising or third-party cross-site tracking cookies. We do not auto-capture your activity for analytics purposes by default. If you opt-in to optional product analytics (PostHog), no session replay or auto-capture is enabled, and the data is stored in EU-region infrastructure. Persistence is in-memory (cleared when you close the tab) and is reset on logout.

11. Children's data

The Services are not directed to individuals under the age of 18. We do not knowingly collect Personal Data from children under 18. If you are under 18, please do not use the Services. If we learn that we have collected Personal Data of a child without verifiable parental consent, we will take steps to delete such Personal Data.

[LAWYER TO VERIFY: DPDPA s. 9 requires verifiable consent of the parent / lawful guardian of a child. Decide whether to (a) maintain an 18+ user requirement (current draft) or (b) implement a parental-consent flow for minors. The former is operationally simpler.]

12. Your rights as a Data Principal

Under the DPDPA, you have the following rights in respect of your Personal Data:

12.1 Right to access information about Personal Data (DPDPA s. 11)

You may request a summary of the Personal Data we hold about you, the purposes for which we are processing it, and the recipients with whom we have shared it.

12.2 Right to correction and erasure (DPDPA s. 12)

You may request that we correct inaccurate or misleading Personal Data, complete incomplete Personal Data, update Personal Data, or erase Personal Data that is no longer necessary for the purposes for which it was processed (subject to retention exceptions in § 6 — for example, tax and audit records that we are required to retain).

12.3 Right of grievance redressal (DPDPA s. 13)

You may raise a grievance with our Grievance Officer (§ 14). We will respond within the timeframes prescribed under the DPDPA. If you are not satisfied with our response, you may complain to the Data Protection Board of India.

12.4 Right to nominate (DPDPA s. 14)

You may nominate any other individual to exercise the rights of the Data Principal in your event of death or incapacity. To do so, write to our Grievance Officer with the nominee's name, contact details, and a clear statement of nomination.

12.5 Right to withdraw consent (DPDPA s. 6(4))

You may withdraw your consent to processing at any time. Withdrawal of consent will not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. Withdrawal may impair our ability to provide you with the Services, and may result in cancellation of pending or scheduled Consultations. Where we are entitled to retain your data on a Legitimate Use under DPDPA s. 7 or under any other law, we may continue to process your data on that basis even after consent withdrawal.

12.6 How to exercise your rights

To exercise any of your rights, please contact our Grievance Officer at support@bizboozt.com, with the subject line "DPDPA Request — [Type of Request]". We may ask you to verify your identity before acting on your request. We will respond within the time prescribed by law and, in any case, within a reasonable period not exceeding the timeline prescribed under the DPDPA Rules from receipt.

12.7 No fee, save for manifestly unfounded or excessive requests

We do not charge a fee for handling your request, unless your request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request.

13. Account closure and data deletion

You may close your account at any time by writing to support@bizboozt.com with the subject line "Account Closure". On account closure:

Your account is soft-deleted within seven (7) days of receipt of the request; you will not be able to log in or use the Services thereafter.
Personal Data is anonymised within thirty (30) days, except where we are required to retain it for tax, audit, dispute, or other legal purposes (§ 6).
Pending Consultations are cancelled and refunded in accordance with our cancellation policy.
Pending Advisor payouts are settled if eligible.

14. Grievance Officer / Data Protection Officer

In compliance with the IT Rules, 2011, the DPDPA, and other applicable law, we have designated the following officer to address questions, complaints, or requests in respect of this Policy and our handling of your Personal Data:

Grievance Officer / Data Protection Officer (DPO) [Name and designation TO BE FILLED at policy publication — operator + lawyer to designate] BizBoozt Services LLP 40/3456, Flat No. 602, Pearl Ouplence, Metro Pillar No. 505, Palarivattom, Kochi, Ernakulam, Kerala — 682025 Email: support@bizboozt.com (with subject "Grievance — [type]") Phone: +91 8336 980 930 (Mon–Fri 8a–8p; Sat 9a–7p; Sun 9a–9p IST) Response timeline: within 30 days of receipt [LAWYER TO VERIFY against final DPDPA Rules]

If you are not satisfied with our response, you may register a complaint with the Data Protection Board of India (once operational and accessible to Data Principals).

15. Personal Data breach notification

If we become aware of a Personal Data breach (including any unauthorised processing, destruction, loss, alteration, or unauthorised disclosure or access of Personal Data) likely to result in a risk to the rights and interests of Data Principals, we will:

Notify the Data Protection Board of India in the manner and within the timeframes prescribed under the DPDPA Rules; and
Notify each affected Data Principal at their registered email address with information about the nature of the breach, the data affected, the likely consequences, and the steps we are taking to address the breach.

[LAWYER TO VERIFY: timeline for DPB notification and affected user notification once final DPDPA Rules are notified.]

16. Changes to this Policy

We may amend this Policy from time to time. Material changes will be notified to you by email at the registered email address on your account, by a prominent notice on the Platform, or by both, at least seven (7) days before the change becomes effective. Each version of the Policy is identified by a unique version identifier; we record the version of the Policy you have accepted, with the date of acceptance.

If you continue to use the Services after the change, you are deemed to have accepted the revised Policy. If you do not agree, please discontinue use and contact us to close your account.

17. Governing law and dispute resolution

This Policy is governed by the laws of India. The courts at Kochi, Kerala have exclusive jurisdiction over all disputes arising out of or in connection with this Policy, subject to your statutory right to approach the Data Protection Board of India.

18. Contact

Subject	Contact
General privacy queries	support@bizboozt.com
DPDPA rights requests	support@bizboozt.com (subject "DPDPA Request — [type]")
Grievance	support@bizboozt.com (subject "Grievance — [type]")
Phone	+91 8336 980 930
Postal	40/3456, Flat No. 602, Pearl Ouplence, Metro Pillar No. 505, Palarivattom, Kochi, Ernakulam, Kerala — 682025, India
Hours	Mon–Fri 8a–8p / Sat 9a–7p / Sun 9a–9p IST

Appendix A — Open items for client + lawyer review

Items marked [LAWYER TO VERIFY] in the body, plus the following:

Designate a Grievance Officer / DPO by name (§ 14). Decide whether one named individual (recommended for v0.1) or a function (e.g., "Privacy Operations Lead") is appropriate.
Confirm 8-year tax retention as the working baseline (§ 6).
Confirm 18+ user policy rather than parental-consent flow for minors (§ 11).
Confirm cross-border transfer wording for EU observability (§ 8.3) — DPDPA s. 16 framework is still being notified; lawyer to advise on transfer impact assessments and processor terms.
Confirm DPB / Data Principal notification timelines for breach (§ 15) once the DPDPA Rules are notified.
Confirm Pearl Ouplence vs Pearl Opulence registered spelling — V1 docs are inconsistent; the registered legal spelling per client confirmation is Pearl Ouplence and we have used that throughout.
Confirm 30-day account closure → anonymisation timeline (§ 13) is operationally feasible.
Confirm sharing with chartered accountants and lawyers under § 7.3 is correctly framed as a Data Processor relationship.
Translate to additional languages? v0.1 is English-only; translations may be required by DPDPA s. 5(3) (Notice in 22 Eighth Schedule languages on user request).