Privacy Policy

Last updated: March 16, 2026

1. Introduction and Scope

This Privacy Policy (“Policy”) is published by Simranpal Singh, operating under the trade name KCITR (“Platform”, “we”, “us”, or “our”), and governs the collection, use, storage, processing, disclosure, and protection of personal data and information when you access or use our website at kcitr.com, our mobile application, and all related services (collectively, the “Services”).

Kcitr is an online marketplace platform that connects independent sellers with buyers and facilitates a gig-based task marketplace. This Policy applies equally to all users of the Services, including buyers, sellers, gig posters, gig workers, and visitors.

This Policy is published in compliance with Section 43A of the Information Technology Act, 2000 (“IT Act”) and Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and applicable provisions of the Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020.

By accessing or using the Services, you expressly consent to the collection, processing, and use of your information as described in this Policy. If you do not agree with any provision of this Policy, you must immediately discontinue use of the Services.

2. Definitions

For the purposes of this Policy:

  • “Personal Data” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available, is capable of identifying such person.
  • “Sensitive Personal Data or Information” (“SPDI”) has the meaning ascribed under Rule 3 of the SPDI Rules, and includes, without limitation, financial information such as bank account details, payment instrument details, and passwords.
  • “Data Controller” refers to Kcitr, which determines the purposes and means of processing Personal Data.
  • “Processing” includes any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction.

3. Information We Collect

3.1 Information You Provide Directly

  • Account Registration Data: full name, email address, mobile number, profile photograph, and encrypted password upon creation of an account.
  • Third-Party Authentication (Google Sign-In): if you authenticate via Google OAuth, we receive your Google account display name, email address, and profile photograph. We do not receive or store your Google account password.
  • Address Information: shipping and billing addresses, including street address, area/locality, city, state, postal code, country, and, where provided, GPS coordinates.
  • Seller/Merchant Information: store name, store contact number, store description, store category, store address with GPS coordinates, delivery configuration parameters, and operating hours.
  • Seller Financial Information (SPDI): bank account holder name, bank account number, and IFSC code, collected exclusively for the purpose of payment settlement via our payment processing partner. This information constitutes Sensitive Personal Data or Information under Rule 3 of the SPDI Rules.
  • Gig Marketplace Data: task title, description, budget parameters, location details, contact telephone number, scheduling information, and offers submitted.
  • Communications: text messages exchanged through the in-app chat facility (store enquiries, order conversations, and gig conversations). Chat messages are text-only. Messages may be reviewed for the purposes of policy compliance, fraud prevention, and user safety.
  • User-Generated Content: product reviews, store reviews, gig reviews, numerical ratings, review images, and seller reply content.
  • Support Correspondence: any communications directed to us for the purpose of obtaining assistance, reporting issues, or providing feedback.

3.2 Information Collected Automatically

  • Device Information: device type and model, operating system and version, application version, unique device identifiers, and push notification tokens (FCM tokens).
  • Location Data: with your explicit permission, we collect GPS coordinates from your device to enable location-based features, including auto-detection of your area and display of geographically relevant stores and products. You may deny or revoke location permission at any time through your device settings; in such case, you may enter your postal code manually.
  • Usage Data: pages and screens visited, search queries executed, products viewed, items added to cart, orders placed, and interaction patterns with the Services.
  • Log Data: Internet Protocol (IP) address, browser type and version, access timestamps, referring and exit URLs, and crash/error diagnostic reports.

3.3 Information from Third Parties

  • Payment Processor (Razorpay Technologies Private Limited): payment status confirmations, transaction identifiers, refund status, linked account verification status, and settlement details. We do not receive or store full card numbers, CVV/CVC codes, UPI PINs, or net banking credentials.
  • Geocoding Services: area, city, and state information derived from postal codes or reverse geocoding of coordinates.

4. Purpose and Legal Basis for Processing

We process your Personal Data for the following purposes, each of which constitutes a lawful basis for processing under applicable Indian law:

  • Performance of Services: creating and managing accounts; displaying geographically relevant stores and products; processing, fulfilling, and tracking orders; facilitating buyer-seller and gig communications; managing gig offers; and settling payments to sellers.
  • Payment Processing: facilitating marketplace payments via Razorpay Route split-payment infrastructure, including Razorpay linked account onboarding, KYC verification, and payment settlement to sellers. Seller bank details are processed solely for this purpose.
  • Transactional Communications: sending order status updates, delivery notifications, email OTP for account verification, password reset links, payment confirmations, refund status updates, and settlement notifications via email, SMS, and push notifications.
  • Safety, Security, and Fraud Prevention: detecting, investigating, preventing, and addressing fraud, abuse, security incidents, technical vulnerabilities, and violations of our Terms of Service.
  • Platform Improvement: analysing usage patterns and aggregated data, diagnosing technical issues via error monitoring, and improving the functionality, performance, and user experience of the Services.
  • Legal Compliance: complying with applicable laws, regulations, legal processes, or enforceable governmental requests, including obligations under the IT Act, SPDI Rules, GST laws, and Income Tax Act.

5. Disclosure and Sharing of Information

We do not sell, rent, trade, or otherwise commercially exploit your Personal Data. We disclose information only in the following limited circumstances:

  • With Sellers (Order Fulfilment): upon placement of an order, the relevant seller receives the buyer’s name, delivery address, telephone number (if provided), and order details strictly necessary for order fulfilment. Sellers do not receive your email address, payment instrument details, or account credentials.
  • With Buyers (Store Visibility): seller store name, store address, category, operating hours, aggregate ratings, and reviews are displayed to buyers. Seller bank account details and personal financial information are never disclosed to buyers.
  • Payment Processor (Razorpay Technologies Private Limited): transaction details and seller bank account information are shared with Razorpay for payment processing, linked account creation, KYC verification, settlement, and chargeback resolution. Razorpay’s privacy policy governs their independent handling of such data.
  • Cloud and Infrastructure Providers: we engage third-party hosting, storage, and infrastructure service providers to operate the Platform. Data is stored and processed by these providers under contractual obligations that require them to protect the confidentiality and security of your data.
  • Error Monitoring (Sentry): anonymised crash reports and error diagnostic logs may be processed by Sentry for debugging and service reliability purposes. These reports do not contain identifiable personal data such as names, email addresses, or financial information.
  • Push Notification Services (Firebase Cloud Messaging): device tokens are transmitted to Google Firebase for the purpose of delivering push notifications. Notification content is routed through Firebase infrastructure.
  • Geocoding (OpenStreetMap/Nominatim): GPS coordinates may be transmitted to the Nominatim service for reverse geocoding purposes. No personally identifiable data is transmitted alongside the coordinates.
  • Legal and Regulatory Obligations: we may disclose information when required by law, regulation, court order, subpoena, or other compulsory legal process, or when we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of the Platform, our users, or the public.
  • Business Transfers: in the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, user data may be transferred as part of the transaction. We will provide prior notice of any such transfer and the applicable privacy protections.

6. Data Storage and Security Measures

We implement commercially reasonable technical and organisational security measures designed to protect Personal Data against unauthorised access, alteration, disclosure, or destruction, in accordance with Rule 8 of the SPDI Rules, including:

  • Encryption of all data in transit via TLS/HTTPS protocols
  • Cryptographic hashing of passwords using bcrypt with appropriate work factors
  • Secure token-based authentication (JSON Web Tokens) with configurable expiry periods
  • Storage of sensitive credentials (authentication tokens, financial data) in device-level secure storage facilities on mobile devices
  • Role-based access controls for internal systems and data access
  • HMAC-SHA256 verification of payment webhook authenticity to prevent tampering
  • Regular security assessments and vulnerability monitoring

Notwithstanding the foregoing, no method of electronic transmission or storage is entirely secure. We cannot guarantee absolute security of your data but shall promptly notify affected users of any data breach in accordance with applicable law, including Section 43A of the IT Act.

7. Data Stored on Your Device

The mobile application stores certain data locally on your device for performance and convenience purposes:

  • Authentication tokens (stored in device-level secure storage, inaccessible to other applications)
  • Cached user profile and address data (for reduced load times)
  • Shopping cart contents
  • Recently viewed products (up to 20 items)
  • Saved location preferences (city, postal code)
  • Notification preference settings
  • Recent search terms

This locally stored data is cleared upon logout or uninstallation of the application. The web application utilises browser localStorage for analogous purposes and session cookies for authentication state management.

8. Cookies and Tracking Technologies

8.1 Essential Cookies: Our web application employs essential cookies and localStorage strictly for authentication, session management, and security purposes. These are necessary for the proper functioning of the Services and cannot be disabled.

8.2 No Advertising Cookies: We do not use third-party advertising cookies, behavioural tracking pixels, or cross-site tracking technologies.

8.3 Error Monitoring: Minimal session identifiers may be utilised by our error monitoring service (Sentry) solely for crash reporting and diagnostic purposes. These identifiers do not contain personally identifiable information.

8.4 Managing Cookies: You may configure your browser to refuse cookies or to alert you when cookies are being sent. However, disabling essential cookies may impair the functionality of the Services.

9. Data Retention

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

  • Active Accounts: Personal Data is retained for the duration of your active account and for a reasonable period thereafter to address any post-termination enquiries or obligations.
  • Order and Transaction Records: retained for a minimum period of eight (8) years from the date of the transaction, as mandated under the Income Tax Act, 1961, the Central Goods and Services Tax Act, 2017, and related regulatory requirements.
  • Chat Messages: automatically deleted thirty (30) days after transmission. Conversations with no remaining messages are closed and removed automatically.
  • Deleted Accounts: upon receipt of a verified account deletion request, Personal Data is removed or irreversibly anonymised within thirty (30) days, except for records required for legal compliance, fraud prevention, dispute resolution, or regulatory obligations.
  • Seller Financial Data: bank account details are retained for the duration of the seller’s active store and for a minimum of eight (8) years following the last transaction, for regulatory and audit compliance purposes.
  • Log and Usage Data: retained for up to twenty-four (24) months from the date of collection, unless longer retention is required for security investigations or legal proceedings.

10. Your Rights

Subject to applicable law, you have the following rights in respect of your Personal Data:

  • Right of Access: the right to obtain confirmation as to whether we process your Personal Data and, where so, to request access to such data.
  • Right to Rectification: the right to have inaccurate or incomplete Personal Data corrected. You may update most information directly via your profile settings.
  • Right to Erasure: the right to request deletion of your account and associated Personal Data, subject to statutory retention obligations set out in Section 9 above.
  • Right to Withdraw Consent: the right to withdraw consent for optional data processing (e.g., location access, push notifications) at any time through your device or application settings. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.
  • Right to Object: the right to object to certain processing activities, including promotional communications, via notification preferences within the application.
  • Right to Data Portability: the right to request a copy of your Personal Data in a structured, commonly used, and machine-readable format.
  • Right to Lodge a Complaint: the right to lodge a complaint with the appropriate data protection authority or adjudicating officer under the IT Act if you believe your rights have been infringed.

To exercise any of these rights, please contact us at support@kcitr.com or via our contact page. We shall acknowledge your request within forty-eight (48) hours and endeavour to fulfil it within thirty (30) days of receipt.

11. Children’s Privacy

The Services are not directed at, and are not intended for use by, individuals under the age of eighteen (18) years. We do not knowingly collect Personal Data from minors. If we become aware that we have inadvertently collected Personal Data from a person under 18, we shall take immediate steps to delete such data. If you believe that a minor has provided Personal Data to us, please contact us immediately at support@kcitr.com.

12. Third-Party Links and Services

The Services may contain hyperlinks to third-party websites, applications, or services (including, without limitation, payment gateways and seller external websites). We are not responsible for, and this Policy does not govern, the privacy practices of such third parties. We strongly recommend that you review the respective privacy policies of any third-party service before providing personal information to them.

13. Cross-Border Data Transfer

Our servers and primary data processing facilities are located in India. If you access the Services from a jurisdiction outside India, your data may be transferred to and processed in India. By using the Services, you expressly consent to the transfer of your data to India and its processing in accordance with this Policy and applicable Indian law. We shall ensure that appropriate safeguards are in place for any cross-border transfer of Personal Data.

14. Amendments to This Policy

We reserve the right to amend this Policy from time to time to reflect changes in our data practices, legal requirements, or the Services. When we make material amendments, we shall:

  • Update the “Last updated” date at the top of this page
  • Provide notice via email and/or in-app notification prior to the changes taking effect
  • Where required by law, obtain your explicit consent before applying the amendments to your data

Your continued use of the Services following the effective date of the amended Policy shall constitute your acceptance of the revised terms. If you do not agree with any amendment, you must discontinue use of the Services and may request deletion of your account.

15. Grievance Redressal

In accordance with Section 43A of the Information Technology Act, 2000, and Rule 5(9) of the SPDI Rules, the name and contact details of the Grievance Officer are provided below. If you have any grievance, complaint, or concern regarding the collection, processing, or use of your Personal Data, you may contact:

Grievance Officer

Name: Simranpal Singh

Designation: Proprietor, KCITR

Email: support@kcitr.com

Contact Form: kcitr.com/contact

We shall acknowledge your grievance within forty-eight (48) hours of receipt and resolve it within thirty (30) days from the date of acknowledgement, in accordance with the SPDI Rules.

16. Governing Law and Jurisdiction

This Policy shall be governed by and construed in accordance with the laws of India. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts in Indore, Madhya Pradesh, India.