Privacy Policy

Effective date: 1 April 2025

1. Introduction

Avysh Technologies Private Limited (“Avysh”, “we”, “us”, or “our”) operates Avysh ONDC Store (“Platform”), a buyer application (BAP) on the Open Network for Digital Commerce (ONDC). We are committed to protecting your privacy and handling your personal data responsibly.

This Privacy Policy explains what information we collect when you use our Platform, how we use it, with whom we share it, and the rights you have over your data. It applies to our website, mobile applications, and all related services.

By creating an account or using the Platform, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Platform.

2. Information We Collect

2.1 Information You Provide

• Name, email address, and phone number (during registration)
• Delivery addresses (street, city, state, PIN code)
• Payment information (processed by our payment gateway partners — we do not store card or bank details)
• Profile picture (optional, if provided via Google Sign-In)
• Communications with our support team

2.2 Information We Collect Automatically

• Device identifiers (IP address, browser type, OS)
• Usage data (pages visited, search queries, product views, time spent)
• Location data (city/PIN code for delivery — only when you provide it)
• Session and cookie data for authentication and preferences
• Transaction metadata (order IDs, timestamps, ONDC transaction identifiers)

2.3 Information from Third Parties

• Google: Name, email, and profile picture when you sign in with Google
• Payment Gateway Partners: Payment status, refund status, and transaction identifiers
• ONDC Network: Seller information, product data, and order fulfilment updates

3. How We Use Your Information

• Account Creation & Authentication: To create and manage your account, including Google OAuth sign-in and session management.
• Order Processing: To search for products on the ONDC network, place orders with sellers, process payments via our payment gateway partners, and coordinate delivery.
• Customer Support: To respond to your queries, process return or refund requests, and manage grievances through the ONDC Issue & Grievance Management (IGM) system.
• Platform Improvement: To analyse usage patterns, fix bugs, improve performance, and personalise your experience (e.g., location-based search results).
• Legal Compliance: To comply with applicable Indian laws, regulations, and ONDC network policies, including responding to lawful government requests.
• Communications: To send transactional notifications (order confirmation, shipping updates, refund status) via email or SMS. Marketing communications are sent only with your consent.

4. Legal Basis for Processing

We process your personal data on the following legal bases:

• Contractual Necessity: Processing required to fulfil your orders and provide our services.
• Consent: For Google Sign-In, optional marketing communications, and optional location access. You may withdraw consent at any time.
• Legitimate Interests: To improve the Platform, detect fraud, ensure security, and maintain service quality.
• Legal Obligation: To comply with Indian laws (IT Act 2000, IT Rules 2011, Consumer Protection Act 2019, ONDC network policies).

5. Sharing of Information

We do not sell your personal data. We share information only as described below:

• ONDC Network Sellers: Your name, phone number, and delivery address are shared with sellers only to fulfil your orders.
• Payment Gateway Partners: Payment details are shared with our payment gateway partner(s) to process transactions securely. Each gateway's privacy policy governs their use of this data.
• Google (Authentication Provider): We use Google OAuth for sign-in. Google's privacy policy governs data shared during authentication.
• Logistics Partners: Delivery address and contact information are shared with logistics providers assigned by sellers for order fulfilment.
• Legal Authorities: We may disclose information when required by law, court order, or to protect the rights, property, or safety of Avysh, its users, or others.
• Service Providers: We use trusted third-party services (e.g., Meilisearch for search, Redis for caching, PostgreSQL for database). These providers are contractually obligated to protect your data.

6. Google Sign-In & OAuth Disclosure

Avysh uses Google OAuth 2.0 to allow you to sign in with your Google account. When you sign in with Google, we receive your name, email address, and profile picture from Google.

• We use Google account data solely for authentication and account creation.
• We do not access your Google Drive, Gmail, contacts, or any other Google services.
• We do not share your Google account data with third parties except as described in Section 5.
• You can revoke Avysh's access to your Google account at any time via Google Account Settings → Security → Third-party apps with account access.
• Our use of Google Sign-In complies with Google's OAuth 2.0 Policies and the Google API Services User Data Policy.

7. Cookies & Tracking Technologies

We use cookies and similar technologies for the following purposes:

• Strictly Necessary Cookies: Session tokens, authentication state, and security cookies. These cannot be disabled without breaking core functionality.
• Functional Cookies: Remembering your preferred delivery location, language, and cart state between sessions.
• Analytics Cookies: Understanding how users navigate the Platform to improve performance. These are used in aggregate and do not identify individuals.

You can manage cookies through your browser settings. Disabling cookies may limit Platform functionality.

8. Data Retention

We retain your personal data for as long as necessary to provide services and comply with legal obligations:

• Account Data: Until account deletion request, plus 90 days for recovery
• Order & Transaction Data: 7 years (tax and legal compliance)
• Payment Data: As required by payment gateway partners and RBI regulations
• ONDC Transaction Logs: As per ONDC network retention requirements
• Support Communications: 3 years from resolution
• Marketing Preferences: Until consent is withdrawn or account deleted

9. Your Rights

Under applicable Indian data protection laws, you have the following rights:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your account and personal data (subject to legal retention requirements).
• Right to Withdraw Consent: Withdraw consent for Google Sign-In, marketing communications, or location access at any time.
• Right to Grievance Redressal: Lodge a complaint with our Grievance Officer (see Section 12) if you believe your data rights have been violated.

To exercise your rights, email us at info@avysh.com. We will respond within 30 days.

10. Data Security

We implement industry-standard security measures to protect your data:

• HTTPS encryption for all data in transit
• Secure, hashed storage of authentication credentials
• Ed25519 cryptographic signing for all ONDC network communications
• Role-based access controls limiting data access to authorised personnel only
• Regular security reviews of third-party integrations
• Payment data handled exclusively by PCI-DSS compliant payment gateway infrastructure

No method of internet transmission is 100% secure. If you suspect a security breach affecting your account, contact us immediately at info@avysh.com.

11. Children's Privacy

Avysh ONDC Store is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at info@avysh.com and we will promptly delete such data.

12. Grievance Officer

In accordance with the Information Technology Act, 2000, and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer:

• Grievance Officer
• Avysh Technologies Private Limited
• Email: grievance@avysh.com
• Response Time: Acknowledgement within 24 hours; resolution within 30 days

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice on the Platform at least 7 days before they take effect.

The “Effective Date” at the top of this page reflects when the current version was last updated. Continued use of the Platform after changes take effect constitutes acceptance of the revised policy.