Privacy Policy
Effective Date: 01/08/2025
Legal Entity: DROPIFFY, Proprietorship
Registered Address: Yewelwadi Road, Kondhwa bk, Pune-411048, Maharashtra, India
Contact (Privacy): help@dropiffy.in, +91 9356218390
Grievance Officer: help@dropiffy.in, +91-9356218390
Data Protection Officer (if appointed): NA
1. Scope and Applicability
· This Privacy Policy explains how we collect, use, disclose, and protect personal data
when operating our website, mobile app, and services as a dropshipping supplier to
retailers/resellers and servicing end-customer orders fulfilled on retailers’ behalf.
· This Policy applies to: (a) retailers/resellers (“Retailers”), (b) Retailer personnel, (c)
end customers whose orders we fulfill, and (d) visitors to our site/app.
· By accessing our site/app or using our services, you agree to this Policy and consent to
processing per Indian law and, where applicable, international transfer requirements.
2. Legal Bases and Key Laws
· We process personal data in accordance with the DPDP Act, 2023, the Information
Technology Act, 2000, and the Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
· Depending on the context, processing is based on: consent, performance of a contract
(order fulfillment, support), compliance with legal obligations (tax/GST, invoicing), and
our legitimate interests (fraud prevention, security, improving services).
3. Personal Data We Collect
A. Retailers (and their personnel)
· Identity: name, business name, GSTIN, PAN, CIN, designation, KYC details.
· Contact: email, phone, billing/shipping addresses.
· Account & Authentication: username, hashed passwords, role permissions.
· Financial/Transactional: invoices, order history, payment confirmations (we avoid storing
full card details; we use PCI‑compliant payment gateways).
· Communications: emails, chats, support tickets, call recordings where permitted.
B. End Customers (of Retailers)
· Identity: name.
· Contact: email, phone, shipping address.
· Order & Delivery: order items, quantity, value, delivery notes.
· Returns/Warranty: RMA requests, defect images, explanations.
· Limited payment metadata as necessary for reconciliation; we do not collect full card data
from end customers unless we directly process payments for specific flows (in which
case we use PCI‑compliant processors).
C. Device/Usage Data (Visitors, Retailers, End Customers)
· Device identifiers, IP address, app version, browser type, OS, language, referral URLs.
· Usage and diagnostic logs, crash logs, timestamped events.
· Cookies/SDKs: session cookies, preference cookies, analytics cookies/SDKs, and
optional marketing cookies subject to consent.
D. Sensitive Personal Data
· We do not intentionally collect sensitive personal data (e.g., health, biometrics). If
provided inadvertently (e.g., in attachments), we will delete or minimize it.
4. Sources of Data
· Directly from users (forms, checkout, account setup, customer support).
· From Retailers about their end customers to fulfill dropship orders.
· From payment gateways, logistics providers, KYC vendors, analytics providers.
· From publicly available sources for verification or fraud prevention when lawful.
5. Purposes of Processing
· Account management and onboarding (Retailers).
· Order processing, fulfillment, shipment tracking, and delivery communications (End
Customers).
· Invoicing, GST compliance, accounting, and reconciliation.
· Customer support, returns/RMA, warranty, and dispute resolution.
· Fraud detection, information security, abuse prevention.
· Service improvement, analytics, and product development.
· Compliance with legal obligations and law‑enforcement requests.
· Marketing communications to Retailers (with opt‑out), and operational notifications to End
Customers (e.g., order/shipping updates).
6. Consent Management
· We obtain consent where required (e.g., marketing cookies/communications, specific data
uses not necessary for the contract).
· Retailers are responsible for representing they have a lawful basis and valid consent (as
applicable) to share end-customer data with us for fulfillment.
· Users can withdraw consent at any time through account settings or by contacting us;
withdrawals do not affect prior lawful processing and may limit available services.
7. Cookies and Tracking Technologies
· We use essential cookies for login/session integrity and cart/checkout; these are required.
· We use analytics cookies/SDKs (e.g., for page/app usage). Enable/disable via cookie
banner or app settings, where available.
· Marketing cookies/SDKs (retargeting, ads) are disabled by default and only enabled with
express consent (where implemented).
· Browser settings may block cookies; essential functionality may be impacted.
8. Data Sharing and Disclosures
· Logistics/Carriers: names, addresses, contact numbers, order and package details to
deliver goods.
· Payment Processors/Gateways: transaction IDs, amounts, partial identifiers; we do not
store full card data.
· KYC/Verification Vendors: for business verification of Retailers when required.
· IT/Cloud Providers: hosting, storage, backup, analytics, communications, and security
tooling under contracts with confidentiality and data protection obligations.
· Professional Advisors: auditors, accountants, legal counsel for compliance.
· Affiliates/Subsidiaries: for centralized operations under this Policy.
· Government/Regulators/Law Enforcement: upon lawful requests or to comply with legal
obligations.
· Business Transfers: merger, acquisition, or asset sale; personal data may be transferred
with notice and continued protection.
We do not sell personal data.
9. International Data Transfers
· Our primary processing occurs in India. Some vendors or cloud infrastructure may be
located outside India.
· Where cross‑border transfers occur, we implement contractual, technical, and
organizational safeguards consistent with Indian law and, where applicable, destination
laws. We disclose key cross‑border vendors on request.
10. Data Security
· We implement reasonable security practices and procedures as per the IT Act and SPDI
Rules, including:
o Encryption in transit (TLS) and at rest where feasible.
o Access controls, least privilege, MFA for internal systems.
o Network segmentation, firewalls, endpoint protection, logging and monitoring.
o Secure SDLC practices, vulnerability management, periodic penetration tests.
o Vendor due diligence and confidentiality obligations.
· Users should protect account credentials; we are not responsible for unauthorized access
caused by credential compromise outside our control.
11. Data Retention and Deletion
· We retain data for as long as necessary for the purposes stated, including legal,
accounting, and tax requirements (e.g., GST records retention).
· Typical retention:
o Account/Order/Invoice records: up to 8 years or as required by law.
o Support tickets and communications: up to 3 years from closure.
o Analytics data: 12–24 months, aggregated thereafter.
· On request, we delete or de‑identify personal data unless retention is required by law or
for legal claims, fraud prevention, or accounting.
12. Your Rights (under Indian Law)
Subject to applicable law and verifiable requests, individuals may:
· Access: request a copy of personal data we hold.
· Correction/Rectification: correct inaccurate or incomplete data.
· Deletion/Erasure: request deletion where data is no longer necessary, consent is
withdrawn, or processing is unlawful.
· Portability: request portable copies where technically feasible.
· Objection/Restriction: object to or restrict certain processing, including direct marketing.
· Grievance Redressal: contact our Grievance Officer for concerns; escalate to the Data
Protection Board of India (when operational) if unresolved.
How to exercise: Email [privacy@yourdomain.com] or use in‑app privacy controls. We may
require identity verification. We respond within reasonable timelines mandated by law.
13. Children’s Privacy
· Our services are intended for adults and business users. We do not knowingly collect
data from children under 18. If a child’s data is identified, we will delete it promptly.
14. Special Clauses for Dropshipping Workflows
· Retailer Responsibilities: Retailers must provide accurate end‑customer shipping/contact
data and confirm a lawful basis for sharing it with us for fulfillment.
· Minimality: We collect the minimum data necessary to ship orders and handle
returns/warranty.
· RMA/Returns: Photos or defect descriptions shared for returns are used solely to validate
claims and improve quality.
· Blind Shipping/Branding: Where enabled, we may exclude supplier branding; this does
not alter data flows described here.
15. Communications Preferences
· Operational emails/SMS/WhatsApp (order confirmations, shipping updates, RMA steps)
are essential and cannot typically be opted out while orders are active.
· Marketing emails to Retailers include an unsubscribe link. We do not send marketing to
end customers unless they directly subscribe with us.
16. Third‑Party Links and SDKs
· Our site/app may link to third‑party websites or embed third‑party SDKs. Their privacy
practices are governed by their policies. Review them before use.
17. Grievance Officer and DPO
· Grievance Officer (as per IT Act/Rules): help@dropiffy.in, +91-9356218390.
We aim to acknowledge grievances within 48 hours and resolve within 30 days (or as
required by law).
· Data Protection Officer (if appointed under DPDP or voluntarily): NA
18. Changes to This Policy
· We may update this Policy to reflect legal, technical, or business changes. Significant
changes will be notified via email/in‑app notice and by updating the “Effective Date.”
19. Jurisdiction
· This Policy is governed by the laws of India. Disputes will be subject to the exclusive
jurisdiction of the courts at Maharashtra, India.
20. Contact Us
· Email: help@dropiffy.in
· Address: Pune, Maharashtra, India
· Phone: +91 9356218390
Annex: Processing Inventory (Record of Processing Activities) – Optional, Recommended
· Categories of Data Subjects: Retailers, Retailer staff, End Customers, Visitors.
· Categories of Data: identity, contact, order, logistics, device/usage, support
communications.
· Purposes: onboarding, fulfillment, invoicing/GST, support, analytics, security, legal
compliance.
· Recipients: logistics providers, payment processors, IT/cloud providers, advisors,
affiliates, regulators.
· Cross‑Border Transfers: [List key vendors/regions].
· Retention: as per Section 11.
· Security Measures: as per Section 10.
· Lawful Bases: consent, contract performance, legal obligation, legitimate interests.