Privacy Policy

1. Who We Are

Rubytronix IT soluitons ("Dgtol", "we", "us", or "our") operates the Dgtol merchant application, dashboard, and buyer storefront (collectively, the "Platform"). By using our Platform, you agree to the collection and use of your information as described in this Policy.

Our registered office and data operations are based in Bangalore, Karnataka, India. All data of Indian users is stored within India.

2. Information We Collect

2.1 Information You Provide Directly

Merchant Account Information:

• Full name, email address, and phone number
• Business name, category, and description
• GST Identification Number (GSTIN) and business registration details
• UPI ID(s) and bank account details (for payment settlement via Cashfree)
• Product listings: names, descriptions, prices, and stock levels
• Product photographs, videos, and other media you upload

Buyer Information (collected on your behalf as a merchant):

• Name and contact details provided at checkout
• Delivery address (if applicable)
• Order history and transaction amounts

2.2 Information Collected Automatically

• Device model, OS version, and unique device identifiers
• App usage data: screens visited, features used, session duration
• Crash reports and error logs (anonymised before transmission)
• IP address and approximate location (city/state — not GPS)
• Transaction metadata: timestamps, payment statuses, order states

2.3 Information from Third-Party Services

• Cashfree Payments: payment status, reference IDs, settlement amounts
• Expo Push Service (Expo Inc.): push notification delivery receipts
• PostHog: anonymised product analytics events

We do not collect raw card numbers, CVVs, or full bank credentials — these are handled exclusively by Cashfree's PCI-DSS certified infrastructure.

3. How We Use Your Information

We use your personal data solely for the following purposes:

• Service delivery: Process orders, enable payment acceptance, manage your storefront and Khata records
• Transaction processing: Route payments through Cashfree, generate GST invoices, prepare GSTR-1 and Tally XML exports
• Communication: Send order notifications via app and email; trigger WhatsApp reminders you configure (not autonomous marketing)
• Platform improvement: Analyse usage patterns to improve features and fix bugs via Sentry error reports
• Legal compliance: Maintain records required under GST law, the Companies Act, and RBI regulations
• Security: Detect fraud, unauthorised access, and abuse of the Platform

We do NOT sell, rent, or trade your personal data to third parties for advertising or marketing purposes — ever.

4. How We Share Your Information

4.1 Data Processors (Vendors We Trust)

We engage vendors who process data strictly on our behalf and under our instructions:

• Supabase Inc. — Database hosting and authentication (AWS ap-south-1, Mumbai)
• Cashfree Payments India Pvt. Ltd. — Payment processing and merchant settlement
• Expo Inc. (Expo Push Service) — Push notification infrastructure
• PostHog Inc. — Product analytics (data minimised and anonymised at source)
• Sentry.io — Error and crash tracking (no personally identifiable information in error payloads)

Each vendor is bound by a data processing agreement and applicable privacy law.

4.2 Merchant–Buyer Relationship

When a buyer places an order through your store, you (the merchant) receive the buyer's contact and order information. You are independently responsible for handling that buyer data lawfully, including under the DPDPA 2023.

4.3 Legal Requirements

We may disclose your data when required by a valid court order, government requisition, or applicable Indian law (including the IT Act, 2000 and DPDPA, 2023). We will, where legally permitted, notify you before such disclosure.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of Dgtol, your data may be transferred to the acquiring entity. We will provide at least 30 days' notice before your data becomes subject to a different privacy policy.

5. Data Localization & Retention

All personal data of Indian users is stored and processed on servers within India (AWS ap-south-1, Mumbai), in compliance with applicable data localization requirements.

We retain your data as follows:

• Active account data: for the duration of your subscription plus 3 years
• Transaction and GST records: 7 years (as required under the GST Act and Companies Act)
• Deleted account data: purged within 30 days of deletion (except legally mandated records)
• Crash logs and analytics events: 90 days, then automatically deleted

6. Data Security

We implement industry-standard security controls across our Platform:

• All data in transit is encrypted using TLS 1.2 or higher
• Database storage is encrypted at rest using AES-256
• Row-Level Security (RLS) policies ensure each merchant can only access their own data — enforced at the database layer, not just application logic
• Authentication uses JWT tokens with automatic expiry; tokens are stored in the device's secure enclave (expo-secure-store), not plain storage
• All secret credentials (API keys, payment gateway keys) are stored exclusively in server-side Edge Functions — never in the client app
• Sentry captures errors without PII; PostHog events are anonymised before transmission

No transmission method or storage system is 100% secure. While we work relentlessly to protect your data, we cannot guarantee absolute security against all threats. We commit to notifying you promptly in the event of a data breach affecting your personal information, as required by law.

7. Your Rights Under Indian Law

Under the Digital Personal Data Protection Act, 2023 and applicable Indian law, you have the following rights:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data (subject to legal retention obligations)
• Right to Grievance Redressal: Lodge a complaint with our Data Protection Officer
• Right to Nominate: Designate an individual to exercise these rights on your behalf in the event of death or incapacity
• Right to Withdraw Consent: Withdraw consent for data processing at any time (note: withdrawal may affect your ability to use the Platform)

To exercise any of these rights, email our Data Protection Officer at privacy@dgtol.in. We will respond to verified requests within 30 days.

8. Cookies & Local Storage

The Dgtol mobile app uses device-level storage (not browser cookies) to:

• Store authentication tokens securely in the device's secure enclave
• Cache merchant data locally for offline access (WatermelonDB)
• Store app preferences and settings (MMKV)

The buyer storefront (store.dgtol.in/shop/…) uses browser localStorage/sessionStorage solely to maintain cart state and session information. We do not place third-party advertising or tracking cookies on the buyer storefront.

9. Children's Privacy

The Dgtol Platform is intended for adults operating a lawful business. We do not knowingly collect personal data from individuals under 18 years of age. If you believe a minor has provided us with personal data, contact us immediately at privacy@dgtol.in and we will delete such data promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated:

• Via in-app notification at least 14 days before the changes take effect
• By email to your registered address
• By updating the "Last Updated" date on this page

Continued use of the Platform after the effective date of any update constitutes your acceptance of the revised Policy.

11. Contact Us

For any privacy-related queries, data requests, or complaints: