JumboBuy.in ("we," "us," "Platform") operates as a dedicated B2B marketplace connecting manufacturers, wholesalers, importers, and business buyers across India and globally. As a Data Fiduciary under Section 2(i) of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), we are committed to protecting your personal data with the highest standards of privacy and security. This Privacy Policy explains how we collect, use, share, and protect personal data in accordance with the DPDP Act, the Information Technology Act, 2000, and other applicable Indian laws.
This Policy applies to all personal data collected through our Platform, mobile applications, business communications, and any other channels through which we interact with users. It governs our data practices, whether you are a manufacturer showcasing products, a wholesaler sourcing goods, an importer exploring Indian markets, or any other business entity utilising our services. By using our Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and processing of your personal data as described herein.
DATA WE COLLECT
We collect various categories of personal data necessary for operating a secure and efficient B2B marketplace. Business information includes your legal entity name, trade names, registration numbers such as CIN, LLP identification, or GST registration, Import-Export Codes for international trade, PAN details, and bank account information for payment processing. We also collect individual contact information, including the names of proprietors, directors, and authorised representatives; professional email addresses and phone numbers; office addresses; and designations within the organisation.
Our Platform automatically collects specific technical data to ensure security and improve user experience. This includes IP addresses, device information, browser types, operating systems, clickstream data showing navigation patterns, search queries, and communication preferences. Transaction data encompasses order history, payment records, shipping information, business verification documents, tax invoices, and credit information, where relevant for trade finance facilities. We collect this data through direct means such as registration forms, product listings, and support requests, as well as through automated technologies including cookies, analytics tools, and security monitoring systems.
In accordance with Section 8(3) of the DPDP Act, we adhere to the principle of data minimisation, collecting only the personal data necessary for specified purposes. We may also receive data from third-party sources, including government databases for business verification, credit bureaus with your consent, payment processors, and logistics partners, ensuring all such collection complies with applicable laws.
LAWFUL BASIS AND PURPOSE OF PROCESSING
We process personal data only for lawful purposes as mandated under Section 4 of the DPDP Act. Processing based on consent under Section 6 includes marketing communications about platform features and industry trends, sharing data with selected third parties for business opportunities, using business success stories for promotional purposes, and collecting optional information for enhanced services. When relying on consent, we ensure it is free, specific, informed, unconditional, and unambiguous, and that precise mechanisms for withdrawal are in place, as required under Section 6(4) of the DPDP Act.
Certain processing activities do not require consent under Section 7 of the DPDP Act for specified legitimate purposes. These include compliance with legal obligations such as tax reporting under GST regulations and anti-money laundering checks; responding to court orders and regulatory investigations; ensuring platform security and preventing fraud; and performing contracts to which you are a party. Every instance of data processing is tied to specific, explicitly stated purposes, including platform operation, legal compliance, business development, and service improvement, ensuring compliance with the purpose limitation principle under Section 8(1) of the DPDP Act.
DATA SHARING AND DISCLOSURE
We share personal data only when necessary and with appropriate safeguards in place. Service providers acting as data processors under Section 8(2) of the DPDP Act include cloud infrastructure providers, payment gateways, customer support platforms, and analytics services. These processors are contractually bound to process data only in accordance with our instructions and to implement appropriate security measures. When you interact with other businesses on our Platform, we share limited information necessary for transaction facilitation, typically including your business name, contact details, and product information you've chosen to make public.
Legal and regulatory authorities may receive data when required by law, including tax authorities for GST compliance, customs officials for import-export transactions, law enforcement agencies with proper authorisation, and regulatory bodies overseeing B2B commerce. We carefully verify the legal basis for each disclosure and limit sharing to what's specifically required. International data transfers comply with Section 16 of the DPDP Act and occur only to countries notified by the Central Government, unless restricted for specified purposes. For transfers to non-notified countries, we implement appropriate contractual safeguards and obtain specific consent after explaining potential risks.
YOUR RIGHTS AS A DATA PRINCIPAL
Chapter III of the DPDP Act establishes comprehensive rights for Data Principals, which we fully support through dedicated systems and processes. Under Section 11, you have the right to obtain information about your personal data being processed, including a summary of data collected, processing activities and purposes, and details about data sharing. Section 12 grants you the right to correction and erasure, enabling you to correct inaccurate or incomplete data and request deletion when data is no longer necessary for the specified purpose.
The right to grievance redressal under Section 13 ensures accountability for our data practices. If you're unsatisfied with our data handling, you can file complaints with our Grievance Officer, escalate unresolved issues to the Data Protection Board of India, and seek appropriate remedies. Section 14 provides the right to nominate another individual to exercise your rights in case of death or incapacity, particularly relevant for sole proprietorships where business and personal data may be interlinked.
To exercise these rights, you can use our online privacy portal, email our Data Protection Officer at contact@JumboBuy.in, or submit written requests to our registered office. We respond to requests within seven working days or as mandated by the Data Protection Board. However, certain limitations may apply when rights conflict with legal obligations, ongoing legal proceedings, platform security requirements, or technical impossibility.
DATA SECURITY MEASURES
Section 8(5) of the DPDP Act requires the implementation of appropriate technical and organisational measures to prevent personal data breaches. Our technical security includes AES-256 encryption for data at rest, TLS 1.3 protocols for data in transit, multi-factor authentication for sensitive accounts, role-based access controls, comprehensive audit logs, firewalls, intrusion detection systems, and 24/7 security monitoring through our Security Operations Centre. These layered defences ensure that even if one security measure fails, others continue protecting your data.
Organisational measures complement our technical safeguards by including employee background verification, mandatory confidentiality agreements, regular security training, documented information security policies, and ISO 27001 certification, which demonstrates adherence to international standards. We conduct regular security audits, including vulnerability assessments, penetration testing, and compliance reviews, to identify and address potential weaknesses before they can be exploited.
In the event of a personal data breach, we comply with Section 8(6) of the DPDP Act by promptly notifying the Data Protection Board where the breach is likely to cause harm to Data Principals. Affected users receive clear communication about the nature of the breach, potential consequences, and recommended protective actions.
DATA RETENTION AND DELETION
Section 8(7) of the DPDP Act requires deletion of personal data when no longer necessary for the specified purpose. Our retention periods balance legal obligations, business needs, and privacy rights. Active account data is retained throughout your relationship with JumboBuy, plus any period required for legal compliance. Financial records are typically maintained for eight years as required under tax laws, while transaction records are kept according to applicable statutory requirements.
For inactive accounts, we conduct annual reviews to identify data eligible for deletion. After one year of inactivity, we are contacting you to confirm continued interest. If no response is received, we begin a graduated deletion process, first anonymising behavioural data while preserving legally required records, then removing unnecessary personal identifiers. Complete deletion across all systems, including backups, may take up to 90 days due to the technical constraints of distributed systems.
Certain data must be retained despite deletion requests to comply with legal obligations, including tax records under the Income Tax Act, company records under the Companies Act, anti-money laundering documentation, and legal hold notices for ongoing litigation. Anonymised data that cannot identify individuals may be retained for analytics and platform improvement purposes.
COOKIES AND TRACKING TECHNOLOGIES
Our Platform uses cookies and similar technologies to enable functionality and improve user experience. Essential cookies necessary for platform operation include session management, security tokens, load balancing, and preference storage. These don't require consent as they're fundamental to providing requested services. Analytics cookies help us understand platform usage patterns, identify technical issues, and improve user experience. Marketing cookies enable targeted advertising and campaign effectiveness measurement.
We provide granular cookie consent management, allowing you to accept or reject different cookie categories. You can modify preferences anytime through account settings or browser controls. When you withdraw consent for certain cookies, we immediately stop setting new cookies of that type and delete existing ones where technically feasible. We also respect Do Not Track signals and provide clear information about all tracking technologies used on our Platform.
SPECIFIC PROVISIONS
We do not knowingly collect personal data from individuals under 18 years of age, as our Platform is designed exclusively for business entities. All accounts require adult authorisation, and we immediately delete any data inadvertently collected from minors unless retention is legally required. In family-run businesses where minor information might be included, we ensure processing occurs only with verifiable parental consent and implement additional security measures.
Third-party services integrated with our Platform, including payment processors and logistics providers, operate under their own privacy policies while being contractually bound to maintain data protection standards comparable to ours. We conduct due diligence on all third parties handling personal data and retain the right to audit their compliance. However, when you directly interact with these services, additional privacy considerations may apply, and we encourage you to review their respective policies.
COMPLIANCE AND UPDATES
Our privacy program ensures compliance with multiple regulatory frameworks. Under the DPDP Act 2023, we implement all required Data Principal rights and Data Fiduciary obligations. The Information Technology Act, 2000, particularly Sections 43A and 72A, guides our security practices and confidentiality obligations. We comply with sector-specific requirements, including RBI guidelines for payment processing, GST regulations for tax compliance, and FEMA requirements for international transactions.
This Privacy Policy may be updated to reflect changes in law, platform features, or business practices. Material changes affecting your rights or our processing activities will be notified by email and platform notifications, with typically 30 days' advance notice, unless urgent legal compliance requires immediate implementation. Continued use of the Platform after notification constitutes acceptance of updated terms. Previous policy versions remain available for reference, demonstrating our commitment to transparency in privacy practices evolution.
CONTACT INFORMATION
For privacy-related queries or to exercise your rights, contact our Data Protection Officer at contact@JumboBuy.in or write to us at our registered address. Our Grievance Officer, appointed under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, can be reached at contact@JumboBuy.in and provides an acknowledgement within 24 hours and a resolution within 15 days. For law enforcement requests, our Nodal Officer is available 24x7 at contact@JumboBuy.in.
We maintain dedicated channels for different privacy needs to ensure prompt and appropriate responses. General privacy inquiries should be directed to contact@JumboBuy.in, while security concerns should be reported immediately to contact@JumboBuy.in.
ACKNOWLEDGMENT
By using the JumboBuy Platform, you acknowledge that you have read and understood this Privacy Policy, including how we collect, use, share, and protect your personal data, your rights as a Data Principal under the DPDP Act, the legal bases for our processing activities, and our commitment to data protection compliance. You understand that certain data processing is necessary for platform operation and legal compliance, while other processing relies on your consent, which can be withdrawn at any time. You acknowledge your responsibility to maintain data accuracy and inform us of relevant changes affecting your personal data.
This acknowledgement doesn't limit your statutory rights under applicable data protection laws but ensures informed participation in our Platform ecosystem. We encourage you to regularly review this Policy and contact us with any questions or concerns about our privacy practices. Your trust is essential to our success, and we remain committed to protecting your personal data with the highest standards of care and compliance.
