Data Policy

Kutoot Innovations Private Limited ("Kutoot", "we", "our", or "us") operates a technology-enabled merchant promotion and customer engagement platform that facilitates local commerce through digital incentives, transaction enablement, and promotional campaigns (the "Platform").

This Data Policy ("Policy") outlines how personal data is collected, processed, stored, shared, retained, and deleted when you access or use the Platform.

This Policy is governed by the Digital Personal Data Protection Act, 2023 (India), the Information Technology Act, 2000, and other applicable laws.

This Policy should be read together with our Privacy Policy and Terms & Conditions.

Kutoot acts as a Data Fiduciary, determining the purpose and means of processing personal data.

Third-party vendors, payment providers, analytics partners, and service providers act as Data Processors.

All such entities are contractually bound to maintain confidentiality and comply with applicable data protection laws.

Kutoot has appointed a Data Protection Officer responsible for compliance and grievance handling.

Kutoot collects personal data through:

A. Direct Collection

• Name, mobile number, email
• Account registration details
• Transaction and interaction data

B. Automatic Collection

• Device information
• IP address
• Usage activity and logs
• App interaction behaviour

C. Location Data (With Consent)

Used for:

• Hyperlocal merchant discovery
• Fraud prevention
• Campaign targeting

Lawful Basis for Processing

We process personal data based on:

• Consent - provided during registration and usage
• Contractual Necessity - to enable transactions and platform services
• Legal Obligations - tax, compliance, and regulatory requirements
• Legitimate Interests - fraud detection, analytics, and platform improvement

Sensitive personal data (if required for verification or compliance) is collected only with explicit consent.

Personal data is used for:

• Account creation and authentication
• Enabling in-store transactions via the Platform
• Facilitating merchant interactions and transaction validation
• Issuing promotional stamps and managing campaigns
• Customer support and grievance resolution
• Fraud detection and prevention
• Analytics and platform improvement
• Compliance with legal and regulatory requirements

Kutoot does not use data for unrelated purposes.

Personal data may be shared only in the following circumstances:

With Merchants

• Limited data required for transaction validation and service fulfilment

With Payment Service Providers (PSPs)

• For processing transactions via RBI-authorised systems

With Service Providers

• Cloud hosting, analytics, communication tools
• Bound by confidentiality and legal compliance

With Legal Authorities

• Where required by law, court orders, or regulatory authorities

With Business Transfers

• In case of mergers, acquisitions, or restructuring

Kutoot does not sell personal data.

Personal data is retained only as long as necessary:

Data may be retained longer where required by law or for dispute resolution.

Users may request deletion of personal data by contacting:

Kutoot will:

• Verify the request
• Process deletion within 30 days, subject to legal obligations

Data may not be deleted where required for:

• Legal compliance
• Fraud prevention
• Dispute resolution
• Ongoing investigations

Deleted data is securely erased or anonymized.

Kutoot stores data on secure servers and implements:

• Encryption (in transit and at rest)
• Role-based access control
• Secure authentication systems
• Regular monitoring and audits

Data is primarily stored within India. Any cross-border transfer, if applicable, will comply with Indian laws.

In case of a data breach:

• Users and authorities will be notified as per legal requirements

Under the Digital Personal Data Protection Act, 2023, you have the right to:

• Access your personal data
• Request correction or updates
• Request deletion
• Withdraw consent
• Seek grievance redressal
• Nominate another individual for data rights

Requests may be submitted to:

Kutoot will respond within 30 days or as required by law.

The Platform is not intended for individuals below 18 years of age.

Kutoot does not knowingly collect data from minors.

If such data is identified, it will be deleted promptly.

Kutoot maintains internal governance frameworks including:

• Periodic audits
• Access control policies
• Employee training on data protection

Any violations may result in:

• Disciplinary action
• Termination of contracts
• Legal proceedings

Kutoot processes data to facilitate platform services.

However:

• Merchant-related data usage is limited to transaction facilitation
• Kutoot does not control how Merchants independently process data outside the Platform

This Policy shall be governed by the laws of India.

Courts in Bengaluru, Karnataka shall have jurisdiction, subject to applicable dispute resolution mechanisms.

For any data-related queries or requests: