Privacy Policy
Last updated: 1 May 2026 · Version 1.0
Published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA") of India.
1. Identity of the Data Fiduciary
Mandee Store is operated by Tanvrit Pvt. Ltd. ("Tanvrit", "we", "us"), the data fiduciary under the DPDPA. Registered office: 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India.
2. Data Protection Officer
Vivek Singh (founder) acts as DPO under DPDPA Section 8(9) until a separate DPO is appointed. Contact: dpo@tanvrit.com.
3. Personal Data We Collect
| Category | Examples | Purpose | Retention |
|---|---|---|---|
| Account | Name, mobile, email, profile photo, default delivery address. | Create and manage your shopper account. | Life of account + 90 days post deletion request. |
| Authentication | Password hashes, OTPs, magic-link tokens, refresh tokens. | Verify identity, prevent takeover. | OTP / magic-link 10 minutes; auth audit logs 365 days. |
| Order & transactional | Order line items, GST invoice fields, shipping address, UPI VPA / handle (never the PIN), payment-processor reference IDs, refund records. | Process orders, fulfil deliveries, comply with GST / Income Tax obligations. | 7 years (Income Tax Act, GST Act). |
| Device & telemetry | Device, OS, app version, IP, crash logs, anonymised usage events. | Diagnose crashes, prevent abuse, measure aggregate use. | 90 days raw events. |
| Communications | Support emails, chats with our team, ratings & reviews you post. | Respond to queries, surface reviews to other shoppers. | 3 years after the case closes. |
We never store full payment-card numbers, CVVs, or UPI PINs. Card and UPI data is tokenised by Razorpay and Stripe.
4. Lawful Basis
Under DPDPA Section 4 we rely on consent (Section 6) for account creation, optional marketing, and non-essential analytics; and on certain legitimate uses (Section 7) for order fulfilment, statutory compliance, and emergencies.
5. Sharing & Cross-Border Transfers
We do not sell personal data. We share order details with the seller you bought from (so they can fulfil the order) and with the following processors:
- Google Cloud Run (asia-south1, Mumbai) — application servers; data stays in India.
- MongoDB Atlas — primary database.
- Cloudflare — global CDN and DDoS protection.
- Razorpay (India) — UPI / cards / netbanking.
- Stripe Inc. (United States) — recurring subscriptions or international cards where applicable.
- Twilio Inc. (US, with Indian DLT partners) — transactional SMS / OTP.
- Logistics partners that you choose at checkout, only for the purpose of delivering your order.
Cross-border transfers occur under safeguards permitted by DPDPA Section 16. We do not transfer data to countries notified by the Central Government as restricted.
6. Your Rights as a Data Principal (DPDPA Section 11)
- Access a summary of personal data we process.
- Correction or erasure of inaccurate data.
- Nominate another individual to exercise your rights.
- Grievance redressal.
- Withdraw consent (where consent is the basis of processing).
Email dpo@tanvrit.com from your registered address, or use the deletion form at /account/delete. We respond within 30 days.
7. Children's Data
Mandee Store is not directed to users under 18. We do not knowingly collect personal data from a child. If a parent or guardian becomes aware that a child has signed up, write to dpo@tanvrit.com and we will delete the account; we will not undertake any behavioural tracking or targeted advertising of children.
8. Security
- TLS 1.3 in transit.
- AES-256-GCM encryption at rest for personal-data fields.
- JWT auth with mutex-protected refresh-token rotation.
- OTP rate limiting, passkey replay protection.
- Role-based access controls and audit trails on admin actions.
We do not currently hold ISO 27001 or SOC 2 attestations and do not claim a public uptime SLA. Availability is best-effort and will be backed by a public status page once operational.
9. Breach Notification
We will notify the Data Protection Board of India and every affected data principal within 72 hours of detecting a personal-data breach, in line with DPDPA Section 8(6) and rules thereunder.
10. Retention
- Order / financial / tax records: 7 years.
- Inactive accounts after a deletion request: 90 days.
- Authentication logs: 365 days.
- Analytics events: 90 days raw; aggregate counts longer.
11. Cookies & Local Storage
auth_token,refresh_token— session continuity; cleared on logout.cart_state— remembers items in your cart between sessions.- Cloudflare anti-bot cookies (
__cf_bm) — security; set by Cloudflare.
12. Updates to this Policy
Material changes are notified to registered users by email at least 30 days in advance.
13. Grievance Redressal & Contact
- Tanvrit Pvt. Ltd., 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India.
- DPO: dpo@tanvrit.com
- Shopper support: support@mandee.store
- Phone: +91 901 680 11 01