Privacy Policy

BuyWell Marketplace ("BuyWell", "we", "our", or "us"), operated by Qbiqal Technology Solutions, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit buywell.in or use our services.

This policy is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India, the General Data Protection Regulation (GDPR) of the European Union, and other applicable data protection laws.

1. Who We Are (Data Fiduciary)

Data Fiduciary / Controller: Qbiqal Technology Solutions
Platform: BuyWell Marketplace (buywell.in)
Registered Address: Ranchi – 834005, Jharkhand, India
Contact Email: privacy@buywell.in
Grievance Officer: Reachable via the contact email above.

2. Personal Data We Collect

2.1 Data You Provide

• Account data: Name, email address, phone number, and password hash when you register.
• Profile data: First name, last name, avatar URL, linked BuyWell Global ID.
• Address data: Shipping/billing addresses including name, phone, address lines, city, state, and pincode.
• Order data: Products ordered, quantities, prices, delivery instructions, and payment proof uploads.
• Vendor data: Business name, GSTIN, bank details, store description (for seller applicants only).
• Communication data: Messages you send us, review text, blog comments.

2.2 Data Collected Automatically

• Usage data: Pages visited, time on site, click paths (first-party analytics, no third-party trackers).
• Device data: Browser type, operating system, IP address, language preference.
• Cookie data: Session tokens, preference cookies. See our Cookie Policy.

2.3 Data from Third Parties

• BuyWell Global: If you link your BuyWell Global account, we receive your BuyWell user ID and wallet balance via their API, with your explicit consent.
• Razorpay: Payment confirmation signals (we do not store card data; all sensitive payment data is processed by Razorpay).

3. Lawful Bases for Processing (GDPR / DPDP)

• Contract performance: Processing orders, managing your account, delivering products.
• Consent: Marketing communications, optional profile features, linking BuyWell Wallet.
• Legitimate interests: Fraud prevention, platform security, analytics to improve the service.
• Legal obligation: Tax records, compliance with court orders, DPDP and GST requirements.

4. How We Use Your Data

• Create and manage your customer or vendor account.
• Process and fulfil orders, including sharing delivery address with the relevant vendor.
• Send order confirmations, status updates, and transactional notifications via email and WhatsApp.
• Provide customer support and respond to queries.
• Detect and prevent fraud, abuse, and security incidents.
• Improve the platform through aggregated, anonymised analytics.
• Send promotional emails or offers — only with your explicit opt-in consent.
• Comply with applicable laws and regulatory requirements.

5. Data Sharing and Disclosure

We never sell your personal data. We share data only in the following circumstances:

• Vendors: Your name, phone, and delivery address are shared with the seller of products you purchase, solely to fulfil your order.
• Payment processors: Razorpay receives order amount and identifiers to process payment. See Razorpay's Privacy Policy.
• Logistics partners: If applicable, your delivery address is shared with courier services.
• Service providers: Hosting (Hetzner Cloud), email delivery, analytics — all under data processing agreements.
• Legal authorities: When required by law, court order, or to protect the rights and safety of users.
• Business transfers: In the event of a merger or acquisition, with prior notice to you.

6. Data Retention

We retain personal data only as long as necessary:

• Active account data: Retained while your account is active.
• Order records: 7 years for GST/tax compliance.
• Deleted accounts: 60-day soft-delete period (you can restore your account); then anonymised within 30 days.
• Marketing consent: Until withdrawn.
• Security logs: 90 days.

See our full Data Retention Policy for details.

7. Your Rights

Under DPDP Act 2023 (India)

• Right to access your personal data.
• Right to correction of inaccurate data.
• Right to erasure (deletion) of data, subject to legal retention obligations.
• Right to nominate a person to exercise rights on your behalf in case of death/incapacity.
• Right to grieve — file a complaint with the Data Protection Board of India.

Under GDPR (EU Users)

• Right of access, rectification, erasure ("right to be forgotten"), and data portability.
• Right to restrict or object to processing.
• Right to withdraw consent at any time.
• Right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, email privacy@buywell.in. We will respond within 30 days.

8. Cookies and Tracking

We use strictly necessary cookies for session management and optional analytics cookies. See our Cookie Policy for details. You can manage cookie preferences through your browser settings.

9. Data Security

We implement industry-standard security measures including:

• TLS 1.3 encryption in transit; AES-256 encryption at rest for sensitive fields.
• Password hashing using bcrypt with salt rounds ≥ 12.
• Access controls: employees access only data necessary for their role.
• Regular security audits and vulnerability assessments.
• Incident response plan: affected users notified within 72 hours of a data breach.

10. Cross-Border Transfers

Your data is primarily stored on servers in Germany (EU) via Hetzner Cloud. Transfers to recipients outside India or the EU are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by applicable law.

11. Children's Privacy

BuyWell is not intended for users under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, please contact us immediately for deletion.

12. Changes to This Policy

We may update this policy periodically. Material changes will be notified via email (if you have an account) and displayed prominently on the site for 30 days before taking effect. Continued use after the effective date constitutes acceptance.