1. PREAMBLE AND STATUTORY CONTEXT
Tapua Agritech Solutions LLP (hereinafter ‘the Company’, ‘Data Fiduciary’, ‘We’, ‘Us’, or ‘Our’), a Limited Liability Partnership registered under the Limited Liability Partnership Act, 2008, operating the digital platform accessible at https://www.tapuafoods.com, hereby publishes this Privacy Policy (‘Policy’) in discharge of its mandatory statutory obligations.
This Policy is issued pursuant to and in compliance with the following legislative instruments, each of which governs a distinct dimension of data protection and privacy:
- Digital Personal Data Protection Act, 2023 (DPDPA, 2023) — Act No. 22 of 2023, notified in the Gazette of India, Extraordinary, Part II, Section 1, dated 11 August 2023; governing the processing of Digital Personal Data within India.
- Information Technology Act, 2000 (IT Act) — with particular reference to Section 43A (liability for failure to protect data) and Section 72A (punishment for disclosure of information in breach of contract), as amended by the Information Technology (Amendment) Act, 2008.
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) — framed under Section 87(2)(ob) read with Section 43A of the IT Act, governing collection, storage, transfer, and disclosure of Sensitive Personal Data or Information.
- Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020 — governing the rights of consumers engaging in e-commerce transactions on the Platform.
- Telecom Regulatory Authority of India (TRAI) Regulations — applicable to the extent that the Company utilises SMS-based marketing or tele-communication channels.
- Reserve Bank of India (RBI) Master Directions and Guidelines — applicable to the extent that the Company processes payment data or facilitates financial transactions.
This Policy constitutes a legally valid ‘Notice’ as defined under Section 5 of the DPDPA, 2023, and shall precede any request for Consent made to a Data Principal. This Policy is not a mere disclosure document but a dynamic legal instrument forming an integral part of the Consent framework mandated by the DPDPA, 2023.
2. DEFINITIONS
The following terms, wherever used in this Policy, shall carry the meanings ascribed to them by their respective governing statutes. In the event of any conflict between a definition contained herein and a statutory definition, the statutory definition shall prevail.
| Term | Statutory Definition |
|---|---|
| Data Fiduciary | Any person who, alone or in conjunction with other persons, determines the purpose and means of processing of Personal Data, as defined under Section 2(i) of the DPDPA, 2023. The Company acts as a Data Fiduciary in respect of all Personal Data processed through its Platform. |
| Data Principal | The individual to whom the Personal Data relates and who, in the context of children, includes the parent or lawful guardian, as defined under Section 2(j) of the DPDPA, 2023. |
| Data Processor | Any person who processes Personal Data on behalf of a Data Fiduciary, as defined under Section 2(k) of the DPDPA, 2023. Data Processors engaged by the Company process data solely under valid written contracts and as per the Company’s instructions. |
| Personal Data | Any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDPA, 2023. |
| Digital Personal Data | Personal Data in digital form, including data originally collected in non-digital form and subsequently digitised, as per Section 3(a) of the DPDPA, 2023. |
| Processing | A wholly or partly automated operation or set of operations performed on Digital Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction, as per Section 2(x) of the DPDPA, 2023. |
| Consent | A free, specific, informed, unconditional, and unambiguous indication of the Data Principal’s wishes, given through a clear affirmative action, signifying agreement to the processing of her Personal Data, as per Section 6 of the DPDPA, 2023. |
| Consent Manager | A person registered with the Data Protection Board, enabling Data Principals to give, manage, review, and withdraw Consent through an accessible and interoperable platform, as per Section 2(g) of the DPDPA, 2023. |
| Significant Data Fiduciary | A Data Fiduciary notified as such by the Central Government under Section 10 of the DPDPA, 2023, based on volume and sensitivity of data processed, risk to Data Principals, national security implications, or public order. |
| SPDI | Sensitive Personal Data or Information as defined under Rule 3 of the SPDI Rules, 2011, comprising passwords; financial information; physical, physiological, and mental health condition; sexual orientation; medical records; biometric information. |
| Grievance Officer | The designated officer responsible for redressing grievances of Data Principals and users in accordance with Rule 3(11) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. |
| Data Protection Board | The adjudicatory body established under Section 18 of the DPDPA, 2023, for determination of non-compliance with the provisions of the Act. |
| Blacklisted Jurisdiction | Any country or territory notified by the Central Government under the DPDPA, 2023, or pursuant to any international treaty obligations, to which the transfer of Personal Data is restricted or prohibited. |
| Purpose Limitation | The principle that Personal Data shall be processed only for the specific, legitimate, and clearly stated purpose for which Consent was obtained, consistent with Section 4(1)(b) of the DPDPA, 2023. |
| Right to Erasure | The right of a Data Principal to obtain erasure of Personal Data when such data is no longer necessary for the purpose for which it was collected, as per Section 13(2)(c) of the DPDPA, 2023. |
3. IDENTITY AND CONTACT DETAILS OF THE DATA FIDUCIARY
In accordance with Rule 3(1)(a) of the SPDI Rules, 2011, and the transparency obligations under Section 5 of the DPDPA, 2023, the following details of the Data Fiduciary are hereby disclosed:
- Legal Name: Tapua Agritech Solutions LLP
- Nature of Entity: Limited Liability Partnership registered under the Limited Liability Partnership Act, 2008
- Registered Office Address: C/O Abhinandan Kr. Mandal, Vill-Chausa, Chausa (Madhepura), Madhepura, Chausa, Bihar – 852213, India
- Digital Platform: https://www.tapuafoods.com
- Support and Queries: hello@tapuafoods.com
- Role: Data Fiduciary as defined under Section 2(i) of the DPDPA, 2023
- Governing Jurisdiction: Republic of India
4. SCOPE AND APPLICABILITY
4.1 This Policy shall apply to all Digital Personal Data collected, processed, stored, shared, or otherwise dealt with by the Company in connection with:
- Access to and use of the Platform at https://www.tapuafoods.com, including all sub-domains and associated mobile applications;
- Purchase, sale, subscription, or any commercial transaction conducted through the Platform;
- Registration and maintenance of user accounts;
- Communication between the Data Principal and the Company through any digital channel, including email, SMS, in-app messaging, or social media;
- Participation in surveys, promotional campaigns, loyalty programmes, or feedback mechanisms offered by the Company.
4.2 This Policy shall apply to all Data Principals who are citizens of India or whose Personal Data is processed within the territory of India, in accordance with Section 3(a) of the DPDPA, 2023, which extends the Act’s application to processing of Digital Personal Data in connection with any activity related to offering of goods or services to Data Principals within India.
4.3 This Policy does not govern data processed by third-party websites, applications, or services that may be linked from the Platform. Data Principals are advised to review the privacy policies of such third parties independently. The Company disclaims all liability in respect of data processing conducted by such third parties.
4.4 The processing of Personal Data of children (persons below the age of eighteen years) shall be subject to the additional protections mandated under Section 9 of the DPDPA, 2023, including verified parental Consent and prohibition on tracking, behavioural monitoring, or targeted advertising directed at children.
5. CATEGORIES OF PERSONAL DATA PROCESSED
In accordance with the Data Minimisation principle under Section 4(1)(e) of the DPDPA, 2023, and Rule 5(2) of the SPDI Rules, 2011, the Company shall collect only such Personal Data as is adequate, relevant, and necessary for the stated purpose. The following categories of Personal Data may be processed:
5.1 Identification and Contact Data
- Full name
- Date of birth
- Residential or delivery address
- Email address
- Mobile phone number
- Government-issued identification numbers (collected only where mandated by law for age verification or KYC compliance)
5.2 Account and Transaction Data
- Username and encrypted password credentials
- Order history, transaction records, and invoices
- Returns, refunds, and grievance records
- Purchase preferences and wishlist data
5.3 Financial Data (SPDI under Rule 3, SPDI Rules, 2011)
The following data constitutes Sensitive Personal Data or Information (SPDI) and shall be subject to the heightened protections prescribed under Section 43A of the IT Act read with the SPDI Rules, 2011:
- Payment card details (processed exclusively through PCI-DSS compliant payment gateways; the Company does not store raw card numbers on its own servers)
- Bank account information submitted for refunds or mandate-based payments
- UPI IDs or wallet identifiers
- Transaction authentication records
5.4 Technical and Device Data
- Internet Protocol (IP) address
- Browser type, version, and operating system
- Device identifiers, including IMEI or device token (collected only for push notification functionality)
- Session logs, access timestamps, and clickstream data
- Cookies and similar tracking technologies (governed by Section 10 of this Policy)
5.5 Communications Data
- Content of correspondence initiated by the Data Principal with the Company’s support team
- Records of marketing communications and opt-in/opt-out preferences
- Product reviews, ratings, and user-generated content submitted on the Platform
5.6 Location Data
- Delivery address(es) and geo-location (with the Data Principal’s explicit consent, solely for enabling accurate delivery logistics)
- General location inferred from IP address for legal compliance, fraud prevention, and service customisation
The Company shall not, at any point, collect biometric data, sexual orientation, or medical/health information from Data Principals, unless mandated by applicable law and with explicit Consent, in which case such data shall be handled as SPDI under the highest level of protection.
6. NOTICE AND CONSENT FRAMEWORK UNDER THE DPDPA, 2023
6.1 Notice Requirement (Section 5, DPDPA, 2023)
Prior to, or at the time of, requesting Consent, the Company shall provide the Data Principal with a Notice containing the following information in clear and plain language, as mandated under Section 5(1) of the DPDPA, 2023:
- The Personal Data sought to be collected and the specific purpose for which it is to be processed;
- The manner in which the Data Principal may exercise her rights under Sections 11 to 14 of the DPDPA, 2023; and
- The manner in which the Data Principal may make a complaint to the Data Protection Board of India.
Where Personal Data has been collected prior to the commencement of the DPDPA, 2023, and the Company intends to continue processing such data, a Notice shall be issued to the Data Principal in the manner prescribed, before such continued processing commences.
6.2 Consent Framework (Section 6, DPDPA, 2023)
Consent obtained by the Company shall satisfy all of the following conditions prescribed under Section 6(1) of the DPDPA, 2023:
- Free: Consent shall not be a pre-condition for accessing the Company’s core goods or services, where processing is not strictly necessary for such access;
- Specific: Consent shall be obtained for each distinct purpose of processing;
- Informed: Consent shall be sought only after providing the requisite Notice as described in Clause 6.1;
- Unconditional: Consent shall not be bundled with terms and conditions unrelated to the processing purpose;
- Unambiguous: Consent shall be indicated through a clear affirmative act; silence, pre-ticked boxes, or inactivity shall not constitute Consent.
Consent requests shall be presented separately from other terms and conditions, in a clear and plain language, in a manner that is easily accessible by persons with disabilities (as per Section 6(4) of the DPDPA, 2023).
6.3 Withdrawal of Consent (Section 6(4), DPDPA, 2023)
A Data Principal shall have the right to withdraw Consent at any time, with the ease equal to the ease with which such Consent was given, without affecting the lawfulness of processing based on Consent before its withdrawal. Upon withdrawal:
- The Company shall cease processing of the Data Principal’s Personal Data for the relevant purpose within a reasonable period not exceeding thirty (30) days from the date of withdrawal;
- The Company shall notify all Data Processors engaged by it to cease processing of the relevant data;
- The Data Principal acknowledges that withdrawal of Consent may result in the Company’s inability to provide the relevant service or product.
Withdrawal of Consent shall be communicated by the Data Principal to the Company at hello@tapuafoods.com or through the account settings page on the Platform.
6.4 Certain Legitimate Uses — Processing Without Consent (Section 7, DPDPA, 2023)
The enacted DPDPA, 2023 (as gazetted on 11 August 2023) reserves the concept of processing without Consent exclusively for the specific ‘Certain Legitimate Uses’ enumerated under Section 7 of the Act. This is distinct from, and narrower than, the concept of ‘deemed consent’ present in earlier legislative drafts, which was not carried into the final enacted text. Standard commercial operations of the Platform — including order fulfilment, delivery logistics, and billing — shall be processed on the basis of explicit Consent obtained under Section 6 and the contractual necessity arising from the Data Principal’s act of placing an order, not under the Section 7 exemption.
Processing without Consent under Section 7 of the DPDPA, 2023, is permissible only in the following specific and exhaustive circumstances:
- For the performance of any function under any law for the time being in force in India, or in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, maintenance of public order, or prevention of incitement to any cognisable offence;
- For responding to a medical emergency that threatens the life of the Data Principal or any other individual, or during disasters or breakdowns of public order;
- For the purpose of employment or provision of services or benefits to employees, to the extent strictly necessary for such purpose, and where the Data Principal is an employee, contractor, or job applicant of the Company;
- For purposes related to the processing of publicly available Personal Data, to the extent that such data has been voluntarily made publicly available by the Data Principal.
The Company shall not invoke Section 7 as a basis for processing Personal Data in respect of routine commercial activities. All such processing shall be premised on valid Consent under Section 6.
7. PURPOSES OF PROCESSING
In strict conformity with the principle of Purpose Limitation under Section 4(1)(b) of the DPDPA, 2023, Personal Data collected by the Company shall be processed only for the following specified, explicit, and legitimate purposes:
7.1 Account Creation and Management
To enable Data Principals to register for and maintain user accounts on the Platform, including authentication, security, and personalisation of account preferences.
7.2 Order Processing and Fulfilment
To receive, process, and fulfil orders placed on the Platform, including coordination with third-party logistics partners for delivery, management of returns and refunds, and issuance of invoices and receipts.
7.3 Payment Processing
To facilitate secure payment transactions through PCI-DSS compliant payment gateways, and to comply with applicable RBI guidelines and anti-money laundering requirements. Financial SPDI processed for payment shall not be retained beyond the period strictly necessary for transaction completion and dispute resolution.
7.4 Customer Support and Grievance Redressal
To respond to enquiries, resolve complaints, and provide after-sales support, including maintenance of records of communications for quality assurance and legal compliance purposes.
7.5 Legal and Regulatory Compliance
To comply with applicable laws, regulations, judicial orders, or lawful requests from governmental or regulatory authorities, including the Goods and Services Tax (GST) regime, the Foreign Exchange Management Act, 1999, and directions from the Data Protection Board.
7.6 Fraud Prevention and Platform Security
To detect, investigate, prevent, and respond to fraudulent transactions, security incidents, policy violations, and other unlawful activities on the Platform, in furtherance of the Company’s obligations under Section 43A of the IT Act.
7.7 Marketing and Promotional Communications (with Consent)
To send promotional communications, newsletters, offers, and recommendations to Data Principals who have expressly opted in to receive such communications. All marketing via SMS or electronic means shall comply with the TRAI Telecom Commercial Communications Customer Preference Regulations, 2018. Data Principals may opt out of marketing communications at any time through the unsubscribe mechanism provided in each communication or through account settings.
7.8 Product Improvement and Analytics
To conduct anonymised or pseudonymised analysis of Platform usage data to improve product offerings, user experience, and Platform functionality. Individually identifiable data shall not be used for analytics without the Data Principal’s Consent where such analytics constitutes profiling.
The Company shall not process Personal Data for any purpose other than those stated herein without seeking fresh Consent from the Data Principal, except where processing is mandated by law.
8. DISCLOSURE AND SHARING OF PERSONAL DATA
The Company shall not sell, rent, trade, or otherwise transfer Personal Data to third parties for commercial gain. Disclosure of Personal Data shall be made only in the circumstances described below, and only to the extent strictly necessary:
8.1 Data Processors
The Company engages Data Processors (within the meaning of Section 2(k) of the DPDPA, 2023) to support its operations, including:
- Logistics and delivery service providers (for order fulfilment);
- Payment gateway operators and banking partners (for transaction processing, subject to RBI guidelines);
- Cloud infrastructure and IT service providers (for data storage and Platform hosting);
- Customer relationship management (CRM) and marketing platform providers (for communications management);
- Legal, audit, and compliance service providers.
All Data Processors shall be engaged under valid written Master Service Agreements (MSAs) or Data Processing Agreements (DPAs) that impose data protection obligations consistent with the DPDPA, 2023, and the SPDI Rules, 2011. Such agreements shall, at minimum, contain: (a) express restrictions on sub-processing without the Company’s prior written consent; (b) obligations to implement security measures consistent with Section 12 of this Policy; (c) obligations to assist the Company in fulfilling Data Principal rights requests; (d) obligations to notify the Company of any Personal Data breach within twenty-four (24) hours of discovery; and (e) indemnification clauses that mirror the Company’s liability exposure as Data Fiduciary, ensuring that the Company has contractual recourse against a Data Processor whose acts or omissions result in a breach, penalty, or regulatory action against the Company. The Company shall remain ultimately liable as Data Fiduciary for the acts or omissions of its Data Processors vis-à-vis Data Principals and the Data Protection Board.
8.2 Legal and Regulatory Disclosures
The Company shall disclose Personal Data to governmental authorities, law enforcement agencies, courts, or regulatory bodies in the following circumstances:
- When required by applicable law, regulation, or legal process, including court orders, search warrants, or summons;
- When required by orders of the Data Protection Board of India;
- When necessary to prevent or investigate fraud, national security threats, or public safety incidents;
- When required for compliance with reporting obligations under FEMA, GST, or other applicable statutes.
The Company shall, to the extent permitted by applicable law, notify the affected Data Principal of any such disclosure request prior to compliance, unless prohibited by law or court order.
8.3 Business Transfers
In the event of a merger, acquisition, amalgamation, demerger, restructuring, or sale of business assets, Personal Data held by the Company may be transferred to the successor entity, provided that:
- The successor entity assumes the obligations of this Policy in full; and
- Data Principals are notified of such transfer at the earliest practicable opportunity and provided with the option to withdraw Consent.
8.4 Prohibition on Disclosure (Section 72A, IT Act)
Any disclosure of Personal Data obtained by the Company in a fiduciary capacity or in the course of business, without the Consent of the Data Principal and with the intent to cause wrongful loss or wrongful gain, shall constitute an offence punishable under Section 72A of the IT Act with imprisonment of up to three years and a fine of up to five lakh rupees. The Company’s employees, contractors, and Data Processors are bound by confidentiality obligations consistent with this provision.
9. CROSS-BORDER TRANSFER OF PERSONAL DATA
9.1 The Company shall not transfer Personal Data to any country or territory outside India except in accordance with the provisions of the DPDPA, 2023, and any rules or notifications issued by the Central Government thereunder.
9.2 Pending the issuance of a final list of permitted or prohibited jurisdictions by the Central Government under the DPDPA, 2023, the Company shall apply the following interim safeguards to all cross-border data transfers:
- Transfers shall be made only to jurisdictions that provide an adequate level of data protection as assessed by the Company, having regard to applicable law, reciprocal treaty obligations, and the sensitivity of the data involved;
- No Personal Data shall be transferred to any jurisdiction that has been designated by the Central Government or the Ministry of Electronics and Information Technology (MeitY) as a ‘Blacklisted Jurisdiction’ or an ‘Inadequate Protection’ territory;
- Transfers to jurisdictions not expressly approved shall be subject to execution of appropriate contractual safeguards, including Standard Contractual Clauses (or equivalent mechanisms as may be prescribed by the Central Government);
- Financial SPDI shall not be transferred outside India except as strictly required for payment processing in compliance with applicable RBI guidelines on cross-border data localisation.
9.3 In the event that a cross-border transfer becomes necessary for fulfilment of services requested by the Data Principal, the Company shall inform the Data Principal of the transfer and the destination jurisdiction prior to such transfer, where feasible.
9.4 The Company shall maintain a register of all cross-border transfers and shall make such register available to the Data Protection Board upon request.
10. DATA RETENTION, STORAGE LIMITATION, AND RIGHT TO ERASURE
10.1 Retention Periods
In accordance with the Storage Limitation principle under Section 8(7) of the DPDPA, 2023, Personal Data shall not be retained for a period longer than is necessary for the purpose for which it was collected, subject to any mandatory retention obligations imposed by applicable law. The following retention periods shall apply:
| Category of Data | Retention Period / Legal Basis |
|---|---|
| Account Information | Duration of active account + 3 years post account closure (limitation period under the Limitation Act, 1963 for contractual claims) |
| Transaction and Order Records | 7 years from transaction date (mandatory under GST Act, 2017, and applicable financial regulations) |
| Payment Gateway Data (SPDI) | 60 days post-transaction, unless required for active dispute resolution; card data not stored on Company servers |
| Customer Support Communications | 2 years from resolution of the relevant grievance |
| Marketing Opt-in Records | Duration of subscription + 3 years (for regulatory audit trail) |
| Fraud Prevention Logs | 5 years, or until conclusion of any investigation or proceedings arising therefrom |
| Legal Compliance Records | As mandated by the specific applicable law, which shall prevail over shorter retention periods |
| Technical/Device Logs | 90 days from collection (unless required for ongoing security incident investigation) |
| KYC/Identity Verification Data | As mandated by applicable anti-money laundering or regulatory frameworks |
10.2 Automated Deletion
Upon expiry of the applicable retention period, Personal Data shall be securely deleted or anonymised through automated processes established within the Company’s data management systems. The Company shall maintain audit trails of deletion activities.
10.3 Right to Erasure (Section 13(2)(c), DPDPA, 2023)
A Data Principal shall have the right to request erasure of her Personal Data when:
- The data is no longer necessary for the purpose for which it was collected;
- The Data Principal has withdrawn Consent and there is no other lawful basis for processing; or
- The processing is contrary to the provisions of the DPDPA, 2023.
Requests for erasure shall be submitted by the Data Principal to the Grievance Officer at hello@tapuafoods.com. The Company shall process verified erasure requests within thirty (30) days of receipt, except where retention is mandated by applicable law or is necessary for the establishment, exercise, or defence of legal claims. The Company shall communicate the outcome of the erasure request to the Data Principal within the aforesaid period.
11. RIGHTS OF THE DATA PRINCIPAL
The DPDPA, 2023, confers the following rights upon Data Principals in Sections 11 to 14. The Company shall honour these rights without imposing any unjustified burden or excessive procedural conditions:
11.1 Right to Access Information (Section 11)
A Data Principal shall have the right to obtain from the Company:
- A summary of the Personal Data being processed and the processing activities undertaken in respect thereof;
- The identities of all Data Processors with whom Personal Data has been shared, and the categories of data shared;
- Any other information as may be prescribed by the Central Government.
11.2 Right to Correction and Updation (Section 12)
A Data Principal shall have the right to correct inaccurate or misleading Personal Data, complete incomplete Personal Data, and update Personal Data in a manner consistent with the purposes for which it was collected. Requests for correction shall be processed within thirty (30) days.
11.3 Right to Erasure (Section 13)
As detailed in Clause 10.3, a Data Principal shall have the right to request erasure of her Personal Data, subject to lawful retention obligations.
11.4 Right to Grievance Redressal (Section 13(3))
A Data Principal shall have the right to have her grievances redressed expeditiously by the Grievance Officer of the Company, as detailed in Section 14 of this Policy.
11.5 Right to Nominate (Section 14)
A Data Principal may nominate any other individual to exercise her rights under Sections 11 to 13 in the event of her death or incapacity. The Company shall establish a nomination mechanism and honour validated nominations in accordance with applicable law.
11.6 Right to Appeal to Data Protection Board
If a Data Principal is aggrieved by the Company’s response to any rights request, she shall have the right to lodge a complaint with the Data Protection Board of India under Section 27 of the DPDPA, 2023, after first exhausting the Company’s internal grievance redressal mechanism.
Requests for exercise of the above rights shall be submitted to the Grievance Officer via email at hello@tapuafoods.com, clearly identifying the right sought to be exercised, the Personal Data concerned, and proof of identity of the Data Principal.
12. SECURITY PRACTICES AND PROCEDURES
In discharge of its obligations under Section 8(4) of the DPDPA, 2023, and Section 43A of the IT Act read with the SPDI Rules, 2011, the Company shall implement and maintain reasonable security practices and procedures to protect Personal Data, and particularly SPDI, from unauthorised access, disclosure, alteration, or destruction.
The following security measures, constituting ‘reasonable security practices and procedures’ as per Rule 8 of the SPDI Rules, 2011, are implemented by the Company:
- Encryption: All Personal Data transmitted over networks shall be encrypted using industry-standard protocols (TLS 1.2 or above). SPDI stored in databases shall be encrypted at rest.
- Access Controls: Access to Personal Data shall be restricted on a strict need-to-know basis using role-based access controls, multi-factor authentication, and audit logging.
- Pseudonymisation: Where technically feasible, Personal Data used for analytics shall be pseudonymised to minimise exposure risk.
- Security Audits: The Company shall conduct periodic information security audits, vulnerability assessments, and penetration testing of its systems.
- IS/ISO 27001 Alignment: The Company shall endeavour to align its information security management practices with internationally recognised standards including IS/ISO/IEC 27001.
- Incident Response: The Company shall maintain a documented Data Breach Response Plan and shall report significant Personal Data breaches to the Data Protection Board in the manner and within the timeframes prescribed under the DPDPA, 2023.
- Employee Training: All personnel with access to Personal Data shall receive regular training on data protection obligations and security practices.
Notwithstanding the above measures, no method of transmission over the internet or method of electronic storage is completely secure. The Company cannot guarantee absolute security of Personal Data, but shall promptly notify affected Data Principals and the Data Protection Board in the event of a breach that is likely to result in risk to such individuals.
13. COOKIES AND TRACKING TECHNOLOGIES
The Platform uses cookies and similar tracking technologies to enhance user experience and enable certain functionalities. Cookies are small text files placed on the Data Principal’s device by the Platform’s server.
13.1 Categories of Cookies
- Strictly Necessary Cookies: Essential for the operation of the Platform, including session management and authentication. These do not require Consent as they are necessary for service delivery.
- Functional Cookies: Enable the Platform to remember user preferences such as language, location, and cart contents. Collected with Consent.
- Analytical Cookies: Used to understand how Data Principals interact with the Platform, through anonymised or aggregated data, for improving Platform performance. Collected with Consent.
- Marketing and Targeting Cookies: Used to deliver personalised advertisements and track the effectiveness of campaigns. Deployed only with explicit prior Consent of the Data Principal.
13.2 Consent for Cookies
Upon the Data Principal’s first visit to the Platform, a Cookie Consent banner shall be displayed, presenting granular options to accept or reject each category of cookie other than Strictly Necessary Cookies. The Data Principal may modify cookie preferences at any time through the Platform’s Cookie Preference Centre. Withdrawal of Consent for non-essential cookies shall not affect the Data Principal’s ability to access the Platform’s core functionality.
13.3 Third-Party Cookies
The Platform may permit third-party service providers (e.g., analytics providers, advertising networks) to place cookies on the Data Principal’s device. The Company shall ensure that such third parties are bound by appropriate data protection obligations. Data Principals are encouraged to review the privacy policies of such third parties.
14. CONSUMER PROTECTION AND E-COMMERCE COMPLIANCE
In compliance with the Consumer Protection (E-Commerce) Rules, 2020, the Company makes the following disclosures in respect of its e-commerce operations:
- The Company shall not engage in price manipulation, unfair trade practices, or deceptive advertising on the Platform;
- The Company shall not use algorithms that artificially influence pricing, product visibility, or search rankings to the detriment of consumers without adequate disclosure;
- Personal Data collected from Data Principals shall not be used for price discrimination or for offering different prices to different consumers for the same product or service based solely on the data profile, without the Data Principal’s knowledge and Consent;
- The Company shall clearly display on the Platform the name, registered address, email address, and helpline details of the Data Fiduciary in the manner prescribed under Rule 4 of the E-Commerce Rules, 2020;
- Data Principals shall have the right to know whether their Personal Data is being used for profiling, behavioural targeting, or personalised advertising, and shall have the ability to opt out of such use;
- The Company shall not impose any unfair terms and conditions on consumers in relation to the collection or use of their Personal Data;
- All refund and return timelines, as well as product quality claims, shall be accurately represented and shall not be conditioned on the Data Principal surrendering any Personal Data rights.
15. FINANCIAL DATA, RBI GUIDELINES, AND TRAI COMPLIANCE
15.1 Payment Data and RBI Compliance
To the extent that the Company facilitates payment transactions on the Platform:
- Payment data shall be processed exclusively through payment gateways that are authorised by the Reserve Bank of India and comply with the RBI’s guidelines on payment aggregators and payment gateways (Circular RBI/DPSS/2020-21/97, March 2020, as updated);
- The Company shall not store card-on-file data (card numbers, CVV, expiry dates) on its own servers. Such data shall be tokenised in accordance with applicable RBI tokenisation guidelines;
- Financial SPDI processed in connection with payment shall be handled in compliance with Rule 6 of the SPDI Rules, 2011, requiring that such data be transferred only to entities that maintain equivalent levels of data protection.
15.2 SMS and Electronic Marketing (TRAI)
All commercial communications transmitted by the Company via SMS, pre-recorded voice calls, or other telecom channels shall be governed by and comply with:
- The Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, issued by the Telecom Regulatory Authority of India;
- Data Principals who have registered on the National Do Not Call (NDNC) or Distributed Ledger Technology (DLT) registry shall not receive unsolicited commercial communications from the Company;
- All commercial SMS communications shall include the Company’s registered entity name and a clear mechanism for the recipient to opt out;
- The Company shall maintain records of Consent obtained for marketing communications in a form that can be produced before TRAI or any other competent authority upon demand.
16. GRIEVANCE OFFICER AND REDRESSAL MECHANISM
In discharge of the mandatory obligations under Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and Section 13(3) of the DPDPA, 2023, the Company has designated a Grievance Officer with the following mandate:
| GRIEVANCE OFFICER DETAILS |
| --- |
| Organisation: Tapua Agritech Solutions LLP |
| Registered Office: C/O Abhinandan Kr. Mandal, Vill-Chausa, Chausa (Madhepura), Madhepura, Chausa, Bihar – 852213, India |
| Contact (Primary): hello@tapuafoods.com |
| Contact (Web Platform): https://www.tapuafoods.com |
| Designation: Grievance Officer — Data Protection & Privacy |
| Acknowledgement Timeline: Within 24 (twenty-four) hours of receipt of grievance [Rule 3(11), IT Intermediary Guidelines Rules, 2021] |
| Resolution Timeline: Within 15 (fifteen) calendar days of acknowledgement [Rule 3(11), IT Intermediary Guidelines Rules, 2021] |
| Escalation: Data Protection Board of India (post-exhaustion of internal mechanism) |
16.1 Scope of Grievances
The Grievance Officer shall be empowered to address and resolve grievances relating to:
- Violation of rights of Data Principals under Sections 11 to 14 of the DPDPA, 2023;
- Non-compliance with the SPDI Rules, 2011, in respect of collection, use, storage, or disclosure of SPDI;
- Complaints relating to cookies, marketing communications, or data retention;
- Concerns regarding cross-border data transfers;
- Any other complaint relating to Personal Data processing on or in connection with the Platform.
16.2 Grievance Procedure
A Data Principal seeking to lodge a grievance shall:
- Submit a written grievance to hello@tapuafoods.com, clearly identifying the nature of the grievance, the Personal Data concerned, and the relief sought;
- Include a copy of any prior correspondence with the Company relating to the subject matter, if applicable;
- Provide identity verification sufficient to establish that the complainant is the Data Principal or a duly authorised representative.
The Company shall acknowledge receipt of the grievance within twenty-four (24) hours of receipt, as mandated under Rule 3(11) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and shall provide a full and substantive resolution within fifteen (15) calendar days of such acknowledgement. In circumstances where additional time is required for investigation of complex matters, the Grievance Officer shall inform the Data Principal of the status and reasons for delay, while ensuring that a final resolution is communicated within the statutory period.
16.3 Escalation to Data Protection Board
If a Data Principal remains aggrieved upon receipt of the Company’s response, or upon the Company’s failure to respond within the prescribed period, the Data Principal shall have the right to approach the Data Protection Board of India under Section 27 of the DPDPA, 2023.
17. AGE RESTRICTION AND CHILDREN’S DATA POLICY
17.1 Platform Age Restriction: The Platform at https://www.tapuafoods.com is strictly intended for use by individuals who are eighteen (18) years of age or older. The Company does not offer its services directly to children (persons below eighteen years of age). Any purchase or transaction on the Platform by or on behalf of a minor must be conducted exclusively by that minor’s parent or lawful guardian acting in their own capacity and on the minor’s behalf.
17.2 By registering an account or completing a purchase on the Platform, a user represents and warrants that they are at least eighteen (18) years of age. The Company reserves the right to require proof of age and to suspend or terminate any account where there is a reasonable basis to believe that the registered user is below eighteen years of age.
17.3 The Company has adopted this age restriction as a matter of deliberate regulatory prudence. Implementing a verifiable parental consent management system under Section 9 of the DPDPA, 2023, imposes significant operational obligations. In the current stage of the Company’s operations, the safer and more compliant approach is to exclude the direct participation of minors from the Platform entirely, thereby avoiding the regulatory burden and liability exposure associated with child data processing.
17.4 Notwithstanding the above, in the event that the Company becomes aware that Personal Data of a person below eighteen years of age has been collected — whether through misrepresentation by the user or any other means — the Company shall:
- Immediately cease processing such data for any purpose beyond the identification and erasure of such data;
- Permanently erase all Personal Data associated with the relevant account within seventy-two (72) hours of discovery;
- Notify the parent or lawful guardian, where such contact information is available or ascertainable, of the data collection and its erasure;
- Review and strengthen its age-gate mechanisms to prevent recurrence.
17.5 The Company shall not, under any circumstances, engage in tracking, behavioural monitoring, profiling, or targeted advertising in respect of any individual known or suspected to be below eighteen years of age, in accordance with Section 9(3) of the DPDPA, 2023.
18. AMENDMENTS TO THIS PRIVACY POLICY
18.1 The Company reserves the right to amend this Policy at any time to reflect changes in applicable law, regulatory requirements, or the Company’s business practices. This Policy is a dynamic instrument forming part of the Consent framework, and material amendments shall constitute a new Notice requiring fresh Consent where mandated by the DPDPA, 2023.
18.2 The Company shall notify Data Principals of material changes to this Policy through:
- A prominent notice on the Platform;
- An email notification to registered users at the email address on record; and/or
- An in-app notification, where applicable.
18.3 The amended Policy shall come into effect on the date specified in the notification, which shall not be less than thirty (30) days from the date of notification, unless a shorter period is necessitated by legal or regulatory requirements.
18.4 Continued use of the Platform following the effective date of an amended Policy shall constitute acceptance of the amended terms, save where fresh explicit Consent is required under applicable law.
19. GOVERNING LAW, JURISDICTION, AND DISPUTE RESOLUTION
19.1 This Policy shall be governed by and construed in accordance with the laws of the Republic of India, including but not limited to the DPDPA, 2023, the IT Act, 2000, the Indian Contract Act, 1872, and applicable rules framed thereunder.
19.2 Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of competent jurisdiction in India.
19.3 To the extent that any dispute constitutes a matter within the exclusive jurisdiction of the Data Protection Board of India under the DPDPA, 2023, such dispute shall be adjudicated in accordance with the procedure prescribed by the Board.
19.4 The invalidity or unenforceability of any provision of this Policy shall not affect the validity or enforceability of any other provision, which shall be modified to the minimum extent necessary to make it valid and enforceable.
20. CONTACT AND COMMUNICATIONS
All communications, requests, grievances, and correspondence under this Policy shall be directed to:
| DATA PROTECTION CONTACT POINT |
| --- |
| Legal Entity: Tapua Agritech Solutions LLP |
| Registered Office: C/O Abhinandan Kr. Mandal, Vill-Chausa, Chausa (Madhepura), Madhepura, Chausa, Bihar – 852213, India |
| Email: hello@tapuafoods.com |
| Website: https://www.tapuafoods.com |
| Acknowledgement within 24 hours. Resolution within 15 days. Statutory timeline per Rule 3(11), IT Intermediary Guidelines Rules, 2021. |
This Privacy Policy was last reviewed and updated on 27 April 2026 and is issued under the authority of Tapua Agritech Solutions LLP in its capacity as Data Fiduciary under the Digital Personal Data Protection Act, 2023.