PRIVACY POLICY

1.1 Food Business Data Controller

Bantu'S kitchen, an individual sole proprietorship (FSSAI Registration: 23625028002731) operated by Sailaja from Hayathnagar, Hyderabad, Telangana, India, acts as DATA FIDUCIARY (under DPDPA 2023) / DATA CONTROLLER (under GDPR/CCPA) for:

• Food order data: Order details, food preferences, dietary restrictions, delivery instructions
• Culinary profile data: Taste preferences, favorite dishes, allergen information, spice tolerance
• Food business customer relationship data: Customer service interactions, complaints, feedback, refund requests
• Delivery logistics data: Delivery addresses, phone numbers (for delivery coordination), delivery timing preferences

Legal Basis for Processing: Contract performance (DPDPA § 2(1)(h), GDPR Art. 6(1)(b)) - necessary to fulfill food orders and provide customer service.

Data Location: India (primary), with cloud storage in India-based data centers for food business operations.

1.2 TechBantu IT Solutions LLC (Technology Platform Data Controller)

TechBantu IT Solutions LLC, a California limited liability company with principal place of business in California, USA, acts as INDEPENDENT DATA CONTROLLER for:

• Technical infrastructure data: IP addresses, browser fingerprints, device information, session logs, API calls
• Account authentication data: Hashed passwords, login timestamps, security tokens, two-factor authentication data
• Payment processing facilitation data: Payment gateway transaction IDs, tokenized payment methods (NOT full card details - see Section 2.2)
• Platform usage analytics: Page views, click patterns, performance metrics, error logs, A/B test data
• Legal compliance data: Consent records, data access requests (DPDPA/GDPR/CCPA), privacy settings

Legal Basis for Processing: Legitimate interest (GDPR Art. 6(1)(f), CCPA business purpose) - necessary for platform security, fraud prevention, service improvement, and legal compliance.

Data Location: United States (primary), with use of US-based cloud infrastructure (AWS/Google Cloud) complying with US data protection standards.

1.3 Critical Boundary Rule - NO Joint Data Processing

STRICTLY PROHIBITED: There is NO joint data processing agreement, NO shared customer database, NO data partnership between TechBantu IT Solutions LLC and the Independent Home Chef.

Each entity:

• Operates as independent data controller for its respective data categories
• Maintains separate data storage systems (no unified customer profile across both entities)
• Bears independent legal liability for data breaches or privacy violations within its control
• Processes data only for its specific business purposes (food operations vs. technology services)

Data Sharing Limited to Operational Necessity: TechBantu provides technology platform that routes order data to Independent Home Chef for fulfillment. This constitutes data transmission for service provision, NOT joint processing. TechBantu acts as mere conduit (IT Act § 79), similar to an email service provider transmitting messages.

1.4 Statutory Compliance Framework

This Policy is formulated in strict compliance with:

• Digital Personal Data Protection Act, 2023 (DPDPA 2023) - Primary governing law for Indian users; Independent Home Chef and TechBantu each act as "Data Fiduciary" under § 2(1)(i)
• Information Technology Act, 2000, § 43A - Compensation for failure to protect sensitive personal data
• Information Technology Act, 2000, § 72A - Criminal penalty for disclosure of personal information (imprisonment up to 3 years)
• Information Technology (Reasonable Security Practices) Rules, 2011 - Mandatory security standards for data protection
• General Data Protection Regulation (GDPR) - For users in the European Economic Area (extraterritorial application under Art. 3(2))
• California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) - For California residents; TechBantu complies as California-based entity
• Consumer Protection Act, 2019, § 2(47) - Unfair trade practices definition includes privacy violations

1.5 Mandatory Acceptance and Consent

By accessing or using this Platform, you ("User," "Customer," "Data Principal," "you," "your") hereby irrevocably acknowledge and consent that you have read, understood, and agree to be bound by this Privacy Policy.

Withdrawal of Consent: Under DPDPA 2023 § 6, you have the right to withdraw consent for non-essential data processing at any time by contacting privacy@gharse.app. However, withdrawal may limit your ability to use certain Platform features or food ordering services.

Mandatory Rejection: If you do not agree to this Policy, you MUST immediately cease using our services and delete your account. Continued use constitutes explicit consent under DPDPA 2023 § 6(1).

2.1 Personal Identification Information

We collect the following data when you create an account or place an order:

• Full Name - For order processing and delivery
• Email Address - For order confirmations, receipts, and account recovery
• Phone Number - For order updates and delivery coordination
• Delivery Address - For fulfillment of food delivery services
• Date of Birth (Optional) - For age verification and birthday offers

Legal Basis (DPDPA 2023, Section 2(1)(h)): Contract performance and legitimate business interest.

2.2 Payment Information

We collect payment data through PCI-DSS compliant third-party processors:

• Payment method type (Credit Card, Debit Card, UPI, Net Banking, Cash on Delivery)
• Last 4 digits of card (for transaction reference only)
• Transaction ID and payment gateway response

2.3 Technical and Usage Data

Automatically collected for security and service improvement:

• IP Address - For fraud detection and geographic service restrictions
• Browser Type and Version - For compatibility optimization
• Device Information - Operating system, screen resolution, device fingerprint
• Cookies and Session Data - For maintaining login sessions (see Section 5)
• Order History - For personalized recommendations and customer service
• Browsing Behavior - Pages viewed, time spent, items added to cart (analytics only)

Legal Basis (GDPR Article 6(1)(f)): Legitimate interest in security and fraud prevention.

2.4 Biometric Data (PROHIBITED)

We do NOT collect fingerprints, facial recognition data, iris scans, or any other biometric identifiers as defined under DPDPA 2023, Section 2(1)(c). Any future collection will require explicit opt-in consent with detailed notice.

2.5 Children's Data (ABSOLUTE PROHIBITION)

Users below 18 years of age are STRICTLY PROHIBITED from creating accounts or using this Platform. We do not knowingly collect data from minors. If we discover that a minor has provided data, we will immediately delete such data within 48 hours of discovery and notify the registered email (if provided).

Penalty for Violation: Any adult who knowingly provides false age information to create an account for a minor will be subject to account termination and potential legal action under Section 14 of DPDPA 2023.

4.1 Third-Party Service Providers

We share limited data with trusted partners under strict confidentiality agreements:

• Payment Gateways: Stripe, Razorpay (only transaction data)
• Email Service: Resend, SendGrid (for transactional emails only)
• SMS Service: Twilio, MSG91 (for order updates)
• Cloud Hosting: Vercel, Supabase (encrypted data storage)
• Analytics: Google Analytics (anonymized data only)

All third parties are contractually bound to GDPR Article 28 (Data Processing Agreements) and DPDPA 2023 Section 8 (obligations of data processors).

4.2 Legal Disclosures

We may disclose your data without consent in the following circumstances:

• Court orders or subpoenas from competent jurisdiction
• Law enforcement requests under Section 69 of IT Act, 2000
• Food safety investigations by FSSAI or health authorities
• Tax audits by Income Tax Department or GST authorities
• Emergency situations involving imminent harm to life or property

4.3 No Sale of Personal Data

We DO NOT sell, rent, or trade your personal data to third parties for marketing purposes. This is a non-negotiable commitment.

6.1 Storage Location

Your data is stored on servers located in India and the United States. We comply with cross-border data transfer requirements under DPDPA 2023, Section 16 (notified countries only).

6.2 Security Measures

We implement industry-standard security controls:

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Access Controls: Role-based access, multi-factor authentication for admins
• Audit Logs: All data access logged and monitored for 180 days
• Penetration Testing: Annual security audits by third-party experts
• Password Hashing: bcrypt with salt (no plain-text storage)

6.3 Data Retention

We retain your data as follows:

• Active Accounts: Retained until account deletion request
• Deleted Accounts: Anonymized after 30 days, logs retained for 7 years (tax compliance)
• Order History: 7 years (Income Tax Act, 1961, Section 44AA)
• Payment Records: 10 years (Reserve Bank of India guidelines)

6.4 Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you within 72 hours via email and prominently on our website, as required by DPDPA 2023, Section 8(6).

10.1 GDPR Rights (EU Users)

If you are in the EEA, you have additional rights:

• Right to lodge a complaint with your local Data Protection Authority
• Right to object to automated decision-making (Article 22)
• Right to data portability (export your data)

EU Representative: [Contact to be designated if required]

10.2 CCPA Rights (California Users)

California residents have rights under CCPA:

• Right to know what personal information is collected
• Right to know if data is sold (we do NOT sell data)
• Right to deletion (with legal exceptions)
• Right to opt-out of sale (not applicable - we don't sell)
• Right to non-discrimination for exercising rights

California Contact: privacy@gharse.app