Privacy Policy

SwapZen Retail Pvt Ltd ("SwapZen," "we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Consumer Protection (E-Commerce) Rules, 2020.

This policy explains how we collect, use, store, share, and protect your personal information when you access or use the SwapZen platform, including our website and mobile applications. By using SwapZen, you consent to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.

1. Data Fiduciary Information

As per the DPDP Act, 2023, SwapZen acts as a Data Fiduciary. Our details are:

Legal name: SwapZen Retail Pvt Ltd
Registered address: WeWork Rajapushpa Summit, Financial District, Hyderabad, Telangana, India
Contact: support@swapzen.in

2. Personal Data We Collect

In compliance with the DPDP Act, 2023, here is an itemized list of the personal data we collect and the purpose for each:

Account data: Name, email address, phone number, city — for account creation, identity verification, and communication.

Listing data: Item details, photos, category, condition, price, delivery preferences — for creating and displaying listings, and for AI-assisted listing verification.

Transaction data: Payment hold status, delivery outcomes, payout records, dispute records — for facilitating protected transactions, processing payouts, and resolving disputes.

Device and usage data: Device type, operating system, browser type, IP address, pages visited, features used, time spent — for platform improvement, security monitoring, and analytics.

Location data: City-level location based on IP address or device settings — for matching users with relevant local listings and delivery coordination.

Communication data: Messages sent through the platform, support inquiries, feedback — for customer support, dispute resolution, and platform safety.

3. Purpose of Data Processing

We process your personal data only for the specific purposes disclosed at the time of collection, as required under the DPDP Act, 2023. These purposes are:

Platform operations: To enable you to use SwapZen's services, including account management, transactions, and communications between users.

Trust and safety: To verify listings, prevent fraud, detect misuse, and maintain a safe environment for all users.

Transaction facilitation: To process payments, coordinate deliveries, and manage transaction outcomes between buyers and sellers.

Customer support: To respond to your inquiries, resolve disputes, and provide assistance.

Service communications: To send you transaction updates, policy changes, and platform notifications. We will not send promotional communications without your explicit consent.

Legal compliance: To comply with applicable Indian laws, respond to legal requests, and fulfill regulatory obligations.

Internal improvement: To improve our services, develop new features, and analyze platform performance. Where data is used for analytics or improvement purposes, we use aggregated and anonymized data that cannot be linked back to individual users. No personally identifiable information is used for internal model training or research.

4. Consent

As required by the DPDP Act, 2023, we obtain your free, specific, informed, and unambiguous consent before processing your personal data. Consent is collected through affirmative action — we do not use pre-ticked checkboxes, as prohibited under the Consumer Protection (E-Commerce) Rules, 2020. You may withdraw your consent at any time by contacting our Grievance Officer at support@swapzen.in or through the consent management features on our platform. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal, but may result in limited access to certain platform features.

5. Data Sharing and Disclosure

We do not sell your personal data.

We may share your information with the following categories of recipients, only to the extent necessary for the stated purpose:

Logistics and delivery partners: Name, phone number, and pickup/delivery address — to facilitate item pickup, transit, and delivery coordination.

Payment processors: Transaction details as required — to process payment holds, seller payouts, and buyer refunds. Payment data is handled in accordance with RBI guidelines and PCI-DSS standards.

Service providers: Hosting, analytics, AI processing, and customer support vendors — contractually obligated to protect your data and use it only for the purposes we specify.

Government and regulatory authorities: We may disclose your information if required by law, regulation, court order, or governmental request under applicable Indian laws, or to protect the rights, property, or safety of SwapZen, our users, or the public.

6. Cross-Border Data Transfers

Your personal data is primarily stored and processed within India. If any data needs to be transferred outside India, we will ensure such transfers comply with the provisions of the DPDP Act, 2023 and are made only to countries or territories permitted by the Central Government of India. We will implement appropriate safeguards to protect your data during such transfers.

7. Data Retention and Erasure

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable Indian laws. Specifically:

Account data: Retained while your account is active and for 30 days after account deletion request. Transaction records: Retained for a minimum of 8 years as required under Indian tax and accounting laws. Dispute records: Retained for 3 years after dispute resolution. Usage and analytics data: Retained in anonymized form for up to 2 years.

Upon erasure, we will delete or anonymize your personal data within the timelines specified above, except where retention is required by law.

8. Data Security

In compliance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we implement reasonable security practices including: encrypted data transmission (TLS/SSL), secure server infrastructure with access controls, regular security audits and vulnerability assessments, employee access limited to need-to-know basis, and incident response procedures. No system is completely secure, but we are committed to maintaining industry-standard protections commensurate with the sensitivity of the data we process.

9. Data Breach Notification

In the event of a personal data breach that compromises the confidentiality, integrity, or availability of your data, we will: notify the Data Protection Board of India without unreasonable delay and within 72 hours of becoming aware of the breach, notify affected Data Principals (users) without unreasonable delay, and provide details of the nature of the breach, the data affected, and the remedial measures taken.

10. Your Rights as a Data Principal

Under the DPDP Act, 2023, you have the following rights:

Right to Access: You may request confirmation of whether we process your personal data and obtain a summary of the data we hold about you.

Right to Correction: You may request correction of inaccurate or misleading personal data, and completion of incomplete data.

Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements.

Right to Grievance Redressal: You may raise grievances with our Grievance Officer. We will acknowledge your grievance within 48 hours and resolve it within one month of receipt, as required under the Consumer Protection (E-Commerce) Rules, 2020.

Right to Nominate: You may nominate another individual to exercise your data rights in the event of your death or incapacity.

Right to Complain: If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India established under the DPDP Act, 2023.

To exercise any of these rights, contact our Grievance Officer at support@swapzen.in.

11. Cookies and Tracking Technologies

SwapZen uses cookies, local storage, and similar technologies for: essential platform functionality (authentication, session management), performance analytics (Google Analytics — anonymized), and remembering user preferences. You can manage or disable cookies through your browser settings. Disabling essential cookies may affect platform functionality. We do not use cookies for third-party advertising purposes.

12. Children's Privacy

SwapZen is not intended for users under 18 years of age. We do not knowingly collect personal data from children. In accordance with the DPDP Act, 2023, if we become aware that we have collected personal data from a person under 18 without verifiable parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, contact us immediately at support@swapzen.in.

13. Third-Party Links

Our platform may contain links to third-party websites or services that are not operated by SwapZen. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party services you access through our platform.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or regulatory guidance. When we make material changes, we will: update the "Last updated" date at the top of this page, provide notice through the platform or via email where appropriate, and obtain fresh consent where required under the DPDP Act, 2023. Continued use of SwapZen after changes are posted constitutes acceptance of the updated policy.

15. Disclaimer and Limitation of Liability

While SwapZen takes reasonable steps to protect your personal data in accordance with applicable Indian laws, we provide our platform on an "as-is" and "as-available" basis. To the maximum extent permitted by law, SwapZen shall not be liable for any unauthorized access, disclosure, alteration, or loss of personal data resulting from circumstances beyond our reasonable control, including cyber attacks, system failures, force majeure events, or actions by third parties. Users are responsible for maintaining the security of their own devices, accounts, and credentials. SwapZen's total liability under this Privacy Policy shall not exceed the amount paid by you to SwapZen in the 12 months preceding the incident giving rise to the claim.

16. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of India, including but not limited to the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the Consumer Protection Act, 2019. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts in Hyderabad, Telangana, India.

17. Contact and Grievance Redressal

In compliance with Rule 4 of the Consumer Protection (E-Commerce) Rules, 2020 and the DPDP Act, 2023, you may contact us for any privacy-related concerns, data access requests, or complaints:

SwapZen Retail Pvt Ltd
Email: support@swapzen.in
Address: WeWork Rajapushpa Summit, Financial District, Hyderabad, Telangana, India

All grievances will be acknowledged within 48 hours and resolved within one month of receipt. If you are not satisfied with our resolution, you may approach the Data Protection Board of India or the National Consumer Helpline (NCH) at 1800-11-4000.