Privacy Policy

BidVault Technologies Pvt. Ltd. ("Company", "we", "us", "our") operates the BidVault platform ("Platform") and is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit or use our Platform.

This Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Amendment) Act, 2008, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").

By using our Platform, you consent to the data practices described in this Policy. If you do not agree, please discontinue use of the Platform.

We collect the following categories of information:

2.1 Information you provide directly:

• Registration data: Full name, mobile number, email address
• KYC data: Government ID type and number (Aadhaar, PAN) when required for subscription verification
• Contact form data: Name, email, phone, and message content when you contact us
• Payment data: Razorpay transaction IDs and order references (we do not store card numbers or bank account details)

2.2 Information collected automatically:

• IP address, browser type, device type, and operating system
• Pages visited, time spent, and navigation patterns (analytics)
• Referring URLs and search terms used to reach the Platform
• Cookies and similar tracking technologies (see Section 8)

2.3 Information from third parties:

• Payment confirmation and transaction status from Razorpay
• Browser push notification tokens (if you enable notifications)

Under the SPDI Rules, certain data qualifies as "Sensitive Personal Data or Information" and requires heightened protection. We may collect the following SPDI:

• Financial information: Payment method type (not card numbers), transaction history on the Platform
• Government IDs: PAN or Aadhaar number (collected only where legally required for subscription or compliance)

We collect SPDI only with your explicit consent, use it solely for the stated purpose, and do not retain it longer than necessary. You may withdraw consent by contacting our Grievance Officer, though this may result in inability to access certain features.

We use the information we collect for the following purposes:

• Account management: Registration, authentication (OTP/PIN), and account maintenance
• Service delivery: Providing access to auction listings based on your subscription tier
• Payments: Processing subscription purchases and managing billing through Razorpay
• Communication: Sending service updates, subscription confirmations, and responding to contact form enquiries
• Notifications: Alerting you to new auction listings matching your saved preferences (if enabled)
• Analytics: Understanding usage patterns to improve the Platform
• Legal compliance: Maintaining records as required by Indian tax, financial, and regulatory laws
• Fraud prevention: Detecting and preventing fraudulent or unauthorised use of the Platform

We will not use your data for any purpose other than those stated above without obtaining your prior consent.

We do not sell, trade, or rent your personal information to third parties. We may share your data only in the following circumstances:

• Service providers: With Razorpay (payment processing) and cloud/hosting providers who process data on our behalf under confidentiality obligations
• Legal obligations: When required by law, court order, subpoena, or request from a competent government authority under Indian law
• Protection of rights: To protect the rights, property, or safety of the Company, our users, or the public
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections
• Aggregated analytics: Non-personally identifiable, aggregated data may be shared with partners or published publicly

All third-party service providers are required to maintain the confidentiality and security of your information and are prohibited from using it for any other purpose.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable Indian law:

• Account data: Retained for the duration of your active account + 3 years after deletion (for legal and audit purposes)
• Transaction records: Retained for 8 years as required under the Income Tax Act, 1961 and GST rules
• Contact form messages: Retained up to 2 years unless you request earlier deletion
• Analytics data: Retained in anonymised form indefinitely; identifiable analytics data is deleted within 24 months

Upon expiry of the retention period or upon your request (subject to legal obligations), we will securely delete or anonymise your personal data.

We implement reasonable security practices and procedures as required under the SPDI Rules, including:

• Encryption of data in transit using TLS/HTTPS
• Encrypted storage of sensitive credentials (PINs are hashed and never stored in plaintext)
• Access controls limiting data access to authorised personnel only
• Regular security assessments of our systems
• JWT-based authentication with short-lived tokens for API access

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your rights, we will notify you as required by applicable law.

We use the following types of cookies and similar technologies:

• Essential cookies: Required for authentication, session management, and core Platform functionality. Cannot be disabled.
• Analytics cookies: Used to understand how users interact with the Platform (e.g., pages visited, time on site). May be disabled via browser settings.
• Preference cookies: Store your filter preferences and UI settings for a better experience.

You may configure your browser to refuse cookies or alert you when cookies are being set. Disabling essential cookies will affect Platform functionality. We do not use third-party advertising cookies or cross-site tracking.

As a user, you have the following rights with respect to your personal data:

• Right to access: Request a copy of the personal data we hold about you
• Right to correction: Request correction of inaccurate or incomplete data
• Right to deletion: Request deletion of your account and personal data (subject to legal retention requirements)
• Right to withdraw consent: Withdraw consent for use of SPDI at any time (may affect service availability)
• Right to object: Object to processing of your data for purposes other than service delivery
• Right to data portability: Request your data in a machine-readable format where technically feasible

To exercise any of these rights, please contact our Grievance Officer (Section 11). We will respond within 30 days of receiving your request.

The Platform is intended for users aged 18 and above. We do not knowingly collect personal information from individuals under 18 years of age. If we become aware that we have inadvertently collected data from a minor, we will delete such information immediately. If you believe a minor has provided us with personal information, please contact our Grievance Officer.

In accordance with the Information Technology Act, 2000 and the SPDI Rules, we have designated a Grievance Officer to address any complaints or concerns regarding the processing of your personal data:

Grievances will be acknowledged within 48 hours and resolved within 30 days of receipt.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify registered users via email or an in-platform notification

Your continued use of the Platform after the effective date of the revised Policy constitutes acceptance of the updated terms. We encourage you to review this Policy periodically.