SeekhoBecho — Privacy Policy v2.0

 

PRIVACY POLICY

 

Policy No. LEG-04  ·  Version 3.0  ·  Edition 2026

DPDP Act 2023  ·  IT Act 2000  ·  IT Rules 2021  ·  CERT-In  ·  Consumer Protection Act 2019

 

Policy Code

4.0  ·  SeekhoBecho.com

Policy Title

Privacy Policy — Data Protection, Processing, Rights, and Information Governance

Version

2.0 — Full Enterprise Rebuild  |  Supersedes all prior versions

Applicable Law

DPDP Act 2023 · IT Act 2000 · IT (Intermediary) Rules 2021 · Consumer Protection Act 2019

Data Fiduciary

RLS Retail Private Limited (SeekhoBecho.com)

Grievance Officer

Venjula  |  grievance@seekhobecho.com

Consumer Forum Path (Consumer Protection Act, 2019): After exhausting internal grievance, Subscribers may approach: DCDRC (claims ≤₹50L — edaakhil.nic.in), SCDRC (₹50L–₹2Cr), NCDRC (above ₹2Cr — ncdrc.nic.in). National Consumer Helpline: 1800-11-4000 (toll-free) | consumerhelpline.gov.in.

Privacy Queries

privacy@seekhobecho.com

Data Storage

Within India (data localisation) — except where cross-border transfers are disclosed in Section 8

DPB Notification

72 hours on material data breach

Response Commitment

Grievance: 48 hours acknowledgement  |  30 days resolution

Record Retention

7 years (legal/tax records) · Account + 3 years (operational) · See Section 11

Next Annual Review

Due: May 2027  |  Or on material platform change

Cross-References

Master T&C (1.0) | Definitions Policy (2.0) | Acceptance Policy (3.0) | Cookie Policy (5.0) | All Plan Agreements | Vendor Agreements (177.0–188.0)

 

YOUR PRIVACY MATTERS TO US: This Privacy Policy explains how RLS Retail Private Limited (SeekhoBecho.com) collects, uses, stores, shares, and protects your personal data. We are committed to full compliance with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and all applicable data protection laws. Read alongside the Master Terms of Service.

 

 REGULATORY FRAMEWORK  

Law / Guideline

Relevance

DPDP Act, 2023

Primary law — Data Fiduciary, consent, user rights, breach notification, DPB

IT Act, 2000 — Section 43A

Compensation for failure to protect sensitive personal data

IT Act, 2000 — Section 72A

Punishment for breach of lawful contract disclosing personal information

IT (Intermediary Guidelines) Rules, 2021

Platform intermediary obligations, Grievance Officer appointment

CERT-In Directives (April 2022)

Cybersecurity incident reporting within 6 hours; 5-year log retention

Consumer Protection Act, 2019

Consumer data rights, unfair trade practices

Income Tax Act, 1961 (S.194B)

TDS on prize winnings — mandatory data retention

FEMA, 1999

USD receipt / Platinum Plus international data

MSME Act, 2006

Vendor payment records data retention

BNS, 2023

Criminal liability for data theft/breach (Sections 316, 318)

PROG Act, 2025 + PROG Rules, 2026

Gamification/Pearl Economy data — Online Social Games classification

OGAI — Online Gaming Authority of India: Constituted under the PROG Act, 2025, OGAI is the regulatory body for Online Social Game platforms. All SeekhoBecho gamification = Online Social Games — not Online Money Games. OGAI voluntary registration planned post-500 subscribers.

NITI Aayog Responsible AI Principles

AI transparency, fairness, bias prevention

 

 SECTION 1  ·  WHO WE ARE — DATA FIDUCIARY IDENTITY  

1.1.   Data Fiduciary

RLS Retail Private Limited (CIN: U52609HR2019PTC078962), operating as SeekhoBecho.com, is the Data Fiduciary under the DPDP Act, 2023. Registered Office: Plot-76-D, Phase IV, Udyog Vihar, Sector 18, Gurugram, Haryana – 122001. GSTIN: 06AAJCR4683G1Z3. We determine the purposes and means of processing your personal data in connection with your use of the Platform — including website, app, subscription services, gamification, Pearl Economy, learning, vendor operations, and all related services.

1.2.   Scope of Applicability

This Policy applies to personal data collected from:

(a) Visitors browsing the website (www.seekhobecho.com) or app — including non-registered visitors;

(b) Registered users and subscribers (all seven plans: Silver, Gold, Titanium, Elite, Platinum, Platinum Plus, Diamond);

(c) Prize winners undergoing KYC verification;

(d) Vendors — Brand Store Partners (Type 1) and Bulk Purchase Vendors (Type 2) — including their KYC and business data;

(e) Employees, contractors, interns, and consultants of RLS Retail Private Limited (see Section 13.3);

(f) Anyone contacting us through any channel (email, WhatsApp, phone, in-app support, social media).

1.3.   Relationship to Other Policies

This Policy is to be read alongside the Master Terms of Service (1.0), Definitions Policy (2.0), Cookie Policy (5.0), and all applicable Plan Agreements. Capitalised terms carry meanings from the Definitions Policy (2.0) unless defined here.

 SECTION 2  ·  WHAT PERSONAL DATA WE COLLECT  

2.1.   User and Subscriber Data

Category

Specific Data Points

Identity Data

Full legal name, date of birth (where provided), Aadhaar (last 4 digits only — full Aadhaar never stored), PAN (masked — last 4 digits visible), passport/voter ID (prize KYC only)

Contact Data

Mobile number (OTP-verified), email address, WhatsApp number, delivery/postal address

Financial Data

Bank account (masked), IFSC, GSTIN, UPI ID (masked), transaction IDs — tokenised/masked only

Account & Profile Data

Username, profile photo, subscription plan, Customer ID (SB-X-XXXXX), activation date, renewal history

KYC & Verification Data

PAN (masked), Aadhaar (last 4), IEC (Platinum Plus), GST registration, business proof — deleted 30 days post-verification

Pearl Economy Data

Pearl Wallet balance(s), earn trigger history, spend/redemption history, wallet lifecycle events

Gamification & Activity Data

Login streaks, game participation, prize draw entries/outcomes, Maha Jackpot eligibility, Season Pass XP, Clan membership, course completion, selling activity metrics

Technical Data

Device ID (hashed), IP address, OS, app version, browser type, network type, crash logs, session duration, feature usage

Usage & Behavioural Data

Pages visited, features accessed, product categories viewed, share activity, referral clicks, notification interactions — used for platform improvement and fraud detection

Anti-Fraud Framework (Bharatiya Nyaya Sanhita, 2023): Fraudulent chargebacks, false complaints, and identity fraud are offences under Sections 318-319 of the Bharatiya Nyaya Sanhita, 2023 (BNS 2023). Device fingerprint and behavioral data retained for fraud detection and legal proceedings.

Communications Data

Support tickets, WhatsApp Business messages, emails, in-app chat, agent call notes (not recordings)

Prize & Delivery Data

Delivery address (physical prize winners), courier tracking, prize claim status, TDS certificate details

2.2.   Vendor Data

NEW IN v2.0 — Vendor Data Processing: SeekhoBecho now processes personal data of Type 1 (Brand Store Partner) and Type 2 (Bulk Purchase) Vendors as part of our formal vendor framework. See Section 13.2 for full details.

Vendor Data Category

Specific Points

Vendor Identity

Owner/director name, Aadhaar (last 4), PAN (masked)

Business Data

GSTIN, trade name, business registration, IEC (if applicable)

Financial Data

Bank account (masked), IFSC, MSME registration (if applicable)

Onboarding Data

Brand authorization letter, product listing authorization, NDA signed copy

Operational Data

Order history, dispatch logs, SLA performance records, quality inspection records

Communication Data

Email, WhatsApp, phone — coordination with VIREN/ARYAN/RM agents

2.3.   What We Do NOT Collect

•   Full Aadhaar number — only last 4 digits stored;

•   Full bank account number — masked version only;

•   Full PAN — last 4 digits only after verification;

•   Payment card numbers, CVV, or banking passwords — processed entirely by Razorpay, never transmitted to us;

•   Biometric data (fingerprints, facial recognition);

•   Health, religion, caste, political views, or sexual orientation data;

•   Voice recordings of agent calls (only written notes are retained);

•   Full Aadhaar XML/DigiLocker data — KYC documents deleted 30 days post-verification.

2.4.   Children's Data

MINOR PROTECTION  ·  We do not knowingly collect data from persons under 18. Platform is 18+ only. If we discover minor data was collected, it is deleted immediately. Contact privacy@seekhobecho.com if you believe a minor has registered.

 SECTION 3  ·  HOW WE COLLECT YOUR DATA  

3.1.   Directly From You

•   Account registration (mobile OTP, email, name);

•   KYC document submission (PAN, Aadhaar, bank details, IEC, GSTIN);

•   Subscription plan activation and renewal;

•   Pearl Recharge payments;

•   Prize claim forms (address, PAN for TDS);

•   Support tickets and in-app chat;

•   Course enrolment and exam completion;

•   Referral programme participation;

•   Onboarding calls with agents (SHAURYA, VIVAAN, VIREN, ARYAN, RM);

•   Vendor onboarding forms and brand authorization submissions.

3.2.   Automatically / Technically

•   App usage logs (login timestamps, session duration, features accessed);

•   Device data (device ID, OS, app version) on app launch;

•   IP address on every Platform access;

•   Cookies and similar tracking technologies (see Section 12);

•   Push notification interaction logs;

•   Pearl Economy system logs (every earn/spend event time-stamped);

•   Crash reports and error logs (anonymised — via App Store/Play Store).

3.3.   From Third Parties

Source

Data Received

Razorpay (payment gateway)

Transaction status, payment method type, chargeback/refund notices — not card/UPI details

KYC Verification Partner

Verification status (pass/fail) only — original documents not retained post-verification

Apple App Store / Google Play

App installation source, crash reports, in-app purchase confirmation

WhatsApp Business API (Meta)

Message delivery status, opt-in/opt-out confirmation

Delivery Partners

Shipment tracking status, delivery confirmation, RTO notifications

Amazon.com (Platinum Plus)

Seller account verification status, listing approval — governed by Amazon's own privacy policy

 SECTION 4  ·  WHY WE PROCESS YOUR DATA — PURPOSE LIMITATION (DPDP ACT S.4)  

4.1.   Processing Purposes

Purpose

Data Categories Used

Account creation and management

Identity, contact, technical

KYC verification and subscriber onboarding

Identity, financial, KYC documents

Subscription delivery and plan management

Identity, contact, account, financial

Pearl Economy operation (earn, spend, expiry, forfeiture)

Pearl Economy, account, activity

Gamification and prize draws

Gamification, identity (prize KYC)

Prize disbursement, TDS (S.194B), delivery

Identity, financial, prize/delivery

Course delivery and progress tracking

Account, gamification/activity

Customer support and grievance resolution

Identity, communications, account

Vendor onboarding and operational management

Vendor data (Section 2.2)

Referral programme management

Identity, contact, account

Fraud detection, abuse prevention, platform security

Technical, device, Pearl Economy, IP logs

Anti-abuse and chargeback defence

All relevant — IT Act / BNS 2023

Marketing communications (with consent)

Contact (mobile, email, WhatsApp)

Platform improvement and analytics

Usage, behavioural (aggregated/anonymised)

Legal and regulatory compliance

Identity, financial, KYC

Dispute resolution and legal proceedings

All relevant categories as required

GST/invoice generation

Identity, financial, GSTIN

 

Employee identity, financial, attendance, performance (Section 13.3)

AI feature personalization (with opt-out)

Usage, behavioural (Section 13.5)

4.2.   No Secondary Processing

We will not use your personal data for any purpose not listed in Section 4.1 without obtaining fresh, specific, and informed consent. You may withdraw consent at any time — see Section 9.5 for consequences.

 SECTION 5  ·  LEGAL BASIS FOR PROCESSING (DPDP ACT SS.6–7)  

5.1.   Consent (DPDP Act Section 6)

Primary legal basis. Given freely, specifically, on an informed basis, and unambiguously at account registration (OTP-verified), plan activation, and KYC submission. Consent is recorded electronically with timestamp and IP address. Marketing consent is separate and independently withdrawable.

5.2.   Legitimate Uses (DPDP Act Section 7)

We may process without explicit consent under legitimate uses including: (a) performance of contract (subscription services); (b) legal obligations (TDS, GST, CERT-In, PMLA); (c) safety and security (fraud detection, account protection); (d) court orders, regulatory directions.

5.3.   Marketing Consent

Transactional communications (OTP, prize notifications, KYC alerts, invoice) — no additional consent required. Marketing communications (offers, upgrades, gamification promotions) — require explicit opt-in. Opt-out anytime: click "Unsubscribe" in email; message STOP to WhatsApp Business; toggle in Account Settings → Notifications.

 SECTION 6  ·  TRANSACTIONAL vs MARKETING COMMUNICATIONS — TRAI / WHATSAPP COMPLIANCE  

6.1.   Communication Categories

Communication Type

Category | Consent Required?

OTP messages

Transactional — No additional consent

Payment confirmations, invoices

Transactional — No additional consent

KYC verification alerts

Transactional — No additional consent

Prize notifications, TDS certificates

Transactional — No additional consent

Subscription renewal reminders (7-day advance)

Transactional — No additional consent

Support ticket updates

Transactional — No additional consent

Plan upgrade / new feature promotions

Marketing — Explicit opt-in required

Pearl Economy offers, Lucky Hour alerts

Marketing — Explicit opt-in required

Gamification promotions, event invitations

Marketing — Explicit opt-in required

Agent follow-up calls (SHAURYA/VIVAAN/VIREN/ARYAN/RM)

Operational — covered by subscription acceptance; DND: 11 PM – 6 AM IST

6.2.   DND and Communication Limits

DND Hours: 11:00 PM – 6:00 AM IST. No agent calls, WhatsApp messages, or push notifications during this window. Maximum communications: 3 push notifications/day; 2 WhatsApp messages/day per subscription. TRAI DND Registry compliance for SMS. WhatsApp Business Policy compliance for messaging.

 SECTION 7  ·  HOW WE SHARE YOUR DATA — DATA PROCESSORS AND THIRD PARTIES  

7.1.   Data Processors

Processor

Purpose / Data Shared / DPA Status

Razorpay

Payment processing. Transaction status, payment method type. Card/bank details never reach us. DPA: In place. Razorpay RBI-regulated.

KYC Verification Partner

PAN/Aadhaar verification status only. Original documents not retained post-verification. DPA: In place.

Cloud Infrastructure (India)

Hosting all Platform data within India. Data encrypted at rest (AES-256) and in transit (TLS 1.3). DPA: In place.

WhatsApp Business API (Meta)

Transactional/marketing message delivery. Mobile number + message content only. See cross-border disclosure, Section 8.2. DPA: Meta Business Terms govern.

SMS / Push Notification Provider

OTP, alerts, gamification notifications. Phone number, message content. DPA: In place.

Email Service Provider

Transactional emails, invoices, prize notifications. Email address only. DPA: In place.

Logistics Partners (prize delivery)

Subscriber name, delivery address, contact number — for prize last-mile delivery. DPA: In place.

Analytics Provider

Platform usage analytics — anonymised/aggregated only. No PII shared. DPA: In place.

Amazon.com / Amazon.in / Meesho / Flipkart (relevant plans)

Seller account data for listing facilitation — only data necessary for listing setup. Platform-to-platform API. Governed by respective marketplace privacy policies.

Shopify / WooCommerce (Diamond Plan)

Website hosting and e-commerce infrastructure for Subscriber's website. See Section 8.4 for details.

7.2.   Data Processing Agreements (DPAs)

NEW IN v2.0 — DPA Commitment: RLS Retail Private Limited has entered into Data Processing Agreements (DPAs) with all contracted data processors listed in Section 7.1 (or relies on processor-published Data Processing Terms where DPAs are platform-standard, e.g., Meta Business Terms, Shopify DPA). All DPAs require processors to: (a) process data only per our documented instructions; (b) implement equivalent security measures; (c) not sub-process without our consent; (d) notify us of breaches within 24 hours; (e) delete or return data on contract termination.

7.3.   No Sale of Personal Data

ABSOLUTE COMMITMENT  ·  We do NOT sell, rent, trade, or commercially exploit your personal data to any third party for their own marketing or commercial purposes. Your data is never monetised by us. SeekhoBecho.com is an ad-free platform — no advertiser pays to access or influence our processing of your data.

7.4.   Disclosure to Authorities

We disclose personal data to government authorities, regulatory bodies, courts, or law enforcement where required by: applicable law; court order; CERT-In directive; DPDP Act direction from the Data Protection Board; Income Tax authority (TDS compliance); or legitimate government direction. Where legally permitted, we notify you before such disclosure.

7.5.   Business Transfers

In a merger, acquisition, restructuring, or asset sale, your personal data may transfer to the successor entity — bound by equivalent data protection obligations. We will notify you of any such transfer via email and in-app notification with at least 15 days' advance notice where feasible.

 SECTION 8  ·  CROSS-BORDER DATA TRANSFERS — FULL DISCLOSURE  

8.1.   India-Only Storage (Default)

All personal data collected from Indian users is stored exclusively within India on India-based servers in compliance with data localisation norms as recommended by MeitY. We do not transfer personal data to foreign servers for primary storage purposes.

8.2.   WhatsApp and Meta — Incidental Cross-Border Routing

DISCLOSURE: WhatsApp Business API is operated by Meta Platforms Inc. (USA) and Meta Platforms Ireland Ltd. (EU). WhatsApp messages — including content and metadata — route through Meta's global server infrastructure (US + EU servers). This constitutes incidental cross-border data transfer in the course of message delivery. Data shared with Meta: your WhatsApp-registered mobile number + message content + delivery status ONLY. We do NOT share subscription details, Pearl balances, KYC data, or financial data through WhatsApp API. Meta's Privacy Policy governs Meta's processing: www.facebook.com/policy.php | www.whatsapp.com/legal/privacy-policy. Opt out of WhatsApp communications: message STOP to our WhatsApp Business number.

8.3.   Apple App Store and Google Play Store

8.3.1   Apple (iOS): App analytics, crash reports, IDFA (subject to ATT consent), in-app purchase confirmation processed by Apple Inc. (USA). Apple's Privacy Policy: www.apple.com/legal/privacy. ATT permission requested before IDFA access — you may decline without affecting Platform functionality.

8.3.2   Google (Android): App analytics, GAID (opt-out available), crash reports processed by Google LLC (USA). Opt out: Settings → Google → Ads → Reset/Opt-out of Advertising ID. Google's Privacy Policy: policies.google.com/privacy.

8.4.   Amazon.com USA — Platinum Plus Plan

For Platinum Plus Subscribers: Your Amazon.com seller account data is processed through Amazon.com Inc.'s (USA) global infrastructure. Data shared with Amazon: only listing-specific product data required for seller account activation. No personal identity data shared with Amazon beyond what is mandatory for seller onboarding. Amazon.com's Privacy Policy governs their processing. USD sales proceeds credited directly to Subscriber's bank account by Amazon per their payment schedule.

8.5.   Meta Pixel and Google Analytics — Diamond Plan (NEW)

NEW IN v2.0 — DIAMOND PLAN DISCLOSURE: Diamond Plan Professional tier includes setup of Meta Pixel, Google Ads Conversion Tracking, GA4 (Google Analytics 4), and Meta Conversion API on the Subscriber's website. Important disclosures:

(a) These tools collect your CUSTOMERS' behaviour data on the Subscriber's website — NOT the Subscriber's own personal data directly.

(b) Meta Pixel routes data through Meta Platforms Inc. (USA) servers. Google Analytics routes through Google LLC (USA) servers.

(c) The Subscriber, as website owner, is the Data Fiduciary for their customers' data collected through these tools — NOT SeekhoBecho. Subscribers must include appropriate disclosures in their own website's privacy policy.

(d) SeekhoBecho provides setup and advisory services only — it does not access, process, or store the Subscriber's end-customer data through these tools.

(e) Opt-out: The Subscriber may request Diamond Plan without Pixel/GA4 integration (Standard/Business tier only).

The Company's liability for Subscriber's compliance with data protection laws on their own website is expressly excluded.

 SECTION 9  ·  YOUR RIGHTS UNDER THE DPDP ACT, 2023  

9.1.   Right to Access (DPDP Act Section 11)

Request a summary of: (a) personal data we hold about you; (b) purposes for which it is being processed; (c) identities of Data Processors it has been shared with. Response within 30 days of verified request. Submit at: privacy@seekhobecho.com with subject "Data Access Request."

9.2.   Right to Correction and Erasure (DPDP Act Section 12)

Right to: (a) correct inaccurate or incomplete data; (b) request erasure of data no longer necessary for the stated purpose. Processed within 30 days, subject to legal retention requirements (Section 11). Update basic data in Account Settings directly.

9.3.   Right to Grievance Redressal (DPDP Act Section 13)

Grievance Officer: Venjula | grievance@seekhobecho.com. Acknowledge within 48 hours. Resolve within 30 business days.

9.4.   Right to Nominate (DPDP Act Section 14)

Right to nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. Register at: privacy@seekhobecho.com with subject "Data Nomination."

9.5.   Right to Withdraw Consent — Full Consequences

You may withdraw consent at any time. However, withdrawal has specific consequences:

(a) Active subscription mid-term: Services terminate immediately. ZERO REFUND of Subscription Fee or Pearl Recharge — the absolute no-refund policy applies regardless of consent withdrawal.

(b) Marketplace services (Platinum/Platinum Plus/Diamond): KYC data withdrawal = immediate cancellation of marketplace listing services. Active listings may be delisted. Dedicated agent support ceases.

(c) Processing already completed: Withdrawal does not affect processing completed before withdrawal.

(d) Legal processing continues: TDS compliance (S.194B), GST records (7-year retention), court orders — processing continues regardless of consent withdrawal.

(e) How to withdraw: Email privacy@seekhobecho.com with subject "Consent Withdrawal Request" + Customer ID. Processed within 30 days.

NO REFUND ON WITHDRAWAL  ·  Withdrawing consent does NOT entitle you to any refund. The no-refund policy is independent of and survives consent withdrawal. Withdrawal terminates services — not payment obligation.

9.6.   Right to Data Portability

Under DPDP Act Section 14 — request your personal data in a structured, machine-readable format (JSON/CSV). Submit at privacy@seekhobecho.com. Processed within 30 days.

9.7.   Right to Complain to Data Protection Board

If unsatisfied with our response, you may approach the Data Protection Board of India (constituted under DPDP Act, 2023) for redressal. Board complaint details available at the official government portal.

9.8.   How to Exercise Rights — Summary

Right

How to Exercise

Access your data

Email privacy@seekhobecho.com — "Data Access Request"

Correct data

Account Settings or email privacy@seekhobecho.com

Delete data

Email privacy@seekhobecho.com — "Account Deletion Request"

Withdraw consent

Email privacy@seekhobecho.com — "Consent Withdrawal Request"

Raise grievance

Email grievance@seekhobecho.com (Venjula — Grievance Officer)

Opt out of marketing

Account Settings → Notifications → Preferences; or STOP on WhatsApp

Data portability

Email privacy@seekhobecho.com — "Data Portability Request"

Nominate representative

Email privacy@seekhobecho.com — "Data Nomination"

DPB complaint

Official Data Protection Board portal (government)

 SECTION 10  ·  DATA SECURITY AND BREACH NOTIFICATION PROTOCOL  

10.1.   Technical Security Measures

•   AES-256 encryption at rest for all sensitive data;

•   TLS 1.3 encryption in transit (HTTPS enforced);

•   Tokenisation of sensitive financial data (PAN, bank account, Aadhaar);

•   OTP-based authentication for account access, plan activation, prize claims;

•   Role-based access controls (RBAC) — minimum necessary access principle;

•   Device fingerprinting and session monitoring for fraud detection;

•   Secure deletion of KYC documents 30 days post-verification;

•   Annual third-party security audits and penetration testing;

•   Regular vulnerability assessments per CERT-In directives;

•   Two-factor authentication (2FA) for Company internal systems.

10.2.   Data Breach Internal Escalation Protocol (NEW)

NEW IN v2.0 — INTERNAL BREACH PROTOCOL: This protocol is mandatory for all employees. Detection of any actual or suspected data breach must follow this sequence:

Step

Action / Timeline / Responsible

Step 1 — Detection

Any employee, contractor, or system alert detecting a suspected breach must immediately notify IT Security and the Grievance Officer (Venjula). Timeline: WITHIN 2 HOURS of detection. Channel: grievance@seekhobecho.com + direct call.

Step 2 — Containment

IT Security takes immediate steps to contain the breach — isolate affected systems, reset credentials, block unauthorized access. Timeline: Within 4 hours of detection.

Step 3 — Assessment

IT Security + Legal & Compliance assess: (a) type and scope of data affected; (b) number of Data Principals affected; (c) likely harm/risk level; (d) whether breach qualifies as "material" under DPDP Act. Timeline: Within 6 hours (per CERT-In 6-hour reporting window).

Step 4 — CERT-In Reporting

If breach involves any cybersecurity incident as per CERT-In Directions April 2022 — report to CERT-In within 6 hours of discovery. Channel: www.cert-in.org.in. Responsible: IT Security + Legal.

Step 5 — DPB Notification

If personal data breach likely to cause harm to Data Principals — notify Data Protection Board of India within 72 hours per DPDP Act. Include: nature of breach, categories/volume of data, likely consequences, remedial measures taken. Responsible: Legal & Compliance.

Step 6 — User Notification

Where required by DPB directions or where breach poses high risk to individuals — notify affected users per DPB instructions. Channel: Email + in-app notification. Timeline: As directed by DPB or within 72 hours where self-notification is required.

Step 7 — Remediation

Full remediation: patch vulnerabilities, enhanced monitoring, credential resets. Post-incident report for internal records. Responsible: IT Security.

Step 8 — Documentation

Complete incident report filed in breach register. Retained for 5 years per CERT-In directive. Responsible: Legal & Compliance.

10.3.   User Security Responsibilities

You are responsible for: (a) keeping account credentials confidential; (b) logging out on shared devices; (c) immediately notifying compliance@seekhobecho.com of suspected unauthorized access; (d) NOT sharing OTPs with anyone — we NEVER ask for your OTP.

 SECTION 11  ·  DATA RETENTION — PERIODS AND DELETION  

11.1.   Retention Schedule

Data Category

Retention Period / Basis

Account and identity data

Active account duration + 3 years post-closure (legal/regulatory compliance)

KYC documents (original images)

DELETED within 30 days of successful verification. Non-negotiable security standard.

KYC status record (masked data)

7 years (Companies Act, Income Tax Act requirements)

Financial and payment data

7 years (GST Act, Income Tax Act, Companies Act)

Pearl Economy transaction logs

Account duration + 3 years post-closure

Gamification and prize records

7 years (prize draw records — regulatory/TDS)

TDS records (prize winners)

7 years (Income Tax Act, 1961)

Support communications

3 years from last contact

Technical and device data

12 months rolling (fraud detection) + CERT-In 5-year log retention

Marketing consent records

3 years from last consent or withdrawal

Dispute resolution records

7 years from resolution

Acceptance logs (clickwrap/OTP)

7 years from acceptance event

Vendor KYC and operational records

7 years (MSME Act, GST, Income Tax)

Employee HR data

7 years post-exit (IT Act, PF Act, Income Tax)

Physical toy prize delivery address

DELETED within 30 days of confirmed delivery or 90 days from prize claim if undelivered

Agent call notes

3 years from call date

11.2.   Post-Retention Deletion

On retention period expiry: data is securely deleted using cryptographic erasure or data overwriting, preventing reconstruction. Anonymised data (which cannot identify any individual) may be retained indefinitely for aggregated analytics.

 SECTION 12  ·  COOKIES AND TRACKING TECHNOLOGIES  

12.1.   Cookie Types

Cookie Type

Purpose / Opt-Out?

Strictly Necessary

Essential: login sessions, OTP verification, payment processing, security. CANNOT be disabled without breaking Platform.

Functional

Remember preferences (notification settings, plan type, language). Can be disabled — some features affected.

Analytics

Platform usage analytics — page views, feature usage, session duration. Anonymised only. Opt-out via cookie settings.

Security / Fraud Detection

Device fingerprinting, IP tracking for fraud prevention. Cannot disable without compromising security.

Marketing / Retargeting

Show relevant ads on Meta/Google to Platform visitors. Opt-out via cookie preferences or device settings.

12.2.   Mobile App Permissions

Permission

Purpose / Required?

Camera

KYC document capture, profile photo upload. Required for KYC — optional otherwise.

Storage/Files

Download invoices, certificates, product catalogues. Required for catalogue download features.

Notifications

Pearl Economy updates, prize alerts, renewal reminders, Lucky Hour notifications. Optional — disabling may miss time-sensitive alerts.

Phone/Mobile Number

OTP-based authentication. Required for account security.

Internet

Core Platform functionality. Always required.

Biometric (optional)

Fingerprint/Face ID for faster login if user enables. Never stored by us — processed by device OS only.

12.3.   Managing Cookies and App Permissions

Website cookies: via browser settings or cookie consent banner at www.seekhobecho.com. App permissions: via device Settings → Apps → SeekhoBecho → Permissions. Account-level notification preferences: Account Settings → Notifications. Note: disabling strictly necessary cookies will impair Platform functionality.

 SECTION 13  ·  SPECIFIC DATA PROCESSING CONTEXTS  

13.1.   Pearl Economy and Gamification Data

All Pearl Economy activity — earn triggers, wallet balances, spend events, gamification participation, RKI entries, Maha Jackpot eligibility, Season Pass progression — is recorded in tamper-proof server-side logs. These logs are used to: (a) operate the Pearl Economy accurately; (b) detect fraud; (c) resolve disputes (they constitute conclusive evidence under IT Act 2000). Retained: account duration + 3 years post-closure.

Pearl Economy Data Note: Pearl transaction logs are tamper-proof server-side records. They constitute conclusive evidence of all Pearl activity. Disputes about Pearl balances will be resolved by reference to these records, not user-side screenshots or memories.

13.2.   Vendor Personal Data Processing (NEW)

NEW IN v2.0 — VENDOR DATA: SeekhoBecho now processes personal data of Type 1 (Brand Store Partner) and Type 2 (Bulk Purchase) Vendors. Specific processing:

•   Collection: Vendor name, PAN (masked), Aadhaar (last 4), GSTIN, bank account (masked), IEC, business proof documents, brand authorization, KYC status.

•   Purpose: Vendor onboarding, product listing authorization, order management, payment settlement, quality compliance.

•   Retention: 7 years (GST, MSME, Income Tax requirements).

•   Sharing: VIREN/ARYAN/RM agents (operational); payment settlement team; legal proceedings if required.

•   Deletion: Original KYC documents deleted 30 days post-verification.

Vendor NDA provisions govern additional confidentiality obligations.

13.4.   SeekhoBecho Doll — Pearl Fairy + Celestial Prince — NOT AI

Pearl Fairy (female) and Celestial Prince (male) are fictional animated characters — NOT AI agents, chatbots, or automated data processors. The Doll does NOT: (a) collect, process, or transmit any personal data independently; (b) learn from or profile user behaviour; (c) provide data-driven advice. Character interactions are static, pre-programmed animations. Normal app usage logging continues while the character screen is displayed, with no additional processing. Physical soft toy prize: delivery address collected for fulfilment, deleted within 30 days of confirmed delivery (or 90 days from claim if undelivered). See Section 13.6.

13.5.   AI Tools — Training Data and Personalisation (NEW)

NEW IN v2.0 — AI DATA USAGE TRANSPARENCY: SeekhoBecho uses AI tools for Platform features including recommendation personalisation, course suggestions, and support automation. Disclosures: (a) USER DATA FOR AI TRAINING: We do NOT use identified subscriber personal data to train third-party AI models without explicit separate consent. Platform usage data used for improving SeekhoBecho's own AI features is anonymised and aggregated before any model training. (b) AI PERSONALISATION: Course recommendations, product suggestions, and gamification feature timing may be influenced by AI analysis of your usage patterns. This constitutes profiling per DPDP Act — see Section 13.8. (c) OPT-OUT: You may opt out of AI-based personalisation via Account Settings → Privacy → AI Personalisation. Opting out does not affect access to courses, gamification, or subscription services — it reduces personalisation of recommendations. (d) AI FEATURES DO NOT PROCESS SENSITIVE DATA: AI tools do not access KYC documents, financial data, or Aadhaar/PAN information. They operate only on usage/behavioural data.

13.6.   Physical Toy Prize Delivery Data (Enhanced)

Winners of the SeekhoBecho Doll physical soft toy (Pearl Fairy or Celestial Prince) provide: (a) delivery address; (b) contact number for courier; (c) PAN for TDS if prize value exceeds ₹10,000. This data is: shared only with the delivery partner for last-mile fulfilment; DELETED within 30 days of confirmed delivery; DELETED within 90 days from prize claim date if undelivered. Prize data is not used for any marketing purpose. Not shared with any third party other than the delivery partner. Retained only for the minimum period necessary for fulfilment and legal compliance.

13.7.   KYC Data Handling

KYC document images submitted during plan activation or prize claim: (a) transmitted via secure encrypted channels (TLS 1.3); (b) verified by authorised personnel or automated verification only; (c) ORIGINAL DOCUMENT IMAGES DELETED within 30 days of successful verification — non-negotiable security standard; (d) only verification status ("PAN Verified," "Aadhaar Verified") and masked data (last 4 digits of PAN/Aadhaar) retained post-verification. We do not store full Aadhaar numbers.

13.8.   Automated Decision-Making and Profiling (NEW)

NEW IN v2.0 — AUTOMATED DECISION-MAKING DISCLOSURE per DPDP Act 2023: SeekhoBecho uses automated systems that analyse your usage data and may influence your Platform experience. This constitutes profiling. Full disclosure:

| Automated System | Data Used / Decision Made / Opt-Out |
| --- | --- |
| Pearl Economy Fraud Detection | Login patterns, device fingerprints, Pearl earn velocity, IP address — flags suspicious activity for manual review. Not a fully automated final decision — flags escalate to human review. No opt-out (security essential). |
| Course Recommendation Engine | Course completion history, subscription plan, gamification level — recommends next course. Does not affect access to courses. Opt-out: Account Settings → Privacy → AI Personalisation. |
| Gamification Engagement Signals | Login streaks, Lucky Hour timing, push notification optimisation — used to optimise gamification timing. Does not affect Pearl balances or prize eligibility. Opt-out: Account Settings → Notifications. |
| Anti-Abuse Account Scoring | Multi-account detection, device fingerprint matching, OTP pattern analysis — flags potential policy violations for human review. Not fully automated — all flags reviewed by compliance team before action. No opt-out (integrity essential). |
| Subscription Renewal Prediction | Usage frequency, Pearl activity, plan engagement — triggers renewal reminder at optimal time. Does not affect renewal fee or terms. Opt-out: Account Settings → Notifications → Renewal Reminders. |

Human Oversight Commitment: No automated system makes a final adverse decision (account termination, Pearl forfeiture, prize disqualification) without human review by the Compliance team. All automated flags are reviewed within 48 working hours. Right to contest: If you believe an automated decision adversely affected you, contact compliance@seekhobecho.com for human review.

13.9.   Agent Call Records

Agents (SHAURYA, VIVAAN, VIREN, ARYAN, RM) maintain written call notes only — we do NOT record voice calls. Call notes: (a) used for service continuity, agent training, dispute resolution; (b) retained for 3 years; (c) accessible only to the assigned agent, their team lead, HR, and Legal. Subscribers may request a summary of call notes about their account at privacy@seekhobecho.com.

13.10.   Employee False Representations — Company Not Liable | No Refund

This Platform Privacy Policy governs the collection and processing of personal data of external users (visitors, subscribers, customers, and vendors) only. Employment-related data processing is governed separately by internal HR policies.

ABSOLUTE RULE — EMPLOYEE FALSE REPRESENTATION:

If any employee, agent, contractor, onboarding associate, sales representative, or any person acting on behalf of the Company makes any false statement, unauthorized promise, misleading representation, incorrect commitment, or inaccurate claim to a customer or subscriber — including but not limited to: false promises about plan features, guaranteed income or sales, refund availability, service scope beyond what is published, or any other unauthorized assurance — the following applies unconditionally:

(a)   The Company is NOT liable for such false or unauthorized statements. No false employee representation creates a contractual obligation on the Company beyond the published Master Terms of Service, applicable Plan Agreement, and Platform Policies.

(b)   The Company will provide full cooperation and support to the affected customer in investigating and taking appropriate action against the employee or agent responsible for the false representation, including internal disciplinary proceedings and, where warranted, legal action.

(c)   NO REFUND shall be issued in any such case. The absolute no-refund policy applies in full regardless of any false or unauthorized promise made by any employee or agent. Payment once made is irrevocably non-refundable under all circumstances.

(d)   Customers who believe they have been misled by a Company representative must report the matter immediately to: compliance@seekhobecho.com or grievance@seekhobecho.com. The Company will investigate promptly and take appropriate corrective action against the responsible individual.

(e)   The fact that an employee may have made a false representation does not create a right to services, benefits, features, or refunds not published in the applicable Plan Agreement. The published policies are the sole binding framework — no verbal, WhatsApp, or informal promise overrides them.

CUSTOMER PROTECTION NOTE: While the Company does not refund on account of employee misrepresentation, it takes such incidents extremely seriously. Disciplinary action up to and including termination will be taken against any employee found to have deliberately misled customers. Report to compliance@seekhobecho.com — all reports treated with confidentiality.

 SECTION 14  ·  PRIVACY BY DESIGN AND DEFAULT (NEW)  

NEW IN v2.0: RLS Retail Private Limited commits to Privacy by Design as a core platform development principle, aligned with DPDP Act 2023 best practices and NITI Aayog's Responsible AI Principles.

14.1.   Privacy by Design Commitments

•   New Feature Review: Every new Platform feature, gamification mechanic, Pearl Economy change, or data collection practice undergoes a Privacy Impact Assessment (PIA) before launch. Technology and Legal & Compliance teams jointly conduct the PIA.

•   Data Minimisation: Only data strictly necessary for the stated purpose is collected. No speculative or "in case useful" data collection.

•   Privacy-Preserving Defaults: Maximum privacy settings are the default. Users must opt-in to additional data sharing — opt-out is never required to maintain privacy.

•   Purpose Limitation by Architecture: Technical systems enforce purpose limitation — Pearl Economy data is only accessible to the Pearl Economy module; KYC data is only accessible during verification and masked post-verification.

•   Retention Automation: Automated deletion schedules enforce retention periods in Section 11 — KYC documents auto-delete at 30 days; toy delivery addresses auto-delete at 30 days post-delivery.

•   Vendor Privacy Review: All new vendor integrations and Data Processing Agreements undergo privacy review before go-live.

•   Annual Privacy Audit: Annual internal privacy audit + periodic independent security audit per IT Act Section 43A.

 SECTION 15  ·  RECORD OF PROCESSING ACTIVITIES (RoPA) (NEW)  

NEW IN v2.0: RLS Retail Private Limited maintains a Record of Processing Activities (RoPA) as an internal compliance document — aligned with DPDP Act 2023 accountability requirements and global privacy best practices.

15.1.   RoPA Contents

The internal RoPA document records for each data processing activity:

(a) Name and nature of processing activity;

(b) Categories of personal data processed;

(c) Categories of Data Principals affected (users, vendors, employees, etc.);

(d) Purposes of processing and legal basis;

(e) Data Processors involved and DPA references;

(f) Cross-border transfer details (where applicable);

(g) Retention period and deletion schedule;

(h) Security measures in place;

(i) Date of last Privacy Impact Assessment.

15.2.   RoPA Maintenance

The RoPA is owned by Legal & Compliance and updated: (a) on launch of any new data processing activity; (b) on material change to an existing activity; (c) at each quarterly review. The RoPA is an internal compliance document — not published externally but available to regulators, Data Protection Board, and auditors on request.

 SECTION 16  ·  PAYMENT INFORMATION AND FINANCIAL DATA SECURITY  

16.1.   Payment Processing — Razorpay

All subscription fee and Pearl Recharge payments are processed by Razorpay (RBI-regulated payment aggregator). Your card number, CVV, UPI PIN, or net banking credentials are entered directly on Razorpay's secure interface — these are NEVER transmitted to SeekhoBecho's servers.

What we receive from Razorpay: transaction status (success/failure/refund), payment method type (UPI/card/netbanking — not the specific card/UPI number), transaction ID, and dispute/chargeback notices.

PCI-DSS: Razorpay maintains PCI-DSS Level 1 compliance for all card data. Tokenisation: Razorpay tokenises card data per RBI mandate — no raw card details stored by Razorpay either.

 SECTION 17  ·  DATA ANONYMISATION AND AGGREGATION  

17.1.   Anonymised Analytics

For platform improvement, business reporting, and investor communications, we use anonymised and aggregated data that cannot identify any individual. Methods: data masking, pseudonymisation, generalisation, differential privacy techniques. Examples: "70% of Gold Plan subscribers complete Module 3 within 7 days" — no individual identifiable. Anonymised data is DPDP Act-exempt from most personal data obligations but treated responsibly per DPDP Act Section 9.

We do NOT: (a) sell anonymised data to third parties for their commercial use; (b) share individual-level data in anonymised form where re-identification risk exists.

 SECTION 18  ·  THIRD-PARTY LINKS AND EXTERNAL PLATFORMS  

18.1.   External Platform Links

The Platform may contain links to Amazon, Meesho, Flipkart, Facebook, Instagram, WhatsApp, Shopify, WooCommerce, and other third-party platforms. This Privacy Policy does NOT apply to those platforms. Review their privacy policies before sharing any data. We are not responsible for third-party data practices.

18.2.   Social Media Sharing

When you share Platform content on social media (FB, IG, WhatsApp, Twitter/X, YouTube), those platforms process your data per their own policies. We have no control over or responsibility for social media data practices.

 SECTION 19  ·  UPDATES TO THIS PRIVACY POLICY  

19.1.   Update Notification

Material updates are notified by: in-app notification at least 7 days before the effective date; email to the registered address; and a prominent website notice. Non-material updates (clarifications, formatting) may be made without specific advance notice.

Continued use of the Platform after the effective date of any updated Privacy Policy constitutes acceptance. If you do not accept the updated Policy, stop using the Platform and request account deletion per Section 9.2.

 SECTION 20  ·  GRIEVANCE OFFICER, DPO AND CONTACT INFORMATION  

20.1.   Grievance Officer (IT Rules 2021 + DPDP Act 2023)

| Detail | Information |
| --- | --- |
| Name | Venjula |
| Designation | Grievance Officer, RLS Retail Private Limited |
| Email | grievance@seekhobecho.com |
| Privacy Queries | privacy@seekhobecho.com |
| Compliance / Legal | compliance@seekhobecho.com |
| Address | Plot-76-D, Phase IV, Udyog Vihar, Sector 18, Gurugram, Haryana – 122001 |
| Response Commitment | 48 hours acknowledgement  ·  30 business days resolution |
| Working Hours | 9 AM – 7 PM IST, Monday to Saturday |
| Data Protection Board | DPB India (official government portal) for unresolved complaints |
| CERT-In | www.cert-in.org.in (cybersecurity incidents) |

 APPENDIX A  ·  DATA FLOW SUMMARY — WHO GETS WHAT  

This Appendix forms part of the Privacy Policy (LEG-04 v2.0).

 

| Your Action | Data Flow / Who Receives What |
| --- | --- |
| Register + OTP | SeekhoBecho: name, mobile, email, IP, device. → OTP Provider: mobile number only. |
| KYC submission | SeekhoBecho: PAN/Aadhaar last-4 status + masked data. → KYC Partner: full document (verification status returned, documents deleted 30 days). → NO other sharing. |
| Plan payment | Razorpay: card/UPI details (never reach us). → SeekhoBecho: transaction ID, status, amount only. |
| WhatsApp messages | Meta (WhatsApp Business API): mobile number + message content. → Routes through Meta US/EU servers. → NOT subscription/Pearl/KYC data. |
| App install | Apple/Google: device ID (hashed), crash reports, install source. → ATT/GAID opt-out available. |
| Prize win + claim | SeekhoBecho: PAN (TDS). → Delivery Partner: name + address (deleted 30 days post-delivery). → Income Tax Dept: TDS data. |
| Platinum Plus (USA) | Amazon.com: seller account data (listing facilitation only). → Governed by Amazon Privacy Policy. |
| Diamond Plan Pixel setup | Meta/Google: YOUR customers' behaviour on YOUR website. → You are the Data Fiduciary for your customer data, not SeekhoBecho. |
| Vendor onboarding | SeekhoBecho: PAN (masked), Aadhaar (last-4), GSTIN, bank (masked). → Payment settlement: bank details (masked) for weekly settlement. |
| Support ticket | SeekhoBecho agents: ticket content, account history. → Retained 3 years for service quality and disputes. |

 

 

SeekhoBecho.com  |  LEG-04 — Privacy Policy v2.0  |  RLS Retail Private Limited  |  CIN: U52609HR2019PTC078962  |  Gurugram, Haryana – 122001

"Seekho → Becho → Jeeto"  |  Your data. Our responsibility.  |  "Integrity Builds Trust"  |  Policy retained for 7 years