1. Information we collect

We collect personal and non-personal information that helps us deliver fresh, healthy, affordable and tasty experiences:

• Identity & contact data: name, phone number, email, delivery address, birthday preferences – gathered through order forms, loyalty sign-ups, franchise queries and customer support interactions.
• Transaction data: order history, payment method (tokenised), invoice numbers processed through PCI-DSS compliant payment gateways. BunZo never stores full card details.
• Technical data: IP address, browser, device identifiers, cookies, app usage analytics to optimise performance.
• Marketing & preference data: opt-ins for SMS/email, feedback surveys, social media engagement, contest submissions.

We do not intentionally collect sensitive personal data (financial account numbers, biometric identifiers etc.). When unavoidable (for example GST invoices), we process such data strictly under DPDP consent and retention norms.

2. Why we process your data

Processing is limited to legitimate purposes permitted under DPDP Act Section 4, IT Rules and GDPR Article 6:

• Contractual necessity: creating accounts, preparing orders, arranging deliveries, issuing invoices, resolving service tickets.
• Legitimate interests: improving recipes, store formats, digital products, detecting fraud, keeping BunZo experiences consistently fresh and hygienic.
• Consent-based marketing: newsletters, SMS offers, franchise newsletters (unsubscribe anytime via link or email).
• Legal obligations: responding to lawful requests, tax filings, FSSAI/GST compliance, recall notices.

3. Data sharing & disclosures

We never sell personal information. Limited sharing occurs with:

• Delivery & logistics partners (Swiggy, Zomato, Dunzo, trusted riders) to ensure on-time fulfilment.
• Payment aggregators & banks for secure transactions.
• Cloud hosting, CRM, analytics tools headquartered in jurisdictions adhering to ISO 27001 / SOC 2 frameworks.
• Auditors, consultants or legal advisors bound by confidentiality agreements.
• Regulatory authorities when mandated under the DPDP Act, IT Act, or court orders.

In case of mergers or franchise transfers, we will notify data principals before ownership changes as required under Section 8(7) of the DPDP Act.

4. Data storage, localisation & security

• Primary servers are hosted in India with encrypted backups in DPDP-approved jurisdictions.
• Security controls follow IT Rules 2011, ISO 27001, PCI-DSS (for payments), periodic VAPT assessments and zero-trust access policies.
• Incident response includes notifying impacted users and Data Protection Board of India within legally prescribed timelines.
• Retention schedules: order data – 8 years (per GST); marketing consents – until withdrawal; CCTV footage – 30 days unless required longer for dispute resolution.

5. Cookies & tracking choices

BunZo uses first-party and third-party cookies for session management, personalisation, Google Analytics, Meta pixel and ad attribution. You can refuse non-essential cookies using the banner or browser settings. Essential cookies (DPDP “legitimate uses”) remain active to keep carts, forms and logins functional.

6. Your rights as a Data Principal

Under Section 11 of the DPDP Act and Articles 15-22 GDPR, you may:

• Request access, correction, portability or deletion of your personal data.
• Withdraw marketing consent or object to legitimate-interest processing.
• Nominate another individual to exercise rights on your behalf.
• Raise grievances with BunZo’s Data Protection Officer (DPO) and escalate to the Data Protection Board of India if unresolved.

To action these rights, write to privacy@bunzo.co.in with the subject “Data Request”. We respond within 72 working hours and close requests inside the statutory period of 30 days.

7. Children’s privacy

BunZo services are intended for persons aged 13+. We do not knowingly collect data from children below 18 without verifiable parental consent, in line with Section 9 of the DPDP Act and the IT Rules. Parents may email us to delete any inadvertent submissions.

8. Third-party links & platforms

Our website may link to microsites, delivery apps or partner pages governed by their own privacy statements. BunZo does not control those practices and recommends reviewing each provider’s policy before sharing information.

9. Updates to this policy

We review this policy annually and whenever legal changes occur. The “last updated” date will reflect the current version. Material updates will be communicated via email, push notification or prominent on-site banners, as mandated by Rule 5 of the IT Rules.