Privacy Policy

GoldShopper is India's #1 Cloud ERP platform purpose-built for the jewellery industry. We are incorporated under the laws of India and operate from India. Our registered email for all privacy-related matters is support@goldshopper.in.

As a Data Fiduciary under the Digital Personal Data Protection Act, 2023, we determine the purpose and means of processing your personal data and are responsible for its lawful processing.

We collect information in the following categories:

We use the information we collect for the following purposes:

• To create, manage, and maintain your GoldShopper account and subscription
• To provide and operate all ERP features including billing, inventory, accounting, and GST compliance modules
• To display real-time gold rates and sync them across your account
• To generate HUID, barcode, and BIS-compliant tagging reports
• To send transactional communications such as invoices, receipts, and support replies
• To send service updates, feature announcements, and usage tips (you can opt out)
• To process payments and manage subscriptions
• To detect, investigate, and prevent fraud, security incidents, and abuse
• To improve our platform through analytics, crash reporting, and user feedback
• To comply with legal obligations under Indian law (GST Act, IT Act, DPDPA)
• To provide customer support and onboarding assistance

Under the Digital Personal Data Protection Act, 2023 (DPDPA), we process your data on the following lawful bases:

• Consent: When you register, accept our Terms, or grant app permissions (e.g., camera, location)
• Contract: To fulfil our obligations under your subscription agreement with us
• Legal Obligation: To comply with GST filing requirements, IT Act mandates, and court orders
• Legitimate Interest: To improve platform security, detect fraud, and enhance our services — without overriding your rights

We do not share your personal data with third parties except in the following limited circumstances:

• Service Providers: Trusted vendors who help us operate (e.g., cloud hosting on AWS/Azure, SMS gateways for OTPs, payment processors). These parties are bound by data processing agreements and cannot use your data for other purposes.
• Government & Regulatory Bodies: When required by law, court order, or a valid government request under Indian law.
• Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred. You will be notified in advance.
• With Your Consent: For any other sharing not listed here, we will ask for your explicit consent first.

Our Services may integrate with third-party platforms. Each of these has its own privacy policy which we encourage you to review:

• Google Analytics / Firebase: For usage analytics and crash reporting
• Payment Gateways (Razorpay / PayU / Others): For processing subscription payments securely
• SMS / WhatsApp Providers: For OTPs, invoices, and notifications sent to your number
• Cloud Hosting (AWS / Azure / GCP): For secure, encrypted data storage within India
• GST Portal API: For auto-filing and data validation with government systems

We vet all third-party service providers for security and compliance before integration. We are not responsible for the privacy practices of external websites you may navigate to from our platform.

We retain your data for as long as your account is active and for a period thereafter as required by law or our legitimate business needs:

• Account Data: Retained for the duration of your subscription plus 3 years after account closure (for legal/tax purposes under GST Act)
• Business / Transaction Data: Retained for 7 years as mandated under Indian accounting and tax regulations
• Support & Communication Logs: Retained for 2 years
• Device & Usage Logs: Retained for 90 days for security and debugging
• Deleted Data: Removed from active systems within 30 days of account deletion; backup purge within 90 days

We implement industry-standard technical and organizational measures to protect your data:

• All data transmitted between your device and our servers is encrypted using TLS 1.2 / TLS 1.3
• Data at rest is encrypted using AES-256 encryption
• Access to production systems is restricted to authorized personnel only, with multi-factor authentication (MFA) enforced
• We conduct regular security audits and vulnerability assessments
• Automated daily backups with geo-redundant storage within India
• Role-based access controls (RBAC) for your team members within GoldShopper

Under the DPDPA 2023 and applicable law, you have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your data (subject to legal retention requirements)
• Right to Data Portability: Request your data in a machine-readable format
• Right to Withdraw Consent: Withdraw consent at any time for optional processing (e.g., marketing emails); withdrawal will not affect prior lawful processing
• Right to Grievance Redressal: Lodge a complaint with our Grievance Officer (see Section 15)
• Right to Nominate: Nominate another individual to exercise your rights in case of incapacity

To exercise any of these rights, email us at support@goldshopper.in with the subject line "Data Rights Request". We will respond within 30 days.

GoldShopper is a business ERP platform intended solely for adults (persons aged 18 and above) operating jewellery businesses. We do not knowingly collect personal data from individuals under the age of 18.

If you believe a minor has provided us with personal information, please contact us immediately at support@goldshopper.in and we will delete such information promptly. Under the DPDPA 2023, processing of children's data requires verifiable parental consent, which our platform does not solicit.

Our Business App, B2B App, and B2C App (available on Google Play Store and Apple App Store) may request the following device permissions. All permissions are optional unless explicitly stated, and you can manage them in your device settings at any time:

Our website (goldshopper.in) uses cookies and similar tracking technologies:

• Essential Cookies: Required for the website and app to function (session management, authentication). Cannot be disabled.
• Analytics Cookies: Help us understand how visitors use our site (e.g., Google Analytics). You can opt out via browser settings or the Google Analytics opt-out extension.
• Preference Cookies: Remember your settings and preferences (e.g., language, theme).
• Marketing Cookies: Used for retargeting ads on third-party platforms. We only use these if you consent. You can opt out at any time.

You can control cookies through your browser settings. Disabling essential cookies may affect website functionality. Our mobile apps use Firebase SDK for crash analytics and performance monitoring — this does not use browser cookies.

GoldShopper is an India-first platform. We store all primary customer and business data on servers located within India, in compliance with RBI and SEBI data localisation guidelines where applicable.

Certain third-party service providers (such as analytics platforms) may process data outside India. When this occurs, we ensure that adequate contractual protections are in place and that the transfer complies with applicable Indian data protection law, including the DPDPA 2023.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes:

• We will update the "Last Updated" date at the top of this page
• For material changes, we will notify you via email or an in-app notification at least 14 days before the change takes effect
• For minor changes, posting the updated policy on this page constitutes sufficient notice
• Your continued use of the Services after the effective date constitutes your acceptance of the updated policy

We encourage you to review this page periodically. All previous versions of this policy are available upon request.

In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer:

If you are not satisfied with our resolution, you may escalate to the Data Protection Board of India once constituted under the DPDPA 2023.

For any questions, requests, or concerns about this Privacy Policy or our data practices, reach out through any of the following channels: