Data Policy

Effective Date: August 29, 2025 | Last Updated: August 29, 2025

Introduction

This Data Policy ("Policy") sets out the principles and procedures adopted by Kutoot Innovations Pvt. Ltd. ("Kutoot", "we", "our", or "us") in relation to the collection, processing, storage, disclosure, retention, and deletion of personal data of users ("User", "you") who access or use our platforms, namely www.kutoot.com (the "Digital Shopping voucher and Rewards Platform") and shop.kutoot.com (the "E-Commerce Marketplace"), collectively referred to as the "Platforms."

This Policy has been drafted in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000 (as amended), the rules framed thereunder, and other applicable Indian laws and regulations. It supplements and should be read together with our Privacy Policy and Terms & Conditions.

By using the Platforms, you consent to the practices described in this Policy.

1. Data Fiduciary Responsibility

Kutoot acts as the Data Fiduciary under the DPDPA, determining the purpose and means of processing your personal data. Vendors, service providers, and partners engaged by Kutoot act as Data Processors and are contractually bound to comply with this Policy, confidentiality obligations, and applicable data protection laws.

We appoint a Data Protection Officer (DPO) who is responsible for oversight, compliance, grievance redressal, and coordination with the Data Protection Board of India.

2. Data Collection and Lawful Basis

We collect personal data directly from you, automatically through your interactions, and indirectly from vendors or third parties. The lawful bases for such collection include:

  • Consent: As obtained at the time of registration, campaign participation, or cookie use.
  • Contractual Necessity: For delivering services such as account creation, transaction processing, and reward fulfilment.
  • Legal Obligation: For compliance with taxation, KYC, and reporting obligations.
  • Legitimate Interest: For fraud detection, service improvements, and secure operations.

Sensitive personal data (such as Aadhaar or PAN for reward verification) is collected only when strictly necessary and with explicit consent.

3. Use and Processing of Data

The personal data collected is processed strictly for legitimate purposes, including but not limited to:

  • Facilitating account creation, login, and authentication.
  • Enabling the purchase and redemption of Kutoot Coins.
  • Managing promotional campaigns, coupons, and reward distribution.
  • Processing e-commerce transactions with Vendors.
  • Providing customer support and grievance redressal.
  • Meeting tax and regulatory compliance requirements, including TDS deductions on rewards.
  • Enhancing user experience through personalization and analytics.
  • Conducting audits, security checks, and fraud prevention.
  • Reporting aggregated, anonymized impact data for CSR and transparency.

4. Data Retention

| Data Type | Retention Duration |
|---|---|
| Account Data | Retained for the duration of the account's existence and deleted within ninety (90) days of account closure, unless retention is mandated by law. |
| Transaction Data | Retained for a minimum of seven (7) years from the date of transaction to comply with the Income Tax Act, 1961, the Companies Act, 2013, and audit obligations. |
| KYC Data | Retained until the completion of verification and reward distribution, and thereafter archived for a statutory period of eight (8) years, after which it is securely deleted. |
| Cookies and Analytics Data | Retained for periods not exceeding two (2) years, unless otherwise extended by consent. |

5. Data Deletion and Erasure

Users may request the deletion of their personal data by submitting a verified request to dpo@kutoot.com. Kutoot shall, subject to applicable legal obligations, delete or anonymize such data within a reasonable period, generally within thirty (30) days of verification.

Data shall not be deleted if its retention is required for:

  • Compliance with applicable laws and legal processes.
  • Enforcement of contractual rights and obligations.
  • Fraud detection, investigation, or dispute resolution.
  • Preservation of evidence in ongoing investigations or litigation.

Deletion shall be carried out using secure, industry-standard methods to ensure that the data cannot be reconstructed or retrieved. Users will receive written confirmation of deletion or the reasons for lawful retention.

6. Data Storage and Security

All personal data is stored on servers located within India, in compliance with localisation requirements under Indian law. International transfers, if any, shall be made only in accordance with the safeguards prescribed by the DPDPA.

Kutoot implements appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data, including:

  • Encryption, firewalls, role-based access
  • Regular penetration testing and staff training

In the event of a personal data breach, Kutoot shall notify affected users and the Data Protection Board of India within the statutory timelines prescribed by law.

7. Sharing and Disclosure of Data

Personal data may be disclosed under the following limited circumstances:

  • To Vendors and Partners for order fulfilment, reward delivery, or transaction verification.
  • To Service Providers such as payment gateways, cloud hosting providers, and analytics platforms, bound by contractual confidentiality and DPDPA compliance.
  • To Regulators, Law Enforcement, or Courts in compliance with legal obligations or lawful requests.
  • To Successors in Business Transactions such as mergers or acquisitions, with appropriate safeguards.
  • To third parties with your explicit consent for specific services such as referrals or social sharing.

Under no circumstances shall Kutoot sell your personal data.

8. User Rights

As a data principal under the DPDPA, you are entitled to exercise the following rights:

  • The right to obtain a summary of your personal data processed by Kutoot.
  • The right to correction, updating, or completion of inaccurate or incomplete data.
  • The right to erasure of data when no longer necessary, subject to legal exceptions.
  • The right to withdraw consent for specific processing activities.
  • The right to nominate another person to exercise rights in the event of your death or incapacity.
  • The right to grievance redressal before Kutoot's DPO, with escalation to the Data Protection Board if unresolved.

Requests must be sent to dpo@kutoot.com, accompanied by verification documents. Kutoot will respond within thirty (30) days or such period as prescribed by the DPDPA.

9. Children's Data

The Platforms are not directed at individuals under eighteen (18) years of age. Kutoot does not knowingly collect or process personal data of minors. If we become aware that such data has been collected, it shall be deleted promptly. Parents or guardians may contact us if they believe a minor has accessed our Platforms without consent.

10. Governance and Enforcement

This Policy is subject to the oversight of Kutoot's Data Protection Officer. Internal audits are conducted periodically to ensure compliance with applicable laws and this Policy. Violations by employees, vendors, or service providers may result in:

  • Disciplinary action
  • Termination of contracts
  • Legal proceedings

11. Governing Law and Jurisdiction

This Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising from or relating to this Policy shall be subject to the exclusive jurisdiction of the competent courts at Bengaluru, Karnataka.

12. Contact Information

For data-related queries, deletion requests, or grievances, you may contact:

Data Protection Officer

Kutoot Innovations Pvt. Ltd.

No. 59, 1st Floor, Chowdeshwari Arcade, Opp. Metro Station, Rajajinagar, Bengaluru – 560086, India.

Email: dpo@kutoot.com