Privacy Policy

Kutoot Innovations Pvt. Ltd. ("Kutoot", "we", "our", "us") respects and protects the privacy of every individual who interacts with our platforms. This Privacy Policy ("Policy") describes how we collect, use, process, disclose, and safeguard your personal data when you access or use our services, including:

• www.kutoot.com – our digital voucher platform offering Shopping Coins, rewards and promotional platform; and
• shop.kutoot.com – our e-commerce marketplace for products and services.

(collectively referred to as the "Platforms" or "Services").

This Policy is framed in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000 (as amended), and all other applicable Indian laws. By using our Services, you consent to the practices outlined herein. If you do not agree, please discontinue your use of the Services.

Kutoot may revise this Policy from time to time. Updates will be reflected with a new “Last Updated” date. Where changes are material, we will notify you via email or announcements on the Platforms. Continued use after such updates constitutes acceptance.

Kutoot Innovations Pvt. Ltd. acts as the data fiduciary responsible for your personal data.

For privacy concerns or to exercise your rights, contact our Data Protection Officer (DPO):

We respond to valid privacy requests within 30 days, or within such time as mandated under DPDPA.

We collect and process only the personal data necessary for delivering and improving our Services, in compliance with consent and lawful bases.

2.1 Information You Provide

• Account Details: Name, email ID, mobile number, date of birth (for age verification), and login credentials (e.g., OTP or linked social media).
• Transactions: Payment confirmations (processed through secure third-party gateways), order history, Kutoot Coin balances, and redemption activity.
• Promotions: Referral participation, coupon claims, and campaign participation records.
• User Communications: Queries, complaints, feedback, and customer support interactions.
• KYC Information: PAN, Aadhaar, and bank details (mandatory for reward distribution exceeding ₹10,000 under tax regulations).

2.2 Information Collected Automatically

• Device Data: IP address, device identifiers, browser type, operating system, and app version.
• Usage Patterns: Pages visited, time spent, clickstreams, and navigation flows.
• Location Data: Approximate location derived from IP or GPS (with explicit consent), used for geo-restrictions and localized offers.
• Cookies & Trackers: Information gathered through cookies, pixels, and analytics tools.

2.3 Information from Third Parties

• Vendors: Order and delivery confirmations from e-commerce vendors.
• Social Media: Public profile data if you choose to log in via social accounts.
• Analytics Tools: Aggregated insights provided by service providers such as Google Analytics.

Sensitive personal data (such as health or biometrics) is not collected unless required for a specific lawful purpose and with your explicit consent.

Your personal data is used only for legitimate business and compliance purposes, including:

• Service Delivery: Creating accounts, enabling Kutoot Coin transactions, processing redemptions, issuing coupons, managing campaigns, and distributing rewards.
• Personalization: Providing customized recommendations, offers, and promotional messages.
• Transaction Fulfilment: Facilitating secure payments, vendor deliveries, and refunds (where applicable).
• Legal & Tax Compliance: Verifying identity, deducting and depositing TDS, and maintaining statutory records.
• Security & Fraud Prevention: Detecting and preventing suspicious or unauthorized activity.
• Platform Improvement: Analysing aggregated usage data to optimize functionality and enhance user experience.
• Marketing & Communication: Sending updates on features, campaigns, offers, or new partnerships, with opt-out options available.
• CSR Reporting: Publishing anonymized reports on charitable contributions and social impact.

Personal data is retained only as long as necessary for these purposes, or as required by law (e.g., seven years for financial records). Post-retention, data is securely anonymized or deleted.

Kutoot does not sell or rent personal data. Sharing is restricted to legitimate purposes:

• Vendors & Logistics Providers: To fulfill redemptions, deliveries, or reward dispatches.
• Service Providers: Payment processors (e.g., Razorpay), hosting services (e.g., AWS), analytics providers, and auditors, all bound by confidentiality obligations.
• Legal Authorities: Where disclosure is mandated by law, judicial orders, or regulatory requests.
• Business Transactions: In case of mergers, acquisitions, or restructuring, with due notice to affected users.
• With Consent: For specific user-approved features such as social sharing, referrals, or integrations.

Data storage and processing occur primarily within India. Any cross-border transfer, if required, will comply with DPDPA safeguards.

We employ administrative, technical, and organizational measures to safeguard your data, including:

• End-to-end encryption of data in transit and at rest.
• Multi-layered access controls and authentication protocols.
• Regular penetration testing and vulnerability assessments.
• Employee training and restricted access on a need-to-know basis.

Despite our efforts, no system is immune to risks. In the event of a data breach, Kutoot will notify affected users and authorities as required under DPDPA.

As a data principal, you have the following rights:

• Right to Access: Obtain a summary of personal data held about you.
• Right to Correction: Rectify inaccurate or incomplete personal information.
• Right to Deletion: Request erasure when data is no longer needed (subject to statutory retention).
• Right to Nominate: Assign a nominee to exercise rights in the event of death or incapacity.
• Right to Withdraw Consent: Revoke consent for optional processing (may restrict Service availability).
• Right to Redressal: File grievances with our DPO; escalate unresolved matters to the Data Protection Board of India.

To exercise your rights, please contact dpo@kutoot.com with appropriate verification. Requests will be processed within statutory timelines.

The Services are not designed for individuals under the age of 18. We do not knowingly collect data from minors. If such data is inadvertently collected, it will be deleted upon discovery. Parents or guardians who become aware of unauthorized use must notify us immediately.

Kutoot uses cookies and similar tools for:

• Essential Functions: Maintaining login sessions and navigation.
• Performance Monitoring: Measuring traffic, load times, and error rates.
• Functionality Enhancements: Remembering user preferences and settings.
• Targeted Promotions: Serving relevant campaigns or offers.

Users can manage or disable cookies through browser settings. Certain Services may not function optimally if cookies are disabled.

Our Platforms may contain links to third-party websites or vendor portals. Kutoot is not responsible for the privacy practices of such external sites. Users are advised to review the privacy policies of those sites before sharing personal data.

Kutoot reserves the right to update this Policy at any time. Updated versions will be posted on our Platforms with a revised "Last Updated" date.

For material changes, we will provide prominent notice or direct communication to users.

This Policy shall be governed by and construed in accordance with the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts at Bengaluru, Karnataka, in accordance with our Terms & Conditions.