Data Protection Policy

Last updated: December 22, 2025

Your Data is Protected. We implement industry-leading security measures to protect your personal information in compliance with Indian data protection regulations.

1. Our Commitment to Data Protection

At ibuluxe, we recognize that your personal data is a valuable asset that deserves the highest level of protection. This Data Protection Policy outlines our commitment to safeguarding your information and ensuring compliance with applicable Indian data protection laws.

We are committed to:

  • Processing your data lawfully, fairly, and transparently
  • Collecting data only for specified, explicit, and legitimate purposes
  • Ensuring data accuracy and keeping it up to date
  • Storing data securely with appropriate technical measures
  • Retaining data only as long as necessary
  • Respecting your rights over your personal data

3. Data Controller Information

Under applicable data protection laws, ibuluxe is the "Data Fiduciary" or "Data Controller" responsible for your personal data.

Data Controller: ibuluxe

Registered Address: Delhi, India

Data Protection Officer Email: dpo@ibuluxe.com

4. Data Protection Principles

We adhere to the following core principles in all our data processing activities:

Lawfulness & Fairness

Data is processed lawfully, with a valid legal basis, and in a fair manner.

Transparency

Clear communication about how we collect, use, and protect your data.

Purpose Limitation

Data collected only for specific, legitimate purposes disclosed to you.

Data Minimization

Only essential data is collected - nothing more than what's needed.

Accuracy

We maintain accurate data and provide means to update it.

Storage Limitation

Data retained only as long as necessary for the stated purpose.

Integrity & Confidentiality

Appropriate security measures to protect against unauthorized access.

Accountability

We take responsibility and can demonstrate compliance.

5. Technical Security Measures

We implement robust technical measures to protect your data:

5.1 Encryption

  • Data in Transit: TLS 1.3 encryption for all data transmission
  • Data at Rest: AES-256 encryption for stored data
  • Password Storage: Bcrypt hashing (never stored in plain text)
  • Payment Data: Tokenization via PCI-DSS compliant gateways

5.2 Infrastructure Security

  • Cloud Platform: Google Cloud Platform (Firebase) with enterprise-grade security
  • Firewall Protection: Web Application Firewall (WAF) to prevent attacks
  • DDoS Protection: Cloud-based DDoS mitigation
  • Intrusion Detection: Real-time monitoring for suspicious activities

5.3 Authentication Security

  • Firebase Authentication: Secure, industry-standard authentication
  • Password Requirements: Strong password policy (10+ characters, mixed case, numbers, special characters)
  • Session Management: Secure session handling with automatic timeouts
  • Account Protection: Account lockout after multiple failed attempts

5.4 Database Security

  • Google Cloud Firestore: NoSQL database with built-in security
  • Security Rules: Granular access control rules
  • Data Isolation: User data segregated and access-controlled
  • Regular Backups: Automated backups with encryption

6. Organizational Measures

6.1 Access Control

  • Role-based access control (RBAC) for employees
  • Principle of least privilege - access only as needed
  • Regular access reviews and audits
  • Immediate revocation upon role change or termination

6.2 Employee Training

  • Mandatory data protection training for all employees
  • Regular security awareness programs
  • Phishing simulation exercises
  • Incident response training

6.3 Vendor Management

  • Due diligence before engaging third-party processors
  • Data processing agreements with all vendors
  • Regular security assessments of critical vendors
  • Termination clauses for data return/deletion

6.4 Security Audits

  • Regular internal security assessments
  • Periodic vulnerability scans
  • Annual penetration testing
  • Compliance audits as required

7. Third-Party Data Processors

We carefully select and monitor third-party service providers who process your data:

Service Provider    | Purpose                   | Data Processed               | Compliance
Google Firebase     | Authentication & Database | Account data, User profiles  | ISO 27001, SOC 2
Razorpay            | Payment Processing        | Transaction data (tokenized) | PCI-DSS Level 1, RBI Licensed
Cashfree            | Payment Processing        | Transaction data (tokenized) | PCI-DSS Level 1, RBI Authorized
Logistics Partners  | Order Delivery            | Name, Address, Phone         | Data Processing Agreements
Email/SMS Providers | Communications            | Email, Phone, Name           | TRAI Compliance, DPAs

All third-party processors are bound by data processing agreements that ensure:

  • Processing only on our documented instructions
  • Confidentiality obligations on personnel
  • Appropriate security measures
  • Assistance with data subject rights
  • Notification of breaches

8. Data Breach Protocol

In the event of a data breach, we follow a structured response protocol:

8.1 Detection & Containment

  1. Immediate investigation upon detection
  2. Containment measures to prevent further damage
  3. Preservation of evidence for forensic analysis

8.2 Assessment

  • Determine the nature and scope of the breach
  • Identify affected individuals and data types
  • Assess potential harm to affected individuals

8.3 Notification

  • Regulatory Authorities: Notification to the Data Protection Board of India (when operational) within the prescribed timeframe
  • Affected Individuals: Direct notification without undue delay when the breach poses a high risk
  • Law Enforcement: If criminal activity is suspected

8.4 Remediation

  • Root cause analysis
  • Implementation of corrective measures
  • Policy and procedure updates
  • Additional training if needed

9. Your Data Rights

Under Indian data protection laws, you have the following rights:

Right to Information

Know what personal data we collect and how it's used.

Right to Access

Obtain a copy of your personal data held by us.

Right to Correction

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data (subject to legal obligations).

Right to Withdraw Consent

Withdraw consent for data processing at any time.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Grievance Redressal

Lodge complaints with our Grievance Officer or regulatory authorities.

Right to Nominate

Nominate a person to exercise rights on your behalf.

10. Data Subject Requests

To exercise any of your data rights:

10.1 How to Submit a Request

  • Email: Send your request to dpo@ibuluxe.com
  • Account Settings: Use self-service options in your account dashboard
  • Written Request: Send to our registered address

10.2 Verification

To protect your data, we will verify your identity before processing requests. This may include:

  • Verification via registered email
  • OTP verification to registered phone
  • Additional identity verification for sensitive requests

10.3 Response Time

  • Acknowledgment within 48 hours
  • Response within 30 days of verification
  • Extension of 15 days for complex requests (with notification)

10.4 Limitations

We may not be able to fully comply with requests in certain situations:

  • Legal obligations to retain data (tax records, invoices)
  • Pending disputes or legal proceedings
  • Rights and freedoms of other individuals
  • Legitimate business interests where permitted

11. Grievance Redressal

11.1 Grievance Officer

As per the Information Technology Act, 2000, we have appointed a Grievance Officer:

Grievance Officer

Email: grievance@ibuluxe.com

Response Time: Within 24 hours (acknowledgment) / 30 days (resolution)

11.2 Escalation

If you are not satisfied with the resolution:

  1. Escalate to our Data Protection Officer at dpo@ibuluxe.com
  2. Approach the Data Protection Board of India (once operational)
  3. File a complaint with the appropriate Consumer Forum
  4. Approach the courts of competent jurisdiction in Delhi

11.3 Dispute Resolution

All disputes related to data protection shall be subject to the exclusive jurisdiction of courts in Delhi, India.

12. Contact Information

For any data protection related queries:

Data Protection Officer

DPO Email: dpo@ibuluxe.com

Privacy Email: privacy@ibuluxe.com

Grievance Email: grievance@ibuluxe.com

Phone: +91 98765 43210

Address: Delhi, India

Related Policies

This Data Protection Policy should be read in conjunction with: