CREVINGS - PRIVACY POLICY

1. COMPANY INFORMATION AND JURISDICTION

1.1. Data Fiduciary Designation

CREVINGS MARKETPLACE PRIVATE LIMITED declares itself the primary Data Fiduciary responsible for determining the purposes and means of processing personal data as applicable under law.

1.2. Contact & Support

The Company has established dedicated communication channels for Food Partners and Data Principals to raise queries, exercise data rights, or report issues related to data protection.

• •Email: support@crevings.com

Communications to the Company's support contact shall be acknowledged within fifteen (15) working days, and a substantive response or resolution will be provided within thirty (30) working days, subject to identity verification and lawful constraints.

1.3. Governing Legal Framework

This Privacy Policy shall be governed by the substantive and procedural laws of the Republic of India, including without limitation the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and all associated rules and subordinate legislation. All disputes arising from or in relation to this Policy shall be subject to the exclusive jurisdiction of the courts situated within the National Capital Territory of Delhi, India.

2. SCOPE OF THIS POLICY AND DATA PRINCIPALS

This Policy pertains to all natural and juridical persons whose data is processed by the Company ("Data Principals"), including but not limited to:

• •Food Partner Representatives (Proprietary Data Principals): Owners, directors, authorized signatories, and other representatives providing KYC and KYB documentation during onboarding and compliance verification.
• •Food Partner Staff (Accessory Data Principals): Employees and agents whose login credentials and role-based access permissions are furnished to the Company by the Food Partner for secure use of Partner-facing interfaces.
• •Food Partner Entity (Juridical Data Principal): The commercial entity (e.g., restaurant, cloud kitchen, café, franchise) whose non-personal corporate and operational data is collected and archived.
• •Partner's Customers (Offline Subordinate Data Principals): End-customers whose data is provided to the Company by the Food Partner for the purposes of executing marketing campaigns and related services; in such cases the Food Partner remains the primary Data Fiduciary and the Company acts as Data Processor insofar as it processes such customer records.

3. INFORMATION WE COLLECT AND RETAIN

The Company collects, processes, and retains a comprehensive corpus of information necessary to provide services and fulfill legal obligations. Categories include, but are not limited to:

• •Identity & Compliance Data (KYC/KYB): Aadhaar, PAN (where applicable), GST registration, Corporate Identification Number (CIN), FSSAI License Number, registered legal address, official legal entity name, and financial instrument particulars (bank account details) required for verification, statutory compliance, and settlement.
• •Operational & Location Data: Internal system identifiers (e.g., restaurant_id), trade/display names, full physical addresses, geocoordinates (latitude/longitude), declared operating hours, establishment classification (e.g., cloud kitchen, dine-in, café), photographic and video assets of premises, logos, and described amenities.
• •Contact & Access Credentials: Proprietor and authorized user names, primary business telephone numbers, verified email addresses, and other access-related identifiers used for secure credentialing, account notifications, and administrative communication.
• •Financial & Transactional Data: Order-level transaction records, revenue metrics, payout banking details, payout disbursement histories, and ancillary financial data maintained for payment execution, accounting, taxation, and statutory reporting.
• •Food Partner Staff Data: Employee identifiers, role/titles, business contact information, securely hashed authentication credentials, and assigned application access permissions.
• •Inventory & Menu Data: Comprehensive menu enumerations, stock and inventory levels, consumption and ordering histories, item categorization, and transactional behavior contributing to predictive analytics and inventory forecasting.
• •Aggregated & Derived Performance Metrics: Offline sales reports as reported by Partners, temporal demand analyses, best-selling item indicators, inferred customer demographic approximations, and aggregated statistics generated for performance improvement and automated campaign targeting. Such derived data may be aggregated and anonymized for analytic uses.

4. LEGAL BASIS AND PURPOSE(S) OF PROCESSING

Personal data is processed for legitimate, specific, and documented purposes, including:

• •Onboarding & Regulatory Compliance: Verification of Partner identity and credentials to satisfy KYC/KYB obligations and comply with FSSAI, GST, taxation, and other regulatory reporting requirements.
• •Service Delivery & Operational Support: Maintenance of marketplace visibility, order management, delivery routing (utilizing geocoordinates), customer support, technical maintenance, and provision of core platform functionality.
• •Financial Settlement & Reporting: Execution of accurate payout disbursements, maintenance of ledgers, reconciliation, statutory accounting, and tax filings.
• •Business Analysis, Advisory & Optimization: Combine inventory/menu, transactional, and offline performance data to diagnose operational deficiencies, recommend menu engineering, pricing strategies, inventory procurement improvements, and other prescriptive enhancements to augment Partner competitiveness.
• •Staff Management & Security: Administer role-based access controls and secure authentication for Partner staff, as authorized by the Food Partner.
• •Marketing Campaigns (Processor Role): Where the Company processes Partner-supplied customer data to execute marketing campaigns, the Company acts as Data Processor and processes such data strictly per Partner instructions and contractual Data Processing Agreements.
• •Algorithmic Enhancement & Product Improvement: Use of aggregated, anonymized data subsets to improve internal analytics, predictive models, and proprietary algorithmic services. Such usage shall exclude identifiable personal data unless specific consent has been obtained.

5. DATA SHARING, DISCLOSURE, AND INTERCHANGE

The Company shall not disclose personal data to external parties except as necessary for service delivery, under lawful compulsion, or pursuant to protective contractual safeguards:

• •Third-Party Service Providers: Minimal data necessary for payment settlement and financial processing may be shared with regulated banks, payment gateways, and authorized financial intermediaries bound by confidentiality and contractual data protection obligations.
• •Affiliates & Group Entities: Aggregated or anonymized analytical data may be shared with the Company's affiliates, subsidiaries, or group companies for operational planning and product development, subject to equivalent protective commitments.
• •Legal & Regulatory Disclosure: Personal data may be disclosed in response to legally enforceable orders, valid governmental or judicial requests, or regulatory investigations where disclosure is required by law.
• •Corporate Transactions: In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the successor entity under contractual assurances that the receiving party will adhere to privacy obligations materially equivalent to those in this Policy, and where required, Data Principals will be notified as required by law.
• •Cross-Border Processing & Storage: Personal data is primarily stored on secure infrastructure within the territorial jurisdiction of India. Where processing or storage outside India is necessary (for instance, use of global cloud infrastructure), the Company shall ensure the implementation of protections equivalent to those required under applicable law and shall disclose such transfers in accordance with regulatory standards.

6. DATA RETENTION AND DESTRUCTION

• •Retention Principle: Personal data will be retained only for the period necessary to fulfil the lawful purpose for which it was collected, or as required for compliance with statutory obligations (whichever is longer).
• •Post-Contract Retention Period: Certain categories of data, notably financial records, KYC/KYB documentation, and tax-related records, shall be retained for a period of seven (7) years following the cessation of the contractual relationship or account termination, or for such longer period as required by applicable law.
• •Deletion & Destruction: Upon expiration of the retention period, data will be disposed of securely using irreversible cryptographic erasure for electronic records and physical shredding for hard-copy documents. The Company shall maintain auditable deletion logs to evidence compliance with destruction obligations.

7. CONSENT, RIGHTS, AND WITHDRAWAL

• •Consent: By providing personal data or by continuing to use the Company's services and platforms, Data Principals consent to the collection and processing of their personal data in accordance with this Policy and the lawful bases herein described.
• •Withdrawal of Consent: Data Principals may withdraw consent at any time by sending an explicit request to support@crevings.com, subject to verification and the Company's legal obligations. Upon valid withdrawal, the Company shall cease relevant processing within a commercially reasonable timeframe unless retention is required by law.
• •Data Subject Rights: Data Principals may exercise rights of access, rectification, erasure, portability, objection to processing, and grievance by contacting support@crevings.com. Requests shall be acknowledged within fifteen (15) working days and substantively addressed within thirty (30) working days, unless extension is warranted by complexity or legal constraint, in which case the Company will communicate the reasons for delay and the expected resolution timeframe.

8. PROCESSING OF CHILDREN'S PERSONAL DATA

The Company does not knowingly solicit, collect, or process personal data of children under the age of eighteen (18) years. In the event that the Company becomes aware that personal data of a minor has been collected without verifiable parental or guardian consent, the Company shall promptly delete such data from its active systems and take reasonable steps to notify the relevant Partner or Data Principal, where ascertainable, and to purge such records from backups in accordance with lawful constraints.

Age Restriction for Food Partner Onboarding: Individuals under 18 years of age are strictly prohibited from being onboarded as Crevings Food Partners, restaurant operators, franchise participants, or any merchant category within the Crevings Partner ecosystem.

9. DATA SECURITY AND BREACH PROTOCOL

• •Security Controls: The Company implements reasonable technical and organisational measures to secure personal data, including encryption at rest and in transit, role-based access control, multi-factor authentication for privileged accounts, secure coding practices, network perimeter defenses, and periodic security audits and assessments.

In the event of a material personal data breach, the Company will promptly initiate containment, forensic analysis, and mitigation measures. Where required by law, the Company shall notify the relevant regulatory authority (including the Data Protection Board of India) and the affected Data Principals without undue delay and provide information regarding the nature of the breach, the categories of data affected, the remedial actions taken, and recommended mitigation steps for affected individuals. All such incidents will be logged and reviewed to effectuate corrective controls.

10. POLICY UPDATES AND VERSIONING

The Company reserves the right to amend this Privacy Policy at any time to reflect changes in legal requirements, operational practices, or technological developments. Material modifications will be denoted by an updated Effective Date and shall be published on the Company's official website.

Notification of Updates: Whenever the Privacy Policy is updated, all registered Food Partners shall be informed through push notifications within the Partner App, WhatsApp messages, and official email communication.

Continued use of the Company's services following such updates constitutes acceptance of the revised Policy.

11. CONTACT AND COMMUNICATION

For inquiries, complaints, or to exercise your data rights, contact:

• •Email: support@crevings.com