Privacy Policy

Haatzo, operated as a sole proprietorship by Lohit, is the Data Fiduciary for the personal data you share with us through the Platform.

We collect personal data you directly provide and data generated through your use of the Platform.

Information you provide:

• Account details: name, email address, username, password (stored as a salted hash), phone number, profile photo.
• Shipping addresses you save for orders.
• Seller onboarding details: business name, KYC documents (e.g. PAN), bank account details for payouts.
• Content you create: live show metadata, product listings, chat messages, bids, reviews.
• Payment information: handled by Razorpay; we receive only transaction confirmations and the last four digits of payment instruments.

Information collected automatically:

• Technical data: IP address, browser type, device information, operating system, referring URL.
• Usage data: pages visited, features used, watch time on live shows, bid history.
• Cookies and similar technologies (see § 7).

We process your personal data for the following purposes:

• Account & service delivery — to create and operate your account, fulfil orders, run auctions, and process payments.
• Communication — to send transactional emails (order confirmations, payment receipts, dispute notifications) and, where you have consented, marketing communications you may opt out of at any time.
• Safety & fraud prevention — to detect and prevent fraud, abuse, and unauthorised access, including identity verification of Sellers.
• Improvement & analytics — to understand usage patterns and improve the Platform.
• Legal compliance — to comply with applicable laws, court orders, and regulatory requests.

We process personal data on the basis of your consent (which you provide when registering and using the Platform) or for the performance of a contract you have with us. For certain processing — including fraud detection and legal compliance — we rely on legitimate uses recognised under the DPDP Act.

You may withdraw consent at any time by contacting our Grievance Officer (see § 11). Withdrawal does not affect processing carried out before withdrawal and may require us to discontinue providing services that rely on the withdrawn consent.

We share personal data only as needed to operate the Platform:

• Sellers and Buyers— when you purchase or bid, the relevant Seller receives your shipping address and contact details so they can fulfil your order. Similarly, Buyers see Sellers’ public shop name and ratings.
• Service providers — payment processing (Razorpay), email delivery, hosting (Hetzner Online GmbH, Germany), and similar infrastructure providers, all bound by contractual data-protection obligations.
• Legal authorities — when required by law, court order, or to protect the rights, safety, or property of users or the public.
• Business transfers — if Haatzo is acquired, merged, or transferred, your data may be transferred to the successor entity, subject to a continuation of equivalent privacy protections.

We do not sell your personal data.

Some of our service providers (notably hosting and CDN infrastructure) are located outside India. By using the Platform, you understand and consent to your data being transferred to and processed in jurisdictions outside India, subject to safeguards consistent with the DPDP Act.

We use cookies and similar technologies to remember your login session, keep your cart, measure how the Platform is used, and personalise the experience. Strictly necessary cookies are required for the Platform to function; others can be disabled in your browser settings, though some features may not work without them.

We retain personal data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

• Account data — retained until you delete your account, then archived for up to 12 months for fraud prevention and legal compliance.
• Transaction records (orders, payments, invoices) — retained for at least 8 years to comply with the Income Tax Act and GST law.
• Live show recordings and chat logs — retained for up to 90 days unless required for ongoing dispute resolution.
• KYC documents — retained for 5 years after account closure or as required by applicable financial regulations.

Under the DPDP Act, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Erase your data, subject to legal retention obligations.
• Withdraw consent for processing based on consent.
• Nominate another individual to exercise your rights in case of your death or incapacity.
• Lodge a grievancewith our Grievance Officer (§ 11) or with the Data Protection Board of India.

To exercise these rights, email us at lohit@haatzo.com.

We employ reasonable security practices including encrypted connections (HTTPS/TLS), salted password hashing, access controls, and isolated infrastructure. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security but commit to notifying you and the Data Protection Board of India of any personal data breach affecting your data, in accordance with the DPDP Act.

In accordance with the DPDP Act, IT Act, and IT Rules, the designated Grievance Officer for privacy concerns is:

We acknowledge grievances within 24 hours and aim to resolve them within 15 days as required by law.

The Platform is not intended for users under 18. We do not knowingly collect personal data from minors. If we learn we have collected data from a minor without verifiable parental consent, we will delete it promptly. If you believe a minor has provided us data, please contact our Grievance Officer.

We may update this Privacy Policy from time to time. We will notify you of material changes via email and/or a prominent notice on the Platform. The “Last updated” date at the top of this page reflects the most recent version.