Privacy Policy
We respect your privacy and are committed to protecting your personal data. This policy explains how Primo Rewards collects, uses, and safeguards information under India's Digital Personal Data Protection Act 2023 (DPDP Act).
1. Who We Are
Primo Rewards is a digital loyalty rewards platform for local businesses in India, operated by Primo Rewards (the "Company", "we", "us", or "our"). Our platform allows business owners ("Merchants") to offer a branded loyalty card to their end customers ("Customers").
For the purposes of the DPDP Act 2023, Primo Rewards is the Data Fiduciary — we determine the purpose and means of processing your personal data.
2. What Data We Collect
2.1 From Merchants (shop owners who enroll)
- Identity data: Full name, business name
- Contact data: Email address, mobile phone number, city
- Business data: Chosen loyalty plan, reward rule configuration, shop slug
- Payment data: Payment transaction ID (via Razorpay — we do not store card numbers or bank details)
2.2 From Customers (end users of a shop's loyalty card)
- Identity data: First name
- Contact data: Last 4 digits of mobile number (used as a lightweight identifier; the full number is provided optionally, on consent, for WhatsApp alerts)
- Activity data: Stamp history, redemption history, date enrolled
- Optional data: Birthday (used only for optional birthday rewards)
2.3 Automatically collected data
- Browser type and version (via standard HTTP headers)
- Page visit timestamps
- We do not use cookies for tracking. We do not use Google Analytics or any third-party analytics tracker.
3. Why We Collect This Data (Purpose Limitation)
We collect personal data only for the following specific, lawful purposes:
- Service delivery: Provisioning your loyalty card page, processing stamps and redemptions
- Payment processing: Collecting the one-time setup fee and monthly subscription through Razorpay
- Communications: Sending your shop link, onboarding guide, and platform updates via email
- WhatsApp notifications: Only when a Customer provides their full mobile number and explicitly consents to WhatsApp messages from their shop
- Security and fraud prevention: Detecting bot submissions and protecting against misuse
4. Legal Basis for Processing (DPDP Act 2023)
Under the DPDP Act 2023, we process your personal data on the following lawful bases:
- Consent: You explicitly agree to our Privacy Policy and Terms before submitting any form. Customers consent when they enroll in a shop's loyalty program.
- Contract: Processing necessary to deliver the service you have signed up for.
- Legitimate interests: Security monitoring, abuse prevention, and platform integrity.
5. Data Storage and Security
All personal data is stored in Supabase (hosted on AWS ap-southeast-2, Sydney), a SOC 2 Type II certified infrastructure provider. Data is encrypted at rest and in transit (TLS 1.3).
We enforce Row Level Security (RLS) on our database — each shop can only access its own customers' data; no cross-shop data access is possible at the database level.
Payment processing is handled exclusively by Razorpay (PCI DSS Level 1 certified). We never store full card numbers, CVV, or bank account details on our systems.
6. Data Sharing
- Supabase Inc. — database and serverless functions hosting
- Razorpay Software Pvt. Ltd. — payment processing (Merchants only)
- Resend Inc. — transactional email delivery
- Vercel Inc. — website hosting and CDN
7. Data Retention
- Active Merchant accounts: Data retained for the duration of the subscription
- After cancellation: All data retained for 90 days to allow reactivation, then permanently deleted
- Customer loyalty data: Retained as long as the Merchant's shop is active; deleted within 30 days of shop deletion
- Payment records: Retained for 7 years as required by Indian financial regulations (GST compliance)
8. Your Rights Under the DPDP Act 2023
- Right to access: Request a copy of the personal data we hold about you
- Right to correction: Request correction of inaccurate or incomplete personal data
- Right to erasure: Request deletion of your personal data (subject to our legal retention obligations)
- Right to grievance redressal: Raise a complaint with our Grievance Officer (see Section 11)
- Right to withdraw consent: Withdraw consent at any time
9. Children's Data
Our service is intended for business owners and their adult customers. We do not knowingly collect personal data from individuals under the age of 18.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to Merchants via email at least 14 days before they take effect.
11. Grievance Officer
Grievance Officer — Primo Rewards
Name: Primo Rewards Privacy Team
Email: privacy@primorewards.in
Response time: Within 30 days of receipt