Jhaazi Privacy Policy
Effective from: 14.06.2026
Last updated: 14.06.2026
Operator: Varsha Ryali, sole proprietor, trading as “Jhaazi” (referred to in this policy as “Jhaazi”, “we”, “us”, or “our”).
Applicable to: every visitor and registered user of the websites, mobile applications, and other digital interfaces operated under the trade name “Jhaazi” (the “Platform”), and to vendors registered to sell on the Platform.
1. Why we publish this policy
We are an online marketplace for clothing. To run the Platform, we collect, use, and share certain information about you. This policy explains, in plain language, what we collect, why we collect it, how we use and share it, how long we keep it, what choices you have, and how you can exercise your rights. This policy is written to comply with the Digital Personal Data Protection Act 2023 (“DPDPA”) and the Digital Personal Data Protection Rules 2025 (“DPDP Rules”), the Information Technology Act 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“SPDI Rules”), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (“IT Rules 2021”), the Consumer Protection (E-Commerce) Rules 2020, and the Telecom Commercial Communications Customer Preference Regulations 2018 (“TCCCPR”). To the extent that any provision of the DPDPA or the DPDP Rules has not been notified or is otherwise not in force when you read this, the corresponding provisions of the SPDI Rules apply during the transition. If you do not agree with this policy, please do not use the Platform.
2. The terms we use
We use a small set of defined terms in this policy.
Personal Data means data about a person who is identified or identifiable from that data, as defined in the DPDPA. It includes things like your name, email, phone number, address, and order history.
Sensitive Personal Data or Information (“SPDI”) under the SPDI Rules includes passwords, financial information (such as bank account or card details), physical/physiological/mental health condition, sexual orientation, medical records, and biometric information.
Data Principal means the individual to whom Personal Data relates (in plain English, “you”).
Data Fiduciary means a person who alone or with others determines the purpose and means of processing of Personal Data. In respect of Personal Data we collect through the Platform, we are the Data Fiduciary.
Data Processor means a person who processes Personal Data on behalf of a Data Fiduciary.
Vendor means a person registered on the Platform to sell products to you.
Buyer means a person who creates an account on the Platform to buy products through it.
3. The Personal Data we collect
We collect Personal Data in three ways: information you give us directly, information generated by your use of the Platform, and information from third parties.
3.1 Information you give us directly
When you create an account, place an order, contact us, or interact with the Platform, you may give us:
1. Account information: name, email, mobile number, password (stored as a salted hash, never in clear text), date of birth (only where you tell us; we do not require it), gender (optional);
2. Address and contact information: shipping addresses, billing addresses, alternative contact numbers, pin code;
3. Booking, order, and transaction information: Drops you have viewed, Items you have claimed, the status of each Booking (pending, confirmed, expired), payment instrument summary (card last four digits, UPI handle, wallet name, but never the full card number, CVV, or PIN), payment status and provider reference, order history, the limited returns history that arises from valid claims under Section 9 of our Terms of Use, and refund history;
4. Communications with us: messages you send through the Platform, email correspondence, chat transcripts, customer-care call recordings (with notice at the start of the call), grievance submissions;
5. Reviews and ratings: text reviews, star ratings, and any other feedback you choose to publish on a Vendor’s product page;
6. Identity and KYC information (Vendors only): legal name, address, PAN, Aadhaar number (with masking and consent as required), GSTIN, IEC, bank account details, business registration documents.
3.2 Information generated by your use of the Platform
We collect information about how you use the Platform, including:
7. Device and connection information: device model, operating system, IP address, browser type, screen size, network carrier;
8. Usage information: Drops opened, items viewed, claim taps, payment-CTA taps, payment outcomes, sold-state views, notification opens, search queries, click-through behaviour, time on page, referrer URL (including referral context if you arrived through a Share Link distributed externally);
9. Cookies and similar technologies: see Section 8 below; and
10. Location information: approximate location derived from IP address. We do not collect precise GPS-level location unless you grant explicit permission for a feature that requires it (and we do not currently operate any such feature).
3.3 Information from third parties
We may receive information about you from:
11. Payment Aggregator: confirmation of a successful or failed payment, last four digits of the card or UPI handle used, fraud-screening signals;
12. Couriers and logistics partners (engaged by Vendors): tracking events, delivery status, delivery exceptions;
13. Communication providers (SMS, OTP, email, WhatsApp Business): delivery and read receipts of transactional messages we send to you;
14. Analytics, marketing measurement, and fraud-prevention providers: aggregated and anonymised usage analytics, fraud signals, attribution events;
15. Other Buyers and Vendors: where you communicate with another user through the Platform and they relay or escalate the communication to us; and
16. Public sources, regulators, and law-enforcement agencies: where required for legal compliance or in response to a lawful request.
3.4 What we do not collect
We do not collect, and we do not encourage you to provide, information about your sexual orientation, religious beliefs, caste, political affiliation, biometric identifiers (other than via Aadhaar masking for Vendor KYC), or health condition.
4. Why we collect Personal Data and the lawful basis we rely on
We collect and use Personal Data for the purposes listed below. The lawful basis under the DPDPA is your consent, which you give when you accept this policy at sign-up. Where the DPDPA recognises certain “legitimate uses” (Section 7) that do not require consent (for instance, performance of a function under a law, compliance with a court order, response to a medical emergency), we rely on those bases to the extent applicable.
1. Account creation and authentication: to set up your account, log you in, recover your account, and prevent unauthorised access.
2. Order processing: to receive your order, transmit it to the relevant Vendor, route the payment through our Payment Aggregator, share your shipping address with the Vendor and its courier so the Product reaches you, and update you on the order status.
3. Customer service and grievance handling: to respond to your queries and complaints, including under the IT Rules 2021 and the Consumer Protection (E-Commerce) Rules 2020.
4. Returns, refunds, and disputes: to assess and resolve return claims under the returns mechanic published in our Terms of Use, to process refunds through the PA, and to mediate Buyer-Vendor disputes.
5. Personalisation of the Platform: to show products you are likely to be interested in, remember your size and address preferences, and reduce friction in checkout. We do not engage in profiling that produces legal or similarly significant effects on you, and we do not engage in behavioural advertising directed at children (and our Platform is not intended for children, see Section 13).
6. Communications: to send you transactional messages (order confirmations, dispatch updates, OTPs, refund confirmations) and, where you have opted in, promotional messages.
7. Security and fraud prevention: to detect and prevent fraud, account compromise, abuse of returns, payment fraud, identity theft, and similar activity.
8. Legal compliance: to comply with our obligations under the IT Act, the GST Act, the Income-tax Act, the FEMA framework, the Consumer Protection Act, the BSA (and its electronic-records evidentiary rules), the BNS, the Prevention of Money-laundering Act (where applicable to our Payment Aggregator’s KYC processes), and CERT-In incident reporting directions.
9. Improvement and analytics: to understand how the Platform is used and to improve it. We use aggregated and anonymised data wherever possible.
10. Mergers, acquisitions, or business restructuring: if Jhaazi as a sole proprietorship is converted into a Private Limited Company (which we intend to do), or if there is any other restructuring or transfer of the business, your Personal Data may be transferred to the successor entity, in which case this policy will continue to apply.
5. How we share your Personal Data
We share your Personal Data only with the parties listed below, only for the purposes listed, and only to the extent necessary.
5.1 Vendors
When you place an order, we share your name, shipping address, mobile number, and order details with the Vendor whose Product you are buying. The Vendor needs this to ship and to provide post-Sale support. Vendors are bound by our Vendor Agreement to use your Personal Data only for fulfilling your order and providing customer service, and to apply reasonable security and retention practices. Vendors who use your Personal Data for any independent purpose (such as their own marketing) may do so only with your separate consent obtained directly by them.
5.2 Payment Aggregator and payment ecosystem
Our Payment Aggregator (currently Cashfree) processes your payment, holds funds in its RBI-mandated escrow account, and settles to the Vendor and to us. We share with the PA the information needed for this (your name, contact, the order amount). The PA, in turn, may share information with the relevant card networks, banks, and UPI infrastructure providers. The PA’s own privacy practices apply to its processing.
5.3 Couriers and logistics partners
Couriers engaged by the Vendor to ship your Product receive your name, shipping address, contact number, and the order details. They use this for delivery and tracking only.
5.4 Communication providers
We use third-party providers for SMS, email, OTP, and WhatsApp Business communications. They process your contact information solely as our processor.
5.5 Analytics, fraud, and infrastructure providers
We use third-party providers for hosting (cloud infrastructure such as Amazon Web Services, Microsoft Azure, or Google Cloud Platform), email delivery, analytics (such as Google Analytics 4 or comparable), error monitoring (such as Sentry), customer support tools, and fraud-prevention tools. These providers process Personal Data only as our processors and only on our instructions, under written contracts that include security and confidentiality obligations.
5.6 Professional advisers
We may share Personal Data with our auditors, lawyers, accountants, and tax advisers under their professional confidentiality obligations, only to the extent reasonably necessary.
5.7 Regulators, courts, and law enforcement
We may share Personal Data with regulators, courts, or law-enforcement agencies (a) in response to a lawful order or notice, (b) where compelled by law, (c) where reasonably necessary to investigate fraud or wrongdoing on the Platform, or (d) to assert or defend our legal rights.
5.8 Successor entity on conversion or restructuring
If we incorporate a Private Limited Company and transfer the business of “Jhaazi” to it, or if we otherwise restructure the business, your Personal Data may be transferred to the successor. The successor will continue to be bound by this policy or by a successor policy with materially equivalent terms. We will notify you before any such transfer takes effect.
5.9 We do not sell Personal Data
We do not sell your Personal Data to data brokers or to third parties for their independent marketing.
6. Security
We implement reasonable security safeguards to protect Personal Data from unauthorised access, alteration, disclosure, or destruction. The measures we apply include: TLS encryption in transit; encryption at rest for sensitive fields; salted-and-hashed storage for passwords; role-based access controls; access logs; periodic security reviews; vulnerability management; vendor security assessments for processors; and personnel training. We benchmark our practices against the IS/ISO/IEC 27001 family of standards consistent with Rule 8 of the SPDI Rules and the security requirements under Section 8(5) of the DPDPA and Rule 6 of the DPDP Rules. If a personal data breach occurs that is likely to result in risk to you, we will notify the Data Protection Board and you, in accordance with Section 8(6) of the DPDPA and Rule 7 of the DPDP Rules, in the manner and within the timelines prescribed. No security control is perfect, and no platform can guarantee that its security cannot be defeated. We are honest about that. What we promise is that we apply the practices we have described and that we work to improve them continuously.
7. How long we keep Personal Data
We keep Personal Data for as long as we need it for the purpose for which it was collected, plus any minimum retention period required by Applicable Laws. Specific retention periods include:
1. Buyer account data: for as long as your account is active. If you delete your account, we delete or anonymise account-level data within ninety days, except where retention is required by Applicable Laws (see item 2 below).
2. Order, invoice, and tax records: at least seven years from the date of the relevant transaction, in line with Section 36 of the CGST Act 2017 and the corresponding income-tax record-retention requirements.
3. Communications related to grievances: for at least three years from resolution.
4. KYC records (Vendors): at least seven years from the cessation of the Vendor’s relationship with us, under the PMLA framework as applied through our Payment Aggregator.
5. Logs (security, access, audit): for periods between ninety days and three years depending on the log category.
6. Marketing-related Personal Data: until you withdraw consent or for two years from your last interaction with us, whichever is earlier.
After the applicable retention period, we delete or anonymise Personal Data so that it is no longer associated with you.
8. Cookies and similar technologies
We use cookies and similar technologies (local storage, pixels, SDKs) for: keeping you logged in, remembering your cart, measuring how the Platform is used, preventing fraud, and (where you have opted in) measuring marketing effectiveness. The categories we use are:

| Category | Purpose | Examples | Can you turn off? |
| --- | --- | --- | --- |
| Strictly necessary | Required for the Platform to work: login session, security tokens, cart contents, fraud screening, load balancing. | Session ID; CSRF token; cart cookie; bot-detection cookie. | No. Without these the Platform cannot function. |
| Functional | Remember your preferences and improve usability: language, region, recently viewed items, saved size preference. | Language preference; size selector memory; recently-viewed list. | Yes, in cookie preferences. The Platform may behave less helpfully if turned off. |
| Analytics | Help us understand how the Platform is used so we can improve it. Aggregated and pseudonymised wherever possible. | Google Analytics 4 (or equivalent); error monitoring (Sentry-style); page-load performance. | Yes, in cookie preferences and in the cookie banner shown on first visit. |
| Marketing measurement | Measure the effectiveness of our own marketing (whether an advertisement led to a Platform visit). Used only where you have opted in. | Conversion pixel; UTM-tracking cookie. | Yes, opt-in basis. Off by default. |

We do not place behavioural-advertising cookies. We do not allow third-party advertisers to drop their own tracking cookies on our pages.
8.1 Future session and screen recording
We may, in the future, introduce session and screen recording for product analytics and debugging. When and if this is introduced, we will (a) update this Privacy Policy with prominent advance notice and the identity of the recording vendor, (b) seek your consent through a notice that aligns with DPDPA Section 5 and Section 6 (and provides easy opt-out), (c) automatically mask sensitive fields from recordings (full name on auto-fill, full mobile number, postal address, card details, UPI ID, OTPs, and any free-text field that may contain PII), (d) suppress recording on Payment Aggregator screens and other sensitive flows, (e) cap retention, (f) restrict access to replay tools to a small set of authorised personnel and log every replay viewing for audit, and (g) maintain a written data-processing agreement with the recording vendor consistent with DPDPA Section 8 and Rule 6 of the DPDP Rules. Until we make this update, no session or screen recording is in operation.
9. Marketing communications
We will send you transactional messages (order confirmations, OTPs, dispatch and delivery updates, refund confirmations, grievance acknowledgements, security alerts, account notices) regardless of marketing preferences, because they are necessary to provide the service. For promotional messages (offers, recommendations, new collections), we send these only where you have opted in. You can opt out at any time through (a) the unsubscribe link in any promotional email, (b) the “Communications” section in your account settings, (c) replying STOP to a promotional SMS, or (d) writing to support@jhaazi.com. We comply with the TCCCPR framework: our SMS templates are registered on the relevant Distributed Ledger Technology platform, we honour DND preferences, and our principal-entity registration is current.
10. Cross-border transfer of Personal Data
Your Personal Data may be processed on cloud infrastructure located outside India (for example, in Singapore, the United States, or the European Union) where our hosting and processor partners operate. The DPDPA permits transfer of Personal Data outside India to any country that is not on a list of restricted countries notified by the Central Government under Section 16 of the DPDPA. As of the date of this policy, no country has been notified as restricted. If a country is later notified as restricted, we will not transfer Personal Data to that country and we will adjust our processor relationships accordingly. We rely on contractual and technical safeguards (including data-processing agreements with foreign processors and encryption in transit and at rest) to protect your Personal Data while it is being processed outside India.
11. Your rights as a Data Principal
The DPDPA gives you the rights set out below. We will honour these rights without undue delay (and within any timelines prescribed by the DPDP Rules, where the relevant section is in force).
1. Right to access: you can ask us for a summary of the Personal Data we are processing about you, the purposes of processing, and the identities of the Data Fiduciaries and Data Processors with whom we have shared your Personal Data.
2. Right to correction and erasure: you can ask us to correct inaccurate or incomplete Personal Data and to erase Personal Data that is no longer necessary for the purpose for which it was processed, subject to legal retention obligations.
3. Right to grievance redressal: you can raise a grievance with our Grievance Officer (Section 14 below). We will acknowledge within twenty-four hours and resolve within fifteen days, in accordance with the IT Rules 2021. If you are not satisfied with our response, you can approach the Data Protection Board.
4. Right to nominate: you can nominate another person to exercise your rights in the event of your death or incapacity.
5. Right to withdraw consent: where we process Personal Data on the basis of your consent, you can withdraw consent at any time, with the same ease with which you gave it. Withdrawal does not affect the lawfulness of processing before withdrawal. After you withdraw consent, we will stop processing your Personal Data for the corresponding purpose, unless we are required or permitted to continue under Applicable Laws.
To exercise any of these rights, please write to support@jhaazi.com or use the in-app “Privacy Rights” feature once it is available. We may need to verify your identity before acting on a request.
11A. Automated decision-making
We do not use solely-automated processing, profiling, or algorithmic scoring to make decisions that produce legal effects on you (such as denying you an account or excluding you from the Platform) or that significantly affect you in a similar way. Specifically, our anti-fraud, anti-abuse, and risk controls may be automated as a first step but a human reviewer is involved before any account closure, payment hold, or similar significant action takes effect. We do not use your Personal Data to set personalised pricing.
12. Vendors: your data on the Platform
If you are a Vendor, this Section applies in addition to the rest of the policy. We collect KYC information about you (and, where applicable, your partners, designated partners, directors, or beneficial owners) under our Payment Aggregator’s KYC obligations. The basis for this processing is (a) your consent at onboarding, (b) the requirements of the RBI Master Direction on KYC and the PMLA framework as applied through our PA partner, and (c) the requirements of the GST and Income-tax frameworks for invoicing, TCS, and TDS. We share KYC and contact information with our PA, with regulators when required, and with any successor entity to which our business is transferred. We do not share KYC information with Buyers; what Buyers see is the information you choose to display on your storefront, which we display in accordance with the Consumer Protection (E-Commerce) Rules 2020. Where you provide an Aadhaar number for KYC, we and our PA mask the Aadhaar number in storage so that only the last four digits are visible, in line with the UIDAI Information Security Policy and the Aadhaar (Sharing of Information) Regulations 2016. Aadhaar authentication is performed by the PA in offline-XML or comparable consented mode; we do not perform Aadhaar authentication directly. We retain KYC records for at least seven years from the date you cease to be a Vendor on the Platform.
13. Children
The Platform is not intended for, directed at, or marketed to persons under the age of eighteen years. We do not knowingly collect Personal Data from children. If you become aware that a child has provided Personal Data to us, please contact us at support@jhaazi.com and we will delete it promptly.
14. Grievance redressal: how to reach us
If you have a question, complaint, or request relating to your Personal Data, please contact our Grievance Officer.
Grievance Officer
Name: Venkata Murali Krishna Ryali
Designation: Grievance Officer (under Rule 3(2) of the IT Rules 2021 and Rule 4(4) of the Consumer Protection (E-Commerce) Rules 2020)
Email: support@jhaazi.com
Postal address: 2nd floor, #93, 1st stage, 4th cross, Arekere Mico layout, BG road, Bengaluru - 560076
We will acknowledge your communication within twenty-four hours and respond substantively within fifteen days. If you are not satisfied with the response, you can escalate to the Data Protection Board (once operational complaints are accepted) or, for consumer issues, the relevant Consumer Disputes Redressal Commission. If, in due course, the Central Government classifies us as a Significant Data Fiduciary under Section 10 of the DPDPA, we will appoint a Data Protection Officer and update this Section accordingly.
15. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of the policy will reflect the latest revision. If a change is material (for instance, a new category of Personal Data we collect, a new purpose that requires fresh consent, a new processor that processes outside India), we will give you reasonable advance notice through the Platform, by email, or by SMS, and (where required) we will seek fresh consent.
16. Disclaimer about scope
This policy describes our practices in respect of Personal Data we collect through the Platform. It does not cover Personal Data you provide directly to a Vendor outside the Platform (for instance, on the Vendor’s own website, in physical stores, or through social media). The Vendor’s own privacy practices apply in those situations.
End of Privacy Policy.