Mandee BusinessMandee

Privacy Policy

Last updated: 1 May 2026 · Version 1.0

Published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA") of India.

1. Identity of the Data Fiduciary

Mandee is operated by Tanvrit Pvt. Ltd. ("Tanvrit", "we", "us"), the data fiduciary for the purposes of the DPDPA.

Registered office: 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India.

2. Data Protection Officer

Until a separate DPO is appointed, Vivek Singh (founder) acts as the DPO under DPDPA Section 8(9).

Email: dpo@tanvrit.com

3. Personal Data We Collect

CategoryExamplesPurposeRetention
AccountOwner name, business name, mobile, email, GSTIN, store locations.Provision your multi-store account; identify operators across devices.Life of account + 90 days post deletion.
AuthenticationPassword hashes, OTPs, magic-link tokens, passkey credentials, refresh tokens.Verify identity and prevent account takeover.OTP / magic-links: 10 minutes. Auth audit logs: 365 days.
Device & telemetryDevice model, OS, app version, IP address, crash logs, usage events.Diagnose crashes and measure aggregate feature usage.90 days raw events.
TransactionalInvoices, GST line items, UPI VPA / handle (never the PIN), payment-processor reference IDs, refund records.Run point-of-sale and comply with Indian Income Tax / GST audit obligations.7 years (Income Tax Act, GST Act).
Customer records (your data)Contact details of your customers that you upload to run loyalty / billing.Stored on your behalf as a data processor; we do not market to your customers.Until you delete the records or close the account.
CommunicationsSupport emails, in-app chats with our team.Respond to your queries.3 years after the case closes.

We never store full payment-card numbers, CVV, or UPI PINs.

4. Lawful Basis

Under DPDPA Section 4, we rely on:

  • Consent (Section 6) for account creation, optional marketing, and non-essential analytics.
  • Certain legitimate uses (Section 7) for fulfilling a transaction you initiate, complying with legal obligations, and responding to emergencies.

5. Sharing & Cross-Border Transfers

We do not sell personal data. We use the following processors:

  • Google Cloud Run (asia-south1, Mumbai) — application servers; data stays in India.
  • MongoDB Atlas — primary database.
  • Cloudflare — global CDN and DDoS protection.
  • Razorpay (India) — UPI, cards, netbanking.
  • Stripe Inc. (United States) — recurring international subscriptions where applicable.
  • Twilio Inc. (US, with Indian DLT partners) — transactional SMS / OTP delivery.

Cross-border transfers are performed under safeguards permitted by DPDPA Section 16. We do not transfer data to countries notified by the Central Government as restricted.

6. Your Rights as a Data Principal (DPDPA Section 11)

  • Access a summary of personal data we process.
  • Correction or erasure of inaccurate data.
  • Nominate another individual to exercise your rights.
  • Grievance redressal.
  • Withdraw consent (where consent is the basis of processing).

Email dpo@tanvrit.com from your registered address, or use the deletion form at /account/delete. We respond within 30 days.

7. Children's Data

Mandee is built for adult merchants. We do not knowingly collect data from users under 18. If a parent or guardian becomes aware that a child has signed up, write to dpo@tanvrit.com and we will delete the account and refrain from any behavioural tracking.

8. Security

  • TLS 1.3 in transit.
  • AES-256-GCM encryption at rest for personal-data fields.
  • JWT auth with mutex-protected refresh-token rotation.
  • OTP rate limiting and passkey replay protection.
  • Role-based access controls and admin audit trails.

We do not currently hold ISO 27001 or SOC 2 attestations and do not claim a public uptime SLA. Availability is best-effort and will be backed by a public status page once operational.

9. Breach Notification

We will notify the Data Protection Board of India and every affected data principal within 72 hours of detecting a personal-data breach, in line with DPDPA Section 8(6) and rules thereunder.

10. Retention

  • Financial / tax records: 7 years.
  • Inactive accounts after a deletion request: 90 days.
  • Authentication logs: 365 days.
  • Analytics events: 90 days raw; aggregate counts longer.

11. Cookies & Local Storage

We store the following client-side state:

  • auth_token, refresh_token (localStorage) — session continuity; cleared on logout.
  • tanvrit_app_id (localStorage) — remembers the active store / context.
  • Cloudflare anti-bot cookies (__cf_bm) — security; set by Cloudflare.

12. Updates to this Policy

Material changes are notified to registered users by email at least 30 days in advance.

13. Grievance Redressal & Contact

  • Tanvrit Pvt. Ltd., 168 Plot No 945, Gayatri Mandir se Purab, New Ariya, Sasaram, Bihar 821115, India.
  • DPO: dpo@tanvrit.com
  • Product support: hello@mandee.io
  • Phone: +91 901 680 11 01