Privacy Policy
Last updated: 2026-05-25 · Sevasannidhi LLP, Bangalore, India
Plain summary: We collect only the data we need to run sevas safely (your name, contact, sankalpa details for the priest, payment confirmation). We don’t sell your data, don’t advertise on third-party networks using it, and don’t keep it longer than required. You can ask us to show, correct, or erase your data any time via grievance@sevacart.com.
1. Who we are (Data Fiduciary)
Under the Digital Personal Data Protection Act, 2023, the Data Fiduciary for personal data collected via SevaCart is:
Sevasannidhi LLP
No. 30, Nirman Layout, Koppa Village, Bangalore 560105, Karnataka, India
Contact: support@sevacart.com · +91 99160 84455
2. What data we collect
2.1. Account data — name, email address, phone number, language preference, encrypted password (or OAuth identifier when you sign in via Google).
2.2. Seva booking data — devotee name, gotra, nakshatra, parents’ names, sankalpa text (the spiritual intent / purpose you state), seva selection, booking date.
2.3. Address & delivery data — only when you opt to receive physical prasada or printed receipts.
2.4. Payment data — handled by Cashfree Payments India Private Limited (RBI authorised payment aggregator). SevaCart stores only the last 4 digits and the transaction reference. We do NOT store full card numbers, CVV, UPI PINs, or bank account passwords.
2.5. Device & usage data — IP address (kept for 90 days for fraud and abuse prevention), browser/device type, app version, broad geographic region inferred from IP. We do not store precise location.
2.6. Communications — messages you exchange with a Partner or priest via the in-app inbox, dispute notes, and the contents of receipts and proof uploaded by Partners.
2.7. Children’s data. SevaCart is not intended for users under 18. We do not knowingly collect children’s data without verifiable parental consent (DPDP §9).
3. Purpose of processing & legal basis
We process your data only for the following specific purposes:
- To deliver the seva you booked — share sankalpa with the performing priest (DPDP §6 consent).
- To process payment and issue receipts — share transaction details with Cashfree (DPDP §7(a) contract performance).
- To send confirmations and reminders — booking confirmation, dakshina receipts, festival reminders you opted into (DPDP §6 consent; opt-out at any time).
- To prevent fraud and protect the platform — IP retention, rate limiting, security event logging (DPDP §7(b) legitimate interest).
- To comply with law — GST and accounting books, fraud disclosure to authorities, court orders (DPDP §7(g) legal obligation).
4. Who we share data with
4.1. The Partner you booked with — the listed temple, priest, or institute receives your name, sankalpa details, gotra, nakshatra, and contact (so they can perform the seva and reach you about the booking). The Partner becomes a Data Fiduciary for any data they download or store outside SevaCart.
4.2. Cashfree Payments — for payment processing. Cashfree’s privacy notice: cashfree.com/privacy-policy.
4.3. ZeptoMail (transactional email) and MSG91 (SMS, when enabled) — for delivering confirmations and OTPs. They process only the contact field and the message body.
4.4. Government, regulators, courts — when legally compelled, or when necessary to prevent fraud or protect safety.
4.5. We do NOT sell your data. We do not share it with advertising networks, data brokers, or unrelated third parties for marketing purposes.
5. Where your data is stored
Personal data is hosted in India (Supabase infrastructure, Mumbai region ap-south-1). Operational backups are encrypted at rest. We do not transfer personal data to countries that DPDP §16 designates as restricted, unless lawful and disclosed to you.
6. How long we keep your data
- Account data — until you delete your account or remain inactive for 36 months, whichever is sooner.
- Abandoned partner signups — deleted automatically after 10 days of no activity (reminders at days 2, 4, 6, 8).
- Booking records — retained for 7 financial years to comply with GST and Income Tax record-keeping rules.
- Payment metadata — last4, reference, amount retained for 7 financial years for tax compliance; full card data is never stored.
- IP addresses — 90 days for fraud / abuse prevention, then deleted automatically by daily cron.
- Sankalpa text + family details — retained on the booking record for the lifetime of that record (so you can re-print the receipt later).
- Security event logs — 12 months.
7. Your rights (DPDP §11)
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or out-of-date data.
- Erasure — ask us to delete your data, subject to legal retention obligations (e.g. GST records for 7 years).
- Withdraw consent — at any time, for processing based on consent. This will not affect lawful processing carried out before withdrawal.
- Nominate — appoint another individual to exercise your rights in the event of your death or incapacity (DPDP §13).
- Grievance — raise a complaint to our Grievance Officer (Section 10 below).
To exercise any of these rights, email grievance@sevacart.com with the subject line “DPDP request”. We will acknowledge within 48 hours and respond within 30 days.
8. Security measures
We follow reasonable security practices as required by IT Act §43A and the SPDI Rules 2011:
- HTTPS everywhere; HSTS preload.
- Encrypted database storage; encrypted backups.
- Row-Level Security (Supabase RLS) enforced on all tables.
- Service-role keys held server-side only; never exposed to the browser.
- Bot defence at the edge (Cloudflare Turnstile on sign-up forms; rate limiting on APIs).
- OWASP-aligned input validation, SVG MIME blocked at upload boundary, file-size limits.
- Intrusion-detection cron + automatic IP blocking on suspicious activity.
- Quarterly review of access logs, dependency upgrades.
No system is perfectly secure. If we discover a personal-data breach affecting you, we will notify you and the Data Protection Board of India as required by DPDP §8(6).
9. Cookies & trackers
We use only strictly-necessary cookies (authentication session, CSRF token, language preference, security challenge). We do not use third-party advertising cookies, behavioural tracking scripts, or cross-site fingerprinting. A minimal in-house analytics counter aggregates pageviews without storing personal identifiers in browser cookies.
10. Grievance Officer (DPDP §10)
Grievance Officer
Email: grievance@sevacart.com
Phone: +91 99160 84455
Address: No. 30, Nirman Layout, Koppa Village, Bangalore 560105, Karnataka, India
If you are not satisfied with our resolution, you may approach the Data Protection Board of India under DPDP §27.
11. Changes to this policy
We may update this Policy from time to time. Material changes will be notified to you via the in-app inbox and to your registered email at least thirty (30) days before the effective date, so you can withdraw consent or close your account if you do not agree.
Note: This Privacy Policy is a starting template prepared by Sevasannidhi LLP for transparency. It does not constitute legal advice. If you are uncertain about your rights or our obligations, consult a qualified lawyer. Material changes will be communicated as required by Section 11.