Last updated: 2026-07-03 · Sevasannidhi LLP, Shimoga, India
Plain summary: We collect only the data we need to run sevas safely (your name, contact, sankalpa details for the priest, payment confirmation). We don't sell your data, don't advertise on third-party networks using it, and don't keep it longer than required. You can ask us to show, correct, or erase your data any time via grievance@sevacart.com.
1. Who we are (Data Fiduciary)
Under the Digital Personal Data Protection Act, 2023, the Data Fiduciary for personal data collected via SevaCart is:
Sevasannidhi LLP No. 53, Mutaguppe Village Post, Soraba Taluk, Shimoga District, Karnataka 577434 Contact: support@sevacart.com
2. What data we collect
2.1. Account data — name, email address, phone number, language preference, encrypted password (or OAuth identifier when you sign in via Google).
2.2. Seva offering data — devotee name, gotra, nakshatra, parents' names, sankalpa text (the spiritual intent / purpose you state), seva selection, offering date.
2.3. Date of birth (used only to compute a tithi, not stored). Where a seva needs a Vedic birth detail (for example a birthday/janma-nakshatra sankalpa), you may give a date of birth. We use it only to derive the corresponding Hindu tithi / paksha / masa on our server, and we do not store the raw date of birth — it is discarded immediately after the tithi is computed. The same rule applies to any departed-family remembrance entry: a death date you provide is converted to its tithi and the raw date is not retained.
2.4. Address & delivery data — only when you opt to receive physical prasada or printed receipts. Collected solely to fulfil and deliver that parcel.
2.5. Payment data — handled by Cashfree Payments India Private Limited (RBI authorised payment aggregator). SevaCart stores only the last 4 digits and the transaction reference. We do NOT store full card numbers, CVV, UPI PINs, or bank account passwords.
2.6. Device & usage data — IP address (kept for 90 days for fraud and abuse prevention), browser/device type, app version, broad geographic region inferred from IP. We do not store precise location.
2.7. Communications — messages you exchange with a Partner or priest via the in-app inbox, dispute notes, and the contents of receipts and proof uploaded by Partners.
2.8. Children's data. SevaCart is not intended for users under 18. We do not knowingly collect children's data without verifiable parental consent (DPDP §9).
3. Purpose of processing & legal basis
We process your data only for the following specific purposes:
- To deliver the seva you offered — share sankalpa with the performing priest (DPDP §6 consent).
- To process payment and issue receipts — share transaction details with Cashfree (DPDP §7(a) contract performance).
- To send confirmations and reminders — offering confirmation, dakshina receipts, festival reminders you opted into (DPDP §6 consent; opt-out at any time).
- To prevent fraud and protect the platform — IP retention, rate limiting, security event logging (DPDP §7(b) legitimate interest).
- To comply with law — GST and accounting books, fraud disclosure to authorities, court orders (DPDP §7(g) legal obligation).
4. Who we share data with
4.1. The Partner you offered to — the listed temple, priest, or institute receives your name, sankalpa details, gotra, nakshatra, and contact (so they can perform the seva and reach you about the offering). The Partner becomes a Data Fiduciary for any data they download or store outside SevaCart.
4.2. Cashfree Payments — for payment processing. Cashfree's privacy notice: cashfree.com/privacy-policy.
4.3. ZeptoMail (transactional email) and our SMS / WhatsApp processors — Satzilio (STPL) and MSG91 Communications (MSG91 is also our WhatsApp Business Service Provider) — for delivering offering confirmations and one-time passwords (OTPs). They process only the contact field (your email or phone number) and the message body.
4.4. Prasad courier / logistics partner — when you opt to receive physical prasada or a printed receipt, the delivery address and recipient name/phone are shared with the courier or logistics provider (the institution's own courier, or a postal / courier service) strictly to deliver that parcel. They receive only what delivery requires.
4.5. Government, regulators, courts — when legally compelled, or when necessary to prevent fraud or protect safety.
4.6. We do NOT sell your data. We do not share it with advertising networks, data brokers, or unrelated third parties for marketing purposes.
5. Where your data is stored
Personal data is hosted in India (Supabase infrastructure, Mumbai region ap-south-1). Operational backups are encrypted at rest. We do not transfer personal data to countries that DPDP §16 designates as restricted, unless lawful and disclosed to you.
6. How long we keep your data
| Data category | Retention period | Legal basis |
|---|---|---|
| Account data (name, email, phone) | Until account deletion or 36 months inactivity, whichever is sooner | DPDP §7(a) contract; §6 consent |
| Abandoned partner signups | 10 days from last activity (auto-deleted) | Minimal-data principle |
| Offering records & sankalpa | 7 financial years | GST Act §36; Income Tax Act §44AA; DPDP §7(g) |
| Payment metadata (last4, reference, amount) | 7 financial years | Tax record-keeping; full card data never stored |
| FCRA declaration records | 7 financial years | FCRA §17 (records of foreign contribution) |
| IP addresses | 90 days (auto-deleted by daily cron) | Fraud prevention; DPDP §7(b) legitimate interest |
| Security event logs | 12 months | IT Act §43A; IT Rules 2021 |
Note: a raw date of birth or death date is never retained — only the derived tithi (see §2.3) is stored with your offering record.
7. Your rights (DPDP §§11–14)
You have the right to:
- Access (§11) — request a copy of the personal data we hold about you and the identities of the Partners, processors, and payment partner it was shared with.
- Correction & erasure (§12) — ask us to correct inaccurate or out-of-date data, or to delete your data, subject to legal retention obligations (e.g. GST records for 7 years).
- Withdraw consent (§6) — at any time, for processing based on consent. This will not affect lawful processing carried out before withdrawal.
- Nominate (§14) — appoint another individual to exercise your rights in the event of your death or incapacity.
- Grievance (§13) — raise a complaint to our Grievance Officer (Section 10 below).
To exercise any of these rights, email grievance@sevacart.com with the subject line "DPDP request". We will acknowledge within 24 hours and resolve within 15 days (IT Rules 2021 §3(2)).
8. Security measures
We follow reasonable security practices as required by IT Act §43A and the SPDI Rules 2011:
- HTTPS everywhere; HSTS preload.
- Encrypted database storage; encrypted backups.
- Row-Level Security (Supabase RLS) enforced on all tables.
- Service-role keys held server-side only; never exposed to the browser.
- Bot defence at the edge (Cloudflare Turnstile on sign-up forms; rate limiting on APIs).
- OWASP-aligned input validation, SVG MIME blocked at upload boundary, file-size limits.
- Intrusion-detection cron + automatic IP blocking on suspicious activity.
- Quarterly review of access logs, dependency upgrades.
No system is perfectly secure. If we discover a personal-data breach affecting you, we will notify you and the Data Protection Board of India as required by DPDP §8(6).
9. Cookies & trackers
We use only strictly-necessary cookies (authentication session, CSRF token, language preference, security challenge). We do not use third-party advertising cookies, behavioural tracking scripts, or cross-site fingerprinting. A minimal in-house analytics counter aggregates pageviews without storing personal identifiers in browser cookies.
10. Grievance Officer (DPDP §13) & escalation to the Data Protection Board
If you have any complaint about how your personal data is handled, contact our Grievance Officer first (this is the mandatory first step under DPDP §13):
Grievance Officer: Manjunatha M V Bhat Email: grievance@sevacart.com Phone: Address: No. 53, Mutaguppe Village Post, Soraba Taluk, Shimoga District, Karnataka 577434
We acknowledge grievances within 24 hours and resolve them within 15 days (IT Rules 2021 §3(2)).
Escalation. If you are not satisfied with our response, or we do not respond within the stated period, you may escalate to the Data Protection Board of India under the Digital Personal Data Protection Act, 2023 (§27). You must ordinarily exhaust the Grievance Officer route above before approaching the Board.
11. Changes to this policy
We may update this Policy from time to time. Material changes will be notified to you via the in-app inbox and to your registered email at least thirty (30) days before the effective date, so you can withdraw consent or close your account if you do not agree.
_This Policy is governed by the laws of India. For data-rights requests or complaints, write to grievance@sevacart.com. Material changes will be communicated as required by Section 11._