Privacy Policy
Effective Date: 1 January 2026 · Biddit India Private Limited DPDP Act 2023 Compliant
Biddit India Private Limited (hereinafter referred to as the "Company", "We", "Us", or "Data Fiduciary") is committed to the highest standards of data protection and privacy in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 and the Information Technology Act, 2000. This document outlines the rigorous protocols for the collection, processing, and retention of personal data belonging to users, bidders, and sellers (the "Data Principals").
1. Data Collection & Authentication Protocols
1.1 Identity Verification
Access to the Arena is strictly prohibited for individuals under the age of 18. We mandate the submission of Permanent Account Number (PAN) and/or Aadhaar details to verify the age of majority and legal capacity to enter into binding contracts.
1.2 Financial Data
All high-value transactions are processed via Razorpay. We do not store raw card numbers; however, we retain transaction tokens and historical logs of all bid-related deposits (EMD).
1.3 Technical Telemetry
To ensure the integrity of the "Popcorn Logic" auction timer, we collect millisecond-level telemetry, including IP addresses, device identifiers (IMEI/MAC), and latency data.
{{-- Section 2 --}}2. Arena Transactional Monitoring
2.1 Behavioral Profiling
We monitor bidding aggression and patterns to detect automated bot activity. Users consent to such profiling as a prerequisite for Arena entry.
2.2 Handover Telemetry
During the physical asset transfer, we log the precise GPS coordinates and IP address of the OTP Handover event. This serves as the irrefutable proof of asset receipt.
{{-- Section 3 --}}3. Data Sharing & Localization
3.1 Infrastructure
We utilise global cloud regions (AWS / Google Cloud) for high-availability database management. Data Principals acknowledge that data may reside on global servers while remaining under Biddit's fiduciary control.
3.2 Legal Disclosure
We reserve the right to share transaction metadata and KYC documents with the Income Tax Department, GST Authorities, and Law Enforcement Agencies without prior notice to the user, where required by applicable Indian law.
3.3 Meta / WhatsApp Integration
We utilise the official WhatsApp Business API for transactional alerts (overtaken bids, winning notices, OTP delivery). Phone numbers are shared with Meta Platforms Inc. for this sole purpose and are not used for advertising.
{{-- Section 4 --}}4. Retention & Erasure
4.1 Statutory Retention
KYC and financial logs are retained for a minimum period of eight (8) years to comply with Indian tax and corporate audit requirements. Transaction records cannot be deleted on user request within this window.
4.2 Video Purge
Inspection and unboxing videos are retained for a maximum of fifteen (15) days post-delivery. If no dispute is raised within this window, the media is irrevocably purged from our servers.
{{-- Section 5 --}}5. Your Rights (DPDP Act 2023)
Under India's Digital Personal Data Protection Act 2023, you have the following rights as a Data Principal:
- Right of Access: Request a summary of personal data we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of data, subject to statutory retention obligations (see §4.1).
- Right to Withdraw Consent: Withdraw consent for non-essential processing at any time. This may restrict access to certain platform features.
- Right to Grievance Redressal: Raise complaints with our designated Grievance Officer (see §8).
- Right to Nominate: Nominate another individual to exercise your rights in the event of death or incapacity.
To exercise any of these rights, email privacy@biddit.in from your registered email address with the specific request.
{{-- Section 6 --}}6. Data Security
We implement industry-standard security measures including TLS 1.3 encryption for all data in transit, bcrypt password hashing, rate-limiting on all authentication endpoints, and strict access controls limiting internal visibility of personal data. Security incidents are reported to the relevant authority within 72 hours as required by the DPDP Act 2023.
If you suspect a security breach or unauthorised access, notify us immediately at security@biddit.in.
{{-- Section 7 --}}7. Cookies
We use session cookies to maintain your login state and preference cookies to remember your settings (e.g. dismissed banners). We do not use third-party tracking cookies for advertising. You may configure your browser to reject cookies; however, this will prevent login and platform access.
{{-- Section 8 --}}8. Grievance Officer
In accordance with the Information Technology Act 2000 and the DPDP Act 2023, we have designated a Grievance Officer to address data-related complaints:
9. Contact Us
For any privacy-related questions or requests, write to us at privacy@biddit.in or at:
Biddit India Private Limited, Jaipur, Rajasthan – 302001, India.
This policy is a legally binding instrument. Usage of biddit.in constitutes express consent to these terms. Biddit India Private Limited reserves the right to amend this policy at any time. Material changes will be communicated to registered users by email.