Privacy Policy
Website: https://grabzo.app
Last Updated: February 2026
Grabzo (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use the Grabzo website at grabzo.app, mobile application, and related services (collectively, the “Platform”).
This Privacy Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (“DPDP Act”).
By using the Platform, you consent to the collection, use, and processing of your personal data as described in this Privacy Policy.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: When you create an account, we collect your name, email address, and profile picture (if you sign in via Google).
- UPI / Payment Details: If you choose to redeem Grabzo Rewards via UPI transfer, we collect your UPI ID or linked bank account details at the time of redemption. We do not store full bank account numbers or card details.
- Communication Data: If you contact us for support or feedback, we may collect your email address and the content of your communication.
1.2 Information Collected Automatically
- Usage Data: We collect information about how you use the Platform, including your search queries, products viewed, products clicked, pages visited, and time spent on the Platform.
- Device Information: We collect device type, operating system, browser type, screen resolution, and unique device identifiers.
- IP Address & Location: We collect your IP address and may derive approximate location (city/state level) to provide location-relevant results.
- Cookies & Similar Technologies: We use cookies, local storage, and similar tracking technologies to maintain your session, remember preferences, and analyse usage patterns. See Section 7 for details.
1.3 Information from Third Parties
- Google Sign-In: If you use Google to create your account, we receive your name, email address, and profile photo from Google, as permitted by your Google account settings.
- Affiliate Partners: We may receive order confirmation data (order ID, product category, order amount, commission status) from our affiliate partners (Amazon, Flipkart, Myntra, Nykaa, Ajio, and others via VCommission) to process Grabzo Rewards.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing Services: To operate the AI shopping assistant, display product results, process affiliate clicks, and provide personalised recommendations.
- Grabzo Rewards: To track qualifying purchases, calculate rewards, manage your wallet balance, and process reward redemptions (UPI transfers or gift cards).
- Account Management: To create and manage your account, authenticate your identity, and maintain your search history and wishlists.
- Improvement & Analytics: To analyse usage patterns, improve our AI recommendations, enhance the Platform experience, and fix bugs. We use PostHog for product analytics.
- Communication: To send transactional notifications (reward confirmations, account updates) and, with your consent, promotional communications about deals or platform updates.
- Legal Compliance: To comply with applicable laws, prevent fraud, protect our legal rights, and respond to legal requests.
3. How We Share Your Information
We do not sell your personal information to third parties. We may share your information in the following limited circumstances:
- Affiliate Partners: When you click an affiliate link, a tracking identifier (which may include a hashed user ID and session ID) is passed to the e-commerce platform to enable commission tracking and reward attribution. We do not share your name, email, or contact details with affiliate partners.
- Payment Processors: If you redeem Grabzo Rewards, your UPI ID or payment details are shared with our payment processing partner (such as Razorpay or Cashfree) to facilitate the transfer. These providers are contractually obligated to protect your data.
- Analytics Providers: We use PostHog for product analytics. Usage data is processed to understand how the Platform is used and to improve our services. This data is anonymised or pseudonymised where possible.
- Hosting & Infrastructure: Your data is stored on servers provided by Supabase (database) and Vercel (application hosting). These providers maintain industry-standard security practices.
- Legal Requirements: We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, prevent fraud, or ensure user safety.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Platform before your information is subject to a different privacy policy.
4. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with services. Specific retention periods are as follows:
- Account Data: Retained until you delete your account.
- Search History & Wishlists: Retained until you delete them or delete your account.
- Reward & Transaction Data: Retained for a minimum of 8 years from the date of the transaction, as required under Indian tax and accounting regulations.
- Usage & Analytics Data: Retained in anonymised or aggregated form indefinitely for analytical purposes.
- Communication Records: Retained for 3 years from the date of communication.
When personal data is no longer required, we will securely delete or anonymise it.
5. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest.
- Row-level security (RLS) policies on our database to ensure users can only access their own data.
- Secure authentication via Supabase Auth with support for email and Google sign-in.
- Regular security reviews and access controls for our team.
- Secure handling of UPI/payment details through PCI-compliant payment processors.
While we strive to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but will notify you promptly in the event of a data breach as required by applicable law.
6. Your Rights Under the DPDP Act, 2023
Under the Digital Personal Data Protection Act, 2023 and other applicable laws, you have the following rights:
- Right to Access: You may request access to the personal data we hold about you.
- Right to Correction: You may request correction of any inaccurate or incomplete personal data.
- Right to Erasure: You may request deletion of your personal data, subject to our legal retention obligations.
- Right to Withdraw Consent: You may withdraw your consent to the processing of your personal data at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Grievance Redressal: You have the right to file a complaint with our Grievance Officer or with the Data Protection Board of India.
- Right to Nominate: You have the right to nominate another individual who may exercise your rights in the event of your death or incapacity.
To exercise any of these rights, please contact us at admin@grabzo.app. We will respond to your request within 30 days.
7. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: Required for the Platform to function (session management, authentication). These cannot be disabled.
- Analytics Cookies: Used by PostHog to understand how users interact with the Platform. These help us improve our service.
- Preference Cookies: Store your preferences such as theme (dark/light mode) and language settings.
You can manage cookies through your browser settings. However, disabling essential cookies may prevent the Platform from functioning correctly. We do not use advertising or third-party tracking cookies.
8. Children’s Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will take immediate steps to delete such information. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at admin@grabzo.app.
9. Cross-Border Data Transfers
Your data is primarily stored and processed in India using Supabase and Vercel infrastructure. Some of our service providers (such as analytics tools) may process data in other jurisdictions. Where data is transferred outside India, we ensure that adequate safeguards are in place in accordance with the DPDP Act, 2023 and applicable regulations.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated Privacy Policy on the Platform with a revised “Last Updated” date and, where appropriate, by sending you an email notification.
Your continued use of the Platform after the posting of changes constitutes your acceptance of the updated Privacy Policy.
11. Grievance Officer
In compliance with the Information Technology Act, 2000 and the DPDP Act, 2023, we have appointed a Grievance Officer to address your concerns:
- Email: admin@grabzo.app
The Grievance Officer will acknowledge your complaint within 48 hours and resolve it within 30 days of receipt.
12. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us at:
- Email: admin@grabzo.app
- Website: https://grabzo.app