1. Who we are & scope
This Privacy Policy describes how FreshOn (operated by [REGISTERED LEGAL ENTITY NAME]) (“FreshOn”, “we”, “us”) collects and processes personal data when you use the FreshOn website, web app and mobile apps (the “Service”). We are the data fiduciary for that processing under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology Act, 2000 and rules made under it.
2. Data we collect
Information you give us
- Account & contact: mobile number (used for OTP login), name, and email if provided.
- Delivery details: delivery addresses, landmark notes, and the geographic location/coordinates you select or share to set an address.
- Orders & wallet: items ordered, order history, wallet top-ups and balance, and refunds.
- Payments: payment is processed by our gateways (Razorpay, ICICI UPI). We receive transaction status, a payment reference and the amount — we do not collect or store your full card number, UPI PIN, CVV or bank credentials.
- Communications & content: support messages, reviews, ratings, and the messages you send to our AI assistant.
Information collected automatically
- Device & app: device identifier, device/OS type, app platform and version, and a push-notification (FCM) token.
- Usage & technical: IP address, log data, pages/screens viewed, actions taken, and approximate location derived from your IP or device for serviceability and fraud prevention.
- Location: with your permission, precise device location to set a delivery address and estimate delivery. You can change location permissions in your device settings at any time.
Information from third parties
- Payment confirmation and status from payment gateways; delivery status from our logistics partners.
3. How & why we use your data
We process personal data to:
- create and secure your account and verify you via OTP;
- take, process, pack, deliver and invoice your orders;
- process payments, wallet, refunds and prevent fraud;
- send transactional messages (order updates) by SMS and push notification;
- provide customer support and the AI assistant;
- operate, secure, debug and improve the Service; and
- comply with legal, tax (GST) and regulatory obligations.
Our legal bases under the DPDP Act are your consent (which you may withdraw), the necessity of processing to perform our contract with you (fulfilling orders), and other legitimate uses and legal obligations permitted by law. We send promotional messages only where permitted and you can opt out.
4. AI processing
The Service uses AI features (an in-app assistant and automated tools built on machine-learning and large language models) to answer questions, help you shop, summarise orders and support customer care. In connection with these features:
- What we process: the messages and context you provide to the AI, plus relevant account/order data needed to give a useful, accurate response.
- Who processes it: we use trusted third-party AI/LLM providers as our processors, acting on our instructions under contractual confidentiality and security terms. Your inputs may be transmitted to and processed by these providers solely to generate the response and operate the feature.
- No sale; limited training: we do not sell your personal data. We do not use your identifiable AI conversations to train third-party public foundation models, and we instruct our providers not to use your data to train their models. We may use de-identified/aggregated interaction data to evaluate and improve quality and safety.
- Retention: AI interaction logs are retained only as long as needed for the conversation, safety, abuse-prevention, debugging and quality, after which they are deleted or de-identified.
- Your choices: the AI is optional — you can use the rest of the Service without it, and you should avoid entering sensitive personal data into AI chats. AI output may be inaccurate; verify important details (see our Terms, “AI-powered features”).
5. When we share data
We share personal data only as needed, with:
- Payment processors — Razorpay and ICICI Bank — to take payments and process refunds;
- Delivery & logistics partners — to fulfil and deliver your order;
- Communication providers — our SMS gateway and Google Firebase Cloud Messaging (push notifications);
- Maps & location providers — to display maps and resolve delivery addresses;
- AI/LLM providers — as described in “AI processing” above;
- Cloud hosting & infrastructure — to run the Service securely;
- Professional advisers, authorities and acquirers — where required by law, to enforce our terms, protect rights and safety, or in connection with a merger or business transfer.
Our partners are bound to use the data only for the purposes we specify and to protect it. We do not sell your personal data.
6. International transfers
Some of our processors (e.g., cloud, push-notification or AI providers) may process data outside India. Where they do, we take steps required by applicable law and contractual safeguards to protect your data, and transfer only as permitted under the DPDP Act.
7. How long we keep data
We keep personal data only as long as needed for the purposes above and to meet legal obligations. Order and tax records (e.g., GST invoices) are retained for the statutory period (generally up to 8 years). When data is no longer needed, we delete or de-identify it. See our Data & Account Deletion Policy.
8. Security
We use reasonable technical and organisational measures — encryption in transit (HTTPS), access controls, tokenised authentication, and segregated payment handling — to protect your data. No method of transmission or storage is perfectly secure, but we work to protect your information and will notify you and the authorities of a reportable breach as required by law.
9. Your rights
Subject to applicable law, you can:
- access and obtain a summary of the personal data we process about you;
- correct or update inaccurate or incomplete data;
- request erasure of your data and deletion of your account (see our Data & Account Deletion Policy);
- withdraw consent for processing that relies on consent;
- opt out of promotional communications;
- nominate another individual to exercise your rights in the event of death or incapacity, as provided by the DPDP Act; and
- raise a grievance with our Grievance Officer and, if unresolved, with the Data Protection Board of India.
To exercise any right, contact us at privacy@freshon.in. We may verify your identity (e.g., via your registered mobile number) before acting.
10. Children
The Service is intended for users aged 18 and above and is not directed at children. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
11. Cookies & local storage
We use cookies and similar local-storage technologies to keep you signed in, remember preferences, secure the Service, and understand usage. You can control cookies through your browser settings; some features may not work without them.
12. Changes to this policy
We may update this Privacy Policy. We will revise the “Last updated” date and, for material changes, provide notice in the app. Please review it periodically.
Contact & grievances
FreshOn (operated by [REGISTERED LEGAL ENTITY NAME])
#17, 80ft Ring Road, Kengeri Road, Mallathahalli, Bengaluru, Karnataka — 560056, India
General: support@freshon.in · Privacy: privacy@freshon.in
[NAME], Grievance & Data Protection Officer: grievance@freshon.in
We acknowledge grievances within 24 hours and aim to resolve them within 15 days, as required under the Consumer Protection (E-Commerce) Rules and the DPDP Act, 2023.
