§ 01
Data Fiduciary identity
Bidzo Technologies LLP, a Limited Liability Partnership incorporated in India under the Limited Liability Partnership Act, 2008 on 24 December 2025 (LLPIN: ACT-8005, PAN: ABGFB1300D, TAN: JLDB05512D), with its registered office at First Floor, Gill Complex, Chandigarh Rd, opposite Punjab National Bank, Kohara, Ludhiana, Punjab 141112, India, is the Data Fiduciary for personal data processed through bidzo.app and related services. References to 'we', 'us', 'our', or 'Bidzo' in this disclosure mean Bidzo Technologies LLP. Bidzo is not currently classified as a Significant Data Fiduciary under Section 10 of the Act; this status will be reviewed if MeitY notifies Bidzo or thresholds change.
§ 02
Data Protection Officer / contact for queries
Rahul Singh serves as the contact for all DPDP-related queries, requests, and grievances. Reach him at [email protected]. The DPO is the first point of contact for exercising any right described below; responses are issued within ninety (90) days as required by the Rules.
§ 03
Categories of personal data we process
Identification and contact data (name, email, phone, organization, role); authentication data (password hashes, OAuth tokens, session metadata); platform-generated data (bid records, documents you upload, CRM contacts, AI conversation history, audit events, messaging activity); technical data (IP address, user-agent, timestamps) collected for security and abuse prevention. We do not knowingly process sensitive categories such as biometric, financial-account, or health data outside what you voluntarily provide for tender execution. Documents you upload for tender execution may contain financial details, identification numbers (PAN, Aadhaar, GSTIN), or bank-account details of your business or its authorised representatives — you retain control of such documents and may delete them via the platform's document-management interface at any time, subject to retention obligations described below.
§ 04
Purposes of processing and lawful basis
Personal data is processed for: (a) account creation and authentication, on the basis of your consent at signup; (b) operating the procurement, CRM, messaging, and intelligence modules you enable, as a necessary incident of the services you have requested; (c) sending transactional notifications (verification, invites, system alerts) under legitimate use; (d) aggregated analytics and security monitoring under legitimate use; (e) compliance with applicable Indian law. Each purpose is itemized in the consent notice you see at signup.
§ 05
Your rights as a Data Principal
You have the right to: (1) access a summary of personal data we hold about you and the processing performed; (2) correct inaccurate data; (3) update changed details such as address or contact; (4) request erasure when no longer required for the purpose collected; (5) nominate another individual to exercise these rights on your behalf in case of incapacity; (6) raise a grievance with our DPO and, if unresolved, escalate to the Data Protection Board of India and the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). All rights requests are addressed within ninety (90) days.
§ 06
Withdrawal of consent
Consent given for optional processing may be withdrawn at any time by writing to [email protected] or through the in-app consent panel under Settings → Privacy (post-launch). Withdrawal does not affect lawful processing carried out before withdrawal, and may limit your ability to use features that depend on the withdrawn data category.
§ 07
Children's data
Bidzo is a B2B procurement platform and is not directed at children under 18. We do not knowingly collect personal data of children. If a Data Fiduciary using Bidzo processes a child's personal data through our platform, that fiduciary is responsible for obtaining verifiable parental consent as required by Section 9 of the Act, except where the processing relates to essential services such as healthcare, education, or real-time safety.
§ 08
Persons with disabilities
Where a Data Principal is a person with a disability who cannot independently take legal decisions even with support, consent must be provided by their lawful guardian as verified under the Rights of Persons with Disabilities Act, 2016. Contact the DPO at [email protected] for assistance with any guardian-mediated request.
§ 09
Cross-border transfers
Primary data storage is in India through Supabase Postgres on Indian infrastructure. Some processors may store transactional metadata outside India (e.g., Resend for email delivery, Razorpay for domestic payments — subject to its own RBI-regulated localization, PayPal for international payments once active, Google Workspace for business email correspondence, Sentry for error telemetry, AI providers used for in-app assistant features). Transfers occur only to jurisdictions not restricted by MeitY notification under Section 16 of the Act. The current list of sub-processors, with the data category and processing region for each, is maintained at /trust/sub-processors.
§ 10
Retention
Personal data is retained as long as your account is active or as needed to deliver the services you have engaged. After account closure, identifying data is deleted within 90 days unless retention is required by law (e.g., GST and tax records under the Income Tax Act, 1961 — typically eight years). Audit-log entries and evidence bundles tied to bid execution may be retained for the contractual retention window of the underlying engagement.
§ 11
Security safeguards
We employ encryption in transit (TLS) and at rest, role-based access control, row-level security in Postgres, audit logging of significant actions, and routine dependency vulnerability review. The full security posture is described at /trust/security. Per the DPDP Act, failure to maintain reasonable security safeguards may attract a penalty of up to ₹250 crore — we treat security as a board-level priority.
§ 12
Personal data breach notification
On detection of a personal data breach affecting your account, Bidzo will notify you without undue delay in plain language describing what happened, the nature and scope of impact, mitigation steps already taken, what you can do to protect yourself, and the contact for further help. We will also notify the Data Protection Board of India in the form and timeline prescribed by the Rules.
§ 13
Grievance redressal escalation path
Step 1 — write to the DPO at [email protected]. Step 2 — if unresolved within 90 days or you are dissatisfied, file a complaint with the Data Protection Board of India through the Board's official portal once operational. Step 3 — appeals against the Board's decisions are heard by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Bidzo will cooperate fully with any inquiry or directive from the Board.
§ 14
Updates to this disclosure
These disclosures will be updated as the DPDP Rules, 2025 enter their phased compliance window (eighteen months from notification on 14 November 2025) and as Bidzo's data-handling practices evolve. The 'last updated' timestamp at the bottom of this page reflects the most recent material change. We recommend reviewing it periodically.