Privacy Policy

Access Rules

Guidelines

Usage Terms

Our Privacy Policy

Active From: July 2025

1. INTRODUCTION, PURPOSE & LEGAL STATUS

1.1 This Privacy Policy (“Policy”) sets out in exhaustive detail the manner in which Glatro Technologies Private Limited, a company incorporated under the provisions of the Companies Act, 2013 and having its registered office at WeWork DLF Forum, Cyber City Phase III, DLF QE, Gurgaon – 122002, Haryana (“Glatro”, “Company”, “we”, “us”, or “our”), collects, receives, records, stores, processes, uses, shares, transfers, discloses, retains, archives, anonymises, and otherwise handles personal data, information, records, and metadata of Users.

1.2 This Policy applies to all interactions with the Glatro platform, whether direct or indirect, including but not limited to:

(a) access to and use of mobile applications, web platforms, APIs, or related services;
(b) browsing without account creation;
(c) registration and account maintenance;
(d) placement, fulfilment, or cancellation of orders;
(e) communications with customer support, grievance officers, or compliance teams;
(f) participation as a Customer, Vendor, Retailer, Delivery Partner, service provider, consultant, or visitor.

1.3 This Policy is issued in compliance with applicable Indian laws, including but not limited to the Information Technology Act, 2000, rules framed thereunder, and the Digital Personal Data Protection Act, 2023, and shall be interpreted accordingly.

1.4 This Policy forms an integral, inseparable, and legally binding part of the Terms of Use available at https://glatro.com/terms-of-use, and shall be read in conjunction therewith., Vendor Agreement, Delivery Partner Agreement, and all other platform policies, guidelines, notices, and contractual documents issued by Glatro from time to time.

1.5 In the event of any inconsistency, conflict, or ambiguity between this Policy and any other document, the interpretation most favourable to Glatro shall prevail, to the maximum extent permitted under applicable law.

(a) expressly acknowledges having read and understood this Policy; you also acknowledge that such use is governed by the Terms of Use available at https://glatro.com/terms-of-use, which shall be read together with this Privacy Policy.
(b) agrees to be bound by its terms;
(c) provides free, informed, specific, and unconditional consent to the processing of personal data as described herein;
(d) waives any objection to such processing, except where prohibited by law.

1. INTRODUCTION, PURPOSE & LEGAL STATUS

1.2 This Policy applies to all interactions with the Glatro platform, whether direct or indirect, including but not limited to:

(a) access to and use of mobile applications, web platforms, APIs, or related services;
(b) browsing without account creation;
(c) registration and account maintenance;
(d) placement, fulfilment, or cancellation of orders;
(e) communications with customer support, grievance officers, or compliance teams;
(f) participation as a Customer, Vendor, Retailer, Delivery Partner, service provider, consultant, or visitor.

(a) expressly acknowledges having read and understood this Policy; you also acknowledge that such use is governed by the Terms of Use available at https://glatro.com/terms-of-use, which shall be read together with this Privacy Policy.
(b) agrees to be bound by its terms;
(c) provides free, informed, specific, and unconditional consent to the processing of personal data as described herein;
(d) waives any objection to such processing, except where prohibited by law.

2.1 Statutory Compliance Framework

This Privacy Policy has been drafted, structured, and implemented in accordance with the applicable legal and regulatory framework in India, including but not limited to the following statutes, subordinate legislation, rules, notifications, circulars, and judicial interpretations, as amended from time to time:

(a) The Information Technology Act, 2000, including all rules, regulations, notifications, and guidelines issued thereunder, governing electronic records, data protection, intermediary obligations, cyber security, and liability of online platforms;
(b) The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, insofar as they regulate the collection, processing, storage, disclosure, and protection of sensitive personal data or information;
(c) The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, including obligations relating to due diligence, grievance redressal, content moderation, and lawful disclosures;
(d) The Digital Personal Data Protection Act, 2023, to the extent applicable, including provisions relating to Data Principals, lawful processing, consent, legitimate use, retention, and enforcement mechanisms;
(e) The Consumer Protection Act, 2019, including e-commerce rules framed thereunder, insofar as they impose obligations relating to transparency, disclosures, and grievance handling;
(f) Any other applicable statute, regulation, guideline, circular, advisory, or order issued by competent governmental, regulatory, or judicial authorities in India.

2.2 Dynamic Compliance & Interpretative Authority

Glatro expressly acknowledges that data protection and privacy laws in India are evolving, and therefore reserves the right to:

(a) interpret and implement this Policy in a manner consistent with the most recent statutoryrequirements, regulatory guidance, or judicial precedents

(b) amend, modify, or supplement this Policy to ensure ongoing compliance without prior notice,except where mandatory notice is required by law

(c) rely upon exemptions, safe harbours, legitimate use provisions, and statutory defences available under applicable law.

2.3 Lawful Bases for Processing of Personal Data

Glatro processes personal data strictly on lawful grounds, including one or more of the following bases, as recognised under Indian law:

2.3.1 Consent-Based Processing

Where required, Glatro processes personal data on the basis of free, informed, specific, and unambiguous consent provided by the User, whether expressly or through clear affirmative action, including continued use of the Platform.

2.3.2 Contractual Necessity

Processing is necessary for the performance of contractual obligations, including but not limited to account creation, order fulfilment, delivery coordination, payment processing, settlement, dispute resolution, and enforcement of platform policies.

2.3.3 Legal and Regulatory Compliance

Processing is necessary for compliance with legal obligations, including statutory record-keeping, tax compliance, audit requirements, regulatory inquiries, law enforcement cooperation, and court orders.

2.3.4 Legitimate Business Interests

Processing is necessary for Glatro’s legitimate business interests, including fraud prevention, platform security, service improvement, analytics, internal reporting, risk management, and protection of legal rights, provided such interests do not override the fundamental rights of Users under applicable law.

2.4 Explicit Consent & Withdrawal

2.4.1 Where explicit consent is required under law, Glatro shall obtain such consent in a manner prescribed by applicable statutes or regulations.

2.4.2 Users acknowledge and agree that withdrawal of consent may:

(a) restrict access to certain features or services

(b) result in suspension or termination of accounts

(d) not override statutory or regulatory retention obligations.

2.4.3 Glatro reserves the right to continue processing personal data despite withdrawal of consent, where such processing is permitted or mandated by law.

2.5 Jurisdictional Limitation

2.5.1 This Policy is intended to comply with Indian laws only. Glatro makes no representation regarding compliance with foreign data protection laws unless expressly stated.

2.5.2 Users accessing the Platform from outside India do so at their own risk and are solely responsible for compliance with local laws.

2.6 Supremacy of Statutory Provisions

In the event of any conflict between this Policy and any applicable law, regulation, or binding judicial order, the statutory provision shall prevail, and this Policy shall be deemed modified to the extent necessary to ensure compliance.

3. DEFINITIONS

3.1 Purpose of Definitions

3.1.1 The definitions set out in this Section are provided for the purposes of interpretation, clarity, and uniform application of this Privacy Policy.

3.1.2 These definitions shall apply throughout this Policy, including all annexures, schedules, operational policies, and related documents, unless the context expressly requires otherwise.

3.1.3 In the event of any ambiguity or uncertainty in interpretation, the interpretation most favourable to Glatro and consistent with applicable Indian law shall prevail.

3.2 “Personal Data”

3.2.1 “Personal Data” means any data, information, or combination of information, whether true or not, and whether recorded in a material form or not, which relates to an identified or identifiable natural person, directly or indirectly, including through reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of such person.

3.2.2 For the avoidance of doubt, Personal Data includes, without limitation:

(a) information voluntarily provided by the User;

(b) information automatically collected through technical means;

3.2.3 Personal Data shall continue to be treated as such until irreversibly anonymised in accordance with this Policy and applicable law.

3.3 “Sensitive Personal Data”

3.3.1 “Sensitive Personal Data” shall have the meaning assigned to it under applicable Indian law, including but not limited to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as amended or replaced from time to time.

3.3.2 Without limiting the generality of the foregoing, Sensitive Personal Data may include:

(a) passwords and authentication credentials;

(b) financial information such as bank account details (where lawfully collected);

(d) any other category of data notified as sensitive under applicable law.

3.3.3 Glatro does not intentionally collect Sensitive Personal Data unless such collection is:

(a) expressly permitted by law;

(b) necessary for lawful verification, compliance, or payment settlement; and

3.4 “Processing”

3.4.1 “Processing” means any operation or set of operations performed on Personal Data or Sensitive Personal Data, whether or not by automated means.

3.4.2 Processing includes, without limitation:

(a) collection, recording, organisation, structuring;

(b) storage, adaptation, alteration, retrieval, consultation;

(d) alignment, combination, restriction;

(e) retention, archiving, anonymisation, or deletion.

3.4.3 Processing may be carried out directly by Glatro or indirectly through authorised third-party processors acting on Glatro’s behalf.

3.5 “Data Principal”

3.5.1 “Data Principal” shall have the meaning assigned under the Digital Personal Data Protection Act, 2023, and refers to the individual to whom the Personal Data relates.

3.5.2 For the purposes of this Policy:

(a) Customers, Vendors, Delivery Partners, and Users may all qualify as Data Principals;

(b) where a User acts on behalf of an entity, the individual whose data is provided shall be deemed the Data Principal.

3.5.3 Nothing in this Policy shall be construed as conferring any rights upon a Data Principal beyond those expressly mandated under applicable law.

3.6 “Data Processor” and “Third-Party Processor”

3.6.1 “Data Processor” or “Third-Party Processor” means any person, entity, service provider, contractor, or affiliate that processes Personal Data on behalf of Glatro pursuant to contractual arrangements.

3.6.2 Such processors may include, without limitation:

(a) payment gateway providers;

(b) cloud hosting and infrastructure providers;

(d) analytics, fraud detection, and security vendors;

(e) communication service providers.

3.6.3 All processors engaged by Glatro are subject to confidentiality and data protection obligations, however Glatro shall not be liable for acts or omissions of such processors beyond what is required under law.

3.7 “Platform”

3.7.1 “Platform” means and includes:

(a) Glatro’s mobile applications (for Customers, Vendors, and Delivery Partners);

(b) websites (when launched);

(d) all associated features, services, and functionalities.

3.7.2 Any reference to the Platform shall be deemed to include future upgrades, modifications, or replacements thereof.

3.8 “User”

3.8.1 “User” includes any individual or entity that accesses, browses, registers, or otherwise interacts with the Platform in any capacity.

3.8.2 Users include, without limitation:

(a) Customers;

(b) Vendors or Retailers;

(d) visitors or unregistered users;

(e) service providers interacting with the Platform.

3.9 Interpretative Rules

3.9.1 Headings and section titles are inserted for convenience only and shall not affect interpretation.

3.9.2 Words importing the singular shall include the plural and vice versa.

3.9.3 Any capitalised term not defined herein shall have the meaning assigned to it in the Terms of Use or under applicable law.

3.9.4 In case of doubt, the interpretation adopted by Glatro shall be final and binding, subject to mandatory statutory provisions.

4. CATEGORIES OF DATA COLLECTED

4.1 General Principle of Data Collection

4.1.1 Glatro collects personal data strictly on a need-to-collect basis, determined by operational, contractual, security, compliance, and legal requirements.

4.1.2 The categories of data described below are illustrative and non-exhaustive, and Glatro reserves the right to collect additional categories of data where such collection is:

(a) permitted under applicable law;

(b) necessary for platform operations; or

4.1.3 Users expressly acknowledge that certain data may be collected automatically, without direct action by the User, through technical or system-level processes.

4.2 Identity & Contact Data

4.2.1 Glatro may collect and process basic identity and contact information, including but not limited to:

(a) full name;

(b) mobile number;

(d) username or account identifier;

(e) profile photograph (if uploaded);

(f) preferred language or communication settings.

4.2.2 Such data is collected for purposes including account creation, authentication, communication, customer support, grievance handling, and fraud prevention.

4.2.3 Glatro shall not be responsible for inaccuracies arising from information provided directly by Users.

4.3 Transactional & Order-Related Data

4.3.1 Glatro may collect, generate, and retain transactional data relating to orders placed through the Platform, including but not limited to:

(a) order identifiers and reference numbers;

(b) order timestamps;

(d) pricing details, discounts, and applied promotions;

(e) cancellation records and reasons;

(f) refund requests, approvals, denials, and histories.

4.3.2 Transactional data may be retained for extended periods to comply with tax laws, accounting standards, audit requirements, dispute resolution, and legal defence.

4.4 Delivery & Location Data

4.4.1 In order to facilitate logistics and fulfilment, Glatro may collect and process delivery and location-related data, including:

(a) delivery addresses provided by Users;

(b) geo-coordinates (approximate) derived from device or mapping services;

(d) delivery timestamps, proof of delivery, and acceptance confirmations.

4.4.2 Location data may be collected in real-time or periodically, subject to device permissions and platform functionality.

4.4.3 Glatro disclaims liability for inaccuracies in location data caused by device settings, network issues, or third-party mapping services.

4.5 Payment Metadata

4.5.1 Glatro may collect limited payment-related metadata strictly necessary for transaction processing, reconciliation, and compliance, including:

(a) transaction reference numbers;

(b) payment method indicators (e.g., UPI, card, wallet);

(d) refund reference identifiers.

4.5.2 IMPORTANT DISCLAIMER:

Glatro does not store or process:

(a) debit or credit card numbers;

(b) CVV or PIN details;

4.5.3 All payment transactions are processed through RBI-compliant third-party payment gateways, and Glatro shall not be liable for breaches occurring within such external systems.

4.6 Vendor & Delivery Partner KYC Data

4.6.1 For Vendors and Delivery Partners, Glatro may collect enhanced verification data, including but not limited to:

(a) Permanent Account Number (PAN);

(b) Goods and Services Tax Identification Number (GSTIN), where applicable;

(d) government-issued identification documents;

(e) verification results and risk assessments.

4.6.2 Such data is collected for onboarding, compliance with anti-money laundering norms, fraud prevention, payout processing, and enforcement of contractual obligations.

4.6.3 Glatro reserves the right to retain such data even after termination, as permitted by law.

4.7 Device, Technical & Usage Data

4.7.1 Glatro may automatically collect technical and usage data, including but not limited to:

(a) IP address;

(b) device identifiers and hardware information;

(d) app usage logs and interaction metrics;

(e) crash reports, diagnostics, and error logs.

4.7.2 Such data is collected for security monitoring, system optimisation, analytics, troubleshooting, and abuse detection.

4.7.3 Users acknowledge that blocking or restricting such data collection may impair Platform functionality.

4.8 Communications & Support Data

4.8.1 Glatro may collect and retain records of communications between Users and Glatro, including:

(a) customer support chats and emails;

(b) call recordings (where permitted by law);

(d) internal notes and investigation records.

4.8.2 Such communications may be monitored, recorded, or reviewed for quality assurance, training, compliance, dispute resolution, and legal defence.

4.9 Inferred, Derived & Aggregated Data

4.9.1 Glatro may generate derived or inferred data based on analysis of User interactions, including:

(a) risk scores;

(b) fraud indicators;

(d) preference segments.

4.9.2 Aggregated or anonymised data that does not identify an individual may be retained indefinitely and used for analytics, reporting, and business intelligence.

4.10 Third-Party Data

4.10.1 Glatro may receive personal data from third-party sources, including payment partners, verification agencies, or service providers, where permitted by law.

4.10.2 Glatro shall not be responsible for accuracy of data obtained from third parties.

4.11 Accuracy & Responsibility

4.11.1 Users are responsible for ensuring that personal data provided is accurate, complete, and up to date.

4.11.2 Glatro shall not be liable for consequences arising from inaccurate or outdated data supplied by Users.

5. PURPOSES OF PROCESSING

5.1 Overarching Principle

5.1.1 Glatro processes personal data strictly for lawful, specified, and legitimate purposes, as permitted under applicable Indian law, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023.

5.1.2 The purposes described in this Section are illustrative and non-exhaustive, and Glatro reserves the right to process personal data for additional purposes where such processing is:

(a) reasonably connected to the original purpose of collection;

(b) necessary for platform operations, safety, or compliance; or

5.1.3 Users expressly acknowledge that processing of personal data is integral to the functioning of the Platform, and restriction of such processing may result in partial or complete denial of services.

5.2 Account Creation, Authentication & Management

5.2.1 Personal data is processed to:

(a) create and maintain User accounts;

(b) authenticate Users during login and access;

(d) manage account preferences, settings, and permissions.

5.2.2 Glatro may use multi-factor authentication, OTP verification, and risk-based access controls as part of its security framework.

5.2.3 Failure to provide accurate data may result in suspension or termination of access without liability.

5.3 Order Fulfilment & Platform Operations

5.3.1 Personal data is processed to:

(a) enable placement, confirmation, modification, and cancellation of orders;

(b) coordinate with Vendors and Delivery Partners;

(d) ensure timely fulfilment and delivery tracking.

5.3.2 Glatro may retain order-related data for extended periods to ensure auditability, dispute resolution, and legal defence.

5.4 Payments, Settlements & Financial Reconciliation

5.4.1 Personal data and payment metadata are processed to:

(a) facilitate payment transactions through authorised gateways;

(b) reconcile payments, refunds, and settlements;

(d) comply with accounting, tax, and audit requirements.

5.4.2 Glatro disclaims liability for failures attributable to third-party payment systems.

5.5 Vendor & Delivery Partner Verification

5.5.1 Enhanced personal data may be processed for:

(a) onboarding and KYC verification;

(b) risk profiling and eligibility assessment;

(d) payout processing and recovery actions.

5.5.2 Glatro reserves the right to re-verify such data periodically or upon suspicion of risk.

5.6 Fraud Prevention, Abuse Detection & Security

5.6.1 Personal data may be processed to:

(a) detect fraudulent transactions or activities;

(b) prevent misuse of promotions, refunds, or platform features;

(d) protect the integrity and security of the Platform.

5.6.2 Glatro may deploy automated tools, monitoring systems, and internal investigations for these purposes.

5.6.3 Users acknowledge that such processing may result in account restrictions or enforcement actions.

5.7 Customer Support, Communications & Grievance Handling

5.7.1 Personal data is processed to:

(a) respond to queries, complaints, and support requests;

(b) investigate grievances and disputes;

(d) improve customer experience and service quality.

5.7.2 Communications may be recorded, stored, and reviewed for quality assurance, training, and legal defence.

5.8 Legal Compliance, Audits & Enforcement

5.8.1 Personal data may be processed to:

(a) comply with statutory obligations;

(b) respond to court orders, regulatory notices, or law enforcement requests;

(d) enforce contractual rights and pursue legal remedies.

5.8.2 Such processing may continue even after account deletion, where required or permitted by law.

5.9 Analytics, Research & Platform Improvement

5.9.1 Personal data, including aggregated or anonymised data, may be processed for:

(a) analytics and reporting;

(b) performance measurement;

(d) internal research and development.

5.9.2 Insights derived from such processing are proprietary to Glatro.

5.10 Business Continuity & Risk Management

5.10.1 (a) ensure business continuity;

5.10.1 (b) manage operational risks;

5.10.1 (c) conduct internal investigations;

5.10.1 (d) protect Glatro’s legal, financial, and reputational interests.

5.10.2 Such processing shall not give rise to enforceable rights in favour of Users.

5.11 Marketing, Promotions & Communications

5.11.1 Subject to applicable law and consent requirements, Glatro may process personal data to:

(a) inform Users of offers, promotions, or updates;

(b) personalise content or recommendations;

5.11.2 Users may opt out of certain communications, however service-related communications shall continue.

5.12 Limitation of Purpose-Based Claims

5.12.1 Users expressly waive any claim against Glatro arising solely from lawful processing of personal data for the purposes outlined in this Section.

5.12.2 Glatro’s determination of the necessity or relevance of processing for a particular purpose shall be final, subject to mandatory statutory provisions.

6. AUTOMATED DECISION-MAKING, PROFILING & RISK ASSESSMENT

6.1 Use of Automated Systems

6.1.1 Glatro may deploy automated tools, algorithms, rule-based engines, and machine-assisted decision-making systems for the purpose of operating, securing, and optimising the Platform.

6.1.2 Such automated systems may be used across multiple functional areas, including but not limited to:

(a) fraud detection and prevention;

(b) risk scoring and behavioural analysis;

(d) payment validation and anomaly detection;

(e) eligibility assessment for promotions, offers, or incentives;

(f) operational efficiency and platform integrity.

6.1.3 The deployment of such systems is undertaken in Glatro’s legitimate business interest and for the protection of Users, Vendors, Delivery Partners, and the Platform as a whole.

6.2 Profiling Activities

6.2.1 Glatro may create profiles of Users based on observed behaviour, transaction history, usage patterns, and other relevant data points.

6.2.2 Profiling may involve:

(a) categorisation of Users into risk or trust tiers;

(b) identification of anomalous or suspicious activity;

(d) assessment of compliance with platform policies.

6.2.3 Profiling outcomes may be used to:

(a) restrict or enhance access to certain features;

(b) apply additional verification measures;

(d) determine eligibility for promotional or commercial benefits.

6.3 Automated Enforcement Actions

6.3.1 Based on automated assessments, Glatro may take enforcement actions including, without limitation:

(a) temporary or permanent account suspension;

(b) limitation of services or features;

(d) cancellation of orders or transactions;

(e) blacklisting across devices, identifiers, or accounts.

6.3.2 Users expressly acknowledge and agree that such actions may be taken without prior notice, where permitted by law, in order to protect the Platform and its stakeholders.

6.4 Human Oversight & Discretion

6.4.1 While automated systems may assist in decision-making, Glatro reserves the right to:

(a) review automated outcomes manually;

(b) override, confirm, or modify such outcomes;

6.4.2 Glatro is under no obligation to provide detailed explanations of automated logic, scoring methodologies, or internal thresholds, except where expressly required by law.

6.5 No Enforceable Rights Created

6.5.1 The use of automated decision-making or profiling does not create any enforceable rights in favour of Users, including any right to:

(a) demand disclosure of algorithms or logic;

(b) challenge risk scores or internal classifications;

6.5.2 Any benefit, access, or privilege extended by Glatro may be withdrawn at its discretion.

6.6 Statutory Compliance & Limitations

6.6.1 To the extent applicable, Glatro’s use of automated decision-making shall comply with mandatory provisions of Indian law, including the Digital Personal Data Protection Act, 2023.

6.6.2 Nothing in this Policy shall be construed as restricting Glatro’s ability to:

(a) prevent fraud or unlawful activity;

(b) comply with legal obligations;

6.7 Waiver of Claims

6.7.1 Users expressly waive any claims, demands, or causes of action against Glatro arising solely from:

(a) lawful automated processing;

(b) profiling-based decisions;

6.7.2 This waiver shall apply to the maximum extent permitted under applicable law.

7. DATA SHARING, DISCLOSURE & TRANSFER

7.1 General Principle of Data Disclosure

7.1.1 Glatro does not sell, rent, or commercially exploit personal data of Users.

7.1.2 Notwithstanding the foregoing, Users expressly acknowledge and agree that Glatro may disclose, share, transfer, or provide access to personal data strictly on a need-to-know basis, where such disclosure is:

(a) necessary for Platform operations;

(b) required for performance of contractual obligations;

(d) required to protect Glatro’s legal, commercial, or security interests.

7.1.3 All disclosures are made in good faith and in accordance with applicable Indian law.

7.2 Disclosure to Vendors, Retailers & Delivery Partners

7.2.1 In order to facilitate order fulfilment and delivery, Glatro may share limited personal data with Vendors, Retailers, and Delivery Partners, including:

(a) Customer name and contact details;

(b) delivery address and instructions;

7.2.2 Such recipients are contractually obligated to use personal data solely for fulfilment purposes and in compliance with applicable law.

7.2.3 Glatro shall not be responsible for unauthorised use of personal data by such third parties beyond its reasonable control.

7.3 Disclosure to Third-Party Service Providers

7.3.1 Glatro may engage third-party processors and service providers to perform functions on its behalf, including but not limited to:

(a) payment processing;

(b) cloud hosting and infrastructure;

(d) fraud detection and analytics;

(e) customer communication services.

7.3.2 Such service providers are granted limited access to personal data strictly for the purpose of performing contracted services.

7.3.3 While Glatro undertakes reasonable diligence in selecting such providers, it shall not be liable for acts or omissions of third-party processors except to the extent required by law.

7.4 Disclosure for Legal, Regulatory & Law Enforcement Purposes

7.4.1 Glatro may disclose personal data, without prior notice to the User, where such disclosure is required or permitted under applicable law, including in response to:

(a) court orders, subpoenas, or judicial directions;

(b) statutory notices from governmental or regulatory authorities;

(d) emergency situations involving threat to life or public safety.

7.4.2 Glatro may also proactively disclose data where it reasonably believes that such disclosure is necessary to:

(a) prevent fraud or unlawful activity;

(b) protect the rights, property, or safety of Glatro, Users, or the public;

7.4.3 Any disclosure made in good faith pursuant to this clause shall not give rise to liability towards Users.

7.5 Corporate Transactions & Business Transfers

7.5.1 In the event of a merger, acquisition, restructuring, sale of assets, or similar corporate transaction, Glatro may transfer personal data as part of such transaction, subject to applicable legal safeguards.

7.5.2 Users acknowledge that such transfers are a legitimate business necessity and consent to continued processing by the successor entity.

7.6 Cross-Border Data Transfers

7.6.1 Personal data may be stored or processed on servers located within or outside India, subject to compliance with applicable Indian laws.

7.6.2 Where cross-border transfers occur, Glatro shall take reasonable steps to ensure that:

(a) such transfers are lawful;

(b) appropriate contractual or technical safeguards are in place;

7.6.3 Users accessing the Platform from outside India do so at their own risk and consent to cross-border processing.

7.7 Data Minimisation & Access Controls

7.7.1 Glatro implements access controls to ensure that personal data is accessible only to authorised personnel and service providers.

7.7.2 Access is granted strictly on a role-based and purpose-limited basis.

7.8 No User Control Over Disclosures

7.8.1 Except where expressly mandated by law, Users shall have no right to object to or restrict disclosures made in accordance with this Section.

7.8.2 Glatro’s determination regarding necessity or lawfulness of disclosure shall be final, subject to mandatory statutory provisions.

8. DATA RETENTION

8.1 Overarching Retention Philosophy

8.1.1 Glatro retains personal data only for as long as is reasonably necessary to fulfil the purposes for which such data was collected, processed, or otherwise lawfully handled, as described in this Privacy Policy and the Terms of Use.

8.1.2 Retention periods are determined based on a combination of:

(a) statutory and regulatory requirements under Indian law;

(b) contractual obligations;

(d) legitimate business interests of Glatro;

(e) the need to establish, exercise, or defend legal claims.

8.1.3 Users expressly acknowledge that immediate deletion of personal data is neither feasible nor legally permissible in many circumstances.

8.2 Retention Beyond Account Deletion

8.2.1 Deletion, deactivation, or termination of a User account does not automatically result in deletion of all personal data associated with such account.

8.2.2 Glatro may retain personal data beyond account deletion where such retention is:

(a) required to comply with applicable laws, including tax, accounting, and audit obligations;

(b) necessary for investigation or prevention of fraud, abuse, or unlawful activity;

(d) necessary to enforce contractual rights or pursue legal remedies;

(e) otherwise permitted or mandated under applicable law.

8.2.3 Users expressly waive any claim against Glatro arising solely from lawful retention of data beyond account deletion.

8.3 Statutory & Regulatory Retention Obligations

8.3.1 Glatro may be required to retain certain categories of data for prescribed minimum periods under:

(a) tax laws and GST regulations;

(b) corporate, accounting, and audit standards;

(d) IT Act obligations and intermediary due-diligence requirements;

(e) limitation periods under Indian civil and criminal law.

8.3.2 Such statutory retention obligations override any User request for deletion, to the extent permitted by law.

8.4 Retention for Legal Defence & Enforcement

8.4.1 Personal data may be retained for the purpose of:

(a) responding to or defending against legal claims;

(b) complying with court orders or legal process;

(d) preserving evidence in anticipation of litigation.

8.4.2 Retention for such purposes may continue until:

(a) final resolution of proceedings; and

(b) expiry of applicable limitation periods thereafter.

8.5 Internal Reviews, Audits & Risk Management

8.5.1 Glatro may retain personal data for internal audits, compliance reviews, and risk assessments.

8.5.2 Such retention is necessary to:

(a) demonstrate regulatory compliance;

(b) evaluate operational effectiveness;

8.6 Anonymisation & Aggregation

8.6.1 Where personal data is no longer required in identifiable form, Glatro may:

(a) irreversibly anonymise such data; or

(b) aggregate such data in a manner that does not identify an individual.

8.6.2 Anonymised or aggregated data may be retained indefinitely for analytics, reporting, and business intelligence.

8.7 Technical Backups & Residual Data

8.7.1 Users acknowledge that personal data may continue to exist in:

(a) system backups;

(b) disaster recovery systems;

8.7.2 Such residual data shall be securely isolated and deleted in accordance with Glatro’s internal backup retention schedules.

8.7.3 Glatro shall not be liable for temporary retention of such residual data.

8.8 Reference to Annexure I

8.8.1 Detailed retention periods applicable to specific data categories are set out in Annexure I – Data Retention Matrix & Record Management Policy.

8.8.2 In the event of any inconsistency, Annexure I shall prevail, to the extent permitted by law.

8.9 Finality of Retention Decisions

8.9.1 Glatro’s determination regarding the necessity, scope, and duration of data retention shall be final and binding, subject only to mandatory statutory provisions.

8.9.2 Users acknowledge that Glatro shall not be obligated to provide individualised justifications for retention decisions.

9. USER RIGHTS

9.1 General Principle Governing User Rights

9.1.1 Any rights exercisable by Users in relation to their personal data arise solely from applicable Indian law and not from this Privacy Policy.

9.1.2 Nothing contained in this Policy shall be construed as:

(a) granting additional rights beyond those expressly mandated under law;

(b) limiting Glatro’s statutory exemptions, defences, or discretionary powers;

9.1.3 All User rights are subject to:

(a) verification of identity;

(b) compliance with statutory conditions;

9.2 Right to Access

9.2.1 Subject to applicable law, Users may request access to personal data held by Glatro.

9.2.2 Such access may be:

(a) limited in scope;

(b) provided in summary form;

• prejudice legal proceedings;

• compromise security;

• infringe rights of other individuals;

• reveal proprietary systems or internal assessments.

9.2.3 Glatro shall not be obligated to provide:

(a) internal notes, risk scores, or profiling data;

(b) confidential business information;

9.3 Right to Correction or Updating

9.3.1 Users may request correction of inaccurate or incomplete personal data.

9.3.2 Glatro may require:

(a) supporting documentation;

(b) independent verification;

9.3.3 Glatro reserves the right to reject correction requests where:

(a) data accuracy cannot be reasonably verified;

(b) data is generated internally for security or compliance purposes;

9.4 Right to Deletion / Erasure

9.4.1 Users may request deletion of personal data only to the extent permitted under applicable law.

9.4.2 Deletion requests shall be denied where retention is required for:

(a) statutory or regulatory compliance;

(b) tax, accounting, or audit obligations;

(d) dispute resolution or legal defence;

(e) enforcement of contractual rights.

9.4.3 Deletion, where permitted, may be:

(a) partial;

(b) deferred;

9.4.4 Users expressly acknowledge that no absolute right to deletion exists under Indian law.

9.5 Right to Restrict or Object to Processing

9.5.1 Users may request restriction of processing only where expressly recognised under applicable law.

9.5.2 Glatro may deny such requests where processing is:

(a) necessary for contract performance;

(b) required for legal compliance;

(d) based on legitimate business interests.

9.5.3 Objections to processing shall not affect processing already lawfully carried out.

9.6 Verification & Abuse Prevention

9.6.1 Glatro reserves the right to:

(a) verify the identity of the requesting User;

(b) request additional documentation;

9.6.2 Failure to satisfactorily verify identity shall result in rejection of the request without liability.

9.7 Timeframes & Procedural Discretion

9.7.1 User requests shall be addressed within a reasonable timeframe, subject to:

(a) complexity of the request;

(b) volume of requests received;

9.7.2 Indicative timelines do not constitute binding commitments.

9.8 Fees & Administrative Burden

9.8.1 To the extent permitted by law, Glatro reserves the right to:

(a) charge reasonable administrative fees; or

(b) refuse to act on requests that impose disproportionate burden.

9.9 Finality of Decisions

9.9.1 Glatro’s decision in relation to any User request shall be final and binding, subject only to mandatory statutory remedies.

9.9.2 Users expressly waive any claim against Glatro arising from lawful denial or limitation of rights under this Section.

10. CHILDREN’S DATA (STRICT PROHIBITION)

10.1 Platform Not Intended for Minors

10.1.1 The Platform and all services offered by Glatro are intended solely for individuals who are eighteen (18) years of age or older and who are legally competent to enter into binding contracts under Indian law.

10.1.2 Glatro does not knowingly permit individuals below the age of eighteen (18) years to:

(a) register on the Platform;

(b) create or maintain user accounts;

(d) act as Vendors or Delivery Partners;

(e) otherwise access or use the Platform in any manner.

10.1.3 Any access or use of the Platform by a minor shall be deemed unauthorised and in violation of this Privacy Policy and the Terms of Use.

10.2 No Intentional Collection of Children’s Data

10.2.1 Glatro does not knowingly collect, solicit, or process personal data of minors.

10.2.2 The Company relies on:

(a) User representations regarding age; and

(b) technical and procedural safeguards reasonably available to prevent the onboarding of minors.

10.2.3 Glatro shall not be held responsible for misrepresentation of age or identity by Users or third parties.

10.3 Inadvertent Collection & Remedial Action

10.3.1 In the event that Glatro becomes aware, or has reason to believe, that personal data of a minor has been inadvertently collected or processed, Glatro shall, subject to applicable law:

(a) take reasonable steps to delete or anonymise such data;

(b) suspend or terminate the associated account;

10.3.2 Such remedial actions shall be taken at Glatro’s discretion and shall not create any obligation to provide notice, explanation, or compensation.

10.4 Parental Responsibility & Waiver

10.4.1 Parents or legal guardians are solely responsible for monitoring and supervising the online activities of minors under their care.

10.4.2 To the maximum extent permitted by law, Glatro disclaims all liability arising from:

(a) unauthorised access to the Platform by minors;

(b) misrepresentation of age by Users;

10.4.3 Any claims relating to minors’ data shall be subject to mandatory statutory remedies only, and no additional contractual rights are created.

10.5 Compliance with Indian Law

10.5.1 This Section is intended to comply with applicable Indian laws, including the Digital Personal Data Protection Act, 2023, to the extent relating to children’s data.

10.5.2 In the event of any change in legal requirements relating to children’s data, Glatro reserves the right to modify this Policy accordingly without prior notice.

11. DATA SECURITY & INCIDENT RESPONSE

11.1 Commitment to Reasonable Security Practices

11.1.1 Glatro implements and maintains reasonable administrative, technical, and organisational security practices and procedures designed to protect personal data against unauthorised access, alteration, disclosure, loss, misuse, or destruction.

11.1.2 Such security measures are implemented having regard to:

(a) the nature and sensitivity of the personal data processed;

(b) the volume and complexity of data handling operations;

(d) technological feasibility;

(e) cost of implementation.

11.1.3 Glatro’s security practices are aligned with requirements prescribed under applicable Indian laws, including the Information Technology Act, 2000 and rules framed thereunder.

11.2 Technical & Organisational Safeguards

11.2.1 Security safeguards may include, without limitation:

(a) access control mechanisms and role-based permissions;

(b) encryption of data in transit and, where appropriate, at rest;

(d) firewalls, intrusion detection, and monitoring systems;

(e) periodic security reviews and audits;

(f) employee access controls and confidentiality obligations.

11.2.2 Access to personal data is restricted to authorised personnel and service providers strictly on a need-to-know basis.

11.2.3 Users acknowledge that no security system is infallible and that absolute security cannot be guaranteed.

11.3 User Responsibilities in Data Security

11.3.1 Users are responsible for maintaining the confidentiality of their login credentials, passwords, OTPs, and account access information.

11.3.2 Glatro shall not be liable for any unauthorised access, data loss, or misuse resulting from:

(a) User negligence;

(b) sharing of credentials;

(d) malware or phishing attacks beyond Glatro’s control.

11.4 Incident Detection & Response

11.4.1 Glatro maintains internal procedures for identifying, assessing, and responding to potential data security incidents or breaches.

11.4.2 Upon becoming aware of a data security incident, Glatro may, subject to applicable law:

(a) investigate the nature and scope of the incident;

(b) take reasonable steps to contain and mitigate impact;

11.4.3 Incident response measures shall be determined at Glatro’s discretion, taking into account operational, legal, and security considerations.

11.5 Notification of Data Breaches

11.5.1 Where required under applicable Indian law, Glatro shall notify:

(a) affected Users; and/or

(b) relevant regulatory or governmental authorities,

of a data breach within the timelines prescribed by law.

11.5.2 Notification may be delayed or limited where permitted by law, including where such notification may:

(a) impede investigation;

(b) compromise security measures;

11.5.3 Failure to notify in circumstances not mandated by law shall not give rise to liability.

11.6 Third-Party Security

11.6.1 Glatro may rely on third-party service providers for infrastructure, payment processing, analytics, or security services.

11.6.2 While Glatro undertakes reasonable diligence in selecting such providers, it does not control their internal security practices.

11.6.3 Glatro shall not be liable for security incidents arising from third-party systems beyond its reasonable control, except where mandated by law.

11.7 No Absolute Guarantee of Security

11.7.1 Users expressly acknowledge that:

(a) transmission of data over the internet is inherently risky;

(b) no platform can guarantee complete security;

11.7.2 To the maximum extent permitted by law, Glatro disclaims liability for:

(a) cyber-attacks;

(b) hacking incidents;

(d) force majeure events impacting security.

11.8 Limitation of Liability for Security Incidents

11.8.1 Glatro’s liability, if any, arising from a data security incident shall be limited strictly in accordance with applicable law.

11.8.2 Users expressly waive any claim for indirect, consequential, punitive, or exemplary damages arising from security incidents, to the maximum extent permitted by law.

11.9 Continuous Improvement

11.9.1 Glatro may periodically review and update its security practices to address emerging threats, technological developments, or regulatory requirements.

11.9.2 Such updates may be implemented without prior notice and shall be deemed effective upon deployment.

12. THIRD-PARTY LINKS & SERVICES

12.1 Presence of Third-Party Links and Integrations

12.1.1 The Platform may contain links to, integrations with, or access points for third-party websites, applications, tools, services, or content (“Third-Party Services”) that are owned, operated, or controlled by entities independent of Glatro.

12.1.2 Such Third-Party Services may include, without limitation:

(a) payment gateway providers;

(b) mapping and navigation services;

(d) analytics and marketing platforms;

(e) external websites or applications accessed through links or redirects.

12.1.3 The inclusion of any Third-Party Service on the Platform does not constitute endorsement, approval, sponsorship, or recommendation by Glatro.

12.2 No Control or Responsibility

12.2.1 Glatro does not control, monitor, or assume responsibility for:

(a) the content, accuracy, or availability of Third-Party Services;

(b) the privacy practices or data handling policies of third parties;

12.2.2 Users acknowledge that Third-Party Services operate independently and are governed by their own terms, conditions, and privacy policies.

12.3 User Responsibility & Due Diligence

12.3.1 Users are solely responsible for:

(a) reviewing the terms and privacy policies of Third-Party Services;

(b) assessing the risks associated with use of such services;

12.3.2 Any interaction, transaction, or data sharing between the User and a third party is conducted solely at the User’s own risk.

12.4 No Liability for Third-Party Actions

12.4.1 To the maximum extent permitted by law, Glatro disclaims all liability arising from:

(a) acts or omissions of Third-Party Services;

(b) data breaches, losses, or misuse occurring within third-party systems;

12.4.2 Any claims arising from Third-Party Services shall be resolved directly between the User and the relevant third party, without recourse to Glatro.

12.5 Termination of Access

12.5.1 Glatro reserves the right to add, remove, or disable access to any Third-Party Service at its discretion and without notice.

12.5.2 Removal or modification of third-party integrations shall not give rise to any claim or liability.

12.6 Statutory Carve-Out

12.6.1 Nothing in this Section shall limit any liability that cannot be excluded under applicable Indian law.

12.6.2 Subject to mandatory statutory provisions, this Section shall be interpreted in favour of limiting Glatro’s liability.

13. GRIEVANCE REDRESSAL OFFICER & COMPLAINT HANDLING MECHANISM

13.1 Statutory Appointment

13.1.1 In accordance with the provisions of the Information Technology Act, 2000, and the rules framed thereunder, including the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Glatro has appointed a Grievance Redressal Officer to address complaints, grievances, and concerns raised by Users in relation to:

(a) processing of personal data;

(b) alleged violations of this Privacy Policy;

(d) compliance with applicable data protection laws.

13.1.2 The Grievance Redressal Officer shall act as the designated point of contact for Users and regulatory authorities in respect of data protection and privacy-related grievances.

13.2 Contact Details

The details of the Grievance Redressal Officer are as follows:

Grievance Redressal Officer

Location: WeWork DLF Forum, Cyber City Phase III, DLF QE, DLF QE, Gurgaon – 122002, Haryana

Email: grievance@glatro.com

13.2.1 The above contact details may be updated from time to time and shall be deemed effective upon publication on the Platform.

13.3 Scope of Grievances

13.3.1 Users may raise grievances relating to:

(a) collection, processing, or retention of personal data;

(b) alleged non-compliance with this Privacy Policy;

(d) requests for exercise of statutory data protection rights.

13.3.2 Complaints unrelated to data protection or privacy may be redirected to appropriate internal teams or support channels.

13.4 Complaint Submission Requirements

13.4.1 Complaints must be submitted:

(a) from the registered email address of the User; or

(b) through officially designated in-app or platform channels.

13.4.2 Complaints should include:

(a) sufficient details of the grievance;

(b) supporting documents or information, where available;

13.4.3 Anonymous or incomplete complaints may not be entertained.

13.5 Acknowledgement & Resolution Timelines

13.5.1 Glatro shall acknowledge receipt of a valid grievance within 24 to 48 hours, in accordance with applicable rules.

13.5.2 Grievances shall be addressed and resolved within a reasonable timeframe, subject to:

(a) nature and complexity of the complaint;

(b) requirement of investigation or verification;

13.5.3 Indicative timelines do not constitute binding commitments.

13.6 Internal Review & Discretion

13.6.1 All grievances shall be reviewed internally by Glatro’s compliance or legal teams, as deemed appropriate.

13.6.2 Glatro reserves the right to:

(a) seek additional information from the complainant;

(b) reject grievances that are frivolous, repetitive, or abusive;

13.6.3 Decisions taken by Glatro in relation to grievances shall be final and binding, subject to mandatory statutory remedies.

13.7 Limitation of Liability

13.7.1 Submission or processing of a grievance shall not create:

(a) any admission of liability by Glatro; or

(b) any contractual or fiduciary obligation beyond statutory requirements.

13.7.2 To the maximum extent permitted by law, Glatro disclaims liability for delays or outcomes arising from grievance handling, except where mandated by law.

14. CHANGES TO POLICY

14.1 Right to Modify, Amend or Update

14.1.1 Glatro expressly reserves the unrestricted right, at its sole discretion, to modify, amend, update, revise, supplement, or replace this Privacy Policy, in whole or in part, at any time.

14.1.2 Such changes may be made to reflect, inter alia:

(a) changes in applicable laws or regulations;

(b) issuance of new judicial interpretations or regulatory guidance;

(d) technological developments or security requirements;

(e) internal policy or compliance enhancements.

14.1.3 Glatro shall not be obligated to provide individual notice of such changes unless expressly required under applicable law.

14.2 Manner of Communication of Changes

14.2.1 Updated versions of this Privacy Policy may be communicated by:

(a) publication on the Platform;

(b) in-app notifications;

(d) any other method deemed appropriate by Glatro.

14.2.2 The “Last Updated” date displayed on the Policy shall indicate the effective date of such changes.

14.3 Continued Use Constitutes Acceptance

14.3.1 Users expressly acknowledge and agree that continued access to or use of the Platform after the effective date of any modification shall constitute:

(a) deemed acceptance of the revised Privacy Policy;

(b) renewed consent to processing of personal data in accordance with the updated terms.

14.3.2 If a User does not agree with any modification, the User’s sole and exclusive remedy is to discontinue use of the Platform.

14.3.3 Continued use shall override any prior objections, unless withdrawal of consent is expressly exercised in accordance with applicable law.

14.4 No Retroactive Claims

14.4.1 Users waive any right to challenge amendments on the ground that:

(a) prior notice was not received;

(b) individual consent was not separately obtained;

14.4.2 Amendments shall apply prospectively and, where permitted by law, to ongoing processing activities.

14.5 Statutory Override

14.5.1 Nothing in this Section shall limit any rights or obligations that cannot be waived or modified under applicable Indian law.

14.5.2 In the event of any conflict between this Policy and mandatory statutory provisions, the statutory provisions shall prevail, and this Policy shall be deemed modified to the minimum extent necessary for compliance.

14.6 Survival

14.6.1 This Privacy Policy, including all amendments, shall survive termination of the User’s account to the extent necessary for:

(a) legal compliance;

(b) dispute resolution;

(d) statutory retention obligations.

ANNEXURE I — DATA RETENTION MATRIX & RECORD MANAGEMENT POLICY

A. PURPOSE AND LEGAL OBJECTIVE

A.1 This Annexure sets out Glatro’s internal and external policy governing the retention, storage, archival, anonymisation, and deletion of personal data, transactional data, operational records, and business information collected or generated through the Platform.

A.2 This Annexure is framed to ensure compliance with:

(a) Information Technology Act, 2000;

(b) Digital Personal Data Protection Act, 2023;

(d) limitation periods under Indian civil and criminal law;

(e) regulatory, investigative, and enforcement requirements.

A.3 This Annexure shall be read as an integral and inseparable part of the Privacy Policy. In case of conflict, this Annexure shall prevail to the extent permitted by law.

B. FUNDAMENTAL RETENTION PRINCIPLES

B.1 Glatro follows a risk-based, compliance-driven retention model, under which data is retained only where there exists a lawful, regulatory, operational, or defensive justification.

B.2 Retention decisions are guided by:

(a) statutory minimum retention periods;

(b) likelihood of disputes, audits, or investigations;

(d) necessity to defend or enforce legal rights;

(e) platform security and fraud-prevention needs.

B.3 Users expressly acknowledge that data minimisation does not equate to immediate deletion, and that retention may lawfully continue even after cessation of services.

C. RETENTION BEYOND ACCOUNT DELETION

C.1 Deletion, deactivation, suspension, or termination of a User account does not automatically trigger deletion of all associated data.

C.2 Glatro may continue to retain data where necessary for:

(a) statutory or regulatory compliance;

(b) tax filings, GST reconciliation, or audits;

(d) dispute resolution, litigation defence, or evidence preservation;

(e) internal compliance reviews or risk assessments.

C.3 Any retention beyond account deletion shall be deemed lawful, reasonable, and necessary, and Users expressly waive objections to such retention.

D. DATA RETENTION CATEGORIES (DETAILED)

D.1 Customer Account Data

Includes profile details, contact information, authentication logs.

• Retention: Minimum 7 years from last activity

• Legal Basis: IT Act, limitation law, contractual defence

D.2 Order & Transaction Records

Includes invoices, order IDs, timestamps, pricing, refunds.

• Retention: 7–10 years

• Legal Basis: Tax laws, accounting standards, audits

D.3 Payment Metadata

Includes transaction references, settlement logs.

• Retention: 7 years

• Legal Basis: RBI norms, accounting compliance

D.4 Vendor KYC & Compliance Records

Includes PAN, GSTIN, bank details, verification results.

• Retention: 8 years post termination

• Legal Basis: AML, fraud prevention, enforcement

D.5 Delivery Partner Records

Includes onboarding documents, payout logs, misconduct history.

• Retention: 8 years post termination

• Legal Basis: risk management, legal defence

D.6 Logs, Security & Technical Records

Includes IP logs, device identifiers, audit trails.

• Retention: 1–3 years

• Legal Basis: security, investigation, compliance

D.7 Grievance & Legal Records

Includes complaints, notices, internal notes.

• Retention: Until final resolution + limitation period

• Legal Basis: litigation defence

E. ARCHIVAL, ANONYMISATION & DELETION

E.1 Upon expiry of retention periods, data may be:

(a) securely deleted using industry-standard methods;

(b) irreversibly anonymised;

E.2 Anonymised or aggregated data ceases to be personal data and may be retained indefinitely.

E.3 Users acknowledge that technical backups may retain residual data for limited periods.

F. FINALITY OF RETENTION DECISIONS

F.1 Glatro’s determination regarding what data to retain, for how long, and in what form shall be final and binding, subject only to mandatory statutory requirements.

F.2 No User shall have the right to demand immediate deletion contrary to this Annexure.

ANNEXURE II — DATA SUBJECT REQUEST (DSR) WORKFLOW

A. OBJECTIVE AND SCOPE

A.1 This Annexure sets out the internal policy, workflow, controls, and limitations applicable to requests made by Users (Data Principals).

A.2 This Annexure is framed to ensure compliance with:

• Digital Personal Data Protection Act, 2023

• Information Technology Act, 2000

• Applicable rules, regulations, and regulatory guidance

A.3 This Annexure applies to requests relating to:

(a) access to personal data;

(b) correction or updating of personal data;

(d) restriction or objection to processing;

(e) withdrawal of consent.

B. GENERAL PRINCIPLES GOVERNING USER REQUESTS

B.1 All DSRs shall be processed strictly in accordance with applicable law and this Policy.

B.2 Submission of a DSR does not guarantee acceptance or fulfillment.

B.3 Glatro reserves the right to:

(a) limit the scope of responses;

(b) refuse unlawful, excessive, or abusive requests;

B.4 Nothing herein grants rights beyond those expressly provided under Indian law.

C. MODE OF SUBMISSION

C.1 DSRs must be submitted through:

(a) the registered email address of the User; or

(b) officially designated in-app support channels.

C.2 Requests via unauthorised channels shall not be entertained.

C.3 Glatro is not responsible for lost, delayed, or misdirected requests due to User error.

D. INFORMATION REQUIRED FOR PROCESSING

D.1 Each request must include:

(a) full name of the User;

(b) registered mobile number and/or email address;

(d) sufficient information to locate relevant data.

D.2 Glatro may require documentation to:

(a) verify identity;

(b) prevent unauthorised disclosure;

D.3 Failure to provide information may result in rejection without liability.

E. IDENTITY VERIFICATION

E.1 (a) OTP-based verification;

E.1 (b) government-issued ID (where necessary);

E.1 (c) internal authentication records.

E.2 Requests failing verification shall be rejected.

E.3 Glatro is not liable where verification fails.

F. REVIEW & DECISION-MAKING PROCESS

F.1 Requests shall be reviewed by:

(a) compliance teams;

(b) legal teams;

F.2 Glatro may accept, partially comply, deny, or seek clarification.

F.3 Grounds for denial include statutory retention, investigations, fraud prevention, legal rights, or disproportionate burden.

G. RESPONSE TIMELINES

G.1 Responses are generally within 30–45 days, subject to complexity, volume, and operational constraints.

G.2 Timelines may be extended where permitted by law.

G.3 Indicative timelines are not contractual commitments.

H. LIMITATIONS ON DISCLOSURE

H.1 (a) internal risk assessments or profiling data;

H.1 (b) proprietary algorithms or logic;

H.1 (c) confidential business information;

H.1 (d) data relating to other individuals.

H.2 Disclosure is limited to what is strictly required by law.

I. WITHDRAWAL OF CONSENT

I.1 Users may withdraw consent where applicable.

I.2 Withdrawal may result in:

(a) suspension or termination of services;

(b) restriction of features;

I.3 Withdrawal does not affect lawful prior processing.

J. ABUSE PREVENTION

J.1 (a) manifestly unfounded requests;

J.1 (b) repetitive or vexatious requests;

J.1 (c) requests imposing disproportionate burden.

K. FINALITY OF DECISIONS

K.1 Glatro’s decision on any DSR shall be final and binding, subject only to mandatory statutory remedies.

K.2 Users expressly waive claims arising from lawful refusal or limitation of DSRs.

ANNEXURE III — BLACKLISTING & ENFORCEMENT POLICY

A. OBJECTIVE & REGULATORY CONTEXT

A.1 This Annexure sets out Glatro’s internal and external policy governing the detection, prevention, investigation, and enforcement of fraud, abuse, manipulation, or misuse of the Platform by any User, including Customers, Vendors, Retailers, and Delivery Partners.

A.2 This Policy is framed to protect:

(a) the integrity and security of the Platform;

(b) the interests of genuine Users;

A.3 This Annexure shall be read in conjunction with:

• the Terms of Use;

• the Privacy Policy;

• Vendor Agreement;

• Delivery Partner Agreement;

and shall prevail in case of inconsistency, to the extent permitted by law.

B. ZERO-TOLERANCE POLICY

B.1 Glatro adopts a strict zero-tolerance approach towards fraud, abuse, manipulation, or bad-faith conduct.

B.2 Any act or omission that undermines platform trust, financial integrity, or operational stability shall invite immediate enforcement action, without prejudice to Glatro’s other legal remedies.

B.3 Users expressly acknowledge that intent is irrelevant; even negligent or reckless conduct may trigger enforcement action.

C. DEFINITION OF FRAUD & ABUSE (NON-EXHAUSTIVE)

For the purposes of this Annexure, “Fraud” or “Abuse” includes, without limitation:

(a) false, misleading, or fabricated refund or return claims;

(b) repeated chargebacks or payment disputes without legitimate basis;

(d) collusion between Customers, Vendors, or Delivery Partners;

(e) manipulation of delivery acceptance, verification, or confirmation flows;

(f) misuse of Wallet balances, credits, or promotional benefits;

(g) submission of forged, misleading, or invalid documents;

(h) circumvention of Platform safeguards or technical controls;

(i) unauthorised access, scraping, reverse engineering, or interference;

(j) any activity intended to cause financial loss to Glatro or other Users.

D. MONITORING, DETECTION & INVESTIGATION

D.1 Glatro may deploy automated systems, manual reviews, audits, and internal investigations to detect suspected fraud or abuse.

D.2 Monitoring may include:

(a) transaction pattern analysis;

(b) behavioural profiling;

(d) risk scoring and anomaly detection;

(e) internal or third-party audits.

D.3 Users acknowledge that monitoring may occur without prior notice and does not require User consent beyond that provided under the Privacy Policy.

E. ENFORCEMENT ACTIONS

E.1 Upon detection or reasonable suspicion of fraud or abuse, Glatro may, at its sole discretion and without prior notice:

(a) suspend or permanently terminate accounts;

(b) cancel or reverse transactions;

(d) withhold Vendor or Delivery Partner payouts;

(e) recover losses through set-off, adjustment, or legal action;

(f) blacklist Users across multiple identifiers.

E.2 Enforcement actions may be immediate and need not await completion of investigation.

F. BLACKLISTING POLICY

F.1 Blacklisting may be applied permanently or for a specified duration.

F.2 Blacklisting may be enforced across:

(a) phone numbers;

(b) email addresses;

(d) IP addresses;

(e) bank accounts and payment instruments;

(f) government-issued identification documents.

F.3 Blacklisted Users shall not be entitled to:

(a) re-registration;

(b) access to the Platform;

(d) explanation beyond what is legally required.

G. RECOVERY OF LOSSES

G.1 Glatro reserves the right to recover any losses, damages, costs, or expenses arising from fraud or abuse by:

(a) adjusting or withholding future payouts;

(b) debiting Wallet balances or credits;

(d) invoking indemnity provisions.

G.2 Glatro’s determination of loss amounts shall be final and binding, subject to mandatory statutory review.

H. LEGAL & REGULATORY ACTION

H.1 Glatro reserves the unrestricted right to:

(a) initiate civil proceedings;

(b) lodge criminal complaints or FIRs;

(d) share information with regulators, banks, or payment networks.

H.2 Users expressly waive any objection to such disclosures made in good faith.

I. NO OBLIGATION TO WARN OR EXPLAIN

I.1 Glatro is under no obligation to:

(a) provide advance warnings;

(b) issue show-cause notices;

(d) share internal findings or evidence.

I.2 Any communication provided shall be purely discretionary.

J. LIMITATION OF LIABILITY

J.1 To the maximum extent permitted by law, Glatro shall not be liable for:

(a) losses suffered due to enforcement actions;

(b) termination or suspension of accounts;

(d) reputational or business impact on Users.

J.2 Users expressly waive all claims arising from lawful enforcement under this Annexure.

K. FINALITY & SURVIVAL

K.1 All enforcement decisions taken under this Annexure shall be final and binding, subject only to mandatory statutory remedies.

K.2 This Annexure shall survive termination of accounts and agreements.

ANNEXURE IV

PAYMENT, SETTLEMENT & RECOVERY POLICY

A. OBJECTIVE & APPLICABILITY

A.1 This Annexure sets out the policies, principles, procedures, and limitations governing payments, settlements, credits, adjustments, deductions, recoveries, and reconciliations carried out on or through the Glatro Platform.

A.2 This Annexure applies to all financial interactions involving:

(a) Customers making payments for orders;

(b) Vendors receiving settlements for fulfilled orders;

(d) Wallet balances, promotional credits, refunds, or recoveries.

A.3 This Annexure shall be read in conjunction with the Terms of Use, Privacy Policy, Vendor Agreement, and Delivery Partner Agreement and shall prevail in case of inconsistency, to the extent permitted by law.

B. PAYMENT PROCESSING FRAMEWORK

B.1 All payments made by Customers are processed through authorised, RBI-compliant third-party payment gateways.

B.2 Glatro does not store sensitive payment credentials such as card numbers, CVV, PINs, or net-banking passwords.

B.3 Glatro shall not be liable for:

(a) payment failures caused by banks, gateways, or networks;

(b) incorrect details provided by Users;

B.4 Successful payment authorisation does not guarantee order acceptance, fulfilment, or availability.

C. WALLET, CREDITS & PROMOTIONAL BALANCES

C.1 The Platform may offer Wallet balances, credits, cashback, or promotional incentives.

C.2 Such balances are:

(a) non-transferable;

(b) non-withdrawable;

(d) usable only in accordance with applicable terms.

C.3 Glatro reserves the right to:

(a) modify, suspend, or withdraw Wallet features;

(b) reverse credits issued in error;

C.4 Wallet balances do not constitute legal tender, stored value instruments, or bank deposits.

D. VENDOR & DELIVERY PARTNER SETTLEMENTS

D.1 Settlements to Vendors and Delivery Partners are processed on a net basis, after deduction of:

(a) platform commissions or service fees;

(b) applicable taxes;

(d) chargebacks, refunds, or disputed amounts.

D.2 Settlement timelines displayed on the Platform are indicative only and may vary due to:

(a) banking delays;

(b) reconciliation requirements;

(d) force majeure events.

D.3 Glatro shall not be liable for settlement delays beyond its reasonable control.

E. ADJUSTMENTS, SET-OFF & WITHHOLDING RIGHTS

E.1 Glatro reserves the unrestricted right to:

(a) adjust future payouts;

(b) set-off amounts owed against amounts payable;

E.2 Such actions may be taken without prior notice where permitted by law.

E.3 Vendors and Delivery Partners expressly waive objections to lawful set-off or withholding.

F. REFUNDS, REVERSALS & CHARGEBACKS

F.1 Refunds to Customers shall be processed in accordance with platform policies and applicable law.

F.2 Glatro reserves the right to:

(a) reverse refunds issued in error;

(b) deny refunds in cases of abuse or fraud;

F.3 Chargebacks initiated through banks or payment networks may result in:

(a) immediate debit of corresponding amounts;

(b) additional administrative fees;

G. RECOVERY OF AMOUNTS & LOSSES

G.1 Glatro may recover any outstanding amounts, losses, or damages by:

(a) adjusting Wallet balances;

(b) deducting future settlements;

(d) initiating legal proceedings.

G.2 Recovery rights shall survive termination of accounts or agreements.

G.3 Glatro’s determination of amounts recoverable shall be final and binding, subject only to mandatory statutory remedies.

H. TAXATION & COMPLIANCE

H.1 All payments and settlements are subject to applicable Indian tax laws.

H.2 Users are solely responsible for their own tax compliance.

H.3 Glatro may deduct or collect taxes as required by law and shall not be liable for Users’ tax obligations.

I. DISPUTE RESOLUTION RELATING TO PAYMENTS

I.1 Payment-related disputes must be raised within prescribed timelines.

I.2 Failure to raise disputes within such timelines shall constitute waiver of claims.

I.3 Glatro’s internal reconciliation records shall prevail in case of discrepancies, subject to statutory review.

J. LIMITATION OF LIABILITY

J.1 To the maximum extent permitted by law, Glatro shall not be liable for:

(a) indirect or consequential losses arising from payment issues;

(b) loss of business, profits, or reputation;

J.2 Users expressly waive claims arising from lawful application of this Annexure.

K. FINALITY & SURVIVAL

K.1 All determinations under this Annexure shall be final and binding.

K.2 This Annexure shall survive termination of the User’s relationship with Glatro.

ANNEXURE V

COOKIE & TRACKING TECHNOLOGIES POLICY

A. PURPOSE & APPLICABILITY

A.1 This Annexure sets out Glatro’s policy regarding the use of cookies, pixels, software development kits (SDKs), log files, web beacons, and other tracking technologies (collectively, “Tracking Technologies”) deployed on or in connection with the Platform.

A.2 This Policy applies to all Users accessing the Platform through:

(a) mobile applications;

(b) web browsers;

A.3 This Annexure forms an integral part of the Privacy Policy and shall be read in conjunction therewith.

B. WHAT ARE COOKIES & TRACKING TECHNOLOGIES

B.1 Cookies are small text files placed on a User’s device to enable functionality, security, and analytics.

B.2 Tracking Technologies may include:

(a) session cookies;

(b) persistent cookies;

(d) mobile SDKs;

(e) server logs;

(f) pixels and tags.

B.3 Such technologies do not independently identify Users but may be linked to personal data held by Glatro.

C. CATEGORIES OF COOKIES USED

C.1 Strictly Necessary Cookies

Used to:

(a) authenticate Users;

(b) maintain sessions;

(d) enable core Platform functionality.

Disabling these cookies may render the Platform unusable.

C.2 Performance & Analytics Cookies

Used to:

(a) analyse usage patterns;

(b) measure performance and load;

(d) improve Platform features.

Data collected may be aggregated or anonymised.

C.3 Security & Risk Cookies

Used to:

(a) detect suspicious behaviour;

(b) enforce platform safeguards;

Such cookies are essential for Platform integrity.

C.4 Functional Cookies

Used to:

(a) remember preferences;

(b) personalise user experience;

D. PURPOSES OF USE

Tracking Technologies are used for:

(a) authentication and session continuity;

(b) fraud prevention and security monitoring;

(d) troubleshooting and debugging;

(e) legal compliance and audit trails.

E. THIRD-PARTY COOKIES & SDKs

E.1 Glatro may permit certain third-party service providers (e.g., analytics or security vendors) to place Tracking Technologies on the Platform.

E.2 Such third parties operate under their own privacy policies and are not controlled by Glatro.

E.3 Glatro shall not be liable for third-party Tracking Technologies beyond its reasonable control.

F. USER CONTROL & CONSENT

F.1 Users may control cookies through:

(a) device or browser settings;

(b) app permissions;

F.2 Disabling cookies may impair functionality or security.

F.3 Continued use of the Platform constitutes consent to the use of Tracking Technologies, to the extent permitted by law.

G. NO GUARANTEE OF COMPLETE OPT-OUT

G.1 Certain cookies and Tracking Technologies cannot be disabled without affecting essential services.

G.2 Glatro disclaims liability for degraded performance resulting from User-imposed restrictions.

H. DATA SECURITY & RETENTION

H.1 Data collected through Tracking Technologies is protected in accordance with the Data Security section of the Privacy Policy.

H.2 Retention periods are governed by Annexure I (Data Retention Matrix).

I. MODIFICATIONS TO THIS POLICY

I.1 Glatro reserves the right to modify this Annexure at any time.

I.2 Continued use of the Platform after modifications constitutes acceptance.

ANNEXURE VI

GOVERNMENT, REGULATORY & LAW ENFORCEMENT DISCLOSURE SOP

A. PURPOSE & GOVERNANCE

A.1 This Annexure establishes the standard operating procedure (“SOP”) governing disclosures of information by Glatro to government bodies, regulatory authorities, and law enforcement agencies.

A.2 The SOP is designed to:

(a) ensure compliance with applicable Indian laws;

(b) enable prompt cooperation with lawful requests;

(d) minimise risk of unlawful or excessive disclosures.

A.3 This Annexure forms an integral part of the Privacy Policy and shall be read in conjunction therewith.

B. DISCLOSURE AUTHORITY & LEGAL BASIS

B.1 Glatro may disclose information where such disclosure is:

(a) mandated by law;

(b) required pursuant to a valid court order, warrant, or subpoena;

(d) necessary to prevent or investigate fraud, cybercrime, or unlawful activity;

(e) required to protect life, property, or public safety.

B.2 Disclosures shall be made strictly in accordance with:

• Information Technology Act, 2000;

• IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021;

• Code of Criminal Procedure, 1973;

• applicable sectoral regulations and judicial precedents.

C. REQUEST VALIDATION & REVIEW

C.1 All requests for disclosure shall be subject to internal legal and compliance review prior to disclosure, except in emergency situations.

C.2 Glatro may verify:

(a) identity and authority of the requesting body;

(b) jurisdictional competence;

(d) legal validity of the request.

C.3 Requests that are vague, overbroad, or unsupported by lawful authority may be:

(a) limited;

(b) challenged; or

D. SCOPE OF DISCLOSURE

D.1 Disclosures shall be limited to the minimum data necessary to comply with the request.

D.2 Glatro shall not disclose:

(a) proprietary algorithms or source code;

(b) internal risk assessments or profiling logic;

D.3 Where permissible, data may be anonymised or redacted prior to disclosure.

E. EMERGENCY DISCLOSURES

E.1 In circumstances involving an imminent threat to life or public safety, Glatro may disclose information without prior notice or complete validation.

E.2 Such disclosures shall be:

(a) limited in scope;

(b) documented internally;

E.3 Emergency disclosures made in good faith shall not give rise to liability.

F. USER NOTICE & CONFIDENTIALITY

F.1 Where permitted by law, Glatro may notify Users of disclosures affecting them.

F.2 Glatro may withhold notice where:

(a) prohibited by law;

(b) notice would prejudice investigations;

G. RECORD-KEEPING & AUDIT

G.1 Glatro shall maintain internal records of:

(a) disclosure requests received;

(b) data disclosed;

(d) correspondence with authorities.

G.2 Such records may be retained in accordance with Annexure I.

H. NO LIABILITY & GOOD FAITH PROTECTION

H.1 Disclosures made in good faith and in compliance with this SOP shall not give rise to liability towards Users.

H.2 Users expressly waive claims arising from lawful disclosures.

I. FINALITY & MODIFICATION

I.1 Glatro’s determination regarding compliance with disclosure requests shall be final, subject to mandatory statutory obligations.

I.2 This SOP may be modified at any time to reflect changes in law or regulatory practice.

ANNEXURE VII

ARBITRATION PROCEDURE & RULES

A. OBJECTIVE & BINDING NATURE

A.1 This Annexure sets out the exclusive dispute resolution mechanism applicable to any disputes, claims, controversies, or differences arising out of or in connection with:

(a) the Platform;

(b) the Terms of Use;

(d) any ancillary policies, annexures, or agreements;

(e) the relationship between Glatro and any User.

A.2 This Annexure shall be binding on all Users, including Customers, Vendors, Retailers, Delivery Partners, and any other persons accessing or using the Platform.

B. MANDATORY PRE-ARBITRATION PROCESS

B.1 Prior to initiating arbitration, the aggrieved party shall make a good faith effort to resolve the dispute amicably by submitting a written notice of dispute to Glatro.

B.2 The notice shall contain:

(a) detailed description of the dispute;

(b) relief sought;

B.3 Glatro shall be afforded a minimum of 30 (thirty) days from receipt of notice to attempt resolution.

B.4 Failure to comply with this pre-arbitration requirement may result in dismissal or stay of arbitration proceedings.

C. AGREEMENT TO ARBITRATE

C.1 All disputes not resolved through amicable settlement shall be finally resolved by arbitration, in accordance with the provisions of the Arbitration and Conciliation Act, 1996, as amended.

C.2 Arbitration shall be the exclusive remedy, except where injunctive or interim relief is sought.

C.3 Users expressly waive the right to initiate or participate in class actions or representative proceedings, to the maximum extent permitted by law.

D. ARBITRAL TRIBUNAL

D.1 Arbitration shall be conducted by a sole arbitrator, appointed mutually by the parties.

D.2 In the event the parties fail to agree on the appointment of a sole arbitrator within 15 days, the arbitrator shall be appointed in accordance with the Arbitration and Conciliation Act, 1996.

D.3 The arbitrator shall:

(a) be legally qualified;

(b) have experience in commercial and technology disputes;

E. SEAT, VENUE & LANGUAGE

E.1 The seat and legal place of arbitration shall be Gurgaon, Haryana, India.

E.2 The venue may be Gurgaon or any other location as determined by the arbitrator.

E.3 The arbitration proceedings shall be conducted in the English language.

F. GOVERNING LAW

F.1 This Annexure, the arbitration proceedings, and all disputes shall be governed by and construed in accordance with the laws of India.

F.2 Indian substantive law shall apply to all matters, irrespective of the User’s location.

G. INTERIM & INJUNCTIVE RELIEF

G.1 Nothing in this Annexure shall prevent Glatro from seeking:

(a) interim relief;

(b) injunctive relief;

G.2 Courts at Gurgaon, Haryana shall have exclusive jurisdiction for such relief.

H. COSTS & FEES

H.1 The arbitrator shall have discretion to determine:

(a) costs of arbitration;

(b) legal fees;

H.2 Costs may be awarded against the losing party.

I. CONFIDENTIALITY

I.1 Arbitration proceedings, pleadings, evidence, and awards shall be confidential, except where disclosure is required by law.

J. FINALITY & ENFORCEMENT

J.1 The arbitral award shall be final and binding on the parties.

J.2 The award shall be enforceable in accordance with Indian law.

K. COURT FALLBACK & EXCLUSIVE JURISDICTION

K.1 Where arbitration is not permitted under law, or where interim relief is sought, courts at Gurgaon, Haryana shall have exclusive jurisdiction.

K.2 Users expressly waive objections to jurisdiction or forum convenience.

L. SURVIVAL

L.1 This Annexure shall survive termination of the User’s relationship with Glatro.

ANNEXURE VIII — DISCLAIMER, ACKNOWLEDGEMENTS & RISK ACCEPTANCE

A. PLATFORM PROVIDED ON “AS IS” AND “AS AVAILABLE” BASIS

A.1 The Platform, including all content, features, functionalities, services, software, and interfaces, is provided on an “as is”, “as available”, and “with all faults” basis.

A.2 Glatro makes no representations or warranties, express or implied, including but not limited to warranties of:

(a) merchantability;

(b) fitness for a particular purpose;

(d) uninterrupted or error-free operation;

(e) compatibility with any device or system.

A.3 Any reliance placed by Users on the Platform or its outputs is entirely at their own risk.

B. NO WARRANTY REGARDING PRODUCTS OR SERVICES

B.1 Glatro is a technology marketplace intermediary and does not:

(a) manufacture, stock, or own products;

(b) control Vendors’ inventory or quality;

B.2 All product-related representations, descriptions, pricing, availability, and legality are the sole responsibility of Vendors or Retailers.

B.3 Glatro expressly disclaims liability for:

(a) product defects or quality issues;

(b) mismatches between images and actual products;

C. USER ASSUMPTION OF RISK

C.1 Users expressly acknowledge and accept all risks associated with:

(a) accessing or using the Platform;

(b) placing orders or making payments;

(d) reliance on information or content displayed on the Platform.

C.2 Such risks include, without limitation:

(a) technical failures;

(b) third-party misconduct;

(d) data security incidents beyond reasonable control.

D. NO PROFESSIONAL OR COMMERCIAL ADVICE

D.1 Any information provided on the Platform, including recommendations, suggestions, analytics, or insights, is for general informational purposes only.

D.2 Nothing on the Platform constitutes legal, financial, tax, medical, or professional advice.

D.3 Users are solely responsible for obtaining independent professional advice where required.

E. LIMITATION OF LIABILITY

E.1 To the maximum extent permitted by law, Glatro shall not be liable for:

(a) indirect, incidental, consequential, special, or punitive damages;

(b) loss of profits, revenue, business, data, or goodwill;

E.2 Glatro’s aggregate liability, if any, shall be limited strictly to the extent mandated under applicable Indian law.

F. FORCE MAJEURE

F.1 Glatro shall not be liable for delays or failures arising from events beyond reasonable control, including but not limited to:

(a) natural disasters;

(b) pandemics or epidemics;

(d) network or power failures;

(e) strikes or labour disputes;

(f) acts of God or public enemy.

F.2 Performance obligations affected by force majeure shall be suspended for the duration of such events.

G. NO CLASS ACTIONS

G.1 To the maximum extent permitted by law, Users expressly waive the right to:

(a) initiate or participate in class actions;

(b) act as a representative plaintiff;

G.2 Disputes shall be resolved strictly on an individual basis.

H. INDEMNITY

H.1 Users agree to indemnify, defend, and hold harmless Glatro, its directors, officers, employees, and affiliates from all claims, losses, liabilities, damages, and expenses arising from:

(a) misuse of the Platform;

(b) violation of laws or third-party rights;

(d) fraudulent or unlawful conduct.

H.2 This indemnity shall survive termination of the User’s relationship with Glatro.

I. ACKNOWLEDGEMENT OF UNDERSTANDING

I.1 Users acknowledge that:

(a) they have read and understood these Policies;

(b) they have had the opportunity to seek independent legal advice;

I.2 Lack of awareness or understanding shall not be a defence.

J. STATUTORY OVERRIDE

J.1 Nothing in this Annexure shall exclude liability that cannot be excluded under applicable Indian law.

J.2 Subject thereto, this Annexure shall be interpreted in favour of limiting Glatro’s liability.

ANNEXURE IX — SEVERABILITY, WAIVER & INTERPRETATION

A. SEVERABILITY

A.1 If any provision of this Privacy Policy, including its Annexures, is held to be invalid, unlawful, unenforceable, or void by a court or competent authority, such provision shall be:

(a) deemed severed from the remaining provisions; and

(b) replaced, to the extent permissible, with a valid provision that most closely reflects the original intent.

A.2 The invalidity or unenforceability of any provision shall not affect the validity, legality, or enforceability of the remaining provisions.

A.3 The remaining provisions shall continue in full force and effect.

B. NO WAIVER

B.1 Any failure or delay by Glatro in exercising any right, power, or remedy under this Privacy Policy shall not constitute a waiver of such right, power, or remedy.

B.2 A waiver shall be effective only if:

(a) expressly granted in writing; and

(b) signed by an authorised representative of Glatro.

B.3 A waiver of any breach shall not be deemed a waiver of any subsequent or continuing breach.

C. ENTIRE AGREEMENT (PRIVACY CONTEXT)

C.1 This Privacy Policy, together with:

(a) the Terms of Use;

(b) all Annexures;

constitutes the entire understanding between the User and Glatro in relation to data protection and privacy.

C.2 This Policy supersedes all prior understandings, communications, or representations, whether oral or written, relating to personal data.

D. NO ASSIGNMENT BY USER

D.1 Users may not assign, transfer, or delegate any rights or obligations under this Privacy Policy without prior written consent of Glatro.

D.2 Glatro may freely assign or transfer this Policy as part of any corporate restructuring, merger, acquisition, or asset transfer.

E. SUCCESSORS & ASSIGNS

E.1 This Privacy Policy shall bind and inure to the benefit of:

(a) Glatro and its successors and assigns;

(b) Users and their lawful heirs, legal representatives, and permitted assigns.

F. INTERPRETATION RULES

F.1 Headings are for convenience only and shall not affect interpretation.

F.2 Words in the singular include the plural and vice versa.

F.3 The terms “including”, “without limitation”, and similar expressions shall be construed illustratively and not restrictively.

F.4 Any ambiguity shall be interpreted in favour of Glatro, to the maximum extent permitted by law.

H. GOVERNING LAW & JURISDICTION (RECONFIRMATION)

H.1 This Privacy Policy shall be governed by and construed in accordance with the laws of India.

H.2 Subject to the Arbitration Annexure, courts at Gurgaon, Haryana shall have exclusive jurisdiction over all matters arising out of or relating to this Policy.

I. SURVIVAL

I.1 Provisions relating to:

(a) data retention;

(b) disclosures;

(d) limitation of liability;

(e) dispute resolution;

(f) governing law;

shall survive termination of the User’s relationship with Glatro.

J. FINAL ACKNOWLEDGEMENT

J.1 Users expressly acknowledge that:

(a) they have read and understood this Privacy Policy in its entirety;

(b) they consent to the collection and processing of personal data as described;

J.2 Ignorance of the contents of this Policy shall not be a defence.

2.1 Statutory Compliance Framework

(a) The Information Technology Act, 2000, including all rules, regulations, notifications, and guidelines issued thereunder, governing electronic records, data protection, intermediary obligations, cyber security, and liability of online platforms;
(b) The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, insofar as they regulate the collection, processing, storage, disclosure, and protection of sensitive personal data or information;
(c) The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, including obligations relating to due diligence, grievance redressal, content moderation, and lawful disclosures;
(d) The Digital Personal Data Protection Act, 2023, to the extent applicable, including provisions relating to Data Principals, lawful processing, consent, legitimate use, retention, and enforcement mechanisms;
(e) The Consumer Protection Act, 2019, including e-commerce rules framed thereunder, insofar as they impose obligations relating to transparency, disclosures, and grievance handling;
(f) Any other applicable statute, regulation, guideline, circular, advisory, or order issued by competent governmental, regulatory, or judicial authorities in India.

2.2 Dynamic Compliance & Interpretative Authority

Glatro expressly acknowledges that data protection and privacy laws in India are evolving, and therefore reserves the right to:

(a) interpret and implement this Policy in a manner consistent with the most recent statutoryrequirements, regulatory guidance, or judicial precedents

(b) amend, modify, or supplement this Policy to ensure ongoing compliance without prior notice,except where mandatory notice is required by law

(c) rely upon exemptions, safe harbours, legitimate use provisions, and statutory defences available under applicable law.

2.3 Lawful Bases for Processing of Personal Data

Glatro processes personal data strictly on lawful grounds, including one or more of the following bases, as recognised under Indian law:

2.3.1 Consent-Based Processing

2.3.2 Contractual Necessity

2.3.3 Legal and Regulatory Compliance

2.3.4 Legitimate Business Interests

2.4 Explicit Consent & Withdrawal

2.4.1 Where explicit consent is required under law, Glatro shall obtain such consent in a manner prescribed by applicable statutes or regulations.

2.4.2 Users acknowledge and agree that withdrawal of consent may:

(a) restrict access to certain features or services

(b) result in suspension or termination of accounts

(d) not override statutory or regulatory retention obligations.

2.4.3 Glatro reserves the right to continue processing personal data despite withdrawal of consent, where such processing is permitted or mandated by law.

2.5 Jurisdictional Limitation

2.5.1 This Policy is intended to comply with Indian laws only. Glatro makes no representation regarding compliance with foreign data protection laws unless expressly stated.

2.5.2 Users accessing the Platform from outside India do so at their own risk and are solely responsible for compliance with local laws.

2.6 Supremacy of Statutory Provisions

3. DEFINITIONS

3.1 Purpose of Definitions

3.1.1 The definitions set out in this Section are provided for the purposes of interpretation, clarity, and uniform application of this Privacy Policy.

3.1.2 These definitions shall apply throughout this Policy, including all annexures, schedules, operational policies, and related documents, unless the context expressly requires otherwise.

3.1.3 In the event of any ambiguity or uncertainty in interpretation, the interpretation most favourable to Glatro and consistent with applicable Indian law shall prevail.

3.2 “Personal Data”

3.2.2 For the avoidance of doubt, Personal Data includes, without limitation:

(a) information voluntarily provided by the User;

(b) information automatically collected through technical means;

3.2.3 Personal Data shall continue to be treated as such until irreversibly anonymised in accordance with this Policy and applicable law.

3.3 “Sensitive Personal Data”

3.3.2 Without limiting the generality of the foregoing, Sensitive Personal Data may include:

(a) passwords and authentication credentials;

(b) financial information such as bank account details (where lawfully collected);

(d) any other category of data notified as sensitive under applicable law.

3.3.3 Glatro does not intentionally collect Sensitive Personal Data unless such collection is:

(a) expressly permitted by law;

(b) necessary for lawful verification, compliance, or payment settlement; and

3.4 “Processing”

3.4.1 “Processing” means any operation or set of operations performed on Personal Data or Sensitive Personal Data, whether or not by automated means.

3.4.2 Processing includes, without limitation:

(a) collection, recording, organisation, structuring;

(b) storage, adaptation, alteration, retrieval, consultation;

(d) alignment, combination, restriction;

(e) retention, archiving, anonymisation, or deletion.

3.4.3 Processing may be carried out directly by Glatro or indirectly through authorised third-party processors acting on Glatro’s behalf.

3.5 “Data Principal”

3.5.1 “Data Principal” shall have the meaning assigned under the Digital Personal Data Protection Act, 2023, and refers to the individual to whom the Personal Data relates.

3.5.2 For the purposes of this Policy:

(a) Customers, Vendors, Delivery Partners, and Users may all qualify as Data Principals;

(b) where a User acts on behalf of an entity, the individual whose data is provided shall be deemed the Data Principal.

3.5.3 Nothing in this Policy shall be construed as conferring any rights upon a Data Principal beyond those expressly mandated under applicable law.

3.6 “Data Processor” and “Third-Party Processor”

3.6.2 Such processors may include, without limitation:

(a) payment gateway providers;

(b) cloud hosting and infrastructure providers;

(d) analytics, fraud detection, and security vendors;

(e) communication service providers.

3.7 “Platform”

3.7.1 “Platform” means and includes:

(a) Glatro’s mobile applications (for Customers, Vendors, and Delivery Partners);

(b) websites (when launched);

(d) all associated features, services, and functionalities.

3.7.2 Any reference to the Platform shall be deemed to include future upgrades, modifications, or replacements thereof.

3.8 “User”

3.8.1 “User” includes any individual or entity that accesses, browses, registers, or otherwise interacts with the Platform in any capacity.

3.8.2 Users include, without limitation:

(a) Customers;

(b) Vendors or Retailers;

(d) visitors or unregistered users;

(e) service providers interacting with the Platform.

3.9 Interpretative Rules

3.9.1 Headings and section titles are inserted for convenience only and shall not affect interpretation.

3.9.2 Words importing the singular shall include the plural and vice versa.

3.9.3 Any capitalised term not defined herein shall have the meaning assigned to it in the Terms of Use or under applicable law.

3.9.4 In case of doubt, the interpretation adopted by Glatro shall be final and binding, subject to mandatory statutory provisions.

4. CATEGORIES OF DATA COLLECTED

4.1 General Principle of Data Collection

4.1.1 Glatro collects personal data strictly on a need-to-collect basis, determined by operational, contractual, security, compliance, and legal requirements.

4.1.2 The categories of data described below are illustrative and non-exhaustive, and Glatro reserves the right to collect additional categories of data where such collection is:

(a) permitted under applicable law;

(b) necessary for platform operations; or

4.1.3 Users expressly acknowledge that certain data may be collected automatically, without direct action by the User, through technical or system-level processes.

4.2 Identity & Contact Data

4.2.1 Glatro may collect and process basic identity and contact information, including but not limited to:

(a) full name;

(b) mobile number;

(d) username or account identifier;

(e) profile photograph (if uploaded);

(f) preferred language or communication settings.

4.2.2 Such data is collected for purposes including account creation, authentication, communication, customer support, grievance handling, and fraud prevention.

4.2.3 Glatro shall not be responsible for inaccuracies arising from information provided directly by Users.

4.3 Transactional & Order-Related Data

4.3.1 Glatro may collect, generate, and retain transactional data relating to orders placed through the Platform, including but not limited to:

(a) order identifiers and reference numbers;

(b) order timestamps;

(d) pricing details, discounts, and applied promotions;

(e) cancellation records and reasons;

(f) refund requests, approvals, denials, and histories.

4.3.2 Transactional data may be retained for extended periods to comply with tax laws, accounting standards, audit requirements, dispute resolution, and legal defence.

4.4 Delivery & Location Data

4.4.1 In order to facilitate logistics and fulfilment, Glatro may collect and process delivery and location-related data, including:

(a) delivery addresses provided by Users;

(b) geo-coordinates (approximate) derived from device or mapping services;

(d) delivery timestamps, proof of delivery, and acceptance confirmations.

4.4.2 Location data may be collected in real-time or periodically, subject to device permissions and platform functionality.

4.4.3 Glatro disclaims liability for inaccuracies in location data caused by device settings, network issues, or third-party mapping services.

4.5 Payment Metadata

4.5.1 Glatro may collect limited payment-related metadata strictly necessary for transaction processing, reconciliation, and compliance, including:

(a) transaction reference numbers;

(b) payment method indicators (e.g., UPI, card, wallet);

(d) refund reference identifiers.

4.5.2 IMPORTANT DISCLAIMER:

Glatro does not store or process:

(a) debit or credit card numbers;

(b) CVV or PIN details;

4.5.3 All payment transactions are processed through RBI-compliant third-party payment gateways, and Glatro shall not be liable for breaches occurring within such external systems.

4.6 Vendor & Delivery Partner KYC Data

4.6.1 For Vendors and Delivery Partners, Glatro may collect enhanced verification data, including but not limited to:

(a) Permanent Account Number (PAN);

(b) Goods and Services Tax Identification Number (GSTIN), where applicable;

(d) government-issued identification documents;

(e) verification results and risk assessments.

4.6.2 Such data is collected for onboarding, compliance with anti-money laundering norms, fraud prevention, payout processing, and enforcement of contractual obligations.

4.6.3 Glatro reserves the right to retain such data even after termination, as permitted by law.

4.7 Device, Technical & Usage Data

4.7.1 Glatro may automatically collect technical and usage data, including but not limited to:

(a) IP address;

(b) device identifiers and hardware information;

(d) app usage logs and interaction metrics;

(e) crash reports, diagnostics, and error logs.

4.7.2 Such data is collected for security monitoring, system optimisation, analytics, troubleshooting, and abuse detection.

4.7.3 Users acknowledge that blocking or restricting such data collection may impair Platform functionality.

4.8 Communications & Support Data

4.8.1 Glatro may collect and retain records of communications between Users and Glatro, including:

(a) customer support chats and emails;

(b) call recordings (where permitted by law);

(d) internal notes and investigation records.

4.8.2 Such communications may be monitored, recorded, or reviewed for quality assurance, training, compliance, dispute resolution, and legal defence.

4.9 Inferred, Derived & Aggregated Data

4.9.1 Glatro may generate derived or inferred data based on analysis of User interactions, including:

(a) risk scores;

(b) fraud indicators;

(d) preference segments.

4.9.2 Aggregated or anonymised data that does not identify an individual may be retained indefinitely and used for analytics, reporting, and business intelligence.

4.10 Third-Party Data

4.10.1 Glatro may receive personal data from third-party sources, including payment partners, verification agencies, or service providers, where permitted by law.

4.10.2 Glatro shall not be responsible for accuracy of data obtained from third parties.

4.11 Accuracy & Responsibility

4.11.1 Users are responsible for ensuring that personal data provided is accurate, complete, and up to date.

4.11.2 Glatro shall not be liable for consequences arising from inaccurate or outdated data supplied by Users.

5. PURPOSES OF PROCESSING

5.1 Overarching Principle

5.1.2 The purposes described in this Section are illustrative and non-exhaustive, and Glatro reserves the right to process personal data for additional purposes where such processing is:

(a) reasonably connected to the original purpose of collection;

(b) necessary for platform operations, safety, or compliance; or

5.2 Account Creation, Authentication & Management

5.2.1 Personal data is processed to:

(a) create and maintain User accounts;

(b) authenticate Users during login and access;

(d) manage account preferences, settings, and permissions.

5.2.2 Glatro may use multi-factor authentication, OTP verification, and risk-based access controls as part of its security framework.

5.2.3 Failure to provide accurate data may result in suspension or termination of access without liability.

5.3 Order Fulfilment & Platform Operations

5.3.1 Personal data is processed to:

(a) enable placement, confirmation, modification, and cancellation of orders;

(b) coordinate with Vendors and Delivery Partners;

(d) ensure timely fulfilment and delivery tracking.

5.3.2 Glatro may retain order-related data for extended periods to ensure auditability, dispute resolution, and legal defence.

5.4 Payments, Settlements & Financial Reconciliation

5.4.1 Personal data and payment metadata are processed to:

(a) facilitate payment transactions through authorised gateways;

(b) reconcile payments, refunds, and settlements;

(d) comply with accounting, tax, and audit requirements.

5.4.2 Glatro disclaims liability for failures attributable to third-party payment systems.

5.5 Vendor & Delivery Partner Verification

5.5.1 Enhanced personal data may be processed for:

(a) onboarding and KYC verification;

(b) risk profiling and eligibility assessment;

(d) payout processing and recovery actions.

5.5.2 Glatro reserves the right to re-verify such data periodically or upon suspicion of risk.

5.6 Fraud Prevention, Abuse Detection & Security

5.6.1 Personal data may be processed to:

(a) detect fraudulent transactions or activities;

(b) prevent misuse of promotions, refunds, or platform features;

(d) protect the integrity and security of the Platform.

5.6.2 Glatro may deploy automated tools, monitoring systems, and internal investigations for these purposes.

5.6.3 Users acknowledge that such processing may result in account restrictions or enforcement actions.

5.7 Customer Support, Communications & Grievance Handling

5.7.1 Personal data is processed to:

(a) respond to queries, complaints, and support requests;

(b) investigate grievances and disputes;

(d) improve customer experience and service quality.

5.7.2 Communications may be recorded, stored, and reviewed for quality assurance, training, and legal defence.

5.8 Legal Compliance, Audits & Enforcement

5.8.1 Personal data may be processed to:

(a) comply with statutory obligations;

(b) respond to court orders, regulatory notices, or law enforcement requests;

(d) enforce contractual rights and pursue legal remedies.

5.8.2 Such processing may continue even after account deletion, where required or permitted by law.

5.9 Analytics, Research & Platform Improvement

5.9.1 Personal data, including aggregated or anonymised data, may be processed for:

(a) analytics and reporting;

(b) performance measurement;

(d) internal research and development.

5.9.2 Insights derived from such processing are proprietary to Glatro.

5.10 Business Continuity & Risk Management

5.10.1 (a) ensure business continuity;

5.10.1 (b) manage operational risks;

5.10.1 (c) conduct internal investigations;

5.10.1 (d) protect Glatro’s legal, financial, and reputational interests.

5.10.2 Such processing shall not give rise to enforceable rights in favour of Users.

5.11 Marketing, Promotions & Communications

5.11.1 Subject to applicable law and consent requirements, Glatro may process personal data to:

(a) inform Users of offers, promotions, or updates;

(b) personalise content or recommendations;

5.11.2 Users may opt out of certain communications, however service-related communications shall continue.

5.12 Limitation of Purpose-Based Claims

5.12.1 Users expressly waive any claim against Glatro arising solely from lawful processing of personal data for the purposes outlined in this Section.

5.12.2 Glatro’s determination of the necessity or relevance of processing for a particular purpose shall be final, subject to mandatory statutory provisions.

6. AUTOMATED DECISION-MAKING, PROFILING & RISK ASSESSMENT

6.1 Use of Automated Systems

6.1.1 Glatro may deploy automated tools, algorithms, rule-based engines, and machine-assisted decision-making systems for the purpose of operating, securing, and optimising the Platform.

6.1.2 Such automated systems may be used across multiple functional areas, including but not limited to:

(a) fraud detection and prevention;

(b) risk scoring and behavioural analysis;

(d) payment validation and anomaly detection;

(e) eligibility assessment for promotions, offers, or incentives;

(f) operational efficiency and platform integrity.

6.1.3 The deployment of such systems is undertaken in Glatro’s legitimate business interest and for the protection of Users, Vendors, Delivery Partners, and the Platform as a whole.

6.2 Profiling Activities

6.2.1 Glatro may create profiles of Users based on observed behaviour, transaction history, usage patterns, and other relevant data points.

6.2.2 Profiling may involve:

(a) categorisation of Users into risk or trust tiers;

(b) identification of anomalous or suspicious activity;

(d) assessment of compliance with platform policies.

6.2.3 Profiling outcomes may be used to:

(a) restrict or enhance access to certain features;

(b) apply additional verification measures;

(d) determine eligibility for promotional or commercial benefits.

6.3 Automated Enforcement Actions

6.3.1 Based on automated assessments, Glatro may take enforcement actions including, without limitation:

(a) temporary or permanent account suspension;

(b) limitation of services or features;

(d) cancellation of orders or transactions;

(e) blacklisting across devices, identifiers, or accounts.

6.3.2 Users expressly acknowledge and agree that such actions may be taken without prior notice, where permitted by law, in order to protect the Platform and its stakeholders.

6.4 Human Oversight & Discretion

6.4.1 While automated systems may assist in decision-making, Glatro reserves the right to:

(a) review automated outcomes manually;

(b) override, confirm, or modify such outcomes;

6.4.2 Glatro is under no obligation to provide detailed explanations of automated logic, scoring methodologies, or internal thresholds, except where expressly required by law.

6.5 No Enforceable Rights Created

6.5.1 The use of automated decision-making or profiling does not create any enforceable rights in favour of Users, including any right to:

(a) demand disclosure of algorithms or logic;

(b) challenge risk scores or internal classifications;

6.5.2 Any benefit, access, or privilege extended by Glatro may be withdrawn at its discretion.

6.6 Statutory Compliance & Limitations

6.6.1 To the extent applicable, Glatro’s use of automated decision-making shall comply with mandatory provisions of Indian law, including the Digital Personal Data Protection Act, 2023.

6.6.2 Nothing in this Policy shall be construed as restricting Glatro’s ability to:

(a) prevent fraud or unlawful activity;

(b) comply with legal obligations;

6.7 Waiver of Claims

6.7.1 Users expressly waive any claims, demands, or causes of action against Glatro arising solely from:

(a) lawful automated processing;

(b) profiling-based decisions;

6.7.2 This waiver shall apply to the maximum extent permitted under applicable law.

7. DATA SHARING, DISCLOSURE & TRANSFER

7.1 General Principle of Data Disclosure

7.1.1 Glatro does not sell, rent, or commercially exploit personal data of Users.

(a) necessary for Platform operations;

(b) required for performance of contractual obligations;

(d) required to protect Glatro’s legal, commercial, or security interests.

7.1.3 All disclosures are made in good faith and in accordance with applicable Indian law.

7.2 Disclosure to Vendors, Retailers & Delivery Partners

7.2.1 In order to facilitate order fulfilment and delivery, Glatro may share limited personal data with Vendors, Retailers, and Delivery Partners, including:

(a) Customer name and contact details;

(b) delivery address and instructions;

7.2.2 Such recipients are contractually obligated to use personal data solely for fulfilment purposes and in compliance with applicable law.

7.2.3 Glatro shall not be responsible for unauthorised use of personal data by such third parties beyond its reasonable control.

7.3 Disclosure to Third-Party Service Providers

7.3.1 Glatro may engage third-party processors and service providers to perform functions on its behalf, including but not limited to:

(a) payment processing;

(b) cloud hosting and infrastructure;

(d) fraud detection and analytics;

(e) customer communication services.

7.3.2 Such service providers are granted limited access to personal data strictly for the purpose of performing contracted services.

7.3.3 While Glatro undertakes reasonable diligence in selecting such providers, it shall not be liable for acts or omissions of third-party processors except to the extent required by law.

7.4 Disclosure for Legal, Regulatory & Law Enforcement Purposes

7.4.1 Glatro may disclose personal data, without prior notice to the User, where such disclosure is required or permitted under applicable law, including in response to:

(a) court orders, subpoenas, or judicial directions;

(b) statutory notices from governmental or regulatory authorities;

(d) emergency situations involving threat to life or public safety.

7.4.2 Glatro may also proactively disclose data where it reasonably believes that such disclosure is necessary to:

(a) prevent fraud or unlawful activity;

(b) protect the rights, property, or safety of Glatro, Users, or the public;

7.4.3 Any disclosure made in good faith pursuant to this clause shall not give rise to liability towards Users.

7.5 Corporate Transactions & Business Transfers

7.5.2 Users acknowledge that such transfers are a legitimate business necessity and consent to continued processing by the successor entity.

7.6 Cross-Border Data Transfers

7.6.1 Personal data may be stored or processed on servers located within or outside India, subject to compliance with applicable Indian laws.

7.6.2 Where cross-border transfers occur, Glatro shall take reasonable steps to ensure that:

(a) such transfers are lawful;

(b) appropriate contractual or technical safeguards are in place;

7.6.3 Users accessing the Platform from outside India do so at their own risk and consent to cross-border processing.

7.7 Data Minimisation & Access Controls

7.7.1 Glatro implements access controls to ensure that personal data is accessible only to authorised personnel and service providers.

7.7.2 Access is granted strictly on a role-based and purpose-limited basis.

7.8 No User Control Over Disclosures

7.8.1 Except where expressly mandated by law, Users shall have no right to object to or restrict disclosures made in accordance with this Section.

7.8.2 Glatro’s determination regarding necessity or lawfulness of disclosure shall be final, subject to mandatory statutory provisions.

8. DATA RETENTION

8.1 Overarching Retention Philosophy

8.1.2 Retention periods are determined based on a combination of:

(a) statutory and regulatory requirements under Indian law;

(b) contractual obligations;

(d) legitimate business interests of Glatro;

(e) the need to establish, exercise, or defend legal claims.

8.1.3 Users expressly acknowledge that immediate deletion of personal data is neither feasible nor legally permissible in many circumstances.

8.2 Retention Beyond Account Deletion

8.2.1 Deletion, deactivation, or termination of a User account does not automatically result in deletion of all personal data associated with such account.

8.2.2 Glatro may retain personal data beyond account deletion where such retention is:

(a) required to comply with applicable laws, including tax, accounting, and audit obligations;

(b) necessary for investigation or prevention of fraud, abuse, or unlawful activity;

(d) necessary to enforce contractual rights or pursue legal remedies;

(e) otherwise permitted or mandated under applicable law.

8.2.3 Users expressly waive any claim against Glatro arising solely from lawful retention of data beyond account deletion.

8.3 Statutory & Regulatory Retention Obligations

8.3.1 Glatro may be required to retain certain categories of data for prescribed minimum periods under:

(a) tax laws and GST regulations;

(b) corporate, accounting, and audit standards;

(d) IT Act obligations and intermediary due-diligence requirements;

(e) limitation periods under Indian civil and criminal law.

8.3.2 Such statutory retention obligations override any User request for deletion, to the extent permitted by law.

8.4 Retention for Legal Defence & Enforcement

8.4.1 Personal data may be retained for the purpose of:

(a) responding to or defending against legal claims;

(b) complying with court orders or legal process;

(d) preserving evidence in anticipation of litigation.

8.4.2 Retention for such purposes may continue until:

(a) final resolution of proceedings; and

(b) expiry of applicable limitation periods thereafter.

8.5 Internal Reviews, Audits & Risk Management

8.5.1 Glatro may retain personal data for internal audits, compliance reviews, and risk assessments.

8.5.2 Such retention is necessary to:

(a) demonstrate regulatory compliance;

(b) evaluate operational effectiveness;

8.6 Anonymisation & Aggregation

8.6.1 Where personal data is no longer required in identifiable form, Glatro may:

(a) irreversibly anonymise such data; or

(b) aggregate such data in a manner that does not identify an individual.

8.6.2 Anonymised or aggregated data may be retained indefinitely for analytics, reporting, and business intelligence.

8.7 Technical Backups & Residual Data

8.7.1 Users acknowledge that personal data may continue to exist in:

(a) system backups;

(b) disaster recovery systems;

8.7.2 Such residual data shall be securely isolated and deleted in accordance with Glatro’s internal backup retention schedules.

8.7.3 Glatro shall not be liable for temporary retention of such residual data.

8.8 Reference to Annexure I

8.8.1 Detailed retention periods applicable to specific data categories are set out in Annexure I – Data Retention Matrix & Record Management Policy.

8.8.2 In the event of any inconsistency, Annexure I shall prevail, to the extent permitted by law.

8.9 Finality of Retention Decisions

8.9.1 Glatro’s determination regarding the necessity, scope, and duration of data retention shall be final and binding, subject only to mandatory statutory provisions.

8.9.2 Users acknowledge that Glatro shall not be obligated to provide individualised justifications for retention decisions.

9. USER RIGHTS

9.1 General Principle Governing User Rights

9.1.1 Any rights exercisable by Users in relation to their personal data arise solely from applicable Indian law and not from this Privacy Policy.

9.1.2 Nothing contained in this Policy shall be construed as:

(a) granting additional rights beyond those expressly mandated under law;

(b) limiting Glatro’s statutory exemptions, defences, or discretionary powers;

9.1.3 All User rights are subject to:

(a) verification of identity;

(b) compliance with statutory conditions;

9.2 Right to Access

9.2.1 Subject to applicable law, Users may request access to personal data held by Glatro.

9.2.2 Such access may be:

(a) limited in scope;

(b) provided in summary form;

• prejudice legal proceedings;

• compromise security;

• infringe rights of other individuals;

• reveal proprietary systems or internal assessments.

9.2.3 Glatro shall not be obligated to provide:

(a) internal notes, risk scores, or profiling data;

(b) confidential business information;

9.3 Right to Correction or Updating

9.3.1 Users may request correction of inaccurate or incomplete personal data.

9.3.2 Glatro may require:

(a) supporting documentation;

(b) independent verification;

9.3.3 Glatro reserves the right to reject correction requests where:

(a) data accuracy cannot be reasonably verified;

(b) data is generated internally for security or compliance purposes;

9.4 Right to Deletion / Erasure

9.4.1 Users may request deletion of personal data only to the extent permitted under applicable law.

9.4.2 Deletion requests shall be denied where retention is required for:

(a) statutory or regulatory compliance;

(b) tax, accounting, or audit obligations;

(d) dispute resolution or legal defence;

(e) enforcement of contractual rights.

9.4.3 Deletion, where permitted, may be:

(a) partial;

(b) deferred;

9.4.4 Users expressly acknowledge that no absolute right to deletion exists under Indian law.

9.5 Right to Restrict or Object to Processing

9.5.1 Users may request restriction of processing only where expressly recognised under applicable law.

9.5.2 Glatro may deny such requests where processing is:

(a) necessary for contract performance;

(b) required for legal compliance;

(d) based on legitimate business interests.

9.5.3 Objections to processing shall not affect processing already lawfully carried out.

9.6 Verification & Abuse Prevention

9.6.1 Glatro reserves the right to:

(a) verify the identity of the requesting User;

(b) request additional documentation;

9.6.2 Failure to satisfactorily verify identity shall result in rejection of the request without liability.

9.7 Timeframes & Procedural Discretion

9.7.1 User requests shall be addressed within a reasonable timeframe, subject to:

(a) complexity of the request;

(b) volume of requests received;

9.7.2 Indicative timelines do not constitute binding commitments.

9.8 Fees & Administrative Burden

9.8.1 To the extent permitted by law, Glatro reserves the right to:

(a) charge reasonable administrative fees; or

(b) refuse to act on requests that impose disproportionate burden.

9.9 Finality of Decisions

9.9.1 Glatro’s decision in relation to any User request shall be final and binding, subject only to mandatory statutory remedies.

9.9.2 Users expressly waive any claim against Glatro arising from lawful denial or limitation of rights under this Section.

10. CHILDREN’S DATA (STRICT PROHIBITION)

10.1 Platform Not Intended for Minors

10.1.2 Glatro does not knowingly permit individuals below the age of eighteen (18) years to:

(a) register on the Platform;

(b) create or maintain user accounts;

(d) act as Vendors or Delivery Partners;

(e) otherwise access or use the Platform in any manner.

10.1.3 Any access or use of the Platform by a minor shall be deemed unauthorised and in violation of this Privacy Policy and the Terms of Use.

10.2 No Intentional Collection of Children’s Data

10.2.1 Glatro does not knowingly collect, solicit, or process personal data of minors.

10.2.2 The Company relies on:

(a) User representations regarding age; and

(b) technical and procedural safeguards reasonably available to prevent the onboarding of minors.

10.2.3 Glatro shall not be held responsible for misrepresentation of age or identity by Users or third parties.

10.3 Inadvertent Collection & Remedial Action

10.3.1 In the event that Glatro becomes aware, or has reason to believe, that personal data of a minor has been inadvertently collected or processed, Glatro shall, subject to applicable law:

(a) take reasonable steps to delete or anonymise such data;

(b) suspend or terminate the associated account;

10.3.2 Such remedial actions shall be taken at Glatro’s discretion and shall not create any obligation to provide notice, explanation, or compensation.

10.4 Parental Responsibility & Waiver

10.4.1 Parents or legal guardians are solely responsible for monitoring and supervising the online activities of minors under their care.

10.4.2 To the maximum extent permitted by law, Glatro disclaims all liability arising from:

(a) unauthorised access to the Platform by minors;

(b) misrepresentation of age by Users;

10.4.3 Any claims relating to minors’ data shall be subject to mandatory statutory remedies only, and no additional contractual rights are created.

10.5 Compliance with Indian Law

10.5.1 This Section is intended to comply with applicable Indian laws, including the Digital Personal Data Protection Act, 2023, to the extent relating to children’s data.

10.5.2 In the event of any change in legal requirements relating to children’s data, Glatro reserves the right to modify this Policy accordingly without prior notice.

11. DATA SECURITY & INCIDENT RESPONSE

11.1 Commitment to Reasonable Security Practices

11.1.2 Such security measures are implemented having regard to:

(a) the nature and sensitivity of the personal data processed;

(b) the volume and complexity of data handling operations;

(d) technological feasibility;

(e) cost of implementation.

11.1.3 Glatro’s security practices are aligned with requirements prescribed under applicable Indian laws, including the Information Technology Act, 2000 and rules framed thereunder.

11.2 Technical & Organisational Safeguards

11.2.1 Security safeguards may include, without limitation:

(a) access control mechanisms and role-based permissions;

(b) encryption of data in transit and, where appropriate, at rest;

(d) firewalls, intrusion detection, and monitoring systems;

(e) periodic security reviews and audits;

(f) employee access controls and confidentiality obligations.

11.2.2 Access to personal data is restricted to authorised personnel and service providers strictly on a need-to-know basis.

11.2.3 Users acknowledge that no security system is infallible and that absolute security cannot be guaranteed.

11.3 User Responsibilities in Data Security

11.3.1 Users are responsible for maintaining the confidentiality of their login credentials, passwords, OTPs, and account access information.

11.3.2 Glatro shall not be liable for any unauthorised access, data loss, or misuse resulting from:

(a) User negligence;

(b) sharing of credentials;

(d) malware or phishing attacks beyond Glatro’s control.

11.4 Incident Detection & Response

11.4.1 Glatro maintains internal procedures for identifying, assessing, and responding to potential data security incidents or breaches.

11.4.2 Upon becoming aware of a data security incident, Glatro may, subject to applicable law:

(a) investigate the nature and scope of the incident;

(b) take reasonable steps to contain and mitigate impact;

11.4.3 Incident response measures shall be determined at Glatro’s discretion, taking into account operational, legal, and security considerations.

11.5 Notification of Data Breaches

11.5.1 Where required under applicable Indian law, Glatro shall notify:

(a) affected Users; and/or

(b) relevant regulatory or governmental authorities,

of a data breach within the timelines prescribed by law.

11.5.2 Notification may be delayed or limited where permitted by law, including where such notification may:

(a) impede investigation;

(b) compromise security measures;

11.5.3 Failure to notify in circumstances not mandated by law shall not give rise to liability.

11.6 Third-Party Security

11.6.1 Glatro may rely on third-party service providers for infrastructure, payment processing, analytics, or security services.

11.6.2 While Glatro undertakes reasonable diligence in selecting such providers, it does not control their internal security practices.

11.6.3 Glatro shall not be liable for security incidents arising from third-party systems beyond its reasonable control, except where mandated by law.

11.7 No Absolute Guarantee of Security

11.7.1 Users expressly acknowledge that:

(a) transmission of data over the internet is inherently risky;

(b) no platform can guarantee complete security;

11.7.2 To the maximum extent permitted by law, Glatro disclaims liability for:

(a) cyber-attacks;

(b) hacking incidents;

(d) force majeure events impacting security.

11.8 Limitation of Liability for Security Incidents

11.8.1 Glatro’s liability, if any, arising from a data security incident shall be limited strictly in accordance with applicable law.

11.8.2 Users expressly waive any claim for indirect, consequential, punitive, or exemplary damages arising from security incidents, to the maximum extent permitted by law.

11.9 Continuous Improvement

11.9.1 Glatro may periodically review and update its security practices to address emerging threats, technological developments, or regulatory requirements.

11.9.2 Such updates may be implemented without prior notice and shall be deemed effective upon deployment.

12. THIRD-PARTY LINKS & SERVICES

12.1 Presence of Third-Party Links and Integrations

12.1.2 Such Third-Party Services may include, without limitation:

(a) payment gateway providers;

(b) mapping and navigation services;

(d) analytics and marketing platforms;

(e) external websites or applications accessed through links or redirects.

12.1.3 The inclusion of any Third-Party Service on the Platform does not constitute endorsement, approval, sponsorship, or recommendation by Glatro.

12.2 No Control or Responsibility

12.2.1 Glatro does not control, monitor, or assume responsibility for:

(a) the content, accuracy, or availability of Third-Party Services;

(b) the privacy practices or data handling policies of third parties;

12.2.2 Users acknowledge that Third-Party Services operate independently and are governed by their own terms, conditions, and privacy policies.

12.3 User Responsibility & Due Diligence

12.3.1 Users are solely responsible for:

(a) reviewing the terms and privacy policies of Third-Party Services;

(b) assessing the risks associated with use of such services;

12.3.2 Any interaction, transaction, or data sharing between the User and a third party is conducted solely at the User’s own risk.

12.4 No Liability for Third-Party Actions

12.4.1 To the maximum extent permitted by law, Glatro disclaims all liability arising from:

(a) acts or omissions of Third-Party Services;

(b) data breaches, losses, or misuse occurring within third-party systems;

12.4.2 Any claims arising from Third-Party Services shall be resolved directly between the User and the relevant third party, without recourse to Glatro.

12.5 Termination of Access

12.5.1 Glatro reserves the right to add, remove, or disable access to any Third-Party Service at its discretion and without notice.

12.5.2 Removal or modification of third-party integrations shall not give rise to any claim or liability.

12.6 Statutory Carve-Out

12.6.1 Nothing in this Section shall limit any liability that cannot be excluded under applicable Indian law.

12.6.2 Subject to mandatory statutory provisions, this Section shall be interpreted in favour of limiting Glatro’s liability.

13. GRIEVANCE REDRESSAL OFFICER & COMPLAINT HANDLING MECHANISM

13.1 Statutory Appointment

(a) processing of personal data;

(b) alleged violations of this Privacy Policy;

(d) compliance with applicable data protection laws.

13.1.2 The Grievance Redressal Officer shall act as the designated point of contact for Users and regulatory authorities in respect of data protection and privacy-related grievances.

13.2 Contact Details

The details of the Grievance Redressal Officer are as follows:

Grievance Redressal Officer

Location: WeWork DLF Forum, Cyber City Phase III, DLF QE, DLF QE, Gurgaon – 122002, Haryana

Email: grievance@glatro.com

13.2.1 The above contact details may be updated from time to time and shall be deemed effective upon publication on the Platform.

13.3 Scope of Grievances

13.3.1 Users may raise grievances relating to:

(a) collection, processing, or retention of personal data;

(b) alleged non-compliance with this Privacy Policy;

(d) requests for exercise of statutory data protection rights.

13.3.2 Complaints unrelated to data protection or privacy may be redirected to appropriate internal teams or support channels.

13.4 Complaint Submission Requirements

13.4.1 Complaints must be submitted:

(a) from the registered email address of the User; or

(b) through officially designated in-app or platform channels.

13.4.2 Complaints should include:

(a) sufficient details of the grievance;

(b) supporting documents or information, where available;

13.4.3 Anonymous or incomplete complaints may not be entertained.

13.5 Acknowledgement & Resolution Timelines

13.5.1 Glatro shall acknowledge receipt of a valid grievance within 24 to 48 hours, in accordance with applicable rules.

13.5.2 Grievances shall be addressed and resolved within a reasonable timeframe, subject to:

(a) nature and complexity of the complaint;

(b) requirement of investigation or verification;

13.5.3 Indicative timelines do not constitute binding commitments.

13.6 Internal Review & Discretion

13.6.1 All grievances shall be reviewed internally by Glatro’s compliance or legal teams, as deemed appropriate.

13.6.2 Glatro reserves the right to:

(a) seek additional information from the complainant;

(b) reject grievances that are frivolous, repetitive, or abusive;

13.6.3 Decisions taken by Glatro in relation to grievances shall be final and binding, subject to mandatory statutory remedies.

13.7 Limitation of Liability

13.7.1 Submission or processing of a grievance shall not create:

(a) any admission of liability by Glatro; or

(b) any contractual or fiduciary obligation beyond statutory requirements.

13.7.2 To the maximum extent permitted by law, Glatro disclaims liability for delays or outcomes arising from grievance handling, except where mandated by law.

14. CHANGES TO POLICY

14.1 Right to Modify, Amend or Update

14.1.1 Glatro expressly reserves the unrestricted right, at its sole discretion, to modify, amend, update, revise, supplement, or replace this Privacy Policy, in whole or in part, at any time.

14.1.2 Such changes may be made to reflect, inter alia:

(a) changes in applicable laws or regulations;

(b) issuance of new judicial interpretations or regulatory guidance;

(d) technological developments or security requirements;

(e) internal policy or compliance enhancements.

14.1.3 Glatro shall not be obligated to provide individual notice of such changes unless expressly required under applicable law.

14.2 Manner of Communication of Changes

14.2.1 Updated versions of this Privacy Policy may be communicated by:

(a) publication on the Platform;

(b) in-app notifications;

(d) any other method deemed appropriate by Glatro.

14.2.2 The “Last Updated” date displayed on the Policy shall indicate the effective date of such changes.

14.3 Continued Use Constitutes Acceptance

14.3.1 Users expressly acknowledge and agree that continued access to or use of the Platform after the effective date of any modification shall constitute:

(a) deemed acceptance of the revised Privacy Policy;

(b) renewed consent to processing of personal data in accordance with the updated terms.

14.3.2 If a User does not agree with any modification, the User’s sole and exclusive remedy is to discontinue use of the Platform.

14.3.3 Continued use shall override any prior objections, unless withdrawal of consent is expressly exercised in accordance with applicable law.

14.4 No Retroactive Claims

14.4.1 Users waive any right to challenge amendments on the ground that:

(a) prior notice was not received;

(b) individual consent was not separately obtained;

14.4.2 Amendments shall apply prospectively and, where permitted by law, to ongoing processing activities.

14.5 Statutory Override

14.5.1 Nothing in this Section shall limit any rights or obligations that cannot be waived or modified under applicable Indian law.

14.6 Survival

14.6.1 This Privacy Policy, including all amendments, shall survive termination of the User’s account to the extent necessary for:

(a) legal compliance;

(b) dispute resolution;

(d) statutory retention obligations.

ANNEXURE I — DATA RETENTION MATRIX & RECORD MANAGEMENT POLICY

A. PURPOSE AND LEGAL OBJECTIVE

A.2 This Annexure is framed to ensure compliance with:

(a) Information Technology Act, 2000;

(b) Digital Personal Data Protection Act, 2023;

(d) limitation periods under Indian civil and criminal law;

(e) regulatory, investigative, and enforcement requirements.

A.3 This Annexure shall be read as an integral and inseparable part of the Privacy Policy. In case of conflict, this Annexure shall prevail to the extent permitted by law.

B. FUNDAMENTAL RETENTION PRINCIPLES

B.1 Glatro follows a risk-based, compliance-driven retention model, under which data is retained only where there exists a lawful, regulatory, operational, or defensive justification.

B.2 Retention decisions are guided by:

(a) statutory minimum retention periods;

(b) likelihood of disputes, audits, or investigations;

(d) necessity to defend or enforce legal rights;

(e) platform security and fraud-prevention needs.

B.3 Users expressly acknowledge that data minimisation does not equate to immediate deletion, and that retention may lawfully continue even after cessation of services.

C. RETENTION BEYOND ACCOUNT DELETION

C.1 Deletion, deactivation, suspension, or termination of a User account does not automatically trigger deletion of all associated data.

C.2 Glatro may continue to retain data where necessary for:

(a) statutory or regulatory compliance;

(b) tax filings, GST reconciliation, or audits;

(d) dispute resolution, litigation defence, or evidence preservation;

(e) internal compliance reviews or risk assessments.

C.3 Any retention beyond account deletion shall be deemed lawful, reasonable, and necessary, and Users expressly waive objections to such retention.

D. DATA RETENTION CATEGORIES (DETAILED)

D.1 Customer Account Data

Includes profile details, contact information, authentication logs.

• Retention: Minimum 7 years from last activity

• Legal Basis: IT Act, limitation law, contractual defence

D.2 Order & Transaction Records

Includes invoices, order IDs, timestamps, pricing, refunds.

• Retention: 7–10 years

• Legal Basis: Tax laws, accounting standards, audits

D.3 Payment Metadata

Includes transaction references, settlement logs.

• Retention: 7 years

• Legal Basis: RBI norms, accounting compliance

D.4 Vendor KYC & Compliance Records

Includes PAN, GSTIN, bank details, verification results.

• Retention: 8 years post termination

• Legal Basis: AML, fraud prevention, enforcement

D.5 Delivery Partner Records

Includes onboarding documents, payout logs, misconduct history.

• Retention: 8 years post termination

• Legal Basis: risk management, legal defence

D.6 Logs, Security & Technical Records

Includes IP logs, device identifiers, audit trails.

• Retention: 1–3 years

• Legal Basis: security, investigation, compliance

D.7 Grievance & Legal Records

Includes complaints, notices, internal notes.

• Retention: Until final resolution + limitation period

• Legal Basis: litigation defence

E. ARCHIVAL, ANONYMISATION & DELETION

E.1 Upon expiry of retention periods, data may be:

(a) securely deleted using industry-standard methods;

(b) irreversibly anonymised;

E.2 Anonymised or aggregated data ceases to be personal data and may be retained indefinitely.

E.3 Users acknowledge that technical backups may retain residual data for limited periods.

F. FINALITY OF RETENTION DECISIONS

F.1 Glatro’s determination regarding what data to retain, for how long, and in what form shall be final and binding, subject only to mandatory statutory requirements.

F.2 No User shall have the right to demand immediate deletion contrary to this Annexure.

ANNEXURE II — DATA SUBJECT REQUEST (DSR) WORKFLOW

A. OBJECTIVE AND SCOPE

A.1 This Annexure sets out the internal policy, workflow, controls, and limitations applicable to requests made by Users (Data Principals).

A.2 This Annexure is framed to ensure compliance with:

• Digital Personal Data Protection Act, 2023

• Information Technology Act, 2000

• Applicable rules, regulations, and regulatory guidance

A.3 This Annexure applies to requests relating to:

(a) access to personal data;

(b) correction or updating of personal data;

(d) restriction or objection to processing;

(e) withdrawal of consent.

B. GENERAL PRINCIPLES GOVERNING USER REQUESTS

B.1 All DSRs shall be processed strictly in accordance with applicable law and this Policy.

B.2 Submission of a DSR does not guarantee acceptance or fulfillment.

B.3 Glatro reserves the right to:

(a) limit the scope of responses;

(b) refuse unlawful, excessive, or abusive requests;

B.4 Nothing herein grants rights beyond those expressly provided under Indian law.

C. MODE OF SUBMISSION

C.1 DSRs must be submitted through:

(a) the registered email address of the User; or

(b) officially designated in-app support channels.

C.2 Requests via unauthorised channels shall not be entertained.

C.3 Glatro is not responsible for lost, delayed, or misdirected requests due to User error.

D. INFORMATION REQUIRED FOR PROCESSING

D.1 Each request must include:

(a) full name of the User;

(b) registered mobile number and/or email address;

(d) sufficient information to locate relevant data.

D.2 Glatro may require documentation to:

(a) verify identity;

(b) prevent unauthorised disclosure;

D.3 Failure to provide information may result in rejection without liability.

E. IDENTITY VERIFICATION

E.1 (a) OTP-based verification;

E.1 (b) government-issued ID (where necessary);

E.1 (c) internal authentication records.

E.2 Requests failing verification shall be rejected.

E.3 Glatro is not liable where verification fails.

F. REVIEW & DECISION-MAKING PROCESS

F.1 Requests shall be reviewed by:

(a) compliance teams;

(b) legal teams;

F.2 Glatro may accept, partially comply, deny, or seek clarification.

F.3 Grounds for denial include statutory retention, investigations, fraud prevention, legal rights, or disproportionate burden.

G. RESPONSE TIMELINES

G.1 Responses are generally within 30–45 days, subject to complexity, volume, and operational constraints.

G.2 Timelines may be extended where permitted by law.

G.3 Indicative timelines are not contractual commitments.

H. LIMITATIONS ON DISCLOSURE

H.1 (a) internal risk assessments or profiling data;

H.1 (b) proprietary algorithms or logic;

H.1 (c) confidential business information;

H.1 (d) data relating to other individuals.

H.2 Disclosure is limited to what is strictly required by law.

I. WITHDRAWAL OF CONSENT

I.1 Users may withdraw consent where applicable.

I.2 Withdrawal may result in:

(a) suspension or termination of services;

(b) restriction of features;

I.3 Withdrawal does not affect lawful prior processing.

J. ABUSE PREVENTION

J.1 (a) manifestly unfounded requests;

J.1 (b) repetitive or vexatious requests;

J.1 (c) requests imposing disproportionate burden.

K. FINALITY OF DECISIONS

K.1 Glatro’s decision on any DSR shall be final and binding, subject only to mandatory statutory remedies.

K.2 Users expressly waive claims arising from lawful refusal or limitation of DSRs.

ANNEXURE III — BLACKLISTING & ENFORCEMENT POLICY

A. OBJECTIVE & REGULATORY CONTEXT

A.2 This Policy is framed to protect:

(a) the integrity and security of the Platform;

(b) the interests of genuine Users;

A.3 This Annexure shall be read in conjunction with:

• the Terms of Use;

• the Privacy Policy;

• Vendor Agreement;

• Delivery Partner Agreement;

and shall prevail in case of inconsistency, to the extent permitted by law.

B. ZERO-TOLERANCE POLICY

B.1 Glatro adopts a strict zero-tolerance approach towards fraud, abuse, manipulation, or bad-faith conduct.

B.2 Any act or omission that undermines platform trust, financial integrity, or operational stability shall invite immediate enforcement action, without prejudice to Glatro’s other legal remedies.

B.3 Users expressly acknowledge that intent is irrelevant; even negligent or reckless conduct may trigger enforcement action.

C. DEFINITION OF FRAUD & ABUSE (NON-EXHAUSTIVE)

For the purposes of this Annexure, “Fraud” or “Abuse” includes, without limitation:

(a) false, misleading, or fabricated refund or return claims;

(b) repeated chargebacks or payment disputes without legitimate basis;

(d) collusion between Customers, Vendors, or Delivery Partners;

(e) manipulation of delivery acceptance, verification, or confirmation flows;

(f) misuse of Wallet balances, credits, or promotional benefits;

(g) submission of forged, misleading, or invalid documents;

(h) circumvention of Platform safeguards or technical controls;

(i) unauthorised access, scraping, reverse engineering, or interference;

(j) any activity intended to cause financial loss to Glatro or other Users.

D. MONITORING, DETECTION & INVESTIGATION

D.1 Glatro may deploy automated systems, manual reviews, audits, and internal investigations to detect suspected fraud or abuse.

D.2 Monitoring may include:

(a) transaction pattern analysis;

(b) behavioural profiling;

(d) risk scoring and anomaly detection;

(e) internal or third-party audits.

D.3 Users acknowledge that monitoring may occur without prior notice and does not require User consent beyond that provided under the Privacy Policy.

E. ENFORCEMENT ACTIONS

E.1 Upon detection or reasonable suspicion of fraud or abuse, Glatro may, at its sole discretion and without prior notice:

(a) suspend or permanently terminate accounts;

(b) cancel or reverse transactions;

(d) withhold Vendor or Delivery Partner payouts;

(e) recover losses through set-off, adjustment, or legal action;

(f) blacklist Users across multiple identifiers.

E.2 Enforcement actions may be immediate and need not await completion of investigation.

F. BLACKLISTING POLICY

F.1 Blacklisting may be applied permanently or for a specified duration.

F.2 Blacklisting may be enforced across:

(a) phone numbers;

(b) email addresses;

(d) IP addresses;

(e) bank accounts and payment instruments;

(f) government-issued identification documents.

F.3 Blacklisted Users shall not be entitled to:

(a) re-registration;

(b) access to the Platform;

(d) explanation beyond what is legally required.

G. RECOVERY OF LOSSES

G.1 Glatro reserves the right to recover any losses, damages, costs, or expenses arising from fraud or abuse by:

(a) adjusting or withholding future payouts;

(b) debiting Wallet balances or credits;

(d) invoking indemnity provisions.

G.2 Glatro’s determination of loss amounts shall be final and binding, subject to mandatory statutory review.

H. LEGAL & REGULATORY ACTION

H.1 Glatro reserves the unrestricted right to:

(a) initiate civil proceedings;

(b) lodge criminal complaints or FIRs;

(d) share information with regulators, banks, or payment networks.

H.2 Users expressly waive any objection to such disclosures made in good faith.

I. NO OBLIGATION TO WARN OR EXPLAIN

I.1 Glatro is under no obligation to:

(a) provide advance warnings;

(b) issue show-cause notices;

(d) share internal findings or evidence.

I.2 Any communication provided shall be purely discretionary.

J. LIMITATION OF LIABILITY

J.1 To the maximum extent permitted by law, Glatro shall not be liable for:

(a) losses suffered due to enforcement actions;

(b) termination or suspension of accounts;

(d) reputational or business impact on Users.

J.2 Users expressly waive all claims arising from lawful enforcement under this Annexure.

K. FINALITY & SURVIVAL

K.1 All enforcement decisions taken under this Annexure shall be final and binding, subject only to mandatory statutory remedies.

K.2 This Annexure shall survive termination of accounts and agreements.

ANNEXURE IV

PAYMENT, SETTLEMENT & RECOVERY POLICY

A. OBJECTIVE & APPLICABILITY

A.2 This Annexure applies to all financial interactions involving:

(a) Customers making payments for orders;

(b) Vendors receiving settlements for fulfilled orders;

(d) Wallet balances, promotional credits, refunds, or recoveries.

B. PAYMENT PROCESSING FRAMEWORK

B.1 All payments made by Customers are processed through authorised, RBI-compliant third-party payment gateways.

B.2 Glatro does not store sensitive payment credentials such as card numbers, CVV, PINs, or net-banking passwords.

B.3 Glatro shall not be liable for:

(a) payment failures caused by banks, gateways, or networks;

(b) incorrect details provided by Users;

B.4 Successful payment authorisation does not guarantee order acceptance, fulfilment, or availability.

C. WALLET, CREDITS & PROMOTIONAL BALANCES

C.1 The Platform may offer Wallet balances, credits, cashback, or promotional incentives.

C.2 Such balances are:

(a) non-transferable;

(b) non-withdrawable;

(d) usable only in accordance with applicable terms.

C.3 Glatro reserves the right to:

(a) modify, suspend, or withdraw Wallet features;

(b) reverse credits issued in error;

C.4 Wallet balances do not constitute legal tender, stored value instruments, or bank deposits.

D. VENDOR & DELIVERY PARTNER SETTLEMENTS

D.1 Settlements to Vendors and Delivery Partners are processed on a net basis, after deduction of:

(a) platform commissions or service fees;

(b) applicable taxes;

(d) chargebacks, refunds, or disputed amounts.

D.2 Settlement timelines displayed on the Platform are indicative only and may vary due to:

(a) banking delays;

(b) reconciliation requirements;

(d) force majeure events.

D.3 Glatro shall not be liable for settlement delays beyond its reasonable control.

E. ADJUSTMENTS, SET-OFF & WITHHOLDING RIGHTS

E.1 Glatro reserves the unrestricted right to:

(a) adjust future payouts;

(b) set-off amounts owed against amounts payable;

E.2 Such actions may be taken without prior notice where permitted by law.

E.3 Vendors and Delivery Partners expressly waive objections to lawful set-off or withholding.

F. REFUNDS, REVERSALS & CHARGEBACKS

F.1 Refunds to Customers shall be processed in accordance with platform policies and applicable law.

F.2 Glatro reserves the right to:

(a) reverse refunds issued in error;

(b) deny refunds in cases of abuse or fraud;

F.3 Chargebacks initiated through banks or payment networks may result in:

(a) immediate debit of corresponding amounts;

(b) additional administrative fees;

G. RECOVERY OF AMOUNTS & LOSSES

G.1 Glatro may recover any outstanding amounts, losses, or damages by:

(a) adjusting Wallet balances;

(b) deducting future settlements;

(d) initiating legal proceedings.

G.2 Recovery rights shall survive termination of accounts or agreements.

G.3 Glatro’s determination of amounts recoverable shall be final and binding, subject only to mandatory statutory remedies.

H. TAXATION & COMPLIANCE

H.1 All payments and settlements are subject to applicable Indian tax laws.

H.2 Users are solely responsible for their own tax compliance.

H.3 Glatro may deduct or collect taxes as required by law and shall not be liable for Users’ tax obligations.

I. DISPUTE RESOLUTION RELATING TO PAYMENTS

I.1 Payment-related disputes must be raised within prescribed timelines.

I.2 Failure to raise disputes within such timelines shall constitute waiver of claims.

I.3 Glatro’s internal reconciliation records shall prevail in case of discrepancies, subject to statutory review.

J. LIMITATION OF LIABILITY

J.1 To the maximum extent permitted by law, Glatro shall not be liable for:

(a) indirect or consequential losses arising from payment issues;

(b) loss of business, profits, or reputation;

J.2 Users expressly waive claims arising from lawful application of this Annexure.

K. FINALITY & SURVIVAL

K.1 All determinations under this Annexure shall be final and binding.

K.2 This Annexure shall survive termination of the User’s relationship with Glatro.

ANNEXURE V

COOKIE & TRACKING TECHNOLOGIES POLICY

A. PURPOSE & APPLICABILITY

A.2 This Policy applies to all Users accessing the Platform through:

(a) mobile applications;

(b) web browsers;

A.3 This Annexure forms an integral part of the Privacy Policy and shall be read in conjunction therewith.

B. WHAT ARE COOKIES & TRACKING TECHNOLOGIES

B.1 Cookies are small text files placed on a User’s device to enable functionality, security, and analytics.

B.2 Tracking Technologies may include:

(a) session cookies;

(b) persistent cookies;

(d) mobile SDKs;

(e) server logs;

(f) pixels and tags.

B.3 Such technologies do not independently identify Users but may be linked to personal data held by Glatro.

C. CATEGORIES OF COOKIES USED

C.1 Strictly Necessary Cookies

Used to:

(a) authenticate Users;

(b) maintain sessions;

(d) enable core Platform functionality.

Disabling these cookies may render the Platform unusable.

C.2 Performance & Analytics Cookies

Used to:

(a) analyse usage patterns;

(b) measure performance and load;

(d) improve Platform features.

Data collected may be aggregated or anonymised.

C.3 Security & Risk Cookies

Used to:

(a) detect suspicious behaviour;

(b) enforce platform safeguards;

Such cookies are essential for Platform integrity.

C.4 Functional Cookies

Used to:

(a) remember preferences;

(b) personalise user experience;

D. PURPOSES OF USE

Tracking Technologies are used for:

(a) authentication and session continuity;

(b) fraud prevention and security monitoring;

(d) troubleshooting and debugging;

(e) legal compliance and audit trails.

E. THIRD-PARTY COOKIES & SDKs

E.1 Glatro may permit certain third-party service providers (e.g., analytics or security vendors) to place Tracking Technologies on the Platform.

E.2 Such third parties operate under their own privacy policies and are not controlled by Glatro.

E.3 Glatro shall not be liable for third-party Tracking Technologies beyond its reasonable control.

F. USER CONTROL & CONSENT

F.1 Users may control cookies through:

(a) device or browser settings;

(b) app permissions;

F.2 Disabling cookies may impair functionality or security.

F.3 Continued use of the Platform constitutes consent to the use of Tracking Technologies, to the extent permitted by law.

G. NO GUARANTEE OF COMPLETE OPT-OUT

G.1 Certain cookies and Tracking Technologies cannot be disabled without affecting essential services.

G.2 Glatro disclaims liability for degraded performance resulting from User-imposed restrictions.

H. DATA SECURITY & RETENTION

H.1 Data collected through Tracking Technologies is protected in accordance with the Data Security section of the Privacy Policy.

H.2 Retention periods are governed by Annexure I (Data Retention Matrix).

I. MODIFICATIONS TO THIS POLICY

I.1 Glatro reserves the right to modify this Annexure at any time.

I.2 Continued use of the Platform after modifications constitutes acceptance.

ANNEXURE VI

GOVERNMENT, REGULATORY & LAW ENFORCEMENT DISCLOSURE SOP

A. PURPOSE & GOVERNANCE

A.1 This Annexure establishes the standard operating procedure (“SOP”) governing disclosures of information by Glatro to government bodies, regulatory authorities, and law enforcement agencies.

A.2 The SOP is designed to:

(a) ensure compliance with applicable Indian laws;

(b) enable prompt cooperation with lawful requests;

(d) minimise risk of unlawful or excessive disclosures.

A.3 This Annexure forms an integral part of the Privacy Policy and shall be read in conjunction therewith.

B. DISCLOSURE AUTHORITY & LEGAL BASIS

B.1 Glatro may disclose information where such disclosure is:

(a) mandated by law;

(b) required pursuant to a valid court order, warrant, or subpoena;

(d) necessary to prevent or investigate fraud, cybercrime, or unlawful activity;

(e) required to protect life, property, or public safety.

B.2 Disclosures shall be made strictly in accordance with:

• Information Technology Act, 2000;

• IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021;

• Code of Criminal Procedure, 1973;

• applicable sectoral regulations and judicial precedents.

C. REQUEST VALIDATION & REVIEW

C.1 All requests for disclosure shall be subject to internal legal and compliance review prior to disclosure, except in emergency situations.

C.2 Glatro may verify:

(a) identity and authority of the requesting body;

(b) jurisdictional competence;

(d) legal validity of the request.

C.3 Requests that are vague, overbroad, or unsupported by lawful authority may be:

(a) limited;

(b) challenged; or

D. SCOPE OF DISCLOSURE

D.1 Disclosures shall be limited to the minimum data necessary to comply with the request.

D.2 Glatro shall not disclose:

(a) proprietary algorithms or source code;

(b) internal risk assessments or profiling logic;

D.3 Where permissible, data may be anonymised or redacted prior to disclosure.

E. EMERGENCY DISCLOSURES

E.1 In circumstances involving an imminent threat to life or public safety, Glatro may disclose information without prior notice or complete validation.

E.2 Such disclosures shall be:

(a) limited in scope;

(b) documented internally;

E.3 Emergency disclosures made in good faith shall not give rise to liability.

F. USER NOTICE & CONFIDENTIALITY

F.1 Where permitted by law, Glatro may notify Users of disclosures affecting them.

F.2 Glatro may withhold notice where:

(a) prohibited by law;

(b) notice would prejudice investigations;

G. RECORD-KEEPING & AUDIT

G.1 Glatro shall maintain internal records of:

(a) disclosure requests received;

(b) data disclosed;

(d) correspondence with authorities.

G.2 Such records may be retained in accordance with Annexure I.

H. NO LIABILITY & GOOD FAITH PROTECTION

H.1 Disclosures made in good faith and in compliance with this SOP shall not give rise to liability towards Users.

H.2 Users expressly waive claims arising from lawful disclosures.

I. FINALITY & MODIFICATION

I.1 Glatro’s determination regarding compliance with disclosure requests shall be final, subject to mandatory statutory obligations.

I.2 This SOP may be modified at any time to reflect changes in law or regulatory practice.

ANNEXURE VII

ARBITRATION PROCEDURE & RULES

A. OBJECTIVE & BINDING NATURE

A.1 This Annexure sets out the exclusive dispute resolution mechanism applicable to any disputes, claims, controversies, or differences arising out of or in connection with:

(a) the Platform;

(b) the Terms of Use;

(d) any ancillary policies, annexures, or agreements;

(e) the relationship between Glatro and any User.

A.2 This Annexure shall be binding on all Users, including Customers, Vendors, Retailers, Delivery Partners, and any other persons accessing or using the Platform.

B. MANDATORY PRE-ARBITRATION PROCESS

B.1 Prior to initiating arbitration, the aggrieved party shall make a good faith effort to resolve the dispute amicably by submitting a written notice of dispute to Glatro.

B.2 The notice shall contain:

(a) detailed description of the dispute;

(b) relief sought;

B.3 Glatro shall be afforded a minimum of 30 (thirty) days from receipt of notice to attempt resolution.

B.4 Failure to comply with this pre-arbitration requirement may result in dismissal or stay of arbitration proceedings.

C. AGREEMENT TO ARBITRATE

C.1 All disputes not resolved through amicable settlement shall be finally resolved by arbitration, in accordance with the provisions of the Arbitration and Conciliation Act, 1996, as amended.

C.2 Arbitration shall be the exclusive remedy, except where injunctive or interim relief is sought.

C.3 Users expressly waive the right to initiate or participate in class actions or representative proceedings, to the maximum extent permitted by law.

D. ARBITRAL TRIBUNAL

D.1 Arbitration shall be conducted by a sole arbitrator, appointed mutually by the parties.

D.2 In the event the parties fail to agree on the appointment of a sole arbitrator within 15 days, the arbitrator shall be appointed in accordance with the Arbitration and Conciliation Act, 1996.

D.3 The arbitrator shall:

(a) be legally qualified;

(b) have experience in commercial and technology disputes;

E. SEAT, VENUE & LANGUAGE

E.1 The seat and legal place of arbitration shall be Gurgaon, Haryana, India.

E.2 The venue may be Gurgaon or any other location as determined by the arbitrator.

E.3 The arbitration proceedings shall be conducted in the English language.

F. GOVERNING LAW

F.1 This Annexure, the arbitration proceedings, and all disputes shall be governed by and construed in accordance with the laws of India.

F.2 Indian substantive law shall apply to all matters, irrespective of the User’s location.

G. INTERIM & INJUNCTIVE RELIEF

G.1 Nothing in this Annexure shall prevent Glatro from seeking:

(a) interim relief;

(b) injunctive relief;

G.2 Courts at Gurgaon, Haryana shall have exclusive jurisdiction for such relief.

H. COSTS & FEES

H.1 The arbitrator shall have discretion to determine:

(a) costs of arbitration;

(b) legal fees;

H.2 Costs may be awarded against the losing party.

I. CONFIDENTIALITY

I.1 Arbitration proceedings, pleadings, evidence, and awards shall be confidential, except where disclosure is required by law.

J. FINALITY & ENFORCEMENT

J.1 The arbitral award shall be final and binding on the parties.

J.2 The award shall be enforceable in accordance with Indian law.

K. COURT FALLBACK & EXCLUSIVE JURISDICTION

K.1 Where arbitration is not permitted under law, or where interim relief is sought, courts at Gurgaon, Haryana shall have exclusive jurisdiction.

K.2 Users expressly waive objections to jurisdiction or forum convenience.

L. SURVIVAL

L.1 This Annexure shall survive termination of the User’s relationship with Glatro.

ANNEXURE VIII — DISCLAIMER, ACKNOWLEDGEMENTS & RISK ACCEPTANCE

A. PLATFORM PROVIDED ON “AS IS” AND “AS AVAILABLE” BASIS

A.1 The Platform, including all content, features, functionalities, services, software, and interfaces, is provided on an “as is”, “as available”, and “with all faults” basis.

A.2 Glatro makes no representations or warranties, express or implied, including but not limited to warranties of:

(a) merchantability;

(b) fitness for a particular purpose;

(d) uninterrupted or error-free operation;

(e) compatibility with any device or system.

A.3 Any reliance placed by Users on the Platform or its outputs is entirely at their own risk.

B. NO WARRANTY REGARDING PRODUCTS OR SERVICES

B.1 Glatro is a technology marketplace intermediary and does not:

(a) manufacture, stock, or own products;

(b) control Vendors’ inventory or quality;

B.2 All product-related representations, descriptions, pricing, availability, and legality are the sole responsibility of Vendors or Retailers.

B.3 Glatro expressly disclaims liability for:

(a) product defects or quality issues;

(b) mismatches between images and actual products;

C. USER ASSUMPTION OF RISK

C.1 Users expressly acknowledge and accept all risks associated with:

(a) accessing or using the Platform;

(b) placing orders or making payments;

(d) reliance on information or content displayed on the Platform.

C.2 Such risks include, without limitation:

(a) technical failures;

(b) third-party misconduct;

(d) data security incidents beyond reasonable control.

D. NO PROFESSIONAL OR COMMERCIAL ADVICE

D.1 Any information provided on the Platform, including recommendations, suggestions, analytics, or insights, is for general informational purposes only.

D.2 Nothing on the Platform constitutes legal, financial, tax, medical, or professional advice.

D.3 Users are solely responsible for obtaining independent professional advice where required.

E. LIMITATION OF LIABILITY

E.1 To the maximum extent permitted by law, Glatro shall not be liable for:

(a) indirect, incidental, consequential, special, or punitive damages;

(b) loss of profits, revenue, business, data, or goodwill;

E.2 Glatro’s aggregate liability, if any, shall be limited strictly to the extent mandated under applicable Indian law.

F. FORCE MAJEURE

F.1 Glatro shall not be liable for delays or failures arising from events beyond reasonable control, including but not limited to:

(a) natural disasters;

(b) pandemics or epidemics;

(d) network or power failures;

(e) strikes or labour disputes;

(f) acts of God or public enemy.

F.2 Performance obligations affected by force majeure shall be suspended for the duration of such events.

G. NO CLASS ACTIONS

G.1 To the maximum extent permitted by law, Users expressly waive the right to:

(a) initiate or participate in class actions;

(b) act as a representative plaintiff;

G.2 Disputes shall be resolved strictly on an individual basis.

H. INDEMNITY

H.1 Users agree to indemnify, defend, and hold harmless Glatro, its directors, officers, employees, and affiliates from all claims, losses, liabilities, damages, and expenses arising from:

(a) misuse of the Platform;

(b) violation of laws or third-party rights;

(d) fraudulent or unlawful conduct.

H.2 This indemnity shall survive termination of the User’s relationship with Glatro.

I. ACKNOWLEDGEMENT OF UNDERSTANDING

I.1 Users acknowledge that:

(a) they have read and understood these Policies;

(b) they have had the opportunity to seek independent legal advice;

I.2 Lack of awareness or understanding shall not be a defence.

J. STATUTORY OVERRIDE

J.1 Nothing in this Annexure shall exclude liability that cannot be excluded under applicable Indian law.

J.2 Subject thereto, this Annexure shall be interpreted in favour of limiting Glatro’s liability.

ANNEXURE IX — SEVERABILITY, WAIVER & INTERPRETATION

A. SEVERABILITY

A.1 If any provision of this Privacy Policy, including its Annexures, is held to be invalid, unlawful, unenforceable, or void by a court or competent authority, such provision shall be:

(a) deemed severed from the remaining provisions; and

(b) replaced, to the extent permissible, with a valid provision that most closely reflects the original intent.

A.2 The invalidity or unenforceability of any provision shall not affect the validity, legality, or enforceability of the remaining provisions.

A.3 The remaining provisions shall continue in full force and effect.

B. NO WAIVER

B.1 Any failure or delay by Glatro in exercising any right, power, or remedy under this Privacy Policy shall not constitute a waiver of such right, power, or remedy.

B.2 A waiver shall be effective only if:

(a) expressly granted in writing; and

(b) signed by an authorised representative of Glatro.

B.3 A waiver of any breach shall not be deemed a waiver of any subsequent or continuing breach.

C. ENTIRE AGREEMENT (PRIVACY CONTEXT)

C.1 This Privacy Policy, together with:

(a) the Terms of Use;

(b) all Annexures;

constitutes the entire understanding between the User and Glatro in relation to data protection and privacy.

C.2 This Policy supersedes all prior understandings, communications, or representations, whether oral or written, relating to personal data.

D. NO ASSIGNMENT BY USER

D.1 Users may not assign, transfer, or delegate any rights or obligations under this Privacy Policy without prior written consent of Glatro.

D.2 Glatro may freely assign or transfer this Policy as part of any corporate restructuring, merger, acquisition, or asset transfer.

E. SUCCESSORS & ASSIGNS

E.1 This Privacy Policy shall bind and inure to the benefit of:

(a) Glatro and its successors and assigns;

(b) Users and their lawful heirs, legal representatives, and permitted assigns.

F. INTERPRETATION RULES

F.1 Headings are for convenience only and shall not affect interpretation.

F.2 Words in the singular include the plural and vice versa.

F.3 The terms “including”, “without limitation”, and similar expressions shall be construed illustratively and not restrictively.

F.4 Any ambiguity shall be interpreted in favour of Glatro, to the maximum extent permitted by law.

H. GOVERNING LAW & JURISDICTION (RECONFIRMATION)

H.1 This Privacy Policy shall be governed by and construed in accordance with the laws of India.

H.2 Subject to the Arbitration Annexure, courts at Gurgaon, Haryana shall have exclusive jurisdiction over all matters arising out of or relating to this Policy.

I. SURVIVAL

I.1 Provisions relating to:

(a) data retention;

(b) disclosures;

(d) limitation of liability;

(e) dispute resolution;

(f) governing law;

shall survive termination of the User’s relationship with Glatro.

J. FINAL ACKNOWLEDGEMENT

J.1 Users expressly acknowledge that:

(a) they have read and understood this Privacy Policy in its entirety;

(b) they consent to the collection and processing of personal data as described;

J.2 Ignorance of the contents of this Policy shall not be a defence.