Mitrotsav Mitrotsav
← Back to Home

Privacy Policy

Last updated: June 2026  |  Effective from: June 2026

This Privacy Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023 (DPDPA).

Table of Contents

  1. Who We Are
  2. Data We Collect
  3. How We Use Your Data
  4. Legal Basis for Processing
  5. Data Sharing and Third Parties
  6. Cross-Border Data Transfers
  7. Data Retention
  8. Children's Privacy
  9. Your Rights
  10. Data Security
  11. Cookies and Tracking
  12. Data Breach Notification
  13. Changes to This Policy
  14. Grievance Officer
  15. Contact Us

1. Who We Are

Mitrotsav ("we", "our", "us", "Company") is a social gifting and celebration platform operated by [Company Legal Name], a company incorporated under the Companies Act, 2013, with its registered office at [Registered Address, City, State, PIN], India. CIN: [CIN Number].

We operate the Mitrotsav mobile application ("App") and the website at mitrotsav.com (collectively, "Platform"). This Privacy Policy describes how we collect, use, store, share, and protect the personal data of users ("you", "User") of our Platform.

By downloading, installing, or using our App, you confirm that you have read, understood, and consent to the collection and use of your personal data as described in this Policy.

2. Data We Collect

2.1 Data You Provide Directly

  • Mobile number — for OTP-based login and account identification
  • Name — for your profile and friend identification
  • Date of birth — to determine age eligibility, apply minor protections, and personalise occasion reminders
  • Profile photo — optional, uploaded by you
  • Profession and bio — optional, for your public profile
  • Gender — optional
  • Delivery addresses — for order fulfilment
  • Messages and occasion content — text, images, and videos shared within the App
  • Wishlist items — products you add to your wishlist

2.2 Data Collected Automatically

  • Device information — device type, operating system version, device identifiers
  • FCM token — Firebase Cloud Messaging token for push notifications
  • IP address — for security, fraud prevention, and geographic compliance
  • App usage data — screens visited, features used, session duration
  • Crash reports and error logs — to diagnose and fix technical issues

2.3 Data from Third Parties

  • Payment data — Razorpay provides us with transaction status and masked payment method details. We do not store card numbers, UPI handles, or banking credentials.
  • Uploaded media — images and videos you upload are stored on Cloudinary's servers.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To create and manage your user account
  • To verify your identity via OTP
  • To enable friend connections, occasion management, wishlist sharing, and messaging
  • To process and fulfil orders and coordinate deliveries
  • To send you OTPs, order confirmations, occasion reminders, and push notifications
  • To enforce age verification — Mitrotsav is strictly an 18+ platform
  • To detect, investigate, and prevent fraudulent activity and policy violations
  • To comply with legal obligations, court orders, or government requests
  • To improve and personalise the Platform through usage analytics
  • To resolve disputes and enforce our Terms of Service

We will not use your personal data for purposes other than those stated above without your prior consent.

4. Legal Basis for Processing

Under the Digital Personal Data Protection Act, 2023, we process your personal data on the following lawful bases:

  • Consent — When you register and use the App, you provide informed consent to data processing as described in this Policy.
  • Contractual necessity — Processing is necessary to provide you with the services you have requested (account creation, order fulfilment).
  • Legal obligation — Processing is required to comply with applicable Indian laws, including tax, consumer protection, and anti-fraud regulations.
  • Legitimate interests — We process certain data to protect the security of the Platform and prevent fraud, provided this does not override your rights.

5. Data Sharing and Third Parties

We do not sell your personal data. We share your data only in the following circumstances:

5.1 Service Providers

  • Razorpay Financial Solutions Pvt. Ltd. — Payment processing. They are governed by their own Privacy Policy at razorpay.com/privacy.
  • Cloudinary Inc. — Media storage and delivery for profile photos, messages, and promotion content.
  • Google Firebase (Google LLC) — OTP phone verification and push notifications (FCM). Google's Privacy Policy applies.
  • Sightengine SAS — Automated content moderation: profile photos and user-uploaded images are checked for prohibited content.
  • Upstash Inc. — Redis-based session management. OTPs are stored temporarily (auto-deleted within 5 minutes of use).
  • TiDB Cloud (PingCAP Ltd.) — Primary database hosting (US region).

5.2 Vendors

When you place an order, we share your delivery address and first name with the assigned vendor to fulfil the order. We do not share your full mobile number with vendors. Vendors are contractually bound to use this data only for order fulfilment.

5.3 Legal Disclosure

We may disclose your personal data if required by law, court order, or a government authority, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of Mitrotsav, our users, or the public.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our assets, user data may be transferred to the acquiring entity, subject to the same privacy protections.

6. Cross-Border Data Transfers

Some of our third-party service providers are located outside India. By using the Platform, you consent to the transfer of your personal data to servers located in:

  • United States — Firebase (OTP and notifications), TiDB Cloud (database), Upstash (session/OTP cache), Sightengine (content moderation), Cloudinary (media storage)

We ensure that any cross-border transfer is subject to appropriate safeguards, including contractual clauses consistent with the Digital Personal Data Protection Act, 2023.

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations. Specific retention periods:

  • Account data (name, mobile, profile) — retained for the lifetime of your account and deleted within 30 days of account deletion request
  • Messages — retained for 12 months from the date of the conversation, then purged
  • Wish cards — auto-deleted 30 days after the occasion date
  • Order and payment records — retained for 7 years as required by the Income Tax Act and consumer protection regulations
  • OTP cache — auto-deleted within 5 minutes of use (stored in Redis, not in our database)
  • Uploaded media (messages, promotions) — retained while the associated content exists; deleted when content is removed

8. Age Requirement — 18+ Only

Mitrotsav is strictly for users aged 18 and above. We do not permit use of the Platform by anyone under 18, and we do not knowingly collect personal data from users under 18.

  • Age is verified using your date of birth at the time of registration and on every subsequent login.
  • Your date of birth is permanently linked to your account and cannot be changed after it is first set, to prevent age falsification.
  • If we discover that a user under 18 has registered on the Platform, we will immediately suspend the account and delete all associated personal data within 72 hours.
  • If you believe an under-18 user has accessed the Platform, please report it immediately to our Grievance Officer at grievance@mitrotsav.com.

9. Your Rights

Under the Digital Personal Data Protection Act, 2023, and other applicable laws, you have the following rights regarding your personal data:

  • Right to access — Request a copy of the personal data we hold about you
  • Right to correction — Request correction of inaccurate or incomplete data (you can edit most data directly in the App)
  • Right to erasure — Request deletion of your account and associated personal data
  • Right to withdraw consent — Withdraw consent to data processing at any time (note: this may require account deletion)
  • Right to grievance redressal — Lodge a complaint with our Grievance Officer
  • Right to nominate — Nominate a person to exercise your rights in case of incapacity or death, as provided under DPDPA

To exercise any of these rights, email our Grievance Officer at the address listed in Section 14. We will respond within 30 days of receiving your request.

10. Data Security

We implement technical and organisational measures to protect your personal data:

  • Encryption at rest — Mobile numbers are encrypted using AES-256-GCM with a unique IV per record
  • Encryption in transit — All API communication uses HTTPS/TLS 1.2 or higher
  • Password hashing — Account passwords are hashed using bcrypt with a minimum of 10 rounds
  • Authentication — OTP-based login with rate limiting (3 attempts per 10 minutes), expiry (5 minutes), and maximum attempt lockout
  • Access controls — Role-based access; only authorised personnel access production data
  • Database security — Database hosted on TiDB Cloud with SSL connection and IP allowlist

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

11. Cookies and Tracking

The Mitrotsav mobile app does not use browser cookies. The Mitrotsav website (mitrotsav.com) uses only the following:

  • Essential functionality — No tracking or analytics cookies are set on this website
  • Google Fonts — Font files are loaded from Google servers; Google may set its own cookies as per their Privacy Policy

We do not currently use third-party advertising networks, behavioural tracking, or retargeting technologies.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will:

  • Notify the affected users within 72 hours of becoming aware of the breach
  • Report the breach to the Data Protection Board of India as required under DPDPA 2023
  • Take immediate steps to contain and remediate the breach
  • Provide you with information about the nature of the breach, data affected, and steps taken

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes:

  • We will update the "Last updated" date at the top of this page
  • We will notify registered users via a push notification or in-app message
  • Continued use of the Platform after the updated Policy is published constitutes acceptance of the changes

14. Grievance Officer

Grievance Officer — Mitrotsav

In accordance with the Information Technology Act, 2000 and Rules made thereunder, the name and contact details of the Grievance Officer are published below:

Name: [Grievance Officer Full Name]
Designation: Grievance Officer
Company: [Company Legal Name]
Address: [Registered Address, City, State, PIN]
Email: grievance@mitrotsav.com
Response time: Acknowledgement within 24 hours; resolution within 15 days of receipt

You may contact the Grievance Officer for any complaints related to privacy, data processing, content moderation, or violation of your rights under this Policy or applicable law.

15. Contact Us

For general privacy queries or to exercise your rights:

Email: support@mitrotsav.com
Website: mitrotsav.com
Address: [Registered Address, City, State, PIN — India]

Mitrotsav Mitrotsav

Legal

Privacy Policy Terms of Service Refund Policy
© 2026 Mitrotsav. All rights reserved. Made with ❤️ in India