Data Governance, Processing & Protection Policy

Kutoot Innovations Private Limited

Introduction

This Data Governance, Processing & Protection Policy ("Data Policy") is adopted and implemented by:

Kutoot Innovations Private Limited, a company incorporated under the laws of India, having its registered office at Delta Arcade, 22nd Cross, 18th Main, Sector 3, HSR Layout, Bengaluru – 560102 ("Kutoot", "Company", "we", "us", or "our").

This Data Policy governs the internal and external handling of data processed through Kutoot Business, the Kutoot customer platform, merchant dashboards, payment systems, analytics engines, and associated infrastructure (collectively, the "Platform").

1. PURPOSE AND OBJECTIVE

1.1

This Data Policy establishes a framework for:

  • lawful collection and processing of data
  • secure storage and transmission
  • responsible data sharing and disclosure
  • data lifecycle management
  • risk mitigation and compliance

1.2

This Policy is intended to:

  • ensure compliance with applicable laws including the Digital Personal Data Protection Act, 2023 and Information Technology Act, 2000
  • protect the interests of merchants, customers, and stakeholders
  • maintain integrity, confidentiality, and availability of data

2. APPLICABILITY

2.1

This Policy applies to:

  • all data processed by Kutoot
  • all employees, contractors, vendors, and partners
  • all systems, applications, and databases associated with the Platform

2.2

This Policy applies irrespective of:

  • data format (digital, physical, or hybrid)
  • location of processing

3. DEFINITIONS

3.1 "Personal Data"

Means any data relating to an identifiable individual.

3.2 "Business Data"

Means data relating to merchant operations, transactions, performance metrics, and analytics.

3.3 "Sensitive Data"

Includes financial data, KYC documents, authentication credentials, and data requiring enhanced protection.

3.4 "Processing"

Includes collection, recording, storage, use, sharing, analysis, or deletion of data.

3.5 "Data Lifecycle"

Means the stages through which data passes, including creation, storage, usage, archival, and deletion.

4. DATA CLASSIFICATION FRAMEWORK

Kutoot classifies data into the following categories:

4.1 Personal Data

  • Merchant personal details
  • Authorized representative data

4.2 Financial Data

  • Bank account details
  • Transaction records
  • Settlement data

4.3 Operational Data

  • Discounts created
  • Campaign participation
  • Walk-in and redemption data

4.4 Performance Data

  • Performance scores
  • Rankings and leaderboard positions
  • Conversion and retention metrics

4.5 Technical Data

  • Device identifiers
  • IP addresses
  • Logs and usage patterns

Each category shall be subject to appropriate safeguards based on sensitivity.

5. PRINCIPLES OF DATA PROCESSING

Kutoot adheres to the following principles:

5.1 Lawfulness, Fairness, and Transparency

Data shall be processed in a lawful and transparent manner.

5.2 Purpose Limitation

Data shall be collected only for specified and legitimate purposes.

5.3 Data Minimization

Only necessary data shall be collected and processed.

5.4 Accuracy

Reasonable steps shall be taken to ensure data accuracy.

5.5 Storage Limitation

Data shall not be retained longer than necessary.

5.6 Integrity and Confidentiality

Appropriate security measures shall be implemented.

6. DATA COLLECTION AND PROCESSING

6.1

Data may be collected through:

  • merchant onboarding through Kutoot Business
  • platform usage and transactions
  • customer interactions through Kutoot
  • third-party integrations including payment gateways and KYC providers

6.2

All data collection shall be:

  • authorized
  • logged
  • traceable

7. DATA USAGE AND PROCESSING

7.1

Data may be processed for:

  • functionality of Kutoot and Kutoot Business
  • payment facilitation and settlements
  • performance scoring and rankings
  • fraud detection and prevention
  • analytics and product improvements
  • operational insights and reporting

7.2

Automated systems may be used for:

  • performance scoring
  • rankings and visibility
  • risk assessment
  • fraud monitoring

8. PERFORMANCE DATA GOVERNANCE

8.1

Performance Data is a core component of Kutoot Business and related merchant systems, including:

  • scores
  • rankings
  • behavioural metrics
  • performance indicators

8.2

Kutoot may:

  • aggregate and analyse such data
  • display performance metrics publicly
  • use such data for benchmarking and insights

8.3

Performance Data:

  • shall not be treated as confidential business information when displayed as part of Platform functionality
  • may be used for comparative insights across merchants

9. DATA SHARING AND DISCLOSURE

9.1

Data may be shared with:

  • payment processors and banks
  • verification agencies
  • technology service providers
  • regulatory authorities
  • internal teams and authorized personnel

9.2

All third-party sharing shall be:

  • contractually governed
  • subject to confidentiality obligations

10. DATA STORAGE AND LOCALIZATION

10.1

Data shall be stored in secure environments including:

  • cloud infrastructure
  • encrypted databases

10.2

Where required, data shall be stored within India or in compliance with applicable laws.

11. DATA SECURITY CONTROLS

Kutoot shall implement:

11.1 Technical Controls

  • encryption at rest and in transit
  • firewalls and intrusion detection systems
  • access control mechanisms

11.2 Organizational Controls

  • role-based access
  • employee training
  • confidentiality agreements

11.3 Monitoring and Auditing

  • continuous monitoring
  • periodic audits

12. DATA RETENTION AND DELETION

12.1

Data shall be retained for the duration necessary to fulfil business and legal requirements.

12.2

Data may be:

  • deleted
  • anonymized
  • archived upon expiry

12.3

Certain data may be retained for:

  • legal compliance
  • dispute resolution
  • fraud prevention

13. DATA BREACH MANAGEMENT

13.1

A data breach includes unauthorized access, disclosure, or loss of data.

13.2

Kutoot shall:

  • detect and contain breaches
  • assess impact
  • notify affected stakeholders and authorities where required
  • implement corrective measures

14. ACCESS CONTROL AND AUTHORIZATION

14.1

Access to data shall be:

  • restricted based on role
  • logged and monitored

14.2

Unauthorized access may result in:

  • disciplinary action
  • legal consequences

15. THIRD-PARTY DATA PROCESSORS

15.1

All third-party processors shall:

  • enter into binding agreements
  • comply with security and data protection standards

15.2

Kutoot may conduct due diligence before engagement.

16. DATA SUBJECT RIGHTS HANDLING

Requests for:

  • access
  • correction
  • deletion
  • withdrawal of consent

shall be processed in accordance with applicable laws.

17. CROSS-BORDER DATA TRANSFER

17.1

Data transfers outside India shall:

  • comply with applicable legal requirements
  • be subject to reasonable safeguards

18. AUDIT AND COMPLIANCE

18.1

Kutoot may:

  • conduct internal audits
  • maintain compliance records

18.2

Non-compliance may result in:

  • disciplinary action
  • contractual termination

19. POLICY ENFORCEMENT

Violations of this Policy may result in:

  • suspension of access
  • termination of contracts
  • legal action

20. AMENDMENTS

Kutoot reserves the right to amend this Policy at any time.

Updated versions shall become effective upon publication.

21. GOVERNING LAW

This Policy shall be governed by the laws of India.

22. CONTACT AND ACCOUNTABILITY

For data-related concerns:

Email: legal@kutoot.com

Company: Kutoot Innovations Private Limited