Privacy Policy
Effective Date: 19 May 2026 · Last Updated: 19 May 2026 · Compliant with India's Digital Personal Data Protection (DPDP) Act, 2023
DigiMutual Goals Pvt. Ltd. ("DukanList", "we", "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use dukanlist.com.
This policy is governed by Indian law including the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable rules.
1. Data We Collect
1.1 Owner Data (you provide)
- Mobile number — required for OTP verification and account login
- Business details — shop name, owner name, category, USP/about, services, hours
- Address — full address with state, district, city, locality, pincode
- Contact info — WhatsApp number (optional), email (optional)
- Photos — shop photos uploaded by you (max 5)
1.2 Customer / Visitor Data
- Mobile number (hashed) — when submitting a review or report (SHA-256 hash stored, not the actual number)
- Review content — rating + text you submit
- Anonymous analytics — page views, search terms, click events (no PII)
1.3 Automatic Data
- IP address (hashed with date for lead deduplication)
- User agent (browser, OS — for compatibility)
- Page interaction events (search, scroll, clicks)
2. How We Use It
- Directory listing — your business info is shown publicly on dukanlist.com to help customers find you
- OTP authentication — mobile number used only for OTP login (Supabase Phone Auth)
- Verification trust score — pincode-city match and photo count contribute to your verification badge
- Lead tracking — call/WhatsApp/direction clicks logged so you can see how many leads you got
- Anti-spam — phone hash prevents duplicate reviews/reports from the same number
- Communication — important platform updates via WhatsApp/SMS (rare, opt-out anytime)
🚫 We do NOT: sell your data, share with advertisers, send marketing emails/SMS without consent, or use your data for any purpose outside operating DukanList.
3. Sharing & Disclosure
Your data is shared only as follows:
- Public display — your business profile (name, category, address, contact, photos, USP) is intentionally public so customers can find you
- Hosting provider — data stored on Supabase (Postgres database in EU/Asia regions) and Vercel (static hosting). Both are DPDP-compliant infrastructure
- Legal requirements — if compelled by a valid court order or law enforcement in India
- Business transfer — in case of merger/acquisition, with continuing privacy commitments
We do NOT share data with third-party advertisers, data brokers, or marketing companies.
4. Cookies & Local Storage
We use minimal browser storage:
- Session cookies — to keep you logged in after OTP verification (Supabase Auth)
- localStorage — language preference (EN/HI), pending registration drafts
- No tracking pixels — we do not yet use Facebook Pixel or Google Analytics (we may add anonymous analytics later, with consent)
5. Your Rights Under DPDP Act 2023
As a Data Principal under the DPDP Act, you have the following rights:
- Right to access — see what data we have about you
- Right to correction — fix wrong info via your dashboard
- Right to erasure — request deletion of your business and all data (account closure)
- Right to grievance — lodge a complaint with our Grievance Officer (see contact below)
- Right to nominate — appoint someone to exercise these rights on your behalf
- Right to withdraw consent — opt out of communications anytime
To exercise any right, email privacy@dukanlist.com with your registered mobile number for verification. We respond within 30 days as required by law.
6. Data Security
- HTTPS/TLS encryption for all data transmission
- Database hosted on Supabase with Row-Level Security (RLS) policies
- Phone numbers hashed (SHA-256) for review/report submissions
- OTP-based authentication (no passwords stored)
- Regular security audits and dependency updates
7. Data Retention
- Active listings — data retained while your shop is active
- Banned/removed listings — retained 90 days for audit, then deleted
- Reviews — retained while business is active; deleted with business closure
- Logs (leads, views) — retained 12 months for analytics
- OTP/session data — auto-expires after 24 hours of inactivity
8. Children's Data
DukanList is intended for users 18+ (adult business owners and customers). We do not knowingly collect data from children under 18. If we discover such data, we will delete it immediately. Parents/guardians can contact us via the email below.
Grievance Officer / Data Protection Contact:
Deepak Singla, Founder
DigiMutual Goals Pvt. Ltd.
SCO-01, Near IndusInd Bank, Aastha Hospital Street,
Chotala Road, Mandi Dabwali — 125104,
District Sirsa, Haryana, India
Email: privacy@dukanlist.com
Phone/WhatsApp: +91 95412 23377
📝 Changes to this Policy: We may update this Privacy Policy. Material changes will be announced on the homepage and via email/SMS to registered owners. Continued use after changes constitutes acceptance.
By using dukanlist.com, you confirm you have read and understood this Privacy Policy.