Privacy Policy
Effective Date: 19 May 2026 · Last Updated: 26 June 2026 · Compliant with India's Digital Personal Data Protection (DPDP) Act, 2023
DigiMutual Goals Pvt. Ltd. ("DukanList", "we", "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use dukanlist.com.
This policy is governed by Indian law including the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable rules.
1. Data We Collect
1.1 Owner Data (you provide)
- Mobile number — required for OTP verification and account login
- Business details — business name, owner name, category, USP/about, services, hours
- Address — full address with state, district, city, locality, pincode
- Contact info — WhatsApp number (optional), email (optional)
- Photos — business photos uploaded by you (max 5)
1.2 Customer / Visitor Data
- Mobile number (hashed) — when submitting a review or report (SHA-256 hash stored, not the actual number)
- Review content — rating + text you submit
- Anonymous analytics — page views, search terms, click events (no PII)
1.3 Automatic Data
- IP address (hashed with date for lead deduplication)
- User agent (browser, OS — for compatibility)
- Page interaction events (search, scroll, clicks)
1.4 Professional Listing Data (regulated professions only)
If you register your listing under a regulated professional category (Chartered Accountant, Doctor, Lawyer, Company Secretary, Cost Accountant, Mutual Fund Distributor, Stock Broker / Authorized Person, Insurance Advisor), we additionally collect:
- Membership / Registration number (ICAI No., NMC Reg No., Bar Council Enrolment No., ARN, SEBI Reg., IRDAI Reg., etc.) — required to verify your professional credentials with the regulator's public lookup tool
- Qualification (CA, MBBS, MD, LLB, CS, CMA, etc.) — displayed on your public listing for client identification
- Areas of practice (e.g. Tax, Audit, GST; Cardiology, Internal Medicine; Criminal Law, Civil Litigation) — structured replacement for the promotional USP field
- Disclaimer acceptance timestamp — record of when you accepted the regulatory compliance disclaimer (kept for audit/evidentiary purposes per your regulator's Code of Conduct)
- Admin verification record — timestamp + admin reference when we cross-checked your membership number on the regulator's public lookup
Why we collect this: Indian regulators (ICAI, NMC, BCI, ICSI, ICMAI, AMFI, SEBI, IRDAI) restrict how their registered professionals can advertise. Your listing automatically runs in a compliance mode — no reviews, no ratings, no promotional badges — and the additional data above enables that compliance + admin verification. The data is shown publicly only as the relevant regulator's Code of Conduct permits.
2. How We Use It
- Directory listing — your business info is shown publicly on dukanlist.com to help customers find you
- OTP authentication — mobile number used only for OTP login (Supabase Phone Auth)
- Verification trust score — pincode-city match and photo count contribute to your verification badge
- Lead tracking — call/WhatsApp/direction clicks logged so you can see how many leads you got
- Anti-spam — phone hash prevents duplicate reviews/reports from the same number
- Communication — important platform updates via WhatsApp/SMS (rare, opt-out anytime)
🚫 We do NOT: sell your data, share with advertisers, send marketing emails/SMS without consent, or use your data for any purpose outside operating DukanList.
3. Sharing & Disclosure
Your data is shared only as described below — never sold, never used for advertising.
3.1 Public Display (by your own choice)
- Your business profile (name, category, address, hours, contact, photos, USP, reviews, owner role) is intentionally public so customers can find you on dukanlist.com and search engines
- For professional listings: your membership/registration number, qualification, areas of practice and the regulator's compliance disclaimer are also displayed publicly. This is required by your regulator's Code of Conduct so that prospective clients can independently verify your credentials. Reviews, ratings, Top Rated badges and Featured promotion are not displayed for strict-tier professional listings — your regulator's rules supersede our default display.
- You can request takedown anytime by deleting your account (see Section 5.2)
3.2 Third-Party Service Providers (data processors)
We use the following trusted infrastructure providers strictly for app operation. Each is bound by their own privacy commitments and DPA agreements:
- Supabase (Singapore region) — Postgres database, authentication, file storage. SOC 2 Type II compliant. Used for storing your account and business data. supabase.com/privacy
- Vercel (USA) — Static website hosting and serverless functions (edge network). Used for serving web pages and APIs. vercel.com/legal/privacy-policy
- Google Play Services (Android app users only) — required to deliver app updates, push notifications via Firebase Cloud Messaging, and crash reports. No personal info beyond device/app version is shared. policies.google.com/privacy
- Cloudflare Turnstile (optional, when enabled) — anti-bot CAPTCHA on registration/login forms. Privacy-respecting alternative to reCAPTCHA. cloudflare.com/privacypolicy
- Groq AI (poster studio feature only) — when you tap "AI suggest" for poster captions, the category + day-of-week is sent to Groq's LLM API. No personal information is sent. groq.com/privacy-policy
- Google Input Tools (optional Hindi transliteration) — when you type your business name in English, transliterated Hindi suggestions come from Google's free public API. Only the text typed in the name field is sent, no identifiers
We do NOT use any third-party advertising networks, data brokers, marketing platforms, social media tracking pixels, or analytics that share data with advertisers.
3.3 Legal & Safety
- Legal compliance — if compelled by valid court order or written request from Indian law enforcement, we may disclose specific records (with notice to you where legally permitted)
- Safety enforcement — if we detect fraud, abuse, or threats to platform integrity, we may share necessary data with affected parties or authorities
- Business transfer — in case of merger, acquisition, or sale, your data transfers with continuing privacy commitments (you will be notified 30 days in advance)
4. Cookies & Local Storage
We use minimal browser storage:
- Session cookies — to keep you logged in after OTP verification (Supabase Auth)
- localStorage — language preference (EN/HI), pending registration drafts
- No tracking pixels — we don't use Facebook Pixel or Google Analytics yet (may add anonymous analytics later with consent)
4.5 Mobile App, Notifications & Permissions
The DukanList Android app (TWA / Progressive Web App wrapper) operates under these conditions:
- Permissions requested: Internet access (required), push notifications (optional, only after your explicit consent), file storage (only when you upload a photo)
- Permissions NOT requested: Camera, microphone, location (GPS), contacts, SMS, call logs, calendar, or any other sensitive sensor
- Push notifications are sent only with your explicit permission and only for: replies to your reviews/Q&A, new shop announcements in your area, important account alerts (security, deletion confirmation). You can disable them anytime from system Settings → Apps → DukanList → Notifications
- App update mechanism: served through Google Play Store / Apple App Store automatic update channels. Service Worker handles website asset updates
- Telemetry collected by the app: none. We do not collect crash reports, app open events, device model, screen resolution, network type, or any other passive telemetry beyond what your browser/Android OS shares with Play Store
- Local data: language preference, login session token (encrypted by Supabase Auth), pending registration draft, saved shortlist (stored on your device only, not synced to our servers unless you log in)
5. Your Rights Under DPDP Act 2023
As a Data Principal under the DPDP Act, you have the following rights:
- Right to access — see what data we have about you (export available on request)
- Right to correction — fix wrong info anytime via your dashboard (panel/profile.html)
- Right to erasure — see Section 5.2 below for the in-app deletion flow
- Right to grievance — complaint to our Grievance Officer (see contact below)
- Right to nominate — appoint someone to exercise these rights on your behalf
- Right to withdraw consent — opt out of communications anytime
To exercise any right, email privacy@dukanlist.com with your registered mobile number for verification. We respond within 30 days as required by law.
5.1 Account Deletion (In-App, Web, or Without Login)
You can delete your DukanList account and all associated data through any of the methods below. All three lead to the same outcome — a 30-day grace period followed by permanent erasure.
Option A — In-app or web (recommended, no email needed):
- Log in to your account at panel/login.html
- Go to Profile → scroll to the bottom
- Find the red "⚠️ Danger Zone — Account Deletion" section
- Tap "🗑️ Delete My Account"
- Read the confirmation dialog, type DELETE, and confirm
- Your data enters a 30-day grace period during which recovery is possible by writing to us at privacy@dukanlist.com or WhatsApp +91 9541223377
- After 30 days, all your data is permanently and irreversibly erased from our systems
Option B — Without installing the app or logging in:
Visit dukanlist.com/delete-account from any browser. Fill in the form with your registered mobile number; we will verify by OTP and then start the same 30-day grace period. This option is provided so that anyone — including users who have uninstalled the app — can request deletion at any time.
Option C — By writing to us:
Email privacy@dukanlist.com from your registered email, or WhatsApp +91 9541223377 from your registered mobile. We verify identity and process within 7 days.
5.2 What Gets Deleted
When you delete your account, the following are removed within 30 days:
- Your business listing (name, address, hours, USP, FAQs, social URLs)
- All uploaded photos and gallery items
- Customer reviews you received (anonymized in public stats only)
- Pucho Bhai questions and answers you posted
- Saved shortlists and personal preferences
- Login credentials (email + password hash)
- Activity logs and personal analytics
5.3 Data Retained After Deletion (Required by Law)
- Anonymized aggregate metrics (e.g., "total businesses registered in Mandi Dabwali")
- Tax/financial records, if any monetary transaction occurred — retained 7 years per Income Tax Act
- Audit logs of the deletion event itself — retained 1 year for legal compliance
6. Data Security
- HTTPS/TLS encryption for all data transmission
- Database hosted on Supabase with Row-Level Security (RLS) policies
- Phone numbers hashed (SHA-256) for review/report submissions
- OTP-based authentication (no passwords stored)
- Regular security audits and dependency updates
7. Data Retention
Professional listings note: Disclaimer-acceptance timestamps and admin-verification records on professional listings are retained for the lifetime of the listing plus 7 years after deletion — as evidentiary record per your regulator's audit requirements (ICAI/NMC/BCI/etc. may inspect compliance evidence). Promotional content (USP text) that was auto-cleared from strict-tier listings is preserved in an internal admin-only audit table for the same 7-year period; it is not displayed publicly.
- Active listings — data retained while your business is active
- Banned/removed listings — retained 90 days for audit, then deleted
- Reviews — retained while business is active; deleted with business closure
- Logs (leads, views) — retained 12 months for analytics
- OTP/session data — auto-expires after 24 hours of inactivity
8. Children's Privacy
DukanList is intended for users aged 18 and above (adult business owners, professionals, and customers). The service is not directed at children under the age of 18.
We do not knowingly collect personal data from users under 18. If we become aware that a user under 18 has registered or submitted personal data, we will:
- Immediately suspend the account
- Delete all collected data within 7 days
- Notify the user (or guardian if reachable)
Parents or guardians who believe their child has registered or submitted information may contact us at privacy@dukanlist.com or WhatsApp +91 9541223377 with proof of guardianship, and we will delete the data within 7 days of verification.
Compliance: This commitment aligns with the Digital Personal Data Protection Act 2023 (India), the Children's Online Privacy Protection Act (COPPA, USA), and the EU General Data Protection Regulation (GDPR Article 8) where applicable.
Grievance Officer / Data Protection Contact:
Deepak Singla, Founder
DigiMutual Goals Pvt. Ltd.
SCO-01, Near IndusInd Bank, Aastha Hospital Street,
Chotala Road, Mandi Dabwali — 125104,
District Sirsa, Haryana, India
Email: privacy@dukanlist.com
Phone/WhatsApp: +91 95412 23377
📝 Changes to this Policy: We may update this Privacy Policy. Material changes will be announced on the homepage and via email/SMS to registered owners. Continued use after changes constitutes acceptance.
By using dukanlist.com, you confirm you have read and understood this Privacy Policy.