Privacy Policy

1. Data Fiduciary Information

Karozell operates as a Data Fiduciary under the DPDP Act, 2023. We determine the purpose and means of processing your personal data.

2. Lawful Basis for Processing & Consent

Under the DPDP Act, 2023, we process your personal data based on your free, specific, informed, unconditional, and unambiguous consent, which you provide at the time of registration. Specifically:

• Account creation consent: By checking the consent box during login, you agree to the collection and processing of your phone number, name, city, and email for platform operation.
• RC processing consent: Before uploading your Registration Certificate, you provide separate explicit consent for processing this sensitive document. The image is deleted immediately after verification.
• Communication consent: By using the in-app chat, you consent to message storage for facilitating buyer-seller communication.
• Notification consent: Push notifications and email notifications require separate opt-in consent, which can be withdrawn at any time.

You may withdraw your consent at any time by contacting us at privacy@karozell.com or by requesting account deletion through your profile settings. Withdrawal of consent does not affect the lawfulness of processing done prior to withdrawal.

3. Personal Data We Collect

We collect the following categories of personal data:

• Identity data: Full name, phone number (+91), email address
• Location data: City of residence (any city in India)
• Listing data: Car details, photos, descriptions you provide when creating a listing
• Verification data: Registration Certificate (RC) images — processed for name and model matching only, then immediately and permanently deleted
• Communication data: Messages exchanged through the in-app chat
• Technical data: Browser type, device type, IP address, pages visited
• Notification data: Push subscription tokens for delivering notifications

We do not collect Aadhaar numbers, PAN numbers, biometric data, financial data, or health data.

4. Purpose of Data Processing

Your personal data is processed for the following specific purposes:

• Account management: Creating and maintaining your user account
• Ownership verification: Matching RC owner name and car model against your profile and listing (image deleted after verification)
• Marketplace operation: Displaying your listings to potential buyers, facilitating search and discovery
• Communication: Enabling in-app chat between buyers and sellers
• Transactional notifications: Sending emails about listing status, chat messages, and account activity
• Fraud prevention: Detecting and preventing dealer/middleman accounts, enforcing owner-only policy
• Platform improvement: Anonymized analytics to improve user experience
• Legal compliance: Responding to lawful requests from government authorities

5. RC Document Handling (Sensitive Data)

Registration Certificate images are treated as sensitive personal data. Our handling process:

• Separate explicit consent is obtained before RC upload
• The image is processed to extract only the owner name and vehicle model
• These are matched against your profile name and listing details
• Only boolean match results (yes/no) are stored — never the RC content or image
• The RC image is permanently deleted immediately after processing
• We never share, sell, copy, or retain RC images in any form
• Consent for RC processing can be withdrawn, but existing verification results remain

6. Data Sharing & Data Processors

We do not sell your personal data. We share data only with the following categories of recipients, who act as Data Processors under the DPDP Act:

• Supabase Inc. (database, authentication, file storage) — Data stored on AWS infrastructure
• Resend Inc. (transactional email delivery) — Receives email addresses for sending platform emails only
• Vercel Inc. (hosting, serverless functions) — Processes requests and serves the application
• Altcha (proof-of-work captcha, self-hosted) — No data is sent to third parties; bot protection runs entirely on our servers
• Other platform users: Your name, city, and listing details are visible as part of marketplace functionality
• Government/legal authorities: When required by law, court order, or government regulation under Indian law

Note: Some data processors are located outside India. Data transfers are governed by contractual obligations ensuring equivalent protection as required under the DPDP Act.

7. Data Retention

• Account data: Retained as long as your account is active, or until you request deletion
• Listing data: Retained for 90 days after listing expiry, then anonymized
• Chat messages: Retained for 1 year after the last message in a conversation
• RC images: Deleted immediately after verification — zero retention
• Consent records: Retained for 5 years for legal compliance and audit purposes
• Push tokens: Automatically cleaned up when expired or on unsubscription

Upon account deletion request, all personal data is erased within 72 hours, except data required to be retained under applicable law.

8. Data Security (IT Act Compliance)

In compliance with the IT Act, 2000 and IT Rules, 2011, we implement reasonable security practices and procedures:

• All data in transit is encrypted via HTTPS/TLS
• Database-level encryption at rest (Supabase/AWS)
• Row Level Security (RLS) ensures users can only access their own data
• Admin access protected by JWT with 5-minute token expiry
• Security headers: Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options
• Rate limiting on authentication endpoints
• Proof-of-work captcha (Altcha) for bot and spam prevention, with no third-party data sharing
• Input sanitization to prevent injection attacks
• Session timeout after 5 minutes of inactivity

9. Your Rights Under DPDP Act

As a Data Principal, you have the following rights:

• Right to Access (Section 11): Request a summary of your personal data and processing activities. Contact privacy@karozell.com.
• Right to Correction (Section 12): Update inaccurate information via your profile page.
• Right to Erasure (Section 12): Request complete deletion of your account and data. Submit a request via your profile or email us. Processing within 72 hours.
• Right to Withdraw Consent (Section 6): Withdraw consent at any time. This will result in restricted platform access.
• Right to Nominate (Section 14): Nominate another person to exercise your rights in case of death or incapacity.
• Right to Grievance Redressal (Section 13): File a complaint with our Grievance Officer. If unresolved, escalate to the Data Protection Board of India.

10. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the Data Protection Board of India without unreasonable delay
• Notify affected Data Principals (users) without unreasonable delay
• Provide details of the breach, data affected, and remedial measures taken
• Take immediate steps to mitigate the breach and prevent recurrence

11. Cookies & Local Storage

Karozell uses only essential/strictly necessary cookies and local storage for:

• Authentication session management (Supabase auth tokens)
• Admin session JWT tokens
• PWA install prompt dismissal preference
• Session timeout tracking

We do not use advertising cookies, analytics cookies, or third-party tracking cookies. Our captcha system (Altcha) is self-hosted and does not send any data to external services.

12. Push Notifications

Push notifications require separate opt-in consent via browser permission dialog. If granted:

• A push subscription token is stored to deliver real-time notifications
• Notifications cover: new chat messages, listing inquiries
• You can revoke permission at any time through browser settings
• Expired or revoked tokens are automatically cleaned up

13. Children's Data Protection

Karozell is not intended for persons under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a minor, we will delete it immediately without requiring a request, in compliance with Section 9 of the DPDP Act.

14. Intermediary Status (IT Act)

Karozell operates as an intermediary under Section 2(1)(w) of the Information Technology Act, 2000. We:

• Do not initiate, select, or modify information transmitted between users
• Provide a platform for users to list and discover cars — we do not participate in transactions
• Comply with due diligence requirements under IT (Intermediary Guidelines) Rules, 2021
• Have appointed a Grievance Officer as required under Rule 3(2)
• Publish terms of service that prohibit unlawful content
• Act on valid legal orders and takedown requests within prescribed timelines

15. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be:

• Published on this page with an updated “Last updated” date and consent version
• Notified to registered users via email for material changes
• If changes affect the basis of consent, we will seek fresh consent before processing

16. Grievance Redressal & Contact