JB GrocersJB Grocers
JB GROCERS LLP · LLPIN: ACN-1099 · GSTIN: 27AAVFJ5003D1ZF · Gultekdi, Pune, Maharashtra, India
Legal

Privacy Policy

This notice explains how JB GROCERS LLP collects, uses, shares and protects your personal data, and the rights you have over it.

Last updated: 30 June 2026

This is a template for guidance and not legal advice — have it reviewed by counsel before relying on it.

1. Who we are (Data Fiduciary)

JB GROCERS LLP (LLPIN ACN-1099; GSTIN 27AAVFJ5003D1ZF), with its registered office at Gultekdi, Pune, Maharashtra, India, is the Data Fiduciary responsible for your personal data under the Digital Personal Data Protection Act, 2023 (“DPDP Act”). This notice is provided under sections 5–6 of the DPDP Act and Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).

2. Personal data we collect

  • Account & business data: name, business name, GSTIN, email address, phone number and delivery address.
  • Transaction data: orders, invoices, ledgers and payment status (card details are not stored by us — see §5).
  • Communications: contact-form messages, support queries and any careers applications you send us.
  • Technical data: cookies, device/browser information and aggregate analytics, governed by our Cookie Policy.

3. Why we use your data and our lawful basis

We process personal data for specified, itemised purposes, relying on your consent and on the legitimate uses permitted under section 7 of the DPDP Act:

  • Account & onboarding — to verify and approve your business account (legitimate use / contract).
  • Order fulfilment — to process, deliver and invoice orders and provide support (legitimate use / contract).
  • Legal compliance — to issue GST invoices and keep statutory financial and LLP records (legal obligation).
  • Service improvement & security — to operate, secure and improve the Services.
  • Marketing — only where you have opted in; you can withdraw at any time (§7).

4. Retention

We keep personal data only for as long as needed for the purpose collected, after which it is deleted or anonymised. Where statute requires longer retention — for example GST tax invoices and LLP/ financial records — we retain those records for the period prescribed by law even after you ask us to delete other data.

5. Sharing and processors

We do not sell your personal data. We share it only with processors and partners who help us run the Services, under appropriate contractual safeguards:

  • Razorpay — payment processing; card data is tokenised by the gateway and is not stored by us.
  • ERPNext / Frappe hosting — order, invoice and ledger processing (our system of record).
  • Hosting & communications providers — our VPS host and email/SMS providers.
  • Authorities — where disclosure is required by law or to protect rights and safety.

6. Your rights as a Data Principal

Under sections 11–14 of the DPDP Act — and, where you are in the EU/UK, on a GDPR-aligned basis — you have the right to:

  • Access a summary of the personal data we hold and how it is processed.
  • Correction, completion and updating of inaccurate or incomplete data.
  • Erasure of your personal data (subject to legal retention obligations).
  • Data export / portability — receive a machine-readable copy (JSON/CSV) of your profile, consents, orders and messages.
  • Grievance redressal and the right to nominate another individual to exercise your rights.
  • Withdraw consent at any time, as easily as it was given.

7. Exercising your rights — export, deletion, consent & unsubscribe

You can exercise these rights from Account Settings → Privacy or by emailing our Grievance Officer (§9). After we verify your identity:

  • Data export — we assemble a secure, machine-readable bundle (profile, consent history, orders and messages) within 30 days.
  • Deletion / erasure — we delete or anonymise your data within 30 days, except records we must retain by law (e.g. GST invoices), which we will tell you about.
  • Consent management — manage marketing, analytics and cookie consents, and view your consent history, from Account → Privacy.
  • Unsubscribe — one click in any marketing email, or the marketing toggle in your account, stops marketing messages; transactional and order-related messages continue.

We acknowledge requests within 48 hours and aim to fulfil them within 30 days.

8. Security and breach notification

As required of a Data Fiduciary under section 8 of the DPDP Act and the SPDI Rules, we apply reasonable security safeguards including TLS 1.3 in transit, role-based access control, audit logging and encryption of sensitive fields at rest. In the event of a personal-data breach we will notify the Data Protection Board of India and affected data principals as required by law, and act per our incident-response runbook.

9. Grievance Officer

In accordance with section 13 of the DPDP Act, the SPDI Rules and the Consumer Protection (E-Commerce) Rules, 2020, you may contact our Grievance Officer with any concern or to exercise your rights:

  • Grievance Officer: [Placeholder — to be appointed before go-live]
  • JB GROCERS LLP, Gultekdi, Pune, Maharashtra, India
  • Email: grievance@jbgrocers.com (interim: sachingoel24@gmail.com)
  • Phone: +91 8550999000
  • We acknowledge within 48 hours and resolve within 30 days.

If unresolved, you may escalate to the Data Protection Board of India (DPDP Act) or the relevant Consumer Disputes Redressal Commission.

10. Children

The Services are a B2B offering and are not directed to children. We do not knowingly collect the personal data of minors.

11. Changes to this notice

We may update this Privacy Policy from time to time. The current version is shown by the “Last updated” date above; material changes will be communicated through the Site or by email.