Privacy Policy
Effective Date: June 2026 | Version 1.0 | Last Updated: June 2026
Operated by: BLACK FORCE SERVICES | GSTIN: 07ABBFB3622R1Z9
1. Introduction
This Privacy Policy is drafted in strict compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act, 2023) and the Digital Personal Data Protection Rules, 2025. It applies to all personal data processed through the GemSetu Platform (www.gemsetu.com).
2. Data Fiduciary
BLACK FORCE SERVICES, a Partnership Firm, having its principal place of business at D-11, Sanjay Mohalla, Gali Number 2, Bhajanpura, New Delhi, North East Delhi, Delhi, 110053, India, GSTIN 07ABBFB3622R1Z9, is the Data Fiduciary under the DPDP Act, 2023.
3. Grievance Officer
Name: Rahul Jain
Designation: Grievance Officer
Email: [email protected]
Address: D-11, Sanjay Mohalla, Gali Number 2, Bhajanpura, New Delhi, North East Delhi, Delhi, 110053, India
The Grievance Officer shall acknowledge receipt within 72 hours and resolve grievances within 30 days.
4. Categories of Personal Data Collected
- Identity & Contact: Name, email, mobile, GSTIN, PAN, Aadhaar (voluntary), business name, address
- Business Data: GeM registration details, tender history, bid data, bank account details, digital signature info
- Technical Data: IP address, browser type, device identifiers, login timestamps, usage patterns, cookies
- Communication: Support chat logs, email correspondence, feedback
- Payment: Transaction history, billing info (card data processed by Razorpay — we do not store complete card numbers)
- AI Inputs: Product descriptions for HSN/SAC suggestion (no PII transmitted to AI)
5. Purposes of Processing
- Account creation and platform services
- GeM tender tracking, bid management, and analytics
- Payment processing and subscription management
- Customer support and communication
- Fraud prevention and security
- AI-assisted features (opt-in only)
- Legal and regulatory compliance
6. Consent Mechanism
Consent is free, specific, informed, unconditional, and unambiguous. We obtain granular consent for:
- Primary service provision
- Marketing communications (separate opt-in)
- AI-assisted features (separate opt-in)
- Cross-border data transfers to the United States (Resend, OpenAI)
You may withdraw consent at any time through account settings or by contacting the Grievance Officer. Withdrawal does not affect the legality of processing before withdrawal.
7. Data Processors & Sub-Processors
| Sub-Processor | Purpose | Data Region |
|---|---|---|
| Supabase | Database, auth, storage | Mumbai, India |
| Vercel | Hosting | Global (Mumbai POP) |
| Cloudflare | DNS, CDN, DDoS | Global |
| Resend | Email delivery | United States* |
| Upstash Redis | Rate limiting | Mumbai, India |
| Oracle Cloud | Scraper VM (no PII) | Mumbai, India |
| Razorpay | Payments | India |
| OpenAI | AI features (opt-in) | United States* |
* Cross-border transfers to the US require explicit consent and are governed by contracts incorporating DPDP Act obligations.
8. Cross-Border Data Transfers
Personal data is primarily stored and processed in India (Supabase Mumbai, Upstash Mumbai, Oracle Cloud Mumbai). Cross-border transfers are limited to:
- Resend (US): Transactional emails only. SOC 2 Type II compliant.
- OpenAI (US): AI feature inputs only (product descriptions, no PII). Training opt-out enabled.
We do not transfer personal data to countries notified as restricted by the Central Government.
9. Data Security
- AES-256 encryption at rest, TLS 1.3 in transit
- Row-level security (RLS) on Supabase
- Multi-factor authentication for admin access
- Rate limiting via Upstash Redis
- Cloudflare DDoS protection
- Audit logs retained for minimum 1 year
- Encrypted backups with tested restoration
10. Data Retention & Erasure
- Account data: Duration of account + 2 years
- Transaction/billing data: 7 years (GST compliance)
- Communication logs: 1 year
- AI input data: Deleted immediately after session (unless saved by user)
- Upon consent withdrawal: Erasure within 30 days (unless legally required to retain)
11. Your Rights (DPDP Act 2023)
- Right to Access (Section 11): Obtain confirmation and summary of your personal data
- Right to Correction & Erasure (Section 12): Request correction, completion, updating, or deletion
- Right to Grievance Redressal (Section 13): File grievance with our Grievance Officer
- Right to Nominate (Section 14): Nominate someone to exercise your rights in case of death/incapacity
- Right to Withdraw Consent (Section 6(4)): Withdraw at any time with comparable ease
Exercise your rights by contacting [email protected] or through your account settings.
12. AI Features & Automated Decision-Making
Our AI features (HSN/SAC suggestion, category mapping) use OpenAI GPT-4o-mini. These are entirely opt-in. The Platform is fully functional without AI features.
- No PII is transmitted to OpenAI (only product descriptions and seller vertical)
- Training opt-out is enabled on all API requests
- All AI outputs require human review before any GeM submission
- AI suggestions are guidance only, not legal/tax advice
13. Cookies
We use strictly necessary cookies (authentication, security), functional cookies (language preferences), analytics cookies (anonymised usage), and marketing cookies (with explicit consent). You can manage cookie preferences through the consent banner.
14. Children's Data
GemSetu is a B2B service for GeM-registered business entities. All signatories must be 18+. If we discover we are processing a child's data, we will immediately suspend the account and delete the data unless parental consent is obtained within 7 days.
15. Breach Notification
In the event of a personal data breach, we will notify the Data Protection Board of India within 72 hours and affected Data Principals without delay. We maintain comprehensive documentation of all breaches for minimum 5 years.
16. Amendments
Material changes to this Privacy Policy will be notified via email and in-app notification at least 15 days before the effective date. Continued use after the effective date constitutes acceptance.
17. Contact
For any queries, contact our Grievance Officer at [email protected].