1. Data Controller
The “Data Fiduciary” (controller) for your personal data under India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) is:
NG&NR Technologies Private Limited
Operating the Revend platform at revend.in
Registered office: Bengaluru, Karnataka, India
Privacy queries: privacy@revend.in
Legal queries: legal@revend.in
Wherever this Policy refers to “we”, “us”, “our”, or “Revend”, it refers to NG&NR Technologies Private Limited.
2. Personal Data We Collect
We collect only the data needed to operate the Revend platform, verify your identity where required, enable secure communication, and meet legal obligations. The specific data we collect depends on how you use Revend.
2.1 Customer App
- Account & Identity: mobile number (OTP-verified), name, email (optional), profile photo, password (stored as a bcrypt hash).
- Device & Technical: device model, OS version, app version, IP address, crash logs, FCM push token.
- Location: approximate or precise location (only when you grant permission) to surface nearby posts, merchants, and service providers.
- Usage: posts you view, save, or favourite; searches you run; chats and calls you initiate.
- Payment: payment metadata (order ID, status, amount) via our PCI-DSS compliant payment partners. Full card/UPI details never touch our servers.
2.2 Service Provider (SP)
- All Customer data listed above.
- KYC: Aadhaar-backed identity verification (via Surepass/UIDAI offline KYC), PAN, selfie/live photo for face match, business name, service category, years of experience, service area.
- Portfolio: service images, certifications, work samples you choose to publish.
- Engagement: quotes sent, leads received, ratings, reviews, and escrow transaction history.
2.3 Merchant
- All Customer data listed above.
- Business KYC: GSTIN, business PAN, business name, business address, proprietor/director Aadhaar verification, bank account details for settlement.
- Catalogue: product listings, pricing, stock status, store images.
- Transactional: orders, escrow lifecycle events, refunds, payouts.
3. Legal Basis for Processing
We rely on one or more of the following legal bases under the DPDPA 2023 and Indian law:
- Consent: you explicitly agree (e.g., KYC, marketing communications, location access).
- Legitimate Uses (§7 DPDPA): to perform the Revend contract you entered into, to comply with Indian law, to respond to medical emergencies, and to process employer/employee relationships.
- Legal Obligation: retention of KYC and transaction records under the Prevention of Money Laundering Act, 2002 and Income Tax Act, 1961.
- Public Interest / Safety: detecting fraud, impersonation, and prohibited content.
4. How We Use Your Data
- Create and secure your Revend account.
- Verify your identity via KYC (SPs and Merchants).
- Match Customers with nearby Merchants, SPs, and posts.
- Operate in-app chat and calls, including call recording for trust & safety.
- Process escrow payments, refunds, and settlements.
- Detect fraud, spam, impersonation, and policy violations using automated and human review.
- Run AI-based content moderation on posts, images, and chats (toxic-bert, Falconsai NSFW).
- Send transactional notifications (OTP, order updates, escrow status, dispute notices).
- Respond to legal requests and grievance complaints.
- Improve the Revend platform through aggregated, de-identified analytics.
5. Sensitive Personal Data
We treat the following as sensitive and apply additional safeguards:
- Aadhaar: We never store the plain 12-digit Aadhaar number. We store an irreversible HMAC-SHA256 hash (with a server-held key) for deduplication and fraud detection. The last 4 digits may be shown to you in masked form (e.g., XXXX-XXXX-1234) as required by UIDAI masking guidelines.
- Biometrics (selfie / face match): processed in-session by our licensed KYC partner (Surepass / IDfy) and not stored on Revend servers. Only the match result (success/fail, confidence score) is retained.
- UIDAI Compliance: Aadhaar verification uses Offline XML / e-KYC flows authorized by the Unique Identification Authority of India. We are not an AUA/KUA — our licensed partner is.
- Financial: bank account, UPI VPA, and GST details are encrypted at rest (AES-256).
6. Call Recording
In-app voice and video calls on Revend use LiveKit WebRTC. Calls may be recorded for trust, safety, and dispute-resolution purposes.
- Both parties see a persistent “Call is being recorded” indicator before the call connects.
- Recordings are stored on AWS S3, ap-south-1 (Mumbai) with server-side encryption (SSE-KMS).
- Retention period: 90 days, after which recordings are automatically and irrecoverably deleted, unless retained longer for an active dispute, grievance, or lawful order.
- Recordings are accessible only to Revend’s Trust & Safety team and, where legally compelled, law-enforcement authorities.
7. Data Sharing & Disclosure
7.1 Within the Platform
Customers, SPs, and Merchants see each other’s name, profile photo, rating, and business information needed to transact. Phone numbers are never exposed — all calls and chats are proxied through Revend.
7.2 Third-Party Processors
We share the minimum data required with vetted processors who are contractually bound to Indian data-protection standards:
- KYC: Surepass, IDfy (Aadhaar / PAN / GST verification)
- Payments & Escrow: PCI-DSS compliant Indian payment aggregators
- Cloud Infrastructure: AWS (ap-south-1 Mumbai only)
- Communications: LiveKit (WebRTC), FCM (push), licensed SMS/email providers
- Secrets Management: Doppler
7.3 Legal & Regulatory
We may disclose your data to Indian courts, regulators (RBI, UIDAI, MeitY), or law-enforcement agencies when compelled by a valid written order under Indian law.
7.4 Business Transfer
If Revend is part of a merger, acquisition, or asset sale, your data may be transferred to the acquirer subject to an equivalent privacy commitment. You will be notified in-app and by email.
We do not sell your personal data.
8. Data Retention
| Category | Retention |
|---|---|
| KYC & identity verification audit logs | 7 years (PMLA 2002) |
| Transaction / escrow / invoice data | 7 years (Income Tax Act 1961) |
| Call recordings | 90 days |
| Chat messages | 180 days |
| Account data (inactive) | Deleted 3 years after last login, unless law requires longer |
| Marketing consent & preferences | Until you withdraw consent |
When you delete your account, non-regulatory data is erased within 30 days. Regulatory data (KYC, transactions) is retained only for the statutory period, in an access-controlled archival store.
9. Data Security
- In transit: TLS 1.3 across all public endpoints and internal gRPC channels.
- At rest: AES-256 for databases (MySQL, ArangoDB), S3 object storage, and backups.
- Hashing: bcrypt for passwords; HMAC-SHA256 for Aadhaar and other tokenised identifiers.
- gRPC PII interceptors: a platform-wide interceptor automatically masks mobile numbers, Aadhaar fragments, and other PII in logs and inter-service calls.
- Role-Based Access Control (RBAC): least-privilege access for employees; sensitive operations require multi-person approval.
- Monitoring: 24×7 anomaly detection, audit logs, and incident response playbooks.
No system is perfectly secure. If we detect a breach affecting your personal data, we will notify you and the Data Protection Board of India as required by the DPDPA 2023.
10. Your Rights Under DPDPA 2023
You (the “Data Principal”) have the following rights:
- Right to Access: obtain a summary of the personal data we process about you and the recipients with whom it has been shared.
- Right to Correction & Completion: correct inaccurate or incomplete data and update outdated information.
- Right to Erasure: request deletion of personal data that is no longer necessary, subject to legal retention requirements.
- Right to Withdraw Consent: withdraw any consent you previously gave (e.g., marketing, location). Withdrawal does not affect the lawfulness of prior processing.
- Right to Nominate: nominate another person to exercise these rights on your behalf in the event of your death or incapacity.
- Right to Grievance Redressal: see Section 16.
Exercise any right by writing to privacy@revend.in with “DPDPA Request” in the subject. We respond within 30 days.
11. Children’s Privacy
Revend is not intended for anyone under 18. We do not knowingly collect personal data from children. If we become aware that we hold personal data of a child without verifiable parental consent, we will delete it promptly. If you believe a child has created an account, email privacy@revend.in.
12. Data Localisation
All Revend personal data is stored and processed in AWS Mumbai (ap-south-1). We do not transfer personal data outside India. If Indian law in future permits cross-border transfer to a specific country, we will update this Policy and notify you before any such transfer begins.
13. Marketing & Notifications
- Transactional notifications (OTP, order updates, escrow status, dispute notices, security alerts) are essential to the service and cannot be turned off while your account is active.
- Promotional notifications (offers, new features, newsletters) are sent only with your explicit opt-in. You can opt out at any time from in-app Settings → Notifications, or by emailing privacy@revend.in.
- Ad-free declaration: Revend does not run third-party advertising SDKs, does not show in-app banner or interstitial ads, and does not sell user data to advertisers.
15. Third-Party Links
Revend may contain links to websites or services we do not operate (e.g., a merchant’s own website). We are not responsible for the privacy practices of those third parties. Please review their policies before sharing data with them.
16. Grievance Redressal
In line with the DPDPA 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Revend has a dedicated Grievance Officer:
NG&NR Technologies Private Limited
Bengaluru, Karnataka, India
Email: privacy@revend.in
Response time: acknowledgement within 48 hours; resolution within 30 days.
If you are not satisfied with our response, you may escalate to the Data Protection Board of India constituted under the DPDPA 2023.
17. Changes to This Privacy Policy
We may update this Policy to reflect changes in law, technology, or our services. The “Effective Date” at the top of this page will be updated. Material changes will be notified in-app and by email at least 7 days before they take effect. Your continued use of Revend after the effective date constitutes acceptance of the updated Policy.
18. Contact Us
For any privacy-related question or request:
- Email: privacy@revend.in
- Legal: legal@revend.in
- Post: NG&NR Technologies Private Limited, Bengaluru, Karnataka, India
See also our Terms & Conditions.