Privacy Policy

Version: 1.0

Last updated: 23 June 2025

Important — pre-incorporation status: The Nowx platform (the “Platform” or “Nowx”) is currently developed and operated by the founding team in a pre-incorporation phase. Until a legal entity is incorporated to operate the Platform, the founding team acts as the Data Fiduciary for purposes of this Privacy Policy.

Upon incorporation the operating entity will assume the Data Fiduciary responsibilities and this Policy will be updated.

Contact for privacy matters during pre-incorporation: contact@nowx.in (founder team).

1. Introduction, scope & acceptance

1.1 This Privacy Policy explains how personal data is collected, used, disclosed, retained and protected when you use the Nowx Platform (website, mobile apps, retailer dashboard, delivery/partner interfaces and related services).

1.2 By using or accessing the Platform you accept this Policy and our Terms of Use. If you do not agree, do not use the Platform.

1.3 This Privacy Policy covers all Users: Customers, Retailers (merchant partners), Retailer Personnel (delivery staff assigned by Retailers) and other visitors.

2. Key definitions (short)

Nowx / Platform — the digital marketplace and supporting systems developed and operated by the founding team (pre-incorporation).

User / Data Principal — any individual whose personal data is processed by the Platform (Customers, Retailers, Retailer Personnel).

Personal Data — any information relating to an identifiable individual.

Sensitive Personal Data — as per applicable law (e.g., government ID numbers, bank details, biometric data). We avoid collecting sensitive data unless strictly required for compliance, onboarding or safety verification.

3. What we collect — accurate to current implementation

We describe below precisely what Nowx currently collects and processes. This Policy intentionally avoids describing features or data flows that are not implemented. If we add new features (for example, precise GPS tracking, in-app audio/video recording, social login integrations, or integrated payment gateways), we will update this Policy in advance.

3.1 Customer data (we collect only what’s implemented)

Identity & contact: full name, mobile number, email (optional).

Delivery details: delivery address(es) and any user-entered address metadata (pincode, landmark, instructions).

Order & trial data: orders placed, items selected for trial/purchase, trial outcomes (keep/return), timestamps and order status.

Authentication data: OTPs used for verification are generated transiently (see §7). We do not store raw OTP values beyond the expiration window.

Service usage metadata: session identifiers, timestamps, pages visited while logged in, and aggregated platform usage (see §4).

Wallet / promotional metadata: trial points, free-cash balance, wallet ledger entries (if applicable). Financial instrument credentials (card numbers, UPI PINs) are not stored by Nowx.

We do not collect demographic body-measure data (age, gender, height, weight, clothing size) unless you explicitly provide them in optional profile fields. If those fields are added or enabled, we will disclose them clearly and seek explicit consent.

3.2 Retailer data

Business name, legal name, PAN, GSTIN (if provided), bank account details required for settlements (account number, IFSC, account holder name), store address and operating details, product catalogue information, business contact details, and compliance documents uploaded at onboarding (licenses appropriate to the retailer’s category).

Retailers must ensure they have lawful basis and consents for sharing any staff or third-party personal data with Nowx.

3.3 Retailer Personnel (delivery staff) data

Identity documents and verification materials supplied by the Retailer (PAN, Aadhaar number or masked copy where required, driver license URL, vehicle registration number, emergency contact), staff name and phone number, and records of assignment and performance where the staff use the Platform tools.

Important: Retailer Personnel are engaged by Retailers. Nowx verifies data only to enable secure access to platform features and does not employ Retailer Personnel.

3.4 Automatically collected technical & diagnostic data

Device & technical: device type, operating system, app version, browser, IP address (for fraud protection and rate limiting), approximate location inferred from IP or user-entered pincode (we do not collect precise GPS location currently).

Diagnostics & crash reports: limited telemetry and error reports via monitoring services (for example, Sentry). See §6 for details.

4. Purposes — why we process data

We process personal data for the limited purposes below, only to the extent necessary:

Provide and operate the Platform (account management, order placement, trial coordination).

Complete order fulfilment: share necessary order details with the relevant Retailer and Retailer Personnel so they can deliver or conduct trials.

Payments and settlements bookkeeping (COD metadata, wallet/trial point accounting; we do not hold card numbers).

Safety, fraud detection and platform security (rate limiting, login protection, verification).

Customer support, dispute resolution and incident investigation.

Monitoring, crash reporting and product improvement (diagnostic telemetry).

Legal / regulatory compliance (tax records, audit).

Data Portability:

Users may request a copy of personal data held by Nowx by contacting contact@nowx.in. Because the Platform is currently in an early development phase, automated self-service export tools are not yet available. Requests will be handled manually by the founding team. Where technically feasible and legally permissible, Nowx will provide requested data in a commonly readable electronic format within a reasonable time. Automated data export tools may be introduced in future updates of the Platform.

We will not use personal data for purposes that are incompatible with these lawful, contractually necessary, or consented purposes.

5. Lawful basis & consent

Where required by law, we rely on user consent for optional processing (marketing, personalization, optional safety features if/when introduced).

For core services (order fulfilment, payment reconciliation, legal compliance) processing is necessary to perform the contract between the User and the Retailer/Platform or to comply with legal obligations.

Where we process any sensitive personal data (e.g., identity documents for KYC), we do so only where necessary and with explicit lawful basis — typically to verify identity required for onboarding or regulatory compliance.

6. Third parties & processors

We share personal data only to the extent necessary and with processors under contract.

6.1 Typical third-party classes

Cloud hosting, database and storage providers (for example, cloud database services).

Error monitoring and observability providers (for example, Sentry).

Email and notification providers (transactional email services).

Analytics and performance monitoring (limited, aggregated; no advertising profiling in current build).

Identity and verification providers used by Retailers for staff onboarding.

6.2 What we share and with whom

Customers → Retailers: order details, delivery address and contact number so the Retailer can fulfil the order.

Retailers → Retailer Personnel: Retailer shares assignment details and necessary customer contact details with their staff to enable delivery/trial.

With processors: limited data required to provide services (transaction IDs, anonymised identifiers for monitoring, media files for product images).

Law enforcement / regulators: when required by law or court order.

7. Special technical notes (OTP, logs, monitoring)

7.1 OTPs

One-time passwords (OTPs) used for account verification or order confirmation are generated transiently and have a short automatic expiry (system TTL). Nowx does not permanently store raw OTP values beyond their expiration window; only authentication event metadata (timestamp, success/failure) may be retained for fraud detection.

7.2 Platform logs & evidence

Nowx maintains application logs, order timestamps, OTP verification event metadata and activity logs as required for dispute resolution, fraud prevention and regulatory compliance. Important: while metadata and audit trails are retained, certain ephemeral secrets (raw OTPs) are not permanently stored; this is documented in our retention table (see §9).

7.3 Error monitoring / observability (Sentry or similar)

Nowx uses error monitoring and observability services to detect and triage platform issues. These services may receive limited diagnostic data (stack traces, environment, anonymised request metadata). Nowx implements automated PII scrubbing before data is transmitted to monitoring tools and restricts access to monitoring dashboards to authorised staff under RBAC. See §10 (Security & Admin) for controls.

8. Cookies, tracking & marketing

8.1 Cookies and similar technologies

The Nowx Platform may use limited cookies or similar technologies necessary for authentication, security and basic platform functionality.

At present, the Platform primarily uses essential technical cookies required for login sessions, security protections and system stability.

A full cookie preference management system is not yet implemented because the Platform is in an early development stage.

If non-essential cookies or tracking technologies (such as advertising or analytics cookies) are introduced in future versions of the Platform, Nowx will implement an appropriate consent banner and update this Privacy Policy accordingly.

8.2 Advertising & tracking

As of this Policy date the Platform does not use advertising trackers, social login providers (Google/Facebook/Apple) or third-party ad networks. If this changes we will update the Policy and obtain required consents.

8.3 Marketing communications

At present, the Platform does not operate an automated marketing communication system.

Nowx may send limited service-related communications necessary for operation of the Platform, such as order confirmations, account notifications, or important service updates.

If marketing or promotional messaging systems are introduced in future versions of the Platform, users will be provided with appropriate opt-in and opt-out mechanisms before such communications are sent.

9. Retention — what we keep and for how long

We retain personal data only for the period necessary to fulfil the purposes described in this policy and to comply with applicable legal obligations. The following retention periods are typical and may be adjusted after confirmation from legal counsel.

Order records, invoices, and settlement metadata are retained for 8 years to comply with tax, audit, and statutory requirements. Customer account profile information is retained for the duration of the account being active and for 2 additional years afterward to ensure service continuity, after which the data may be archived or anonymised.

OTP raw values are stored only for 5 minutes using a time-to-live (TTL) mechanism and are automatically deleted after verification for security purposes. Authentication event metadata—such as timestamps and login success or failure—is retained for 3 years to support fraud detection and dispute resolution.

Detailed activity logs are typically stored for 90 days for operational monitoring and may be archived or anonymised sooner if no longer required. Monitoring and error events used for system observability are retained in raw form for 30 days, while aggregated metrics may be stored for up to 365 days to maintain product stability and performance insights; any events containing personal data are redacted where possible.

Records related to user consent and verification evidence are retained for 5 years after the end of the relationship to demonstrate the lawful basis for processing. Staff verification documents for retailer personnel are retained during their engagement and for 3 years afterward to meet employment and regulatory requirements.

Wallet and trial points ledger records are retained for 8 years to support financial recordkeeping and reconciliation. In cases involving legal holds or litigation, relevant data will be retained until release by legal counsel in order to preserve necessary evidence.

Notes: exact retention implementation will be documented in our internal retention schedule. If you request deletion and a legal obligation requires retention, we will retain the data to the extent required by law.

10. Security, monitoring & admin access

We implement technical and organisational measures to protect data: HTTPS in transit, authentication controls, role-based access control, logging and monitoring.

Monitoring tools are configured with automated PII scrubbing and limited retention. Raw monitoring data that may include identifiers is redacted prior to longer-term storage.

Administrative access requires strong authentication (MFA) and is audited. Access to sensitive logs requires documented justification and is time-limited.

If an administrator needs to export event data containing PII (for an investigation), an export record including who exported it, why, and a hash of the exported bundle will be retained.

11. International transfers

Nowx may store and process personal data using cloud services that have infrastructure outside India. Where data is transferred cross-border we will apply appropriate contractual and organisational safeguards. We will not transfer personal data to jurisdictions prohibited by law for specific categories of data. Users may request the list of subprocessors via contact@nowx.in.

12. Your rights (how to exercise them)

You have the following rights under applicable law. To exercise any right contact contact@nowx.in.

Access: request confirmation whether we process your data and request a copy.

Correction: request correction of inaccurate personal data.

Deletion / Erasure: request deletion subject to lawful retention obligations.

Portability: request a machine-readable export of personal data in common formats. (We will implement export tooling; please allow processing time.)

Consent withdrawal: withdraw consent for processing activities which are based on consent (marketing/optional features). Withdrawal is prospective and does not affect prior lawful processing.

Grievance redressal: see §13.

Response timelines

Acknowledgement: we will acknowledge receipt of a valid request within 3 business days.

Substantive response: we will respond and action valid requests within 30 calendar days; for complex requests needing coordination the period may be extended with notice, not exceeding 90 calendar days unless lawfully required.

13. Grievance Officer & contact (pre-incorporation)

Pre-incorporation contact: contact@nowx.in (founding team) — initial acknowledgement within 3 business days. We aim to resolve or provide a remediation plan within 30 calendar days. For complex matters we may extend up to 90 calendar days and will inform you.

When an operating legal entity is incorporated we will publish the official Grievance Officer details and contact information.

14. Data breaches & incident response

If a personal data breach is detected that is likely to cause harm to Data Principals we will: (a) contain and mitigate the breach, (b) notify affected individuals without undue delay, and (c) notify regulators where required. We maintain an incident response playbook; significant regulatory reports will be prepared as required and, where applicable, we will aim to provide an initial regulatory report within a conservative timeframe (for example, 72 hours) subject to prevailing law and guidance.

15. Special operational clarifications (features not in current build)

No precise GPS background tracking: Currently Nowx does not collect continuous precise GPS location or background location tracking for Users or Retailer Personnel. Delivery coordination is performed using delivery addresses and user-entered location details. If we introduce GPS tracking we will update this Policy and seek necessary permissions.

No in-app audio/video recording: Nowx does not currently offer in-app audio or video recording for trials or SOS features. If such safety features are introduced we will add explicit consent flows and update this Policy.

No social login or ad trackers (current build): Social logins and ad/marketing trackers are not used in the current codebase; we will disclose and seek consent before enabling them.

Payments: At present the Platform’s codebase supports COD metadata and retailer-managed settlement flows. If we integrate payment gateways (to collect payments on the Platform) we will update the Policy, publish processor details and obtain any required consents.

16. Children & minor data

The Platform is for users 18 years or older. By using the Platform you confirm you are 18 or older. If we become aware that a minor’s personal data was collected without lawful parental consent we will take steps to delete such data promptly. We recommend parents and guardians supervise their children’s online activity.

17. Evidence, logs & legal admissibility

Nowx maintains tamper-resistant logs and exportable audit bundles for operational and legal use. Where required by law for admissibility of electronic records (for example, legal evidentiary rules), Nowx will provide export bundles accompanied by custody metadata and hash values to support authenticity, subject to legal process and cooperation by Retailers where their records are relevant.

18. Changes to this Privacy Policy

We will update this Policy to reflect new features, legal requirements, or processor changes. Material changes affecting user rights will be notified via in-app notice or email. The “Last updated” date at the top indicates the current Policy version.

19. Subprocessors & more information

Nowx may use third-party service providers to support operation of the Platform, including cloud infrastructure, monitoring, communications and technical services.

Examples of categories of providers may include:

Cloud database and hosting providers
Monitoring and observability services (for example, Sentry)
Media storage providers
Email or notification service providers
Security and infrastructure services

Because Nowx is currently in a pre-incorporation development phase, a public subprocessors page has not yet been created.

Once the operating legal entity is incorporated, Nowx will publish a dedicated subprocessors disclosure page listing active third-party processors and update this Privacy Policy accordingly.

20. How to contact us

For privacy enquiries or to exercise your rights:

Email: contact@nowx.in

Pre-incorporation postal contact: To be updated upon incorporation; use email until then.

21. Miscellaneous & legal

This Policy is governed by applicable law. Where there is a conflict between the Policy and mandatory legal provisions, the law prevails. The founding team operates the Platform in a pre-incorporation phase and will transition responsibilities to the operating legal entity upon incorporation.