PRIVACY POLICY – VENDOR

  • (Compliant with IT Act, 2000 & DPDP Act, 2023)
    This Privacy Policy describes how VCO Job, having its registered office at No.903, 80 Feet Rd, 6th Block, Koramangala, Bengaluru, Karnataka 560095 (“Company”, “Platform”, “we”, “us”, or “our”), collects, processes, stores, uses, shares, and protects Personal Data of individuals registering or operating on the Platform as:

    Vendors (Restaurant Owners) (collectively referred to as “Vendors” or “Data Principals”, as defined under the DPDP Act, 2023).

    By registering, accessing, or using the Platform, you freely, specifically, informedly, unconditionally, and unequivocally consent to the processing of your Personal Data in accordance with this Privacy Policy.
  • LEGAL BASIS & APPLICABILITY
    This Privacy Policy is issued pursuant to:
    • • Section 43A of the Information Technology Act, 2000
    • • IT (Reasonable Security Practices & SPDI) Rules, 2011
    • • Digital Personal Data Protection Act, 2023 (India)
    This Policy applies only to Vendors / Restaurant Owners, data is governed by a separate privacy policy.
  • DEFINITIONS (DPDP ACT COMPLIANT)
    • • Personal Data: Any data about an individual who is identifiable by or in relation to such data.
    • • Sensitive Personal Data / Special Category Data: Financial information, government IDs, biometric data, etc., as applicable.
    • • Data Principal: Vendors / Restaurant Owners.
    Data Fiduciary: VCO Job.
    Data Processor: Third parties processing data on behalf of the Company.
  • CATEGORIES OF PERSONAL DATA COLLECTED
    Identity & Contact Data
    • • Full name
    • • Mobile number
    • • Email address
    • • Photograph
    • • Date of birth / age verification
    • • Residential or business address
    Business / Professional Data
    Vendors:
    • • Restaurant/business name
    • • Business address
    • • FSSAI, GST, trade license details
    • • Menu, pricing, operating hours
    Financial & Tax Data
    • • Bank account details
    • • PAN / GST
    • • Transaction, payout, commission records
    Note: Card details are not stored. Payments are processed via RBI-compliant third-party gateways.
    Location Data
    For Vendors (Restaurant Owners), the Platform may collect and process the following location-related information:
    • • Registered Business Location:
      Permanent location of the restaurant or food business as provided during onboarding and verification.
    • • Service Area / Delivery Radius:
      Geographic zones selected by the Vendor to define delivery coverage and order acceptance areas.
    • • Order Fulfilment Location:
      Location data linked to order preparation, pickup coordination, and logistics management.
    • • Compliance & Verification Purposes:
      Location information used for regulatory compliance, address verification, fraud prevention, and audit requirements.
    • • Operational Analytics:
      Aggregated and anonymized location data used to improve serviceability, demand forecasting, and platform efficiency.
    • Note:
      The Platform does not track real-time live movement of Vendors or Restaurant’s staff. Location data is collected only for operational, compliance, and service enablement purposes, strictly in accordance with the DPDP Act, 2023.
    Technical & Usage Data
    • • IP address
    • • Device identifiers
    • • App usage logs
    • • Crash diagnostics
  • PURPOSE OF PROCESSING OF PERSONAL DATA – RESTAURANT / VENDOR PARTNERS
    (Section 6, Digital Personal Data Protection Act, 2023)
    In a food delivery platform ecosystem, VCO Job acts as the Data Fiduciary for Restaurant/Vendor Partners. Personal Data of Vendors is processed only for specific, lawful, necessary, and clearly defined purposes, in accordance with Section 6 of the Digital Personal Data Protection Act, 2023, and the principles of purpose limitation and data minimization.
    A. Onboarding & Regulatory Compliance
    Data is processed to:
    • • Verify business ownership and authorized signatories
    • • Validate FSSAI registration, GST, trade licenses, and other statutory approvals
    • • Verify identity documents of restaurant owners or authorized representatives
    • • Ensure compliance with food safety, taxation, and local regulatory requirements
    • • This processing is necessary to determine the eligibility and legality of food business listings on the Platform.
    B. Restaurant Listing & Platform Enablement
    Data is processed to:
    • • Create and manage restaurant profiles on the Platform
    • • Display restaurant name, cuisine type, menu items, pricing, availability, and operating hours
    • • Enable order acceptance, preparation workflows, and serviceability configuration
    • • Only business-related information necessary for customer discovery and ordering is displayed.
    C. Order Management & Fulfilment
    Data is processed to:
    • • Share limited order-related information, including order ID, item details, quantities, and preparation instructions
    • • Enable real-time order preparation and coordination of B2B2C logistics
    • Data Minimization Assurance:
    • Customer Personal Data such as phone numbers, live location, or precise delivery addresses is not shared with Vendors, except where legally required or operationally necessary for order fulfilment.
    D. Financial Settlements & Tax Compliance
    Data is processed to:
    • • Calculate commissions, platform fees, and net payable amounts
    • • Process payouts to Vendor bank accounts
    • • Maintain transaction records for reconciliation and audit purposes
    • • Comply with statutory obligations including GST, TDS, invoicing, and financial reporting
    • • Payment processing is carried out through RBI-compliant third-party payment gateways.
    E. Business Communication & Support
    Data is processed to:
    • • Communicate order updates, settlement statements, policy changes, and operational alerts
    • • Provide customer support, dispute resolution, and grievance handling
    • • Share service-related notifications essential for Platform operations
    • • Promotional or marketing communications, if any, are sent only in accordance with applicable consent requirements.
    F. Fraud Prevention, Security & Legal Obligations
    Data is processed to:
    • • Detect and prevent fraud, misuse, or unauthorized activity
    • • Enforce Platform policies and contractual obligations
    • • Respond to lawful requests from government authorities, courts, or regulators
    G. Consent & Lawful Basis
    Processing of Vendors’ Data is carried out:
    • • With explicit consent obtained during onboarding and continued Platform usage; and/or
    • • As a legitimate use necessary for providing Platform services, complying with legal obligations, and fulfilling contractual responsibilities, as permitted under the DPDP Act, 2023.
    • • Withdrawal of consent may result in suspension or termination of Vendor access, subject to legal requirements.
    H. Purpose Limitation & Retention
    • • Data is collected only to the extent necessary for the purposes defined above
    • • Data is retained only for as long as required for operational, legal, taxation, or audit purposes
    • • Upon termination, data is erased or anonymized unless retention is mandated by law
    Important Clarification:
    • • Live location tracking, delivery routing, rider safety data, and pickup/drop navigation are NOT applicable to Vendors
    • • Vendors are not tracked in real time
  • CONSENT MANAGEMENT
    • • Consent is obtained digitally during onboarding and app usage
    • • Consent may be withdrawn at any time, subject to legal obligations
    • • Withdrawal may limit or terminate access to Platform services
    • • Consent withdrawal requests can be made via the App or email.
  • DISCLOSURE & DATA SHARING
    • • Data is shared strictly on a need-to-know basis, including:
    With Customers
    • • Business/service details
    • • Restaurant location
    With Data Processors
    • • Payment gateways
    • • Cloud hosting providers
    • • Communication service providers (SMS, Email, Push Notifications)
    With Government / Legal Authorities
    • • Where required by law, court order, or statutory obligation
    Data Sharing with Group Entities & Associated Organizations (Vendors)
    • Personal Data of Vendors may be shared strictly on a need-to-know basis with entities that are directly or indirectly associated with the Platform, only for lawful and legitimate purposes, in accordance with Section 6 of the Digital Personal Data Protection Act, 2023.
    Such entities may include:
    • • Group companies, sister concerns, and affiliates
    • • Non-Governmental Organizations (NGOs) and Co-operative Societies
    • • Private Limited Companies, Limited Liability Partnerships (LLPs)
    • • Partnership Firms and Sole Proprietorships
    • • Franchisees, authorized representatives, and channel partners
    • • Vendors, service partners, and subcontractors
    • • Branch offices, associates, and operational units
    Purpose Limitation
    Data sharing with the above entities is limited only to the extent necessary for:
    • • Vendor onboarding, verification, and regulatory compliance
    • • Restaurant listing, operational enablement, and order coordination
    • • Payment processing, settlements, accounting, and audits
    • • Statutory, tax, and legal compliance
    • • Customer support, grievance handling, and dispute resolution
    • Consent & Safeguards
    • • Such sharing is undertaken with explicit consent obtained during Vendor onboarding and continued Platform usage, or as a legitimate use permitted under the DPDP Act, 2023.
    • • All recipient entities are contractually obligated to:
      • • Process Personal Data only for authorized purposes
      • • Maintain confidentiality and reasonable security practices
      • • Comply with applicable data protection laws
    Personal Data is not sold, rented, or shared for independent marketing or unrelated commercial purposes without separate, explicit consent.
  • DATA RETENTION & ERASURE
    • • Data is retained while the Delivery Partner account is active
    • • Retained longer only if required by law (taxation, disputes, audits)
    • • Upon request, data is erased or anonymized unless legally required otherwise
  • DATA SECURITY (SECTION 8 – IT ACT & DPDP ACT)
    The Company implements reasonable security practices, including:
    • • Encryption at rest and in transit
    • • Secure servers and access controls
    • • Periodic security audits
    • • Role-based internal access
    • • Despite safeguards, no system can guarantee absolute security.
    Requests will be addressed within statutory timelines.
  • DATA RETENTION & ERASURE
    Data is retained:
    • • As long as the Vendor’s account is active
    • • As required under applicable laws (taxation, disputes, audits)
    • • Upon request, data will be erased or anonymized, unless retention is legally required.
  • RIGHTS OF DATA PRINCIPALS (DPDP ACT – CHAPTER III)
    Vendors have the right to:
    • • Access restaurant data
    • • Correct or update inaccurate data
    • • Withdraw consent
    • • Request data erasure
    • • Nominate another person to exercise rights in case of death/incapacity
    • • File grievance or complaint
    • • Requests will be addressed within reasonable timeframes as prescribed by law.
  • CONFIDENTIALITY OBLIGATIONS OF PARTNERS
    Vendors must:
    • • Protect customer data received through the Platform
    • • Use data only for service fulfillment
    • • Not store, misuse, sell, or disclose customer data
    • • Violation may lead to termination, penalties, and legal action.
  • PLATFORM VS VENDOR DATA ROLE DISCLAIMER
    • Vendors act as independent business entities and do not function as Data Fiduciaries for customer Personal Data collected by the Platform. Vendors shall process customer information strictly for order fulfilment and in accordance with applicable data protection laws.
  • AGE RESTRICTION
    • • Only individuals 18 years and above may register as Vendors.
    • • Any violation results in immediate account termination.
  • CROSS-BORDER DATA TRANSFER
    Data may be processed or stored outside India only in compliance with:
    • • DPDP Act, 2023
    • • Government-notified permitted jurisdictions
  • POLICY UPDATES
    This Policy may be updated periodically. Changes will be notified via the App or website. Continued usage constitutes acceptance.
  • GRIEVANCE REDRESSAL (SECTION 8 – DPDP ACT)
    • Grievance Officer: Praveen
    • Email: info@vcojob.com
    • Address: 903, 80 Feet Rd, 6th Block, Koramangala, Bengaluru – 560095
    • Grievances will be acknowledged within 48 hours and resolved within statutory timelines.