ESHOPBOX E-COMMERCE PRIVATE LIMITED (“Eshopbox”) owns and manages the website www.eshopbox.com (“Website”). Eshopbox values your privacy and takes responsibilities in relation to your data seriously.
Section 43A of the Information Technology Act, 2000 (“IT Act”);
Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”); and
Rule 3(1) of the Information Technology (Intermediaries Guidelines) Rules, 2011.
What information is collected by Eshopbox;
How Eshopbox collects and uses that information;
How you can provide information selectively, and how you can access and update this information; and
How Eshopbox processes, shares and protects your information.
1. PLEDGE ON PRIVACY
2. INFORMATION WE COLLECT
2.1 Eshopbox may collect information from:
Service providers that make user-generated content from their service available to others, such as local business reviews or public social media posts;
Communication service providers, including email providers and social networks, when you give Eshopbox permission to access your data on such third-party services or networks. If you choose to register to use the Website using your social network or any such other account details (e.g., Facebook, Website ID, Google), you will provide Eshopbox or allow your social network to provide Eshopbox with your username and public profile;
Non-personally identifiable information;
2.2 Information Eshopbox collects by automated means
If you use the Website, Eshopbox may collect the following information by automated means:
Internet Protocol (“IP”) address;
Information about your use of the Website;
2.3 Non-Personal Information
2.4 Website visitorship information
Eshopbox gathers information from the Website activity, such as data on the number of people who visit the Website, the pages they visit, the duration of their stay, etc. Website visitorship information inter alia includes:
Collected on an aggregate, anonymous basis, which means no personally identifiable information is associated with this data;
Gathered through the use of web server logs and cookies;
2.5 Personal Information
You may choose to provide Eshopbox with Personal Information through the Website, like:
Contact information, such as your telephone/mobile number and email address;
Your profile searches conducted by you and the reviews submitted by you;
Information obtained from the account you use to login to the Website such as your username, date of birth (wherever applicable), the information you disclose in your user profile, and your photograph or profile video;
Information about services received/ rendered on the Website;
2.6 Indirect Information
Your use of certain third party services on the Website also requires Eshopbox to collect such information as is considered necessary for that purpose (“Indirect Information”);
The IT Act and the SPDI Rules regulate the collection, usage, retention and disclosure of personal information, which is defined under the SPDI Rules as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying such person;
The SPDI Rules further define “Sensitive Personal Data or Information” (“SPDI”) of a person as Personal Information about that person relating to:
2. Financial information such as details of bank accounts, credit cards, debit cards or other payment instruments;
3. Physical, physiological and mental health conditions
4. Sexual orientation;
5. Medical records and history
6. Biometric information
7. Any detail relating to the above categories, as specified in this paragraph, as provided to the body corporate for providing services;
8. Any of the information received under the above categories, as specified in this paragraph, by a body corporate for processing, stored or processed under lawful contract or otherwise.
Eshopbox does not collect any of the aforesaid SPDI of any of the users of the Website.
3. USE OF INFORMATION COLLECTED
Most Eshopbox services do not require any form of registration, allowing you to visit Eshopbox Website without telling Eshopbox who you are. However, some services may require you to provide Eshopbox with Personal Information. In these situations, if you choose to withhold any Personal Information requested by Eshopbox, it may not be possible for you to gain access to certain parts of the Website and for Eshopbox to respond to your query.
Eshopbox may collect and use Personal Information to provide you with services that Eshopbox thinks may be of interest to you, or to communicate with you for other purposes which are evident from the circumstances or about which Eshopbox informs you when Eshopbox collects Personal Information from you.
Eshopbox is the controller of customer data and may process such data as may be required. Eshopbox stores the information collected from the Website, which is used to:
Improve Eshopbox product;
Enhance the end-user experience;
Provide, maintain and protect services, Website and Eshopbox Business;
Communicate with the customers in relation to technical and other administrative matters via emails and other modes of communication;
Personalisation of the product and the services;
Reporting and Business operations;
Conduct and undertake research in order to develop and provide search, learning and productivity tools and additional features to service better experience;
Ensure that you are old enough to use our Website (as required by law); and
Research wherein Eshopbox investigates and helps prevent security issues and abuse.
The information is processed and analysed by automated means to offer a variety of features that you get from using the Website. The information will be used for advanced analytics to offer additional insightful features in future. Eshopbox may also anonymise (de-personalise) the information Eshopbox collects and combine it with other information sources for the purpose of advanced analytics and future use cases.
If you access third-party services, such as Facebook or Google, to login to the Website or to share information about your usage on the Website with others, these third-party services may be able to collect information about you, including information about your activity on the Website, and they may notify your connections on the third-party services about your use of the Website, in accordance with their privacy policies.
4. STORAGE AND MAINTENANCE OF INFORMATION COLLECTED
Your Communication Preferences: To help Eshopbox make e-mails more useful and informative, Eshopbox often receives a confirmation when you open an e-mail from Eshopbox if Your device supports such capabilities. If you do not want to receive e-mail or other mail from Eshopbox, you may adjust your customer communication preferences from the Website.
Eshopbox may be required to share the aforesaid information with government authorities and agencies for the purposes of verification of identity or for prevention, detection or investigation, including cyber incidents, prosecution and punishment of offences. You agree and provide Eshopbox consent to disclose your information, if so required, under applicable law.
5. DISCLOSURE OF INFORMATION
Eshopbox customer’s privacy is extremely important to Eshopbox. However, Eshopbox may disclose certain information obtained to the following:
To Eshopbox employees, in order to diagnose and resolve any problems or to provide support to you.
To any other person who performs services on Eshopbox behalf, including billing, cashback, survey administration, reconciliation, complaint management, technical or customer support and provision of email and data analytics.
To the business partners, who can alert you about the new services. Upon receipt of any alert, if you desire to be removed from such alert list, you may inform the sender or unsubscribe from the list as provided in each mail alert.
In the event that Eshopbox engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of a part of Eshopbox assets or stock, financing, public offering of securities, acquisition of all or a portion of Eshopbox business, a similar transaction or proceeding, or steps in contemplation of such activities (such as due diligence), some or all other information may be shared or transferred, subject to standard confidentiality arrangements.
To engage third party companies or individuals as service providers or business partners to process other information and support Eshopbox business. These third parties may provide virtual computing and storage services. This may be with or without your consent.
With Eshopbox corporate affiliates, parents and/or subsidiaries with respect to other information provided by the customer;
To protect and defend the rights, property or safety of the Company or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.
If Eshopbox is required to do so by law, regulation or legal process, such as a court order or in response to legal requests by government agencies or when Eshopbox believe disclosure is necessary or appropriate to prevent physical, financial or other harm, injury or loss or in connection with an investigation of suspected or actual unlawful activity.
7. SECURITY OF DATA
Eshopbox takes the security of your data very seriously. Eshopbox works hard to protect the information you provide from loss, misuse, and unauthorised access or disclosure. In order to build Eshopbox Website and products, Eshopbox uses multiple sources of data; however, Eshopbox does not use any of Your Personal Information for developing Eshopbox Website and products. Eshopbox maintains commercially reasonable measures to maintain information security and prevent unauthorized access. Given the nature of communications and information processing technology, Eshopbox cannot guarantee that any information, during transmission through the internet or while stored on Eshopbox systems or otherwise in Eshopbox care, will be absolutely safe from intrusion by others. Since no security is fool-proof, in case Eshopbox becomes aware of any breach of security of your information, Eshopbox will notify you using the email address that Eshopbox has. If you do not agree to the terms discussed above, you should exit Eshopbox Website or stop using the same. When you access Eshopbox Website, you acknowledge that you have read and agreed to abide by the terms described above. Eshopbox will, from time to time, include links to and from the Websites of our partner networks, advertisers and affiliates. If you follow a link to any of these Websites, please note that these Websites have their own privacy policies and that Eshopbox does not accept any responsibility or liability for these policies. Please check these policies before you submit any information to these Websites.
8. DATA TO THIRD PARTY WEBSITES
Eshopbox does not provide any Personal Information to advertisers or to a third party except for Amazon Web Server (AWS) which hosts Eshopbox servers for the Website.
9. FORCE MAJEURE
10. YOUR RIGHTS
Individuals located in certain countries, including the European Economic Area, have certain statutory rights in relation to their Personal Information. If you are a resident or a citizen of the European Union or the European Economic Area, Eshopbox will collect, store, process and control your information in accordance with our Data Protection Policy (DPA) provided under ‘Annexure A’ hereto. Subject to any exemptions provided by law, you may have the right to request access to information, as well as to seek to update, delete or correct this information. You can contact us for any help regarding the same.
If you are a resident or a citizen outside of the European Union or the European Economic Area, you have the following rights:
The right to request, for a nominal charge, (i) confirmation of whether Eshopbox processes your personal data and (ii) access to a copy of the personal data retained;
The right to request proper rectification or removal of your personal data or restriction of the processing of your personal data;
Where the processing of your personal data is based on your consent, the right to withdraw your consent at any time without impact to data processing activities that have taken place before such withdrawal;
Where the processing of your personal data is either based on your consent or necessary for the performance of a contract with you and processing is carried out by automated means, the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to have your personal data transmitted directly to another company, where technically feasible (data portability);
The right to object to processing if Eshopbox is processing your personal data on the basis of our legitimate interest unless Eshopbox can demonstrate compelling legitimate grounds which may override your right. If you object to such processing, Eshopbox asks you to state the grounds of your objection in order for us to examine the processing of your personal data and to balance our legitimate interest in processing and your objection to this processing;
The right to object to processing your personal data for direct marketing purposes;
The right to lodge complaints before the competent data protection regulator.
Before Eshopbox can respond to a request to exercise one or more of the rights listed above, you may be required to verify your identity or your account details. Eshopbox shall have a duration of 1 month to respond to any or all of such exercising of your rights.
11. CHILDREN INFORMATION
Another part of our priority is adding protection for children while using the internet. Eshopbox encourages parents and guardians to observe, participate in, and/or monitor and guide their online activity. Eshopbox does not knowingly collect any personally identifiable information from children under the age of 18. If you think that your child provided this kind of information on the Website, Eshopbox strongly encourages you to contact us immediately and Eshopbox will use its best efforts to promptly remove such information from Eshopbox records.
In the event of a change in the law applicable to data protection in India, You hereby expressly consent to Eshopbox continued use, storage, collection and disclosure of Your Information including Personal Information to the fullest extent permitted under such applicable law. Eshopbox may reach out to You for obtaining additional consents and approvals as required under the amended law and You will be required to comply with such requests. Should You choose to not provide Eshopbox with such additional consents and approvals, Eshopbox may have to discontinue your access to the Websites.
You may choose to not provide Eshopbox with or withdraw any or all information included under Personal Information, but in the event that You do so, Eshopbox may be unable to allow you to access the Website or otherwise avail services for the provision of which your information is being collected or processed.
13. RETENTION OF INFORMATION
Eshopbox will put in place measures such that Your Personal Information, which is in Eshopbox possession or under Eshopbox control, is destroyed and/or anonymized as soon as and in any case, within 5 (five) years of it being reasonable to assume that (i) the purpose for which that Personal Information was collected is no longer being served by the retention of such Personal Information; and (ii) retention is no longer necessary for any other reason including applicable law.
Eshopbox, however, reserves the right to retain, store and use Your Information including Personal Information for Eshopbox business purposes, whether such information has been deleted or not. After a period of time, Your data may be anonymized and aggregated, and then may be held by Eshopbox as long as necessary for Eshopbox to provide Eshopbox Services effectively.
Please note that Your withdrawal of consent to use Your Personal Information may result in Eshopbox not being able to provide You with access to the Websites, or terminate any existing relationship that Eshopbox may have with You.
You agree and undertake to indemnify Eshopbox in any suit or dispute by any third party arising out of disclosure of information by You to third parties either through Eshopbox Websites or otherwise, and Your use and access of Websites and resources of third parties. Eshopbox assumes no liability for any actions of third parties with regard to Your Information or Personal Information which You may have disclosed to such third parties.
17. GRIEVANCE OFFICER AND CONTACT INFORMATION
Name: Vallabh Daga
Tel: +91 9920982789
Physical Address: Eshopbox Ecommerce Pvt. Ltd, Plot No. 270, Garage Society, AIHP Executive Center, Udyog Vihar, Phase-II, Gurgaon
DATA PROTECTION POLICY
This Data Protection Policy (“DPA”) has been framed in compliance with GDPR issued by the European Parliament and Council. This DPA is applicable to every person that collects data from European Union (“EU”) residents, or processes data on behalf of a data controller, or any person based in the EU and has a contractual relationship with ESHOPBOX E-COMMERCE PRIVATE LIMITED, a company incorporated under the Companies Act, 2013 having its registered office at [ ] (hereinafter referred to as “Company”/“Eshopbox”).
This DPA is incorporated by reference into any and all agreements currently in place between you and the Company (“Agreement”). When you enter into any agreement with the Company, you accept, without limitation or qualification, the DPA set forth below. You hereby represent and warrant that you have the authority to legally bind yourself and all of Your personnel, representatives and/or Affiliates operating pursuant to any such Agreement referenced herein.
The Company reserves the right to modify or update this DPA at any time and changes will become effective immediately upon posting. You are requested to check for updates to the DPA periodically.
You hereby agree to comply with the following provisions with respect to any Personal Data of one or more Data Subjects located in the European Economic Area Processed in connection with the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with Data Protection Laws, including GDPR and with due respect for the rights and freedoms of individuals whose Personal Data are Processed. References to the Agreement will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.
In this DPA, the following terms shall have the meanings set out below:
“Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with a party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
“Contracted Processor” means the duly appointed Data Processor or a Subprocessor;
“Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the GDPR;
“Data Subject” means the individual to whom the Personal Data relates;
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
“Security Breach” has the meaning set forth in Clause 7 of this DPA;
“Standard Contractual Clauses” means standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission Decision C (2004) 5271;
“Sub-processor” means any Processor or sub-processor engaged by the Data Controller for the Processing of Personal Data;
“Supervisory Authority” has the meaning set forth in Article 51 of the GDPR;
“Term” has the meaning set forth in Clause 12.1 of this DPA; and
The terms “Controller”, “Personal Data”, “Processor,” “Processed” and “Processing,” have the meanings given to them in applicable Data Protection Laws.
2. PROCESSING OF PERSONAL DATA
The parties to the Agreement hereby agree that they are independent Controllers with respect to the processing of the Personal Data. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Both the parties shall keep a record of all Processing activities with respect to Personal Data as required under GDPR.
Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data, including but not limited to: (i) providing accurate and up-to-date contact details of either party’s data protection officer to the other party; and (ii) providing reasonable information and assistance to the other party: (a) conducting data protection impact assessments as required under the Data Protection Laws; and (b) regarding consultations between that party and a Supervisory Authority.
The Data Processor shall Process the Personal Data in accordance with the requirements of the Data Protection Laws.
The Data Processor shall not Process any Personal Data other than with the written instructions of the Data Controller.
The Data Controller
A) Shall instruct the Data Processor and its Affiliates (and instruct the Data Processor and its Affiliates to instruct each Sub-processor) to:
1. Process the Personal Data; and
2. In particular, transfer the Personal Data to any country or territory as reasonably necessary and consistent with the Agreement.
B) Hereby warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instructions set out in clause 2.5.1 above on behalf of its Affiliates.
The information regarding the Processing of Personal Data is set out under ‘Annexure 1’ of this DPA. The parties shall incorporate the terms of ‘Annexure 1’ as a part of the Agreement and such terms shall form an integral part of this DPA.
3. DATA SUBJECT RIGHTS
Each party is separately responsible for honouring Data Subject access requests under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) and responding to correspondence, inquiries and complaints from Data Subjects. Each party shall provide reasonable and timely assistance to the other party as necessary to help facilitate compliance with this Clause 3.
Both the parties shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/ access the relevant Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Data Protection Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
The Data Controller hereby authorises the Data Processor to appoint Subprocessors in accordance with this Clause and any restrictions in the Agreement.
The Data Processor may continue to use those Subprocessors already engaged by the Data Processor as at the date of the Agreement, subject to the Data Processor as soon as practicable meeting the obligations set out in Clause 5.4 below.
The Data Processor shall neither appoint nor disclose any Personal Data to the proposed Sub-processor except with the prior written consent of the Data Controller.
With respect to each Sub-processor, the Data Processor shall:
1. Before the Subprocessor first Processes the Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for the Personal Data required by the Agreement; and
2. Ensure that the arrangement between the Data Processor and the Subprocessor is governed by a written contract including terms that offer at least the same level of protection for Personal Data as those set out in this DPA.
6. SECURITY AND AUDIT RIGHTS
The Data Controller shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under this DPA and the Agreement. The Data Controller will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
Both the parties will (taking into account the nature of the processing of Personal Data under the Agreement) cooperatively and reasonably assist each other in ensuring compliance with any of each other’s respective obligations with respect to the security of Personal Data and Personal Data breaches under this DPA, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by (a) in the case of the Data Controller, implementing and maintaining appropriate security measures; and (b) complying with the terms of Clause 7 of this DPA.
Each party shall make available to the other party all information necessary to demonstrate compliance with the DPA and each Party may (or if mandated by a Supervisory Authority, will) allow for an audit by a mutually agreeable firm. To request an audit, the requestor must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. The auditor must be approved in advance by both the parties (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to both parties before conducting the audit. The audit must be conducted during regular business hours, subject to both the parties’ company policies, and may not unreasonably interfere with either company’s business activities. Any such audits shall be conducted at the expense of the party making the request for such an audit. Both the parties agree to share information with the other regarding any non-compliance discovered during the course of an audit.
7. SECURITY BREACH MANAGEMENT AND NOTIFICATION
If either party becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on the other party’s equipment or facilities under this DPA (“Security Breach”), such party will promptly notify the other party of the Security Breach. Notifications made pursuant to this section will take place within a reasonable time and certainly no longer than 3 (three) business days after discovery and shall describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and any recommended steps that either or both parties should take to address the Security Breach. Each party will promptly investigate the Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the other party as reasonably necessary for both parties to meet their obligations under Data Protection Laws.
Both the parties agree that an unsuccessful Security Breach attempt will not be subject to this Clause 7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to this DPA or to any of either party’s equipment or facilities storing Personal Data and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
Notifications of Security Breaches, if any, will be delivered to one or more of the other party’s business, technical or administrative contacts by any reasonable means, including via email. It is each party’s responsibility to ensure it keeps the other party updated with accurate contact information.
Any notification of or response to a Security Breach under this Clause 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Security Breach.
The Data Controller shall implement reasonable technical and organizational security measures to provide a level of security appropriate to the risk in respect to the Personal Data. As technical and organisational measures are subject to technological development, either party is entitled to implement alternative measures provided they do not fall short of the level of data protection set out by Data Protection Laws.
8. RETURN AND DELETION OF PERSONAL DATA
Both the parties will comply with instructions from the other party to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 (thirty) days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
On the expiry of the Agreement, both parties hereby instruct the other to delete all Personal Data (including existing copies) from their respective systems and discontinue processing of such Personal Data in accordance with Data Protection Law as soon as reasonably practicable and within a maximum period of 60 (sixty) days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that the Personal Data has been archived on backup systems so long as such Personal Data is isolated and protected from any further processing except to the extent required by applicable law.
9. DATA TRANSFERS
Neither party shall transfer any Personal Data (nor permit any Personal Data to be transferred) to a territory outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Data Protection Laws.
Except with regard to the Personal Data transferred from one party to the other party in reliance on the appropriate transfer mechanism specified in Clause 9.1 above, the Standard Contractual Clauses shall apply to the recipient's processing of Personal Data in countries outside the EEA that do not provide an adequate level of data protection. To the extent that the parties transfer Personal Data in reliance on the Standard Contractual Clauses, the Standard Contractual Clauses shall be deemed completed and signed by the parties by the execution of the Agreement.
Both parties agree that their respective liability under this DPA shall be apportioned according to each party’s respective responsibility for the harm (if any) caused by each respective party as may be determined by the parties mutually.
Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
11. GOVERNING LAW AND JURISDICTION
The parties shall submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
This DPA will take effect on the date of execution of the Agreement (the “Effective Date”) and will remain valid until the deletion of all Personal Data under the Agreement by both the parties (“Term”).
Nothing in this DPA shall impact either party’s intellectual property rights with respect to Personal Data provided by either party under the Agreement except to the extent required by applicable law.
Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to the Agreement.