Privacy Policy
Last updated: 2026-07-09
Draft — pending legal review
This page is engineering-authored scaffolding written to satisfy Razorpay’s merchant policy requirements. It will be reviewed by an India-qualified lawyer for DPDP Act 2023, Consumer Protection Act 2019, and IT Act compliance before public launch. The launch gate blocks if any policy is unreviewed.
1. Data Fiduciary
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), SwapMyTech is the Data Fiduciary for personal data processed via the Service. Contact support@swapmytech.com for data-rights requests.
2. What we collect & why
| Category | Examples | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Identity | Name | Order, verification, contract | Consent / performance | Life of relationship + 8 yrs (tax) |
| Contact | Email, phone | Coordinate visit, payment link, support | Consent | Same |
| Google account | Email, name, profile pic, OAuth id | Sign-in | Consent | Until account deletion |
| Address & pincode | Full street address, pincode | Field-agent routing & visit | Consent / performance | Life of order + dispute window |
| Device data | Model, condition answers, photos, IMEI/serial | Valuation, anti-theft check | Consent / legitimate use | Life of order + audit retention |
| Transaction | Verified value, price difference, Razorpay payment id/status | Payment, accounting | Legal obligation (tax) | 8 yrs (Income Tax/GST) |
| Technical | IP, device/browser, rate-limit & bot signals | Security, fraud, abuse prevention | Legitimate use | 90–180 days |
| Analytics (opt-in) | Pages viewed, session activity (Google Analytics 4) | Understand usage & improve the site | Consent (off until you accept) | Up to 14 months (Google) |
| Never collected/stored | Card numbers, CVV, UPI PIN, bank credentials | — | — | Never |
The address and pincode are collected because a person physically visits your home for verification — without them we cannot perform the Service.
3. Google sign-in (OAuth)
If you sign in with Google we receive your name, email, profile picture, and a Google account identifier — and only those. We do not receive your Google password. We request the minimum scopes (basic profile + email). You can revoke our access at any time from myaccount.google.com. Guest checkout is available without Google sign-in.
4. Field visit & photos
The agent may photograph the Old Device for the verified valuation and audit trail. Photos are access-controlled and tied to the order.
5. How payment data is handled
Payments are processed by Razorpay; their privacy policy applies to that transaction. We store only references (payment id, status, amount) and never card or UPI credentials.
6. Sharing & processors
We share the minimum personal data needed with: Razorpay (payments), Google Workspace and Google OAuth (transactional email and sign-in), Google Analytics (site analytics — only if you accept analytics cookies; see the Cookie Policy), the dealer your Old Device is sold to (we do not pass your contact details unless legally required), the wholesaler/OEM for your New Product, and our VPS host. We do not sell personal data and do not run advertising profiling.
7. Cross-border transfers
Primary processing is in India. Some processors may operate globally; any transfers occur per DPDP rules.
8. Security
Role-based access controls (customer / agent / admin) are enforced server-side, transport is encrypted (TLS), secrets are environment-only, our VPS is hardened (UFW, Fail2ban, SSH-keys-only), the money state machine and audit log are immutable, backups are taken nightly off-server, and Razorpay webhooks are signature-verified.
9. Your rights as a Data Principal
Under the DPDP Act you may request access, correction, erasure, grievance, nominate a person, and withdraw consent (with effect on the Service). Email support@swapmytech.com. We will verify identity before acting; SLAs are 48h acknowledgement and 30 days resolution.
10. Retention & deletion
See the retention column in the data inventory. Tax and audit records are kept for the statutory ~8 years even after account deletion; security logs are purged on schedule.
Cancelled or abandoned orders: contact PII (name, email, phone, address) is anonymized 24 months after the last activity on the order. Non-identifying transaction records (order id, amounts, dates) are retained to satisfy Indian tax and accounting law. You can request earlier erasure at any time from /account/profile; we acknowledge within 48 hours and complete within 7 working days.
11. Cookies
Essential session/auth and security/anti-bot cookies, plus opt-in analytics cookies (Google Analytics) that load only if you accept them and can be withdrawn at any time. No third-party ad cookies. See the Cookie Policy for the full list and controls.
12. Children
The Service is for adults 18+; we do not knowingly process minors’ data.
13. Breach notification
We notify the Data Protection Board of India and affected Data Principals if and as required by the DPDP Act.
14. Changes & contact
Material changes are dated above. For privacy questions or complaints, write to support@swapmytech.com.