Privacy Policy for SHUBHANGAY EXIM PRIVATE LIMITED (Operating as ingrano.shop)

Welcome to Ingrano.shop (“ingrano.shop”, “we”, or “us”), your (“you”, or “individuals”, or “user”, “your”) premier source for ethnic (Indian) groceries, offering a convenient shopping experience with our same-day and next-day grocery delivery services in india. Our commitment extends beyond providing quality products at the lowest possible prices; we are dedicated to protecting the privacy and security of our customers. This Privacy Policy outlines our practices regarding the collection, use, and disclosure of your Personal Information. “Personal Information” is information about you that we collect when you browse or place orders for goods or services through our digital platforms, including our website (https://ingrano.shop), mobile application, social media handles, and in-person interactions at our store locations.

Table of Contents

1. Information We Collect...................................................................... 1
2. Use of Your Information..................................................................... 3
3. Sharing Your Information................................................................... 5
4. Data Storage and Security................................................................. 7
5. Legal and Compliance......................................................................... 9
6. User Consent and Rights................................................................... 11
7. Children’s Privacy............................................................................... 13
8. Contact and Communication.............................................................. 14
9. Changes to This Privacy Policy........................................................... 16

1. Information We Collect

We prioritize your privacy and are transparent about the types of information we collect from you and how it is used to enhance your shopping experience. Our collection practices are designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and are informed by the latest guidance on technology-related privacy topics.

1. Personal Information

We collect personal information that you voluntarily provide to us when you:

• Register for an account on our website or mobile application.
• Place an order or make a purchase.
• Contact us for support or inquiries.
• Subscribe to our newsletters or marketing communications.
• Participate in our promotions, surveys, or feedback initiatives.

This information includes but is not limited to

• Identity Data: Your first and last name, email address, phone number, physical address, birth anniversaries, marriage anniversaries, and their family member birthdays and anniversaries, and, if necessary, government-issued identification numbers for verification purposes.
• Financial Data: Payment information such as credit or debit card details, billing address, and purchase history, are processed securely through our payment partners.
• Health and Dietary Information: With your consent, we may collect details about your health, such as allergies or dietary preferences, to personalize your shopping experience and product recommendations.

1. Metadata and Digital Information

As you interact with our digital platforms, we automatically collect metadata and digital information that does not directly identify you but is crucial for improving our services, including:

• Device Information: Details about the devices you use to access our services, including hardware models, operating system versions, unique device identifiers, and mobile network information.
• Log Information: When you use our services, our servers automatically record information (log data), including your Internet Protocol (IP) address, browser type, and version, geographical location, device type, referral source, page views, website navigation paths, HTTP Headers as well as the dates and times of your visits.
• Cookies and Tracking Technologies: We use cookies, web beacons, and similar tracking technologies to gather information about your browsing activities and preferences. This data helps us understand your interests and enhance your user experience by providing personalized content, advertising, and special offers on the basis of consumer habits.

1. Biometric and IoT Device Data

For services that require or involve the use of biometric data (such as facial recognition for secure account access) or IoT devices (like smart refrigerators for inventory management), we will explicitly ask for your consent before collecting such data. This information will be used solely for the purpose it was collected, ensuring the highest level of security and privacy.

Consent and Choice

Your privacy is paramount. We collect, use, and disclose your personal information only with your knowledge and consent, except where otherwise permitted or required by law. You have the choice to provide, decline, or withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. The data collection will only be at the time you create an account with us or when you check out as a guest or when we run any marketing campaigns wherein we purposely collect certain information to be used for promotional purposes. We will explain the implications of withdrawing consent to ensure you are informed about any changes in the services we can provide.

Updates to Your Information

We strive to ensure that the personal information we hold is accurate, complete, and up-to-date. You can review, update, or correct your personal information at any time through your account settings or by contacting our customer support team.

2. Use of Your Information

We utilize the information we collect to provide, support, and enhance our services in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). Our use of your information is guided by the principle of limited purpose, ensuring that we only use your data for the reasons we've disclosed to you, unless you consent to a new purpose or it is required by law.

1. Service Provision and Personalization

• Order Fulfillment: We use your personal and financial information to process and deliver your orders efficiently.
• Customer Support: Your contact details enable us to offer personalized support and address any inquiries or issues you may encounter.
• Account Management: With your explicit consent, we utilize your information to manage your account, and user authentication, providing a seamless shopping experience and enabling features such as order history and preferences.

1. Improvement and Development

• Analytics and Performance Monitoring: Metadata and digital information collected through cookies and tracking technologies help us analyze how our services are used, identify trends, and improve the overall user experience.
• Product and Service Enhancement: Feedback and usage data guide us in developing new features and offerings tailored to your preferences and needs.

1. Marketing and Communication

• Direct Marketing: With your consent, we use your contact information to send you emails regarding promotional materials, offers, and newsletters that we believe will interest you.
• Customer Relationship Management: Information about your preferences and interactions with our services allows us to tailor our communication and marketing strategies to better engage with you, and improve our customer service support.

1. Security and Fraud Prevention

• Protecting Our Services: We use your information to detect and prevent fraudulent transactions, unauthorized access to accounts, and other security breaches.
• Compliance and Enforcement: Your data may be utilized to comply with legal obligations, respond to requests from law enforcement agencies, and protect our rights and the rights of others.

1. Research and Innovation

• Biometric Data and IoT Integration: Where explicit consent is given, we may use biometric data and information from IoT devices to explore innovative ways to enhance security, personalize your shopping experience, and develop new service models.
• Analytics and Business Intelligence: Where explicit consent is given, we may use your behavior on our platform, track website performance, and make data-driven business decisions to enhance the services that we offer to you.

Legal Basis for Processing

Our processing of your personal information is based on:

• Consent: We rely on your explicit consent for processing sensitive data, direct marketing, and certain types of cookies.
• Contractual Necessities: Processing necessary for the fulfillment of our services and contractual obligations.
• Legal Obligations: Processing required to comply with legal requirements.
• Legitimate Interests: We process data for purposes like fraud prevention, security, and improving our services, where such interests are not overridden by your data protection rights.

Your Control and Choices

ingrano.shop respects your rights and control over your personal information. You have the choice to opt-out of marketing communications, manage cookie settings, and access or update your information at any time.

3. Sharing Your Information

Currently, we do not share your information with third parties but plan to share relevant data with partners such as Shopify for web analytics, Google Analytics, Purolator for shipping & logistics, Square, Clover, and Razorpay for payment information, social media widgets, live chat services, and Odoo CRM.

1. Types of Third Parties

Your information may be shared with the following categories of third parties:

• Service Providers: To facilitate our service, to provide the service on our behalf, to perform Service-related services, or to assist us in analyzing how our service is used. This includes but is not limited to payment processors, delivery and logistics partners, and IT service providers.
• Business Partners: We may share your information with our business partners to offer you certain products, services, or promotions.
• Analytics and Advertising Partners: With your consent, we share metadata and digital information with partners that help us improve our website's functionality, analyze how our services are used, and tailor advertising to your interests.
• Legal and Regulatory Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

1. Consent for Sharing

• Explicit Consent: We will obtain your explicit consent before sharing your sensitive personal information, such as biometric data or health-related information, with any third parties.
• Opt-Out Option: For other types of information, such as metadata and digital information used for analytics and advertising, you will have the opportunity to opt-out of sharing with third parties.

1. International Transfers

• Cross-Border Data Transfers: Information, including personal information, may be stored and processed in any country where we have facilities or in which we engage service providers. By using our service, you consent to the transfer of information to countries outside of your country of residence, which may have data protection rules that are different from those of your country.
• Safeguards: In cases of international data transfers, we ensure that adequate safeguards, as required under PIPEDA and other relevant privacy laws, are in place. This may include the use of standard contractual clauses approved by the European Commission, adherence to the Privacy Shield framework, or reliance on a service provider’s Binding Corporate Rules.

1. Sharing with Consent

• Marketing and Third-Party Advertising: With your prior consent, we may share your personal information with third parties for marketing purposes, as permitted by law.
• Biometric and IoT Device Data: Any sharing of biometric or IoT device data will be subject to your explicit consent, detailing the purpose of such sharing and the parties involved.

Protection of Shared Information

We require all third parties with whom we share your information to respect the security of your personal data and to treat it in accordance with the law. We only permit them to process your personal data for specified purposes and in accordance with our instructions, and we ensure that appropriate measures are in place to maintain the confidentiality and integrity of your information.

4. Data Storage and Security

We store your data on cloud servers located in Canada, the United States, and India. We employ robust security measures, including strong encryption, access controls, multi-factor authentication, regular software updates, adherence to privacy laws, vendor security assessments, incident response plans, regular audits, data backups, and network security to protect your information. Also, for Third Parties, it will be the servers of the Third Parties such as Shopify,Google, etc.

1. Data Storage

• Location: Your personal information is stored on secure servers located in Canada. For operational reasons and to ensure redundancy, we may also use servers located in the United States and India. We carefully select our data storage providers to ensure they meet stringent security and privacy standards.
• Data Retention: We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. After this period, your personal information will be securely deleted or anonymized.

1. Security Measures

• Encryption: All data transmitted to and from our platforms is encrypted using strong encryption protocols and algorithms (e.g., AES) for data in transit and data at rest. We use HTTPS to secure communication between users and our website or application. Encrypted sensitive data is stored in databases to protect it from unauthorized access to ensure the secure transmission of your Personal Information.
• Access Control: We implement strict access controls and identity verification measures to restrict access to your personal information to authorized personnel only, based on their job roles. These Role-Based Access Controls (“RBAC”) restrict access to sensitive data based on job roles and responsibilities. The principle of least privilege is enforced to ensure that employees have access only to the data necessary for their tasks. These access controls are regularly reviewed and updated to access permissions as the job roles of employees change.
• Multi-Factor Authentication: We will require users and employees to use multi-factor authentication to add an additional layer of security beyond passwords. We will implement Multi-Factor Authentication for access to critical systems, databases, and sensitive information.
• Biometric Data: For services utilizing biometric data, we employ advanced security measures, including biometric encryption and secure storage, to protect such sensitive information.
• IoT Device Data: We ensure that any data collected from IoT devices is transmitted securely and stored on encrypted servers, with access strictly controlled and monitored.

1. Security Practices

• Regular Audits and Assessments: We conduct regular security audits and risk assessments to identify and remediate potential vulnerabilities in our systems and processes.
• Data Breach Response: In the unlikely event of a data breach, we have in place a robust incident response plan to promptly address and mitigate any potential harm. We will notify affected individuals and relevant authorities in accordance with legal requirements and our commitment to transparency.
• Vendor Security: We require all third-party vendors and service providers to adhere to our security standards and undergo regular security assessments to ensure the protection of any personal information they may handle on our behalf.

1. User Responsibilities

• Account Security: We encourage users to take steps to protect their account information, including using strong passwords, enabling two-factor authentication (where available), and being vigilant against phishing attacks.
• Privacy Settings: Users have control over their privacy settings and are encouraged to review and adjust them regularly to suit their preferences.

Compliance and Continuous Improvement

• Compliance with Privacy Laws: Our data storage and security practices are designed to comply with PIPEDA and other relevant privacy laws. We remain committed to continuously monitoring and updating our practices in response to evolving legal and technological landscapes.
• Training and Awareness: We provide regular privacy and security training to our employees to ensure they understand the importance of protecting personal information and know how to do so effectively.

5. Legal and Compliance

We comply with PIPEDA, CCPA, CDPA, CPA, and other applicable privacy regulations. We manage user requests for data access, correction, and deletion through our website’s profile and account management features, email preferences, and opt-out mechanisms in emails.

1. Compliance with PIPEDA

• Accountability: We have designated a Privacy Officer responsible for ensuring our compliance with PIPEDA, overseeing all aspects of our privacy policies and practices.
• Identifying Purposes: The purposes for which personal information is collected are specified at or before the time of collection. We ensure that these purposes are clear, lawful, and directly related to our operations.
• Consent: Consent is obtained for the collection, use, or disclosure of personal information, except where the law provides for exceptions. We provide mechanisms for obtaining and recording consent in a manner that is understandable and accessible.
• Limiting Collection, Use, Disclosure, and Retention: Personal information is not collected excessively and is limited to what is necessary for the identified purposes. Information is retained only for as long as necessary to fulfill these purposes or as required by law.
• Accuracy: We take steps to ensure that personal information is as accurate, complete, and up-to-date as necessary for the purposes for which it is used.
• Safeguards: Appropriate security measures are in place to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification.
• Openness and Transparency: Our privacy practices are documented and readily available to customers. We ensure that information about our policies and practices is accessible in a format that is easy to understand.
• Individual Access: Upon request, individuals are informed of the existence, use, and disclosure of their personal information and are given access to it. Individuals are able to challenge the accuracy and completeness of the information and have it amended as appropriate.
• Challenging Compliance: Individuals can address their concerns about our compliance with our Privacy Officer. We have procedures in place to receive and respond to complaints or inquiries about our handling of personal information.

1. Handling Metadata and Online Tracking

We are transparent about our collection and use of metadata and online tracking information. These practices are clearly outlined in our privacy policy, including the use of cookies and similar technologies.

1. Biometrics and IoT Device Data

For services that involve biometrics and IoT device data, we ensure that additional consent is obtained and that these data types are handled with enhanced privacy protections, reflecting their sensitivity.

1. International Data Transfers

In cases of cross-border data transfers, we ensure compliance with PIPEDA's requirements regarding the protection of personal information when it is transferred to third parties located in other jurisdictions.

Continuous Monitoring and Updating

ingrano.shop is dedicated to continuously monitoring privacy trends and legislative changes to ensure that our policies and practices remain in compliance with PIPEDA and other applicable laws, adapting as necessary to address new privacy challenges and technologies.

6. User Consent and Rights

Consent for data collection and processing is obtained through profile management, communication settings, and email opt-in/out clauses. Details on mechanisms for withdrawing consent will be communicated later.

1. Obtaining and Managing Consent

• Informed Consent: We ensure that consent is informed and voluntary, with clear explanations provided about the purposes for which personal information is collected, used, and disclosed. This information is presented in a manner that is easy to understand, using plain language.
• Mechanisms for Consent: Consent is obtained through various mechanisms, including but not limited to, online forms, checkboxes, settings in user accounts, or verbally for in-person interactions. We ensure that these mechanisms are easily accessible and understandable.
• Withdrawing Consent: Individuals have the right to withdraw their consent at any time, subject to legal or contractual restrictions. We provide clear instructions on how to withdraw consent, which can be done through user account settings, contacting our Privacy Officer, or following instructions provided in our communications.

1. Individual Rights

• Access to Personal Information: Individuals have the right to request access to their personal information held by us. Upon request, we will provide information about the existence, use, and disclosure of their personal information and will provide access to that information.
• Correction and Deletion: We provide individuals with the ability to correct inaccuracies or incomplete information in their personal data. Furthermore, individuals can request the deletion of their personal information, where appropriate, unless retention is required by law or for legitimate business purposes.
• Data Portability: Where technologically feasible, individuals have the right to request that their personal data be transferred to another organization, in a structured, commonly used, and machine-readable format.

1. Privacy Preferences and Opt-Outs

• Managing Preferences: Users can manage their privacy preferences, including marketing communications and sharing settings, through their account settings on our website or app.
• Opt-Outs: We offer clear opt-out options for individuals who do not wish their personal information to be used for certain purposes, such as direct marketing or third-party data sharing. Opt-out mechanisms are easily accessible and simple to use.

1. Responding to User Requests

• Procedure for Requests: We have established procedures for responding to requests from individuals regarding access to, correction of, or deletion of their personal information. Requests are addressed promptly, within the timeframes stipulated by PIPEDA.
• No Fee for Access: We do not charge a fee for processing requests for access to personal information, except in cases where requests are excessive or repetitive. In such cases, we will inform the individual of any fees prior to proceeding with the request.

Commitment to User Rights

ingrano.shop is committed to respecting and facilitating the exercise of individual rights under PIPEDA. We continuously review and update our processes to ensure they are aligned with best practices in privacy and data protection, reflecting our commitment to transparency, accountability, and the empowerment of our users in managing their personal information.

7. Children’s Privacy

We do not knowingly collect data from children, and as such, measures specific to children's privacy protection are not applicable.

1. Collection of Information

• Age Restrictions: We do not knowingly collect personal information from children under the age of 13 without the requisite parental consent. Our services are not directed to children under this age, and we implement measures to prevent the unintentional collection of data from children.
• Parental Consent: In situations where personal information of children under the age of 13 is collected, we take steps to ensure that parental consent is obtained. This may involve verifying the consent given by the parent or guardian through various means, such as a consent form, a phone call, or digital authentication methods.

1. Use and Disclosure

• Limited Use: Personal information collected from children is strictly limited to the purposes for which consent was provided. This typically includes participation in an educational program, contest, or other activity that requires personal information.
• No Disclosure: We do not disclose any personal information of children to third parties unless it is necessary for the provision of the service for which consent was obtained, and we ensure that all third parties are committed to protecting the privacy of the information.

1. Rights and Controls

• Parental Access: Parents or guardians have the right to review the personal information collected from their children. Upon verification of their identity, we provide access to such information and offer the option to request the correction or deletion of any inaccuracies.
• Withdrawal of Consent: Parents or guardians can withdraw their consent at any time, leading to the deletion of the child’s personal information from our records, except where retention is required by law.

Commitment to Children's Privacy

ingrano.shop is committed to operating in compliance with PIPEDA and respecting the sensitive nature of children's personal information. We continuously review and enhance our practices to ensure the highest level of protection for children's privacy, including employing age verification tools and engaging in educational efforts to raise awareness among parents, guardians, and children about online privacy risks and protections.

8. Contact and Communication

For any privacy concerns or data requests, please contact us via email, phone, our website, or the account management section on our website.

1. Contacting Our Privacy Officer

• Privacy Officer: For any privacy-related inquiries, including questions about our privacy practices or the information we hold about you, please contact our Privacy Officer at:
• Email: ecommerce@ingranoglobal.com
• Postal Address: 3rd Floor, 9th Avenue, Near, Rajpath Rangoli Rd, behind Rajpath Culb, Rajiv Nagar, Bodakdev, Ahmedabad, Gujarat 380054
• Telephone:  079 4918 4283

1. Making a Privacy Request

• Access, Correction, and Deletion: If you wish to access, correct, or delete any personal information we hold about you, or if you want to withdraw consent for future communications, please submit a detailed request to our Privacy Officer using the contact information provided above.
• Response Time: We aim to respond to all privacy-related requests within 30 days of receipt. Should we require more time to process your request, we will notify you of the expected timeframe for a response.

1. Feedback and Complaints

• Feedback: We welcome your feedback on our privacy practices. Please feel free to share your thoughts and suggestions with us.
• Complaints: If you have any concerns about how we handle your personal information, please contact our Privacy Officer. We take all complaints seriously and will investigate promptly.
• Escalation: If you are not satisfied with our response to your complaint, you have the right to escalate the issue to the Privacy Commissioner of Canada.

1. Communication Preference

• Communication Preferences: You can manage your communication preferences or opt-out of certain communications by adjusting your account settings on our website or app, or by contacting our Privacy Officer.

Commitment to Accessibility and Transparency

Ingrano.shop is dedicated to ensuring that our privacy practices are accessible, transparent, and understandable. We are committed to engaging with our users in a respectful and meaningful way, respecting your privacy rights and preferences at every step.

9. Changes to This Privacy Policy

We will notify you of any changes to our privacy policy through a modal window on our website and email notifications.

1. Notification of Changes

• Updates and Revisions: Whenever we make changes to our privacy policy that materially affect the way we handle your personal information, we will provide clear and prominent notice before the changes take effect. This may include direct communication through email, notification on our website, or other means designed to ensure you are aware of the modifications.
• Accessibility: The most current version of our privacy policy will always be accessible on our website. We encourage you to review it regularly to stay informed about our privacy practices and your rights.

1. Engaging Users in Changes

• Feedback Opportunity: Prior to implementing significant changes, we may offer opportunities for our users to provide feedback on proposed modifications. This reflects our commitment to transparency and user engagement in our privacy practices.
• Effective Date: The effective date of any changes to our privacy policy will be clearly stated at the beginning of the policy, allowing you to be aware of when the changes have been put into place.

1. Your Acceptance of Changes

Continued Use: By continuing to use our services after any changes to this privacy policy become effective, you agree to be bound by the revised policy. If you do not agree to the new terms, you should stop using our services and contact us to close any accounts you may have created.

Commitment to Privacy

ingrano.shop ongoing commitment to privacy involves ensuring that our policy reflects current practices and legal requirements. We are dedicated to protecting your personal information and to being clear about the ways in which that information is used. Should you have any questions about changes to our privacy policy or our privacy practices in general, we encourage you to contact our Privacy Officer.