Privacy Policy

This Privacy Policy explains how Truso Marketplace ("Truso", "we", "us", "our") collects, uses, shares, and protects your information when you use our website at truso.co.in, our application, or interact with us through WhatsApp, email, or any other channel we provide.

This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (collectively, "Applicable Law"). Truso Marketplace is a sole proprietorship registered as a Micro Enterprise under the Udyam Registration scheme of the Government of India and is the Data Fiduciary in respect of personal data processed under this Policy.

1. Who this policy applies to

This policy applies to:

• Buyers who search for suppliers, save favourites, request samples, request inspections, request transport, or message suppliers through Truso. Buyers include those engaged in industrial procurement, hospitality, trading, contracting, MSME operations, and similar commercial activities.
• Suppliers who claim a profile, publish products, respond to buyer messages, or receive bookings through Truso — including manufacturers, traders, and industrial suppliers.
• Visitors who browse Truso without creating an account.

2. Information we collect

We collect only what is necessary to operate the platform.

From buyers:

• WhatsApp / mobile number (used as your account identity and how suppliers reach you)
• Name (you provide)
• City and delivery address (when you create a booking)
• Email (optional)
• Messages and booking details you send through the platform
• Bookmarks, search history, and pages viewed (used to improve your experience and the platform)

From suppliers:

• WhatsApp / mobile number, name, business name, address, GST number (if provided), product catalogue, certifications, photos, videos, bank details (for settlement), and any other information uploaded to the supplier profile.

From visitors automatically (anonymous traffic):

• IP address, browser type, device type, pages viewed, referrer URL.
• Cookies set by analytics providers for traffic analysis, with IP anonymisation enabled where supported.

For supplier profiles created by Truso (managed marketplace):

Some supplier profiles are created and maintained by our team based on information from the supplier's own website and other publicly available business sources. Such listings are clearly marked as "Unclaimed" and offer the business owner the option to "Claim This Profile" or "Request Removal." Verified removal requests are honoured within 48 hours.

We do not collect biometric, health, or other categories of sensitive personal data.

3. How we use your information

• To operate the marketplace: show you suppliers, accept your bookings, deliver messages between buyers and suppliers.
• To verify suppliers: our operations team checks identity and documents, conducts shop visits where applicable, validates certifications, and records inspection results.
• To authenticate users via OTP (sent via WhatsApp or SMS).
• To send transactional notifications. We send these only when you initiate the underlying action.
• To detect fraud and abuse and to keep the platform safe.
• To improve the platform: aggregate, anonymised analytics on what's working and what isn't.

We do not use your data to:

• Sell leads to suppliers.
• Influence search ranking based on payment for ranking position.
• Send marketing messages to buyers who have not opted in.
• Share your contact details with suppliers you haven't explicitly chosen to contact.

4. WhatsApp and messaging

When you message a supplier through the Truso platform or contact us through our official WhatsApp number:

• Your WhatsApp number is used only to deliver that conversation. It is not added to any marketing list, sold, or shared with third parties beyond the supplier you have chosen to contact.
• Message content (including text, voice notes, and attachments) is stored on our servers for record-keeping, dispute resolution, and platform improvement.
• We send WhatsApp messages to you only in response to actions you have initiated — for example, an OTP for sign-in, a booking confirmation, a callback request you submitted, or a quote response from a supplier you contacted. We send marketing messages only to buyers who have explicitly opted in.
• You can stop receiving WhatsApp messages from us at any time by replying STOP, blocking the number, or contacting us at grievance@truso.co.in.

The WhatsApp Business API provider that we engage to send and receive these messages acts as a Data Processor on our behalf and is bound by our instructions and Applicable Law.

5. How we share your information

We share your information only as needed to operate the service:

• With the specific supplier you choose to contact. Your name, WhatsApp / mobile number, and message content are shared with that supplier. We do not blast your contact details to multiple suppliers.
• With our service providers (described in Section 6). These providers process data on our behalf under contract.
• For booking-based services: when you book a service through Truso, we share the necessary delivery and contact information with the supplier and, where applicable, with our partners coordinating that service.
• When required by law: we will share information if legally compelled (e.g., court order, regulatory request) and will notify you when we are permitted to do so.
• To protect our rights or those of our users (e.g., investigating fraud).

We do not sell, rent, or trade your personal data to anyone.

6. Service providers

We engage third-party service providers to operate the Platform. These providers process data on our behalf as Data Processors under our instructions and are bound by contractual obligations consistent with this Policy and Applicable Law. The categories of providers we engage include:

• Cloud hosting and content delivery providers (frontend and backend infrastructure)
• Database, authentication, and file-storage providers
• Analytics and platform-measurement providers, with anonymisation applied where appropriate
• Email, messaging, and communication providers (including WhatsApp Business API providers)
• Artificial-intelligence and content-processing providers, used to generate summaries, embeddings, and image processing for listings; personal data is not shared with these providers as part of such operations
• Payment processing providers (when paid services are activated)

We select providers with industry-standard security certifications and contractual data-protection obligations. The specific providers we engage may evolve as the Platform grows; the categories described above are representative.

7. Cross-border transfer of data

Some of our service providers store or process data outside India. Under the DPDP Act, 2023, by using our service you consent to such transfers for the purposes described in this Policy. We select providers that maintain industry-standard security certifications and contractual obligations to protect your information consistent with Applicable Law.

8. Cookies and similar technologies

We use cookies and local storage for:

• Keeping you signed in (authentication tokens)
• Remembering your bookmarks, recent searches, and preferences (local storage on your device)
• Anonymous analytics (IP-anonymised traffic measurement)

We do not use third-party advertising cookies. You can disable cookies via your browser settings; some features may not function properly without them.

9. Data retention

We retain your data for as long as your account is active and for up to 3 years after account closure, except where a longer period is required by law:

• Account information: until you close your account + 3 years
• Transactional and financial records (bookings, invoices): 7 years (Indian financial-record retention requirement)
• Anonymised analytics: up to 25 months
• Server logs: 90 days

If you ask us to delete your account before these periods end, we will do so where the law permits. Some financial records must be retained per Indian tax law.

10. Security & breach notification

We protect your data using:

• HTTPS/TLS encryption for all traffic
• Bcrypt password hashing — passwords are never stored in plaintext
• JWT-based session tokens with role-based access controls (separate buyer / supplier / team roles)
• Server-side OTP generation and verification — OTP values are never exposed to the client
• Database access restricted to authenticated server-side requests only
• Regular security review of our codebase

No system is perfectly secure, but we apply industry-standard practices to reduce risk. If we discover a personal data breach affecting you, we will notify you and the Data Protection Board of India within 72 hours of confirming the breach, in accordance with the DPDP Act, 2023 and applicable rules.

11. Your rights as a Data Principal

Under the DPDP Act, 2023 you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your data (subject to legal retention requirements). Account deletion is available as a self-service option within your account settings; you may also email us.
• Withdraw consent for any processing based on consent.
• Nominate another individual to exercise your rights in case of incapacity.
• Lodge a grievance with our Grievance Officer (Section 14) and, if unsatisfied, with the Data Protection Board of India once constituted.

To exercise any right, write to grievance@truso.co.in with the subject "Data Rights Request" from the email or contact channel associated with your account. We will respond within 30 days.

12. Children

Truso is intended for use by individuals 18 years or older for business-to-business commerce. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, contact us at grievance@truso.co.in and we will delete it.

13. Changes to this policy

If we make material changes to this policy, we will:

• Update the "Last Updated" date at the top.
• Send a notice to active users via the channel you have registered (WhatsApp / email).
• For changes that materially expand how we use data, ask for fresh consent before applying them to your existing data.

Continued use of the platform after the effective date of changes constitutes acceptance of the updated policy.

14. Grievance Officer

In accordance with Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and Section 8(9) of the DPDP Act, 2023, our designated Grievance Officer can be contacted at:

15. Contact

For privacy questions, data requests, or concerns:

• Privacy & Grievance: grievance@truso.co.in
• General Support: support@truso.co.in
• Address: Truso Marketplace, No. 23, 4th Floor, RI Building, 14th Main, 15th Cross Road, HSR Layout, Bengaluru — 560102, Karnataka, India