Data Protection Policy
Last updated: 13 July 2026
1. Scope
This policy explains how DefenceCart protects personal data and sensitive business records handled through the marketplace, including vendor KYC, buyer procurement activity, and platform telemetry. It is maintained by DefenceCart to answer common security and privacy questions about the platform.
2. Lawful basis
We process personal data on the basis of contract performance (operating the marketplace), legal obligation (KYC, tax and audit), legitimate interest (fraud prevention, product improvement) and consent (marketing communications).
3. Access controls
- Role-based access; least-privilege by default.
- Authentication with modern password hashing and multi-factor sign-in options.
- Row-level security policies on the database enforce tenant isolation.
4. Encryption
Data in transit is protected with TLS. Data at rest is encrypted by our managed hosting provider. Secrets and API keys are stored in a dedicated secret manager and are never checked into source control.
5. Subprocessors
We use vetted third-party services for hosting, database, email delivery and KYC verification (including GSTN, MCA and banking rails via Sandbox). Subprocessors are engaged under contracts that require appropriate confidentiality and security commitments.
6. Retention & deletion
Verification and transaction records are retained for the periods required by law and audit. Non-mandatory personal data may be deleted on request. Backups are rotated on a defined schedule and deleted at the end of their retention window.
7. Incident response
If we become aware of a security incident affecting personal data, we will investigate, contain, and notify affected users and regulators as required by applicable law within the timelines those laws prescribe.
8. Contact
Data protection queries and requests: dpo@defencecart.in.