Legal

Data Protection Policy

Last updated: 13 July 2026

1. Scope

This policy explains how DefenceCart protects personal data and sensitive business records handled through the marketplace, including vendor KYC, buyer procurement activity, and platform telemetry. It is maintained by DefenceCart to answer common security and privacy questions about the platform.

2. Lawful basis

We process personal data on the basis of contract performance (operating the marketplace), legal obligation (KYC, tax and audit), legitimate interest (fraud prevention, product improvement) and consent (marketing communications).

3. Access controls

  • Role-based access; least-privilege by default.
  • Authentication with modern password hashing and multi-factor sign-in options.
  • Row-level security policies on the database enforce tenant isolation.

4. Encryption

Data in transit is protected with TLS. Data at rest is encrypted by our managed hosting provider. Secrets and API keys are stored in a dedicated secret manager and are never checked into source control.

5. Subprocessors

We use vetted third-party services for hosting, database, email delivery and KYC verification (including GSTN, MCA and banking rails via Sandbox). Subprocessors are engaged under contracts that require appropriate confidentiality and security commitments.

6. Retention & deletion

Verification and transaction records are retained for the periods required by law and audit. Non-mandatory personal data may be deleted on request. Backups are rotated on a defined schedule and deleted at the end of their retention window.

7. Incident response

If we become aware of a security incident affecting personal data, we will investigate, contain, and notify affected users and regulators as required by applicable law within the timelines those laws prescribe.

8. Contact

Data protection queries and requests: dpo@defencecart.in.