← Back to Login

Data Privacy Policy

Last updated: February 2026

1. Data Controller

ShelfLyf acts as the data controller for personal data processed through the Platform. For inventory and product data uploaded by organisations, the respective organisation is the data controller and ShelfLyf acts as a data processor.

2. Legal Basis for Processing

We process personal data based on:

  • Contract performance: To provide our services as agreed when you create an account
  • Legitimate interest: To improve our services, prevent fraud, and ensure platform security
  • Consent: For optional communications such as marketing emails and newsletters
  • Legal obligation: To comply with applicable laws and regulations

3. Data Categories

  • Identity data: Name, email, phone number, job title
  • Organisation data: Company name, address, GSTIN, business type
  • Product data: SKU details, batch information, pricing, shelf life data
  • Transaction data: Offers, bids, negotiations, awards
  • Technical data: IP address, browser type, login timestamps, session data

4. Data Storage and Transfers

Your data is stored on secure cloud infrastructure (Google Cloud Platform) in the Asia South 1 (Mumbai) region. We implement encryption at rest and in transit. Data may be transferred to other regions only for backup and disaster recovery purposes, with equivalent security protections.

5. Data Retention Periods

  • Active account data: Retained while your account is active
  • Transaction records: Retained for 7 years for compliance purposes
  • Audit logs: Retained for 3 years
  • Deleted account data: Purged within 90 days of account deletion request

6. Your Data Rights

Under applicable data protection laws, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data (subject to legal retention requirements)
  • Restriction: Limit the processing of your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interest

7. Security Measures

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls with least-privilege principle
  • Regular vulnerability assessments and penetration testing
  • File upload antivirus scanning
  • Comprehensive audit logging

8. Breach Notification

In the event of a data breach that poses a risk to your rights, we will notify affected users within 72 hours of becoming aware of the breach, as required by applicable data protection laws.

9. Contact the Data Protection Officer

For data privacy inquiries or to exercise your data rights, contact our Data Protection Officer at dpo@shelflyf.com.