← Back to Login

Data Privacy Policy

Last updated: April 2026

1. Data Controller

ShelfLyf acts as the data controller for personal data processed through the Platform. For inventory and product data uploaded by organisations, the respective organisation is the data controller and ShelfLyf acts as a data processor.

2. Legal Basis for Processing

We process personal data based on:

  • Contract performance: To provide our services as agreed when you create an account
  • Legitimate interest: To improve our services, prevent fraud, and ensure platform security
  • Consent: For optional communications such as marketing emails and newsletters
  • Legal obligation: To comply with applicable laws and regulations

3. Data Categories

  • Identity data: Name, email, phone number, job title
  • Organisation data: Company name, address, GSTIN, business type
  • Product data: SKU details, batch information, pricing, shelf life data
  • Transaction data: Offers, bids, negotiations, awards
  • Technical data: IP address, browser type, login timestamps, session data

4. Data Storage and Transfers

Your data is stored on secure cloud infrastructure (Google Cloud Platform) in the Asia South 1 (Mumbai) region. Sensitive business fields are encrypted at rest with a per-organisation key (see Section 7) and all traffic is protected by TLS 1.3 in transit. Data may be transferred to other regions only for backup and disaster recovery purposes, with equivalent security protections.

5. Data Retention Periods

  • Active account data: Retained while your account is active
  • Transaction records: Retained for 7 years for compliance purposes
  • Audit logs: Retained for 3 years
  • Deleted account data: Purged within 90 days of account deletion request

6. Your Data Rights

Under applicable data protection laws, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data (subject to legal retention requirements)
  • Restriction: Limit the processing of your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interest

7. Security Measures

  • Zero-knowledge, per-organisation encryption: every sensitive business field (pricing, deal terms, bids, negotiations, invoices, PII) is encrypted with AES-256-GCM using a Data Encryption Key unique to your organisation. ShelfLyf staff cannot decrypt your data — one org's key cannot decrypt another's ("Chinese Wall").
  • Cloud KMS envelope encryption: per-org DEKs are wrapped by Google Cloud KMS, whose master key lives in FIPS 140-2 validated hardware security modules and cannot be exported.
  • Cryptographic erasure: account deletion destroys the org's DEK, rendering all encrypted rows unreadable — irreversibly.
  • TLS 1.3 encryption for all data in transit
  • Role-based access controls with least-privilege principle
  • Regular vulnerability assessments and penetration testing
  • File upload antivirus scanning
  • Comprehensive audit logging with sensitive values redacted

Full technical detail: Security page.

8. Breach Notification

In the event of a data breach that poses a risk to your rights, we will notify affected users within 72 hours of becoming aware of the breach, as required by applicable data protection laws.

9. Contact the Data Protection Officer

For data privacy inquiries or to exercise your data rights, contact our Data Protection Officer at dpo@shelflyf.in.