1. Introduction

This Privacy Policy ("Policy") is issued by Repraan Technologies Private Limited, a company incorporated under the Companies Act, 2013, having its registered and operational office at HD-572, WeWork Berger Delhi One, C-001/A2, Sector 16B, Noida, Uttar Pradesh – 201301, India, operating under the brand name "Resellpur" (hereinafter referred to as "Resellpur", "Company", "we", "us" or "our").

Resellpur operates the website https://resellpur.com and associated mobile and digital platforms (collectively, the "Platform"), which facilitates peer-to-peer (P2P) buying and selling of pre-owned goods between independent users.

This Policy describes how we collect, use, store, share, retain, disclose, and otherwise process personal data of individuals ("you", "your", "Data Principal", "User") who visit, register on, or transact through our Platform. We are committed to protecting your personal data in accordance with applicable Indian laws, including:

• The Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules");
• The Information Technology Act, 2000 and the rules framed thereunder, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules");
• The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021;
• The Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020; and
• Any other applicable Indian laws governing privacy, data protection, and electronic commerce.

This Policy is a standalone document and is independent of, and should be read in addition to, the Terms of Service of Resellpur. By accessing or using the Platform, you acknowledge that you have read and understood this Policy.

2. Identity and Contact Information of the Data Fiduciary

For the purposes of the DPDP Act, Repraan Technologies Private Limited is the "Data Fiduciary" responsible for determining the purposes and means of processing your personal data through the Platform.

2.1 Data Fiduciary Details

• Legal Name: Repraan Technologies Private Limited
• Brand Name: Resellpur
• Registered Office: HD-572, WeWork Berger Delhi One, C-001/A2, Sector 16B, Noida, Uttar Pradesh – 201301, India
• Email: admin@resellpur.com
• Phone: +91-8287118680
• Website: https://resellpur.com

2.2 Grievance Officer

In compliance with Section 10(2) of the DPDP Act, Rule 9 of the DPDP Rules, the SPDI Rules, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer:

• Name: Nehal Srivastava
• Designation: Grievance Officer
• Email: nehal@resellpur.com
• Phone: +91-8287118680
• Address: HD-572, WeWork Berger Delhi One, C-001/A2, Sector 16B, Noida, Uttar Pradesh – 201301, India
• Working Hours: Monday to Friday, 10:00 AM to 6:00 PM IST (excluding public holidays)

The Grievance Officer shall acknowledge your complaint within 24 hours and resolve it within 15 days from the date of receipt, in accordance with applicable law.

2.3 Right to File Complaint with the Data Protection Board

If you are not satisfied with our response, or if your grievance is not resolved within the stipulated timeline, you have the right to file a complaint with the Data Protection Board of India ("DPB") constituted under Section 18 of the DPDP Act, in accordance with Section 13 of the DPDP Act and the procedure prescribed under the DPDP Rules.

3. Personal Data We Collect

We collect only such personal data as is necessary for the specific purposes set out in this Policy. We follow the principle of data minimisation as mandated by Section 4 and Section 6(1) of the DPDP Act, and do not collect personal data "just in case" or for any unspecified future use.

3.1 Categories of Personal Data Collected

• Identity Information: full name, gender, date of birth, profile photograph, and government-issued identification details (where required for KYC).
• Contact Information: email address, mobile number, residential or shipping address, and pin code.
• Account Credentials: username, password (stored in encrypted form), security questions, and authentication tokens.
• Transaction Information: details of products listed, bought or sold, order history, invoices, receipts, and dispute records.
• Product Listing Information: photographs, descriptions, IMEI/serial numbers, condition reports, and pricing information of items listed for sale.
• Device and Technical Information: IP address, browser type and version, operating system, device identifiers, mobile network information, time zone setting, and screen resolution.
• Usage Information: pages visited, time spent on the Platform, click-stream data, search queries, referrer URL, and interaction with listings and advertisements.
• Location Information: approximate location derived from IP address, and precise geolocation only where you explicitly grant permission through your device settings.
• Communication Information: messages, queries, feedback, complaints, and call recordings (where applicable) exchanged with us or with other Users through the Platform.
• Cookies and Tracking Data: as described in Section 10 below.

3.2 Sensitive Personal Data or Information (SPDI)

To the extent we process "sensitive personal data or information" as defined under the SPDI Rules — such as financial information (bank account, payment instrument details), passwords, or government-issued identification — we do so with additional safeguards including encryption, restricted access, and contractual protections, and strictly for the purposes specified in this Policy.

Without limiting the foregoing, the International Mobile Equipment Identity (IMEI) numbers and serial numbers of electronic devices listed, sold or processed through the Platform are stored in encrypted form using industry-standard cryptographic algorithms, and are accessible only on a strict need-to-know basis to authorised personnel for the purposes of verification, fraud prevention, dispute resolution, and compliance with lawful requests of governmental or law-enforcement authorities.

3.3 Methods of Collection

• Directly from you when you register an account, list a product, place an order, complete KYC, fill in forms, submit queries, post comments, or otherwise interact with the Platform;
• Automatically through cookies, log files, web beacons, pixels, software development kits (SDKs), and similar tracking technologies when you access the Platform;
• From third-party sources, including payment gateways, logistics partners, KYC verification providers, social-media login providers (where you choose to sign in via such services), and publicly available sources, only to the extent permitted by law.

3.4 Children's Data

The Platform is intended only for individuals who are 18 years of age or older. We do not knowingly collect, store, or process the personal data of any child (defined as an individual below 18 years of age under the DPDP Act) without verifiable consent of the parent or lawful guardian, in accordance with Section 9 of the DPDP Act and Rule 10 of the DPDP Rules. If we become aware that we have inadvertently collected personal data from a child without verifiable parental consent, we shall delete such data immediately. Parents or guardians who believe that we may have collected such data may write to us at nehal@resellpur.com.

4. Purposes for Which We Process Your Personal Data

In accordance with the DPDP Act, we process your personal data only for specific, clearly stated, and lawful purposes that are directly linked to the goods and services we provide.

4.1 Specified Purposes

• Account Creation and Management: name, email, phone and password are used to create and secure your account, authenticate logins, and enable two-factor authentication.
• Listing and Transacting Goods: product details, photographs, IMEI/serial numbers, and pricing are used to publish listings and facilitate sales between buyers and sellers.
• Order Fulfilment and Delivery: name, address, phone and order details are shared with logistics partners to ship and deliver products.
• Payment Processing: payment information is used to process transactions, refunds, settlements to sellers, and chargebacks via authorised payment gateways.
• KYC and Fraud Prevention: identification details are used to verify Users, prevent fraud, detect stolen goods, and comply with our intermediary obligations.
• Customer Support: contact details and communications are used to respond to your queries, complaints, and grievances.
• Service Communications: email and phone are used to send transactional notifications, security alerts, dispute updates, and policy changes.
• Marketing and Promotions (optional): only with your specific opt-in consent, we may send you newsletters, promotional offers, and recommendations.
• Analytics and Service Improvement: usage data and device data are used to monitor performance, debug, analyse trends, and improve features and user experience.
• Legal and Regulatory Compliance: personal data may be processed to comply with applicable laws, court orders, tax obligations, and lawful requests of governmental or regulatory authorities.
• Safety, Security and Dispute Resolution: data is processed to investigate and prevent suspected fraud, theft, abuse, or violations of our Terms of Service.

4.2 No Secondary or Unrelated Use

We will not process your personal data for any purpose other than those specified in this Policy at the time of collection, unless we obtain a fresh and specific consent from you, or such processing is permitted under Section 7 of the DPDP Act (legitimate uses).

4.3 Legitimate Uses Without Consent

In limited circumstances, we may process your personal data without explicit consent where permitted under Section 7 of the DPDP Act, including:

• Where you voluntarily provide personal data for a specified purpose and have not indicated objection to such use;
• For compliance with any judgment, decree, or order issued under Indian law;
• For responding to a medical emergency involving a threat to your life or health;
• For taking measures to ensure safety or provide assistance during any disaster or breakdown of public order;
• For the performance by the State or its instrumentalities of any function under law; and
• For compliance with any law in force in India.

5. Consent and Withdrawal of Consent

5.1 Basis of Consent

We process your personal data on the basis of your free, specific, informed, unconditional and unambiguous consent, given through a clear affirmative action. Before or at the time of seeking your consent, we provide you with a notice describing the categories of personal data, the specified purposes, the manner in which you may exercise your rights, and the manner in which you may file a complaint with the DPB.

5.2 Granular and Purpose-Specific Consent

We seek consent separately for each distinct purpose. We do not bundle multiple purposes into a single checkbox. For example:

• Service delivery and account management — Required to use the Platform;
• Marketing and promotional communications — Optional;
• Non-essential analytics and personalisation — Optional;
• Cookies and trackers (non-essential) — Optional.

You may consent to some purposes and decline others without losing access to the core functionality of the Platform.

5.3 Right to Withdraw Consent

You have the right to withdraw your consent at any time, in accordance with Section 6(4) of the DPDP Act. Withdrawing your consent shall be as easy as giving it.

5.4 How to Withdraw Consent

• Sending a written request to Nehal@resellpur.com from your registered email address; or
• Contacting the Grievance Officer at the contact details set out in Section 2.2.

5.5 Consequences of Withdrawal

• We will cease processing your personal data for the specified purpose, and instruct our Data Processors to do the same;
• We will erase your personal data, unless retention is required to comply with any applicable law or for the establishment, exercise or defence of legal claims;
• Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal;
• Certain features of the Platform may become unavailable to you if the relevant consent was essential to their delivery.

6. Your Rights as a Data Principal

6.1 Right to Access Information About Personal Data

You have the right to obtain from us, upon request:

• A summary of the personal data we are processing about you and the processing activities undertaken;
• The identities of all Data Fiduciaries and Data Processors with whom your personal data has been shared, along with the categories of data shared; and
• Any other information related to such personal data and processing as may be prescribed.

6.2 Right to Correction, Completion, Updating and Erasure

• Correction of inaccurate or misleading personal data;
• Completion of incomplete personal data;
• Updating of personal data; and
• Erasure of your personal data, unless retention is required for the specified purpose or by law.

6.3 Right of Grievance Redressal

You have the right of readily available means of grievance redressal in respect of any act or omission by us regarding your personal data or the exercise of your rights. We will respond to your grievance within 15 days of receipt, as required by Rule 14 of the DPDP Rules.

6.4 Right to Nominate

You have the right to nominate any other individual who shall, in the event of your death or incapacity, exercise your rights under the DPDP Act in the manner prescribed.

6.5 How to Exercise Your Rights

You may exercise any of the above rights by:

• Sending a written request to nehal@resellpur.com from your registered email address; or
• Writing to the Grievance Officer at the address mentioned in Section 2.2.

To protect your personal data, we may need to verify your identity before acting on your request. We will respond to verified requests within 15 days, unless a longer period is permitted by law.

6.6 Duties of Data Principals

Under Section 15 of the DPDP Act, as a Data Principal you are required to: (a) comply with the provisions of all applicable laws while exercising your rights; (b) not impersonate another person while providing personal data; (c) not suppress any material information while providing personal data; (d) not register a false or frivolous grievance or complaint; and (e) furnish only such information as is verifiably authentic, when exercising the right to correction or erasure.

7. Sharing of Personal Data and Third-Party Processors

We do not sell, rent, or trade your personal data. We share your personal data only as described below and only to the extent necessary for the specified purposes.

7.1 Categories of Recipients (Data Processors)

• Cloud and Hosting Providers — for secure hosting of the Platform and storage of data;
• Payment Gateways and Banking Partners — for processing payments, refunds and settlements (e.g., Razorpay, PayU, or similar PCI-DSS compliant providers);
• Logistics and Courier Partners — for pickup, shipping and delivery of products;
• KYC and Identity Verification Providers — for verifying the identity of Users where required;
• Communication Service Providers — for sending transactional emails, SMS, WhatsApp messages and push notifications;
• Analytics Providers — such as Google Analytics, for understanding usage patterns;
• Advertising Partners — such as Google Ads (including remarketing), strictly subject to your consent;
• Customer Support and CRM Tools — for managing queries and complaints;
• Professional Advisors — such as auditors, lawyers, accountants and consultants, bound by confidentiality.

7.2 Purpose-Linked Sharing

Each Data Processor receives only such personal data as is strictly necessary for its specific function and is contractually bound to process such data solely for the purposes specified by us, and not for any independent or secondary purpose.

7.3 Contractual Safeguards

All Data Processors engaged by us are bound by a written Data Processing Agreement (DPA) that imposes obligations including confidentiality, encryption, role-based access controls, breach notification, sub-processing, audit rights, and deletion or return of personal data upon termination.

7.4 Disclosures Required by Law or for Safety

We may disclose your personal data without your consent where such disclosure is necessary:

• To comply with any applicable law, regulation, judgment, decree, order, subpoena, or lawful request of a governmental or regulatory authority;
• To respond to a request from law enforcement, including in cases of suspected theft, fraud, or sale of stolen goods through the Platform;
• To protect or enforce our legal rights, property, or safety, or that of our Users or the public; and
• In connection with any merger, sale of assets, financing, acquisition or reorganisation of all or part of our business.

7.5 Cross-Border Transfer of Personal Data

Your personal data is primarily stored and processed within India. However, certain Data Processors (including cloud, analytics, advertising, and communication providers) may be located outside India. In such cases, we transfer personal data outside India in accordance with Section 16 of the DPDP Act and Rule 15 of the DPDP Rules, and we shall not transfer personal data to any country or territory which is restricted by the Central Government of India through notification.

8. Security Safeguards

8.1 Reasonable Security Practices

In compliance with Section 8(4) of the DPDP Act, Rule 6 of the DPDP Rules, and the SPDI Rules, we have implemented reasonable technical, organisational and physical security safeguards, including:

• Encryption of personal data in transit (TLS/HTTPS) and at rest, using industry-standard algorithms;
• Tokenisation and masking of payment-related information;
• Role-based access controls, the principle of least privilege, and multi-factor authentication for administrative access;
• Secure password storage using salted, one-way hashing algorithms;
• Regular vulnerability assessments, penetration testing, and security audits;
• Logging and monitoring of access to personal data;
• Firewalls, intrusion detection and prevention systems, and anti-malware controls;
• Backup and business continuity arrangements;
• Mandatory data protection and information-security training for employees and contractors;
• Confidentiality and non-disclosure obligations imposed on all employees, contractors and Data Processors.

8.2 Personal Data Breach Notification

In the event of a personal data breach, we will, in accordance with Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules:

• Notify the Data Protection Board of India without delay, and submit a detailed report within 72 hours;
• Notify each affected Data Principal without delay, in a concise, clear and plain manner, through their registered mode of communication.

8.3 Contents of Breach Notification

• The nature, extent, timing and location of the breach;
• The likely consequences of the breach;
• The measures taken or proposed to be taken to mitigate possible harm;
• Recommended safety measures that you may take to protect your interests; and
• Contact details of a person from whom further information can be obtained.

8.4 Commitment to Transparency

We are committed to full transparency in the event of a personal data breach. We will not suppress, conceal, or unduly delay notification of any breach.

9. Data Retention and Erasure

9.1 Retention Periods

• Account Information: for the duration of your active account, plus 1 year after account closure or last activity;
• Transaction and Invoice Records: minimum 8 years from the end of the relevant financial year, as required under the Income-tax Act, 1961, the Companies Act, 2013, and the GST Act, 2017;
• KYC Records: minimum 5 years from the date of the last transaction;
• Electronics Seller Records: 3 years from the date of the relevant transaction, for fraud prevention, theft investigation, and law-enforcement cooperation;
• Communication and Support Records: 3 years from the date of the last interaction;
• Marketing Preferences: until you withdraw your consent or unsubscribe;
• Cookies and Tracking Data: as set out in Section 10.

9.2 Minimum Retention of Logs

In accordance with Rule 6(3) of the DPDP Rules and Rule 3(1)(h) of the IT (Intermediary Guidelines) Rules, 2021, we retain system logs and processing records for a minimum period of 1 year, and information facilitating User identification for a minimum period of 180 days after cancellation or withdrawal of registration.

9.3 Erasure Triggers

We will erase your personal data when:

• The specified purpose for which it was collected has been served, and retention is no longer necessary;
• You withdraw your consent and there is no other lawful basis for continued processing;
• You request erasure under Section 12 of the DPDP Act, and such request is verified;
• Your account remains inactive for a continuous period prescribed under the DPDP Rules; or
• Erasure is required by an order of a competent authority or court.

9.4 Erasure by Data Processors

Upon erasure, we will instruct all Data Processors with whom your personal data has been shared to delete or anonymise such data from their systems, except where retention is required by law.

10. Cookies and Tracking Technologies

10.1 What Are Cookies

A cookie is a small text file placed on your device by a website you visit. We use cookies and similar technologies (such as web beacons, pixels, local storage, and SDKs) to provide, secure and improve the Platform.

10.2 Categories of Cookies We Use

• Strictly Necessary Cookies: required for core functionality such as logging in, maintaining your session, and processing transactions. These cannot be disabled without affecting basic Platform functionality, and do not require consent.
• Functional Cookies: used to remember your preferences (language, region, recently viewed products) for an enhanced experience.
• Analytics Cookies: used to understand how Users interact with the Platform, including page visits, time on page, and click paths, in order to improve our services.
• Advertising and Marketing Cookies: used to deliver personalised ads, measure ad effectiveness, and conduct remarketing through partners such as Google Ads.

10.3 Third-Party Tracking Services

• Google Analytics — usage analytics and performance measurement;
• Google Ads / Google AdWords — advertising and remarketing;
• Meta (Facebook) Pixel — ad conversion tracking and audience building (where used);
• Other tag managers, error tracking and customer support tools as required from time to time.

10.4 Cookie Consent

Non-essential cookies are placed on your device only with your explicit, opt-in consent obtained through our cookie consent banner. You may, at any time:

• Manage or change your cookie preferences via the "Cookie Settings" link available on our Platform;
• Configure your browser to refuse or delete cookies; and
• Opt out of interest-based advertising via the Google Ads Settings page or industry opt-out tools.

11. Resellpur as an Intermediary

Resellpur is an online platform that facilitates peer-to-peer (P2P) transactions in pre-owned goods between independent Users. Resellpur is not the owner, seller, purchaser, or reseller of any item listed or sold on the Platform. In accordance with Section 79 of the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Resellpur acts purely as an intermediary providing a technological platform to enable transactions between independent Users.

12. Advertising and Remarketing

Resellpur uses advertising and remarketing services, including Google AdWords, to display advertisements to previous visitors of our Platform on third-party websites within the Google Display Network and search results pages. Third-party vendors, including Google, use cookies to serve advertisements based on prior visits to the Platform. Such processing is undertaken only with your explicit consent for non-essential cookies. You may opt out of Google's use of cookies through the Google Ads Settings page, or disable interest-based advertising through your browser settings or industry opt-out tools.

13. Links to External Sites

The Platform may contain links or references to third-party websites, applications and services that are not owned or controlled by us. This Policy does not apply to such third-party services. We strongly recommend that you review the privacy policies and terms of service of every third-party service you visit before providing any personal data.

14. Language and Accessibility

In accordance with Section 5(3) of the DPDP Act, this Privacy Policy is made available in English and shall, on request, be made available in Hindi and any of the other languages specified in the Eighth Schedule to the Constitution of India. To request a translated version, please write to nehal@resellpur.com.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. The "Last Updated" date at the top of this Policy indicates when it was most recently revised. Where the changes are material, we will notify you through email, in-app notification, or a prominent banner on the Platform before the changes take effect. Your continued use of the Platform after the effective date of any revised Policy shall constitute your acknowledgement of the changes.

16. Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Subject to the dispute-resolution provisions of the Terms of Service and the grievance-redressal mechanism prescribed under the DPDP Act, the courts at Ghaziabad, Uttar Pradesh shall have exclusive jurisdiction over any disputes arising out of or in connection with this Policy.

17. How to Contact Us

If you have any questions, concerns, requests, or grievances regarding this Privacy Policy or the processing of your personal data, please contact us at: