Legal
Last updated: 14 June 2026
Effective Date: June 14, 2025 ⚠ IMPORTANT – PLEASE READ THIS PRIVACY POLICY CAREFULLY. This Privacy Policy explains how Grovyo Platforms Pvt Ltd collects, uses, stores, shares, and protects your personal data when you use the Apna City platform. By accessing or using Apna City (apnacity.in), you consent to the practices described in this Privacy Policy. This Policy is governed by the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, the IT (SPDI) Rules, 2011, and all other Applicable Laws.
The data controller responsible for your personal data is: Data Controller (Fiduciary): Grovyo Platforms Pvt Ltd Platform : Apna City Website : https://apnacity.in Data Protection Contact : privacy@apnacity.in Grievance / DPO Contact : grievance@apnacity.in Jurisdiction : Republic of India As a "Data Fiduciary" under the Digital Personal Data Protection Act, 2023, Grovyo Platforms Pvt Ltd determines the purposes and means of processing your personal data and is responsible for ensuring its security and lawful use.
This Privacy Policy applies to all personal data collected by Grovyo Platforms Pvt Ltd through: The Apna City website (apnacity.in) and all its sub-domains. The Apna City mobile application (when launched). The Business Portal (business.apnacity.in). Any forms, surveys, registrations, or communications submitted to Grovyo through the Platform. Interactions with Grovyo's customer support, social media, or marketing communications. This Policy does not apply to third-party websites, applications, or services linked from the Platform. We encourage you to review the privacy policies of any third-party services you interact with.
3.1 Data You Provide Directly We collect personal data that you voluntarily provide to us when you: Register an Account: Mobile number (used for OTP authentication), name, email address (optional), and city of residence. Set Up a Business Listing: Business name, registered address, Google Maps link, area/locality, pincode, contact number, business category, photos, owner/manager name, and business documents (for verification). Submit Content: Reviews, recommendations, hidden gem nominations, event submissions, photos, and any other user-generated content. Apply as a Creator: Personal and portfolio information submitted via creator onboarding forms. Contact Support: Communications and correspondence submitted via support channels. Participate in Offers/Events: Preferences and interaction data related to offers, events, and promotions. 3.2 Data We Collect Automatically When you use the Platform, we automatically collect certain technical and usage data, including: Device Information: Device type, operating system, browser type and version, unique device identifiers. Usage Data: Pages visited, features used, time and duration of visits, click paths, search queries entered, offers viewed or saved, and business pages visited. Log Data: IP address, access timestamps, HTTP request data, error logs, and referrer URLs. Cookies & Tracking Technologies: As described in Section 8 below. 3.3 Location Data With your explicit consent, we may collect your approximate or precise geographic location to provide hyperlocal discovery features (such as showing offers and places near you). Location access is optional; you can disable it at any time through your device settings, though certain features may be limited as a result. 3.4 Data From Third Parties We may receive information about you from: Google Maps API: Location and place data to power maps and business location features. Social Media Platforms: If you share Platform content on social media or interact with our social media pages. Business Partners: Business Partners may provide contact information of their customers for targeted promotional purposes, only where they have the necessary consents to do so. 3.5 Sensitive Personal Data Grovyo does not intentionally collect Sensitive Personal Data or Information (SPDI) as defined under the IT (SPDI) Rules, 2011, which includes passwords, financial information, health data, biometric data, or sexual orientation. If you inadvertently provide such data, please contact us at privacy@apnacity.in to have it removed.
We process your personal data for the following purposes, based on the legal grounds indicated: Purpose Data Used Legal Basis Account registration & authentication Mobile number, OTP, name Consent / Contract performance Providing hyperlocal discovery services City, location, interests, usage data Contract / Legitimate interest Showing personalised offers and events Location, browsing history, preferences Consent / Legitimate interest Business listing and verification Business details, documents, photos Contract / Legal obligation Processing and displaying offers Business and offer data Contract performance Platform analytics and improvement Usage data, log data Legitimate interest Sending transactional notifications Mobile number, email Contract / Consent Sending promotional communications Mobile number, email, interests Consent (opt-in) Moderation and safety Content, reports, account activity Legal obligation / Legitimate interest Customer support Name, contact, communications Contract / Legitimate interest Legal compliance and regulatory requests As required by law Legal obligation Fraud prevention and security Log data, IP, device info Legitimate interest / Legal obligation Creator content management Creator profile, published content Contract / Consent We will not use your personal data for purposes other than those listed above without obtaining your consent, unless required by law.
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), we process your personal data based on the following lawful grounds: Consent: Where you have given us explicit, informed, and free consent for a specific processing activity (e.g., receiving promotional communications, location-based services). You may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal. Contractual Necessity: Processing necessary to fulfil your request for our services, including account creation, business listing management, and offer publication. Legal Obligation: Processing required to comply with applicable Indian laws, court orders, or regulatory requirements. Legitimate Interests: Processing necessary for purposes in the legitimate interests of Grovyo or a third party, provided such interests are not overridden by your fundamental rights (e.g., fraud prevention, platform security, analytics). Vital Interests: In rare circumstances, where processing is necessary to protect your vital interests or those of another person.
We do not sell your personal data. We share data only in the circumstances described below: 6.1 Within the Platform Business listings, offers, events, and creator content published on the Platform are visible to all users of the Platform. By publishing content on the Platform, you consent to its visibility to Platform users. 6.2 Service Providers We share data with trusted third-party service providers who assist us in operating the Platform, including: Cloud hosting and storage providers (e.g., Cloudflare R2, Vercel). Analytics and monitoring tools (e.g., PostHog). Communication service providers (e.g., OTP/SMS providers, email services like Resend). Mapping services (e.g., Google Maps API). These providers are bound by contractual obligations to protect your data and may only use it to provide services to Grovyo, not for their own commercial purposes. 6.3 Business Partners When you interact with a business through the Platform (e.g., by expressing interest in an offer or saving a business page), we may share aggregated or anonymised interaction data with that Business Partner for their analytics purposes. We do not share your personally identifiable information with Business Partners without your explicit consent, except in anonymised/aggregated form. 6.4 Legal & Regulatory Disclosure We may disclose your personal data to law enforcement authorities, courts, government agencies, or other competent authorities when required or permitted to do so under Applicable Laws, including: In response to a court order, subpoena, or legal process. To protect the rights, property, or safety of Grovyo, our users, or the public. To comply with obligations under the Information Technology Act, 2000, the DPDP Act, 2023, or the IT Rules, 2021. 6.5 Business Transfers In the event of a merger, acquisition, restructuring, or sale of all or part of Grovyo Platforms Pvt Ltd's assets, your personal data may be transferred to the successor entity. We will notify you of any such change and ensure adequate protections are in place. 6.6 Cross-Border Transfers Grovyo stores data primarily in India. If any personal data is transferred outside India, we will ensure that such transfer complies with the requirements of the DPDP Act, 2023, and that adequate safeguards are in place to protect your data.
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by Applicable Laws: User Account Data : Retained while the Account is active + 2 years post-deactivation (for legal compliance) Business Listing Data : Retained for the period of listing + 5 years (tax / audit purposes) Transaction & Offer Data : 7 years (GST and financial record-keeping requirements) Log and Security Data : 180 days rolling (extendable for ongoing investigations) Marketing Communications : Until consent is withdrawn or the purpose is fulfilled Support Correspondence : 3 years from last interaction Creator Content : Duration of Creator agreement + 1 year Upon expiry of the applicable retention period, we will securely delete or anonymise your personal data, unless retention is required by law or a legitimate legal dispute is pending.
8.1 Types of Cookies We Use We use cookies and similar tracking technologies on the Platform for the following purposes: Strictly Necessary Cookies: Essential for the Platform to function (e.g., session management, authentication). Cannot be disabled. Performance & Analytics Cookies: Help us understand how users interact with the Platform (e.g., PostHog analytics). These are anonymised where possible. Functional Cookies: Enable personalised features such as remembering your city, language preference, or saved places. Marketing & Targeting Cookies: Used to deliver relevant promotional content and measure the effectiveness of our marketing campaigns. These require your consent. 8.2 Cookie Consent On your first visit to the Platform, you will be presented with a cookie consent banner. You may accept all cookies, manage your preferences, or reject non-essential cookies. Rejecting non-essential cookies will not prevent you from using core Platform features. 8.3 Third-Party Tracking Third-party tools embedded on the Platform (such as Google Maps or analytics SDKs) may set their own cookies, governed by their respective privacy policies.
Under the Digital Personal Data Protection Act, 2023 and other Applicable Laws, you have the following rights with respect to your personal data: Right to Access: You have the right to request a copy of the personal data we hold about you and information about how it is processed. Right to Correction: You have the right to request that inaccurate or incomplete personal data is corrected or updated. Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent (subject to legal retention obligations). Right to Grievance Redressal: You have the right to have your grievances heard and addressed by our Grievance Officer within the timelines specified in Section 15. Right to Nominate: Under the DPDP Act, 2023, you have the right to nominate an individual to exercise your data rights in the event of your death or incapacity. Right to Withdraw Consent: You may withdraw consent for data processing activities based on consent at any time, without prejudice to the lawfulness of processing prior to withdrawal. Right to Opt-Out of Marketing: You may unsubscribe from promotional communications at any time by following the unsubscribe link in our messages or contacting us at privacy@apnacity.in. To exercise any of these rights, please submit a written request to privacy@apnacity.in. We will respond to your request within 30 (thirty) days, as required under Applicable Laws. In some cases, we may need to verify your identity before fulfilling your request.
We take the security of your personal data seriously. Grovyo implements reasonable security practices and procedures as prescribed under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the DPDP Act, 2023, including: TLS/SSL encryption for all data transmitted between your device and our servers. Secure cloud storage with access controls and audit logging. OTP-based authentication to prevent unauthorised account access. Role-based access controls to restrict internal access to personal data. Regular security reviews and vulnerability assessments of the Platform. Data minimisation principles — we collect only the data necessary for the stated purpose. Despite our best efforts, no system is completely impenetrable. In the event of a personal data breach that is likely to result in risk to your rights, we will notify you and the appropriate regulatory authorities as required under the DPDP Act, 2023.
The Platform is not directed at children below the age of 18 years. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided personal data to us without your consent, please contact us immediately at privacy@apnacity.in and we will take prompt steps to delete such data. In compliance with the Digital Personal Data Protection Act, 2023, where we knowingly process personal data of children or persons with disabilities, we will obtain verifiable parental or guardian consent prior to such processing.
The Platform integrates with or links to third-party services including Google Maps, social media platforms, and payment gateways (if applicable in the future). Your use of these third-party services is governed by their own privacy policies. Grovyo is not responsible for the privacy practices or content of third-party services. We encourage you to read the privacy policies of any third-party service you interact with.
13.1 Business Partners Personal data submitted by Business Partners during onboarding and verification is processed for the purposes of business listing, offer management, analytics, and regulatory compliance. Business Partners are responsible for ensuring that any personal data of their customers or employees that they share with Grovyo has been collected lawfully and with the necessary consents. 13.2 Creators Personal and professional data submitted by Creators during onboarding is used for identity verification, content attribution, collaboration management, and promotion of Creator profiles on the Platform. Creators may request deletion of their profile and associated data upon termination of their Creator agreement.
We reserve the right to update or amend this Privacy Policy at any time to reflect changes in our data practices, the Platform's features, or Applicable Laws. Material changes will be notified to registered users via email, SMS, or a prominent notice on the Platform. The revised Privacy Policy will take effect from the date specified therein. Your continued use of the Platform after the effective date of any amendment constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Policy, you must discontinue use of the Platform and request deletion of your Account.
In accordance with the Information Technology Act, 2000, the IT (SPDI) Rules, 2011, the IT Rules, 2021, and the Digital Personal Data Protection Act, 2023, Grovyo Platforms Pvt Ltd has appointed a Grievance Officer / Data Protection Officer to address data-related complaints and requests. Grievance Officer / DPO : [Name to be designated] Designation : Data Protection Officer & Grievance Officer Company : Grovyo Platforms Pvt Ltd Platform : Apna City (apnacity.in) Email : grievance@apnacity.in Privacy Requests Email : privacy@apnacity.in Response Timeline : Acknowledgement within 24 hours; resolution within 30 days (as per DPDP Act) If you are dissatisfied with our response, you may approach the Data Protection Board of India, once constituted under the Digital Personal Data Protection Act, 2023, or any other competent authority under Applicable Laws.
This Privacy Policy is designed to comply with the following Indian laws and regulations, as applicable and as amended from time to time: • Digital Personal Data Protection Act, 2023 (DPDP Act) • Information Technology Act, 2000 (IT Act) • Information Technology (Amendment) Act, 2008 • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 • Consumer Protection Act, 2019 • Consumer Protection (E-Commerce) Rules, 2020 • Telecom Regulatory Authority of India (TRAI) regulations on commercial communications • Reserve Bank of India (RBI) guidelines (applicable to payment-related features, if any)
For any questions, concerns, requests, or complaints related to this Privacy Policy or the processing of your personal data, please reach out to us at: Grovyo Platforms Pvt Ltd Brand: Apna City | Platform: apnacity.in General Privacy Queries : privacy@apnacity.in Grievance Officer : grievance@apnacity.in General Support : support@apnacity.in
© 2025 Grovyo Platforms Pvt Ltd. All Rights Reserved.
Related document
Review our terms & conditions for complete legal information.