Privacy Policy
Last updated: 29 May 2026
Albarter Private Limited (“Albarter”, “we”, “us”) runs a B2B marketplace at albarter.com that connects buyers and verified suppliers. This policy explains what personal data we collect when you use the marketplace, why we collect it, how long we keep it, and the rights you have over it.
1. Who we are
Albarter is the data fiduciary (as defined under India's Digital Personal Data Protection Act, 2023) for personal data you submit to the marketplace. You can reach our grievance officer at grievance@albarter.com.
2. Data we collect
2.1 Information you give us
- Account and contact details — name, email, phone, role, company name, designation, profile photo.
- Organisation details — legal name, industry, country, state, city, GSTIN or PAN, and the list of categories you sell or source.
- KYC and verification documents — uploaded GST certificates, PAN cards, incorporation certificates, Udyam registration, and trade references.
- Listings and RFQ content — product titles, specifications, pricing, MOQ, lead times, photos and any documents you attach to enquiries or quotations.
- Communications — text, voice and call data inside negotiation rooms, including attachments and AI-generated transcripts/translations of those sessions.
2.2 Information we collect automatically
- Device and usage data — IP address, browser and OS, pages visited, click and scroll behaviour, app version, and approximate location (city level).
- Cookies and similar technologies — see our Cookie Policy for the full list and how to control them.
- Push notification tokens — when you grant notification permission on web or mobile.
2.3 Information from third parties
- GST and PAN verification services, used to confirm registration numbers you provide.
- Payment partners, who tell us the status of payments and refunds without sharing your full instrument details.
- Email and SMS providers (SendGrid, Twilio), who tell us whether OTPs and transactional messages were delivered.
3. Why we use your data
- To run the marketplace — sign you in, verify your business, match you with counterparties, host negotiation rooms, generate invoices and route payments.
- To keep it trustworthy — detect fraud, enforce platform rules, ban abusive actors, and respond to grievances.
- To improve the product — analyse aggregate usage to fix bugs, prioritise features and tune AI assistants (we never train models on the contents of your private negotiation rooms).
- To send transactional and service messages — quotes received, orders updated, invoices due, security alerts. You cannot opt out of these without closing your account.
- To send marketing, only if you opted in. You can opt out at any time from the email footer or your notification settings.
- To comply with the law — tax filings, response to lawful requests from authorities, and DPDP Act obligations.
4. Lawful basis for processing
Under the DPDP Act 2023 we rely on your consent for marketing communications, optional profile fields, and any sensitive personal data; and on legitimate uses for running the marketplace itself, fraud prevention, security, and legal compliance. Withdrawal of consent is honoured but will limit features that depend on it (for example, you cannot remove your phone number while keeping OTP login active).
5. How long we keep data
- Account data: while your account is active, plus 5 years after closure for audit and tax purposes.
- Transaction records (RFQs, quotations, orders, invoices): 8 years, in line with India's GST record-keeping requirements.
- Negotiation room contents: 3 years from the last activity in that room, after which messages and voice/video recordings are purged.
- Analytics: pseudonymised after 13 months; aggregated indefinitely.
- Marketing consents: until withdrawn, plus a 14-day grace period to honour pending sends.
6. Who we share data with
We share data only with parties that have a reason to see it:
- Other organisations on the marketplace — when you raise an RFQ or accept a quote, your company name, contact, and the contents of that thread are shared with the counterparty.
- Service providers under contract — cloud hosting (Vercel, Supabase, Cloudflare), email (SendGrid), SMS (Twilio), realtime (Ably), analytics (PostHog), and AI providers (Anthropic, OpenAI) for translation and summary features. They are bound by data-processing agreements.
- Authorities when compelled by a valid legal order, or when we believe in good faith that disclosure is necessary to prevent serious harm.
- An acquirer if Albarter is sold, merged or reorganised — your data moves with the marketplace under the same terms.
We do not sell your personal data.
7. International transfers
Our primary infrastructure is in India. Some service providers (Vercel, Cloudflare, AI providers) are headquartered abroad and process data on servers outside India. Where that happens, we use contractual protections approved under the DPDP Act.
8. Your rights
You can ask us to:
- See what personal data we hold about you and how we use it.
- Correct anything that's wrong or out of date.
- Erase data we no longer need to retain (subject to the retention windows in §5).
- Withdraw consent for marketing or optional features.
- Nominate someone to exercise these rights on your behalf if you can't.
- Make a grievance — see §10.
Email privacy@albarter.com with your request. We respond within 7 working days for simple cases and within 30 days where verification is needed.
9. Security
We encrypt data in transit (TLS 1.3) and at rest, use role-based access controls internally, do not store passwords (login is OTP-only), and run regular security assessments. No system is invulnerable. If you become aware of a breach, please write to security@albarter.com immediately.
10. Grievances
Our grievance officer is the named contact for any complaint about how your data is handled. See the Grievance Redressal page for the procedure and SLAs.
11. Changes to this policy
We update this policy when our practices change. The “Last updated” date at the top reflects the most recent change. Material changes are notified by email and flagged in-app for at least 30 days before they take effect.
