Our Privacy Policy

Our Privacy Policy outlines how we collect, use, and protect your personal information. Your privacy and security are our priorities.

Last Updated on February 2026

1.

What This Privacy Policy Is About

Subbito Private Limited ("Subbito", "we", "us", "our") is a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA).

We operate a platform connecting customers with independent service professionals for home services.

This Privacy Policy explains how we collect, process, store, and share your personal data in compliance with the DPDPA, 2023.

2.

Who This Policy Applies To

This Policy applies to all Data Principals (individuals to whom the personal data relates), including Customers, Service Professionals, and Website or App Visitors.

By using the Platform, you provide your voluntary, specific, informed, and unconditional consent to the processing of your personal data as described herein, unless a different legal basis applies under the DPDPA.

3.

Types of Personal Data Collected

We collect limited categories of personal data that are necessary for the lawful purposes described below:

  • Contact Data: Phone number, email address, home address, location information
  • Identity & Profile Data: Name, username, gender, profile photos
  • Marketing & Communication Data: Feedback, survey responses, chats, call records
  • Technical Data: IP address, browser type, device type, operating system, login time
  • Transaction Data: Service bookings, payment details, UPI ID, transaction history
  • Usage Data: Booking history, platform activity, browsing behaviour

Note: We do not intentionally collect children's data without verifiable parental consent, as required under the DPDPA.

4.

Purpose of Processing

Notice under Section 5 of DPDPA

We collect and process your personal data only for the following lawful purposes:

  • Creating and managing user accounts
  • Providing and facilitating home services
  • Enabling service professionals to deliver services
  • Processing payments and preventing fraud
  • Customer support
  • Platform improvement and analytics
  • Complying with legal obligations (tax, court orders, etc.)
  • Marketing and service updates (with opt-out)

Consent withdrawal: You may withdraw your consent at any time by contacting our Grievance Officer. Consequences of withdrawal may include inability to provide services.

6.

How Personal Data Is Collected

We collect data through:

  • Direct interactions — account creation, bookings, support, surveys
  • Automated technologies — cookies, device information, browsing activity
  • Third parties — analytics providers, payment gateways, service professionals, public sources
7.

Sharing Personal Data

We share personal data only with:

  • Service professionals (to perform requested services)
  • Internal companies within Subbito group
  • Data Processors — payment processors, hosting, analytics, messaging providers (under written contracts)
  • Government authorities when required by law (Section 8(4) of DPDPA)

No sale of personal data to third parties occurs. Provider verification data is shared strictly for onboarding, fraud prevention, dispute handling, and legal compliance, with adequate contractual safeguards.

8.

International Data Transfers

Section 16 of DPDPA

We may transfer personal data to servers or processors located outside India only to countries or entities permitted by the Central Government by notification, or with your explicit consent where required.

You have the right to know the countries where your data is transferred.

9.

Data Retention

Section 8(5) of DPDPA

We retain personal data only as long as necessary for the purposes stated in this Policy, or as required by Indian law.

  • General data: Duration of account activity + up to 2 years thereafter
  • Transaction & tax records: Period required under the Income Tax Act, 1961 (typically 6 years from end of financial year)
  • Dispute-related data: Until resolution of dispute + 1 year

After the retention period expires, we will delete or de-identify the data. Aggregated, anonymized data may be kept indefinitely for research/analytics.

10.

Data Security

Section 8(5) of DPDPA

We implement reasonable security safeguards to prevent unauthorised access, loss, or disclosure, including encryption (TLS, at rest), password protection and access controls, call masking, and regular security audits.

You are responsible for protecting your account password. In case of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals as required by law.

11.

Data Principal Rights

Sections 12–15 of DPDPA

As a Data Principal, you have the following rights, exercisable by contacting our Grievance Officer:

  • Right to access — Summary of your personal data being processed
  • Right to correction — Correction or erasure of inaccurate/outdated data
  • Right to deletion — Request deletion of your personal data (subject to legal retention)
  • Right to grievance redressal — File a complaint with us or the Data Protection Board
  • Right to nominate — Nominate another individual to exercise your rights in case of death or incapacity
  • Right to withdraw consent — Withdraw consent at any time (with consequences explained)

We will respond within 7 working days as per DPDPA rules.

13.

Account Deletion

You may delete your account through the app (if feature available) or by contacting our Grievance Officer.

Upon account deletion, access to services is removed. Most profile data is deleted within 30 days. Certain records (transactions, bookings, tax records, disputes) may be retained only as permitted under Section 8(5) of DPDPA for legal compliance.

14.

Cookies and Tracking

We use cookies to recognise users, remember preferences, and improve user experience. You may manage cookie settings through your browser. Third-party cookies may also be used.

15.

User Generated Content

When you post comments, feedback, or photos on public areas of the Platform, that content may become publicly visible. You are responsible for such content. Do not share sensitive personal data publicly.

16.

Payment Security

Payments are processed through secure, PCI-DSS compliant gateways. Subbito does not store full card details. UPI IDs and transaction logs are stored securely for compliance.

17.

Policy Updates

We may update this Privacy Policy from time to time. Material changes will be notified via email or prominent notice on the Platform. Continued use after the effective date constitutes acceptance.

18.

Grievance Officer

Section 9 of DPDPA

We have appointed a Grievance Officer to address complaints and requests. You may contact them for exercise of Data Principal rights, complaints regarding processing or breach, withdrawal of consent, and clarifications on this Policy.

Aniket Thakur

Director

help@subbito.com

Response time: 7 working days. If your grievance is not resolved, you may file a complaint with the Data Protection Board of India under Section 15 of the DPDPA.

19.

Significant Data Fiduciary Provisions

If Subbito is classified as a Significant Data Fiduciary by the Central Government, we will appoint a Data Protection Officer, conduct Data Protection Impact Assessments, and undergo periodic audits as required.

20.

Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, and any rules made thereunder.