How we collect, use, and protect your data.
Last Updated: 29 May 2026
Entity: Grocito Online Private Limited
Grocito Online Private Limited ("we", "us", "our") is committed to protecting the privacy of your data. This Privacy Policy outlines our practices regarding the collection, storage, processing, and protection of data when you use the Grocito CRM Platform. This policy is designed to comply with the Digital Personal Data Protection (DPDP) Act, 2023 of India, alongside standard global data security practices.
To clarify data ownership and legal responsibility under the DPDP Act:
The Customer (You): You are the "Data Fiduciary" (Data Controller). You determine the purpose and means of collecting personal data from your leads, clients, and website visitors. It is your strict legal responsibility to obtain explicit, lawful consent from your subjects before adding their data to Grocito CRM or sending them communications.
Grocito: We are the "Data Processor". We process the data uploaded to our Platform solely on your behalf, based on your configurations, and to provide you with the SaaS functionality.
We collect data in three primary ways:
3.1 Data You Provide (Account Data): When you register, we collect your business name, personal name, email address, phone number, billing address, payment details, and compliance documents (GSTIN/PAN for KYC).
3.2 Data You Process (Customer Data): This includes all the information you input about your leads (names, phone numbers, emails, addresses, financial quotes, notes), files you upload to the Document Manager, and communication logs (emails, call recordings, SMS).
3.3 Data We Collect Automatically (Telemetry): We collect system logs, IP addresses, browser types, device identifiers, and usage metrics to monitor platform performance, prevent unauthorized access, and debug errors.
We strictly use the collected data to:
Provide, operate, and maintain the Grocito CRM Platform.
Process subscription payments and wallet top-ups.
Facilitate omnichannel communications (routing your messages through our telecom partners).
Provide AI-generated insights, summaries, and content drafting.
Investigate and prevent fraudulent transactions, spam, and unauthorized access.
Comply with Indian legal and regulatory obligations. Crucial Guarantee: Grocito will NEVER sell, rent, trade, or expose your Customer Data (your leads/clients) to third-party marketers, competitors, or external data brokers.
To provide full CRM functionality, we utilize secure, enterprise-grade third-party sub-processors. By using Grocito, you consent to data routing through:
Google Cloud & Firebase (Mumbai/New Delhi, India Region): For database hosting, storage, and serverless computing.
AI Providers (Google Gemini): For processing text to generate AI insights. Note: We use Enterprise APIs. Your proprietary CRM data is NOT used by Google to train their public foundation models.
Communication Gateways: Meta (WhatsApp API), Fast2SMS (DLT SMS), TeleCMI, Zoom Phone or others (Cloud Telephony), and Google APIs.
Payment Gateways: Razorpay and Zoho Payments. We do not store raw credit card numbers or banking passwords on our servers.
We employ robust security architecture:
Encryption: All data is encrypted in transit using TLS 1.2+ and encrypted at rest on Google Cloud servers using AES-256 encryption.
Multi-Tenant Isolation: Your data is logically separated from all other tenants using strict Firebase custom authentication claims and Firestore security rules.
Access Control: Grocito staff access to production environments is strictly limited to authorized engineering personnel for debugging and support, logged, and heavily restricted.
Active Accounts: Customer Data is retained for the lifetime of your active subscription.
Post-Termination: Upon account cancellation, we retain Customer Data for a 30-day grace period to allow for data export. After 30 days, the data is permanently wiped.
Legal Retention: Billing records, invoices, and KYC documents are retained for up to eight (8) years to comply with Indian tax (GST) and corporate audit laws.
Under the DPDP Act, you have the right to:
Access the personal data we hold about your organization.
Correct inaccurate organizational data.
Export your Customer Data at any time using the in-app Backup/Export tool.
Request the deletion of your account.
In accordance with Indian law, if you have any privacy concerns, data breaches to report, or DPDP compliance queries, please contact our Grievance Officer:
Email: support@grocito.com
Address: Grocito Online Private Limited, J979, C/o Hanuman Sahay Gupta, Raja Colony, Dausa (303303), ROC-Jaipur, Rajasthan, India. We will respond to all legitimate privacy requests within 15-30 business days.