Privacy policy

This Privacy Policy explains how Robnu (“Robnu”, “we”, “us”), operated by Onviqa Inc., collects, uses, stores, and protects information when you use the Robnu web application at robnu.com, the Robnu API at api.robnu.com, and the Robnu Chrome browser extension (together, the “Service”). It is aligned with the Digital Personal Data Protection Act, 2023 (“DPDP 2023”) and the Information Technology Act, 2000 of India.

Robnu does not sell, rent, or share your personal data with third parties for marketing purposes.

Who this policy applies to

This policy applies to sellers who register a Robnu account and connect a marketplace seller-central account, authorised users within a seller's organisation (staff, operators, accountants), and visitors who browse robnu.com without creating an account. It does not apply to end-buyers — Robnu does not collect end-buyer data beyond the order, shipment, and return information that the marketplace exposes to the seller for fulfilment.

What we collect and why

Information you provide directly:

• Account & billing: name, business name, work email, phone, address — for account creation, support, and statutory invoicing.
• GSTIN: for tax-compliant invoicing under the Central Goods and Services Tax Act, 2017.
• Authorised users: emails and roles for multi-user access management.
• Support correspondence: tickets and replies, retained to resolve issues and improve the Service.

Marketplace session tokens

To act on your behalf against marketplace seller portals, the Robnu Chrome extension reads marketplace session tokens from your browser when you are logged in to the marketplace seller-central site (for example, seller.ajio.com).

• Tokens are read from window.localStorage and other in-page storage on the marketplace seller-central origin only.
• We do not read, capture, or store your marketplace password.
• Tokens are transmitted over TLS 1.2+ (HTTPS) directly to api.robnu.com.
• At rest, tokens are encrypted using a per-seller AWS KMS Data Encryption Key (DEK) and stored only in encrypted form in PostgreSQL. Plaintext tokens are never written to disk.
• Tokens carry a short time-to-live (typically five minutes). Robnu refreshes them in the background using a Postgres advisory-locked refresh routine.
• You can revoke Robnu's access at any time by clicking Disconnect in the Robnu Chrome extension popup or the Disconnect control on the relevant Connection in your Robnu web dashboard. On disconnect, tokens for that connection are cryptographically erased within five minutes.

Marketplace business data pulled on your behalf

Once you authorise a connection, Robnu uses your session tokens to retrieve, on your behalf, the data your marketplace already shows you in seller-central: orders and order lines, shipments and tracking events, returns, refunds and cancellations, payouts and remittance statements, inventory and listing identifiers, and limited end-buyer data necessary for fulfilment as exposed by the marketplace. This data is your data. Robnu acts as a Data Processor in respect of it, and you remain the Data Fiduciary (Data Controller) under DPDP 2023.

Technical and audit data

• IP address, user-agent, timestamp, event type — for security audit, abuse prevention, and troubleshooting.
• Sign-in, token-refresh, and disconnect events — an audit log of what Robnu did on your behalf.
• Server logs (request paths, response codes) — reliability, capacity planning.

Cookies

Robnu uses only essential cookies required to make the Service work. We do not use advertising or cross-site tracking cookies. We do not deploy Google Analytics, Meta Pixel, or comparable third-party tracking tags on robnu.com. Essential cookies in use:

• __robnu_session — authenticated session for the web dashboard (30 days).
• __robnu_csrf — cross-site request forgery protection (session).
• __robnu_consent — records your essential-cookie acknowledgement (12 months).

What we do not collect

• Marketplace passwords. We never read or store them.
• Payment card details. When subscription billing is introduced, it will be processed by a PCI-DSS-compliant payment processor; Robnu will not receive or store full card numbers.
• End-buyer behavioural or profiling data beyond the order-fulfilment fields the marketplace already provides to you.
• Biometric or health data, or government identifiers other than GSTIN.
• Data used to train AI models. Robnu does not use seller data to train machine-learning models.

How long we keep your data

• Marketplace session tokens: until you disconnect or delete your account, then cryptographically erased within five minutes.
• Order, shipment, return, payout records: up to seven years after creation, to support tax-compliance obligations under Indian law.
• Account PII: for the life of the account; deleted within 30 days of a verified deletion request, except where retention is required by law.
• Audit logs: one year from the event date, then automatically purged.
• Support correspondence: up to three years from last contact.
• Financial / tax records: as required by Indian tax law (typically eight years).

Your rights as a Data Principal

Under DPDP 2023, you have the right to access a summary of your personal data, the right to correction of inaccurate or incomplete data, the right to erasure of data no longer necessary for the original purpose (subject to legal retention obligations), the right to nominate another individual to exercise your rights, the right to grievance redressal, and the right to withdraw consent at any time where processing is based on consent. To exercise any of these rights, email [email protected] from the email registered on your Robnu account. We aim to respond within 30 days.

Security measures

• In transit: TLS 1.2 or higher on all api.robnu.com and robnu.com endpoints. HSTS enabled.
• At rest: Marketplace session tokens, PII, and other sensitive fields are encrypted using AWS KMS-managed Data Encryption Keys (envelope encryption). Database backups are encrypted.
• Key management: Per-seller DEKs allow scoped revocation. Master keys are managed by AWS KMS in the Mumbai region.
• Access control: Role-based access; production database access is limited to authorised engineering staff under signed confidentiality obligations and is logged.
• Audit logging: Every token-using action against a marketplace API is recorded with seller id, timestamp, and event type.
• Network: Production ingress is fronted by Cloudflare Tunnel. There is no public inbound port on the application VM other than the Cloudflare-tunnelled origin.
• Disaster recovery: Encrypted daily database snapshots retained for 30 days.

No system is perfectly secure. If we become aware of a personal-data breach, we will notify the Data Protection Board of India and affected Data Principals as required by DPDP 2023.

Subprocessors

• Amazon Web Services, Inc. — S3 (encrypted document storage), SQS (asynchronous job queue), KMS (encryption-key management); Asia Pacific (Mumbai).
• Cloudflare, Inc. — edge ingress (Cloudflare Tunnel), DNS, DDoS protection.
• Onviqa-managed PostgreSQL host — Windows VM, India.
• Resend — transactional email delivery (verification, alerts).

Cross-border data transfers

Robnu primarily processes data within India. Limited routing through Cloudflare's global edge and metadata-only flows to AWS APIs may briefly transit jurisdictions outside India. Substantive customer data (orders, tokens, PII) is stored in India.

Children

Robnu is a B2B platform for registered businesses. The Service is not directed at, and we do not knowingly collect personal data from, individuals under 18 years of age.

Changes to this policy

Material changes will be notified by email to your registered address and posted on this page at least 14 days before they take effect. The “Last updated” date at the top of the page reflects the current version.

Grievance officer

For questions, complaints, or to exercise your rights, contact our Grievance Officer at [email protected]. Postal: Onviqa Inc., Surat, Gujarat, India. If you are not satisfied with our response, you may approach the Data Protection Board of India established under DPDP 2023.