Privacy Policy

Last Updated: January 31, 2026

Muditron Tech OPC Pvt Ltd ("Company," "we," "us," or "our"), operating the platform Xatpat available at https://xatpat.com/ ("Platform"), is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, process, store, and share your personal data, in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable Indian laws.

By using our Platform, you ("User," "Data Principal") consent to the processing of your personal data as described in this policy.

1. Information We Collect

We collect personal data to provide our services, improve user experience, and comply with legal obligations.

A. Data You Provide to Us

  • Merchants: Name, business name, phone number, email address, physical address (for KYC and logistics), PAN details, bank account information (for settlements).
  • Customers: Name, phone number, delivery address.
  • Payment Information: We do not store sensitive card details. Payments are processed by our authorized payment aggregators (e.g., Razorpay), who process details according to their own privacy policies.

B. Data We Collect Automatically

  • Device Information: IP address, browser type, device model, and operating system.
  • Usage Data: Logs of your interactions with our Platform (e.g., pages visited, timestamps).
  • Location Data: GPS location (with your consent) for verifying business address or delivery address.

2. Purpose of Data Processing

We process your personal data for the following specific purposes:

  1. Service Delivery: To create and manage your account, process orders, facilitate deliveries (sharing address with delivery partners like Borzo), and handle payments.
  2. Communication: To send you transactional updates (order status, OTPs), security alerts, and administrative messages.
  3. Improvement: To analyze usage patterns and improve our Platform's functionality and security.
  4. Compliance: To perform KYC verification (for Merchants) and comply with legal obligations (e.g., fraud prevention, tax laws).

We strictly limit our processing to these purposes and do not simply sell your data to third parties for marketing.

3. Legal Basis for Processing

We process your data based on:

  1. Consent: Your clear and affirmative consent provided when you sign up or use specific features.
  2. Legitimate Uses: As defined under the DPDP Act, for purposes such as fulfilling orders, employment-related purposes (if applicable), or complying with the law.

4. Data Sharing and Disclosure

We may share your personal data with:

  1. Service Providers: Third-party vendors who assist us in operating our Platform, such as:
    • Logistics Partners: (e.g., Borzo) for delivering orders.
    • Payment Aggregators: Razorpay Payments Private Limited for processing payments. When you make an online payment, we share your transaction amount, order ID, and anonymized payment information with Razorpay. Razorpay does NOT receive your complete card details, which are processed directly by their PCI DSS Level 1 certified infrastructure. Razorpay's privacy practices are available at https://razorpay.com/privacy/ and their terms at https://razorpay.com/terms/.
    • Cloud Infrastructure: Amazon Web Services (AWS) for hosting data. AWS's privacy practices are available at https://aws.amazon.com/privacy/.
  2. Legal Requirements: Government authorities, courts, or law enforcement agencies if required by law or to protect our rights and safety.

5. Data Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or misuse. These include:

  • Payment Security: All payment card data is processed by our PCI DSS Level 1 certified payment partner, Razorpay Payments Private Limited. We do not store complete card details.
  • Encryption: Sensitive data is encrypted using industry-standard AES-128-bit encryption during transmission and storage.
  • Access Controls: Role-based access controls limit data access to authorized personnel only.
  • Security Audits: Regular security audits and vulnerability assessments.
  • Compliance: Our payment processing complies with RBI Payment Aggregator Guidelines and PCI DSS standards.

However, no internet transmission is completely secure, and we cannot guarantee absolute security.

6. Data Retention

We retain your personal data based on the following schedule:

Data TypeRetention PeriodLegal Basis
Account informationDuration of account + 1 yearContract fulfillment
Transaction records8 years from transaction dateTax and accounting laws
KYC documents8 years from account closureRBI/PMLA requirements
Marketing communicationsUntil consent withdrawn + 30 daysConsent management
Usage logs90 daysSecurity and analytics
Support tickets3 years from resolutionCustomer service

Once the retention period expires, we will securely delete or anonymize your data.

7. Your Rights (Data Principal Rights)

Under the DPDP Act, 2023, you have the following rights:

  1. Right to Access: Request a summary of your personal data being processed and the processing activities.
  2. Right to Correction & Erasure: Request correction of inaccurate data or erasure of your data (subject to data retention laws).
  3. Right to Grievance Redressal: File a complaint regarding our use of your data.
  4. Right to Nominate: Nominate an individual to exercise your rights in the event of death or incapacity.

To exercise these rights, please contact our Grievance Officer designated below.

8. Children's Privacy

Our Platform is not intended for use by individuals under 18 years of age (as defined in our Terms and Conditions). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child without parental consent, we will take steps to delete it.

9. Updates to this Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page with an updated date.

10. Grievance Officer

If you have any concerns or complaints regarding your personal data, please contact our Data Protection/Grievance Officer:

Name: Anush Krishna
Email: info@muditron.com
Address: Muditron Tech (OPC) Pvt Ltd, No 645, A Main Rd, near Sapthgiri College, Kirloskar Layout, Siddeshwar Layout, Soundarya Layout, Bengaluru, Sidedahalli, Karnataka 560073

We will respond to your grievance within the timelines prescribed by applicable law.

Contact Us

For general privacy inquiries, contact us at info@muditron.com.