1 Introduction
Ginvani Enterprise ("we," "us," "our," or "Company") is committed to protecting your privacy in compliance with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and all applicable Indian laws. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (https://ginvani.com) and our Amazon Ads Management Services (the "Services").
Jurisdiction & Applicability
This Privacy Policy is compliant with:
- Digital Personal Data Protection Act, 2023 (DPDP Act)
- Digital Personal Data Protection Rules, 2025 (DPDP Rules)
- Reserve Bank of India (RBI) Guidelines on data localization and payment security
- Information Technology Act, 2000 (ITA 2000)
- Bharatiya Nyaya Sanhita, 2023 (BNS 2023)
Scope
Our Services are designed for business use only and are intended for individuals acting as representatives of organizations managing Amazon Ads campaigns. These Services are not intended for personal, family, or household use.
By accessing or using Ginvani's Services, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy.
2 What Personal Information We Collect
A. Information You Provide to Us
2.1 Account Registration Information
- Full name (as per official ID)
- Email address (personal and business)
- Company name and GST/CIN details
- Indian mailing address (State, City, PIN Code)
- Phone number (with country code +91)
- Job title and organizational role
- Password (encrypted with AES-256)
2.2 Amazon Ads Authentication Information
- Amazon Seller/Vendor account identifiers
- Amazon brand registry information
- Amazon Ads account credentials (encrypted)
- Amazon API authentication tokens (encrypted, rotated every 90 days)
2.3 Payment Information
Currently, online payment processing is not enabled. Service access is provided on an invitation-only basis with invoicing handled offline.
2.4 Campaign Data and Business Information
- Amazon Ads campaign data (campaign names, budgets, bids)
- Performance metrics (impressions, clicks, cost, conversions)
- Product information (ASINs, titles, descriptions)
- Inventory levels and stock status
- Aggregated, anonymized customer insights
2.5 Communication Information
- Support tickets and inquiries
- Email correspondence and chat transcripts
- Feedback and survey responses
B. Information Collected Automatically
2.6 Technical Information
- IP address (with ISP details)
- Device type, ID, and hardware model
- Browser type, version, and operating system
- Geolocation (state/region level only)
2.7 Usage Data
- Pages visited and time spent
- Features used and interaction patterns
- API call frequency and patterns
- Login times and session duration
2.8 Cookies and Similar Technologies
- Session cookies (30 minutes) to maintain login status
- Persistent cookies (up to 2 years) for preferences
- Analytics cookies to understand usage patterns
3 How We Collect Information
3.1 Direct Collection
- Registration and profile forms
- Voluntary submissions and inquiries
- Customer support interactions
- Surveys, feedback, and user research
3.2 Automatic Collection
- Cookies and web technologies
- Server logs and analytics
- Error reporting and crash logs
- Performance monitoring
3.3 Third-Party Integration
- Amazon Ads API connections
- Email service providers
- Analytics platforms
- Cloud infrastructure (Google Workspace)
4 How We Use Your Information
4.1 Primary Purposes (as per DPDP Act Section 6)
- Service Delivery – Account management, Amazon Ads optimization, reporting, support
- Analytics and Improvement – Usage patterns, platform performance, new features
- Communication – Account updates, security alerts, marketing (with opt-in consent)
- Legal & Compliance – Fraud prevention, GST, RBI, IT Act compliance
4.2 Legal Basis (as per DPDP Act Section 6)
- Consent: Marketing, non-essential cookies
- Contractual necessity: Service delivery
- Legal obligation: GST compliance, RBI requirements
- Legitimate business interest: Fraud prevention, security, analytics
4.3 Consent Management
As per the DPDP Act: consent is explicit, free, specific, and informed. You can withdraw consent anytime without penalty. Withdrawal does not affect prior processing.
5 How We Share and Disclose Information
A. Service Providers (Data Processors)
- Cloud Infrastructure (Google Workspace – India data residency)
- Email Services (Gmail via Google Workspace)
- Analytics (Google Analytics with India data residency)
- Payment Processors (when enabled; RBI-approved only)
B. Amazon Ads Integration
We share necessary information with Amazon only to authenticate your account, pull campaign data, execute campaigns, and comply with Amazon's API requirements. Your Amazon account data remains under Amazon's control.
C. Legal Requirements
We may disclose information when required by court orders, Indian government authorities, law enforcement agencies, or regulatory bodies (RBI, MEITY, etc.).
D. Business Transfers
In case of merger, acquisition, or asset sale, your information may be transferred to the acquiring entity under similar privacy protections.
E. With Your Consent
We share information with other parties only when you explicitly authorize it.
6 Data Security and Protection
Encryption Standards
- Data at Rest: AES-256 encryption
- Data in Transit: TLS 1.3 (minimum)
- Password Storage: bcrypt hashing (salt rounds ≥12)
- API Credentials: AES-256 with 90-day key rotation
Access Controls
- Role-Based Access Control (RBAC)
- Multi-Factor Authentication (MFA) mandatory for admin
- Secure session management with 30-minute timeout
- Activity logging for all access attempts
Infrastructure Security
- Web Application Firewall (WAF) with DDoS protection
- Weekly vulnerability scanning
- Quarterly penetration testing by third-party
- Security patching within 48 hours of release
India-Specific Compliance
- Data residency in India (RBI requirement)
- No cross-border transfer without explicit consent
- Sensitive data stored in India only
- Compliance with MeitY guidelines
7 Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Active use + 1 year post-deletion | Account recovery, dispute resolution |
| Transaction records | 7 years | GST & Income Tax compliance |
| Campaign data | 3 years (or active period) | Analytics, performance tracking |
| Log files | 90 days | Security monitoring |
| Backup data | 30 days after deletion | Disaster recovery |
| API audit logs | 1 year | Security, compliance |
| Payment records | 7 years | GST & IT Act compliance |
| Support tickets | 2 years | Dispute resolution |
Deletion & Erasure Rights (DPDP Act Section 18)
- Cease active use within 48 hours of request
- Remove from production systems within 5 business days
- Purge from backup systems within 30 days
- Provide written confirmation of deletion via email
8 Third-Party Services and Links
8.1 Third-Party Integrations
- Amazon Ads API: Governed by Amazon's Privacy Policy
- Analytics Services: Google Analytics with India data residency
- Email Services: Google Workspace
- Cloud Infrastructure: Google Cloud India regions
Our website may contain links to third-party websites. We are not responsible for privacy practices of external sites.
9 Your Privacy Rights (DPDP Act Sections 18–19)
- Right to Know (Access) – Request a copy of your personal data
- Right to Correction (Rectification) – Correct inaccuracies
- Right to Erasure (Deletion) – Request data deletion (subject to legal retention)
- Right to Data Portability – Receive your data in portable format
- Right to Withdraw Consent – Withdraw marketing or non-essential consent anytime
- Right to Grievance Redressal – File complaints with us or Data Protection Board of India
How to Exercise Your Rights
10 Regional Privacy Rights
10.1 Indian Users (DPDP Act 2023)
As an Indian resident, you have comprehensive rights under the DPDP Act including the right to know, access, correct, erase, port, restrict, and withdraw consent. Consent is separate for each processing activity and freely given.
10.2 NRI and International Users
Data will be transferred to India with your explicit consent, remains protected by DPDP Act, and your rights are the same as Indian residents.
10.3 GST & IT Act Compliance
- GST registration number required for businesses
- 7-year transaction record retention
- Cyber security as per IT Act Section 43/43A
- Data breach notification per Section 72
11 Payment Methods (India-Specific)
Future Implementation (RBI-Compliant)
- UPI: Google Pay, PhonePe, Paytm, BHIM, WhatsApp Pay
- Digital Wallets: Paytm, Amazon Pay, MobiKwik
- Bank Transfers: NEFT, RTGS, IMPS
Payment data will be processed through RBI-approved gateways only. We will never store full credit card numbers, CVV, or expiry dates. All payment data hosted in India.
12 Cookies and Tracking Technologies
| Cookie Type | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Session/Auth | Maintain login status | Session | Contract |
| Preferences | Remember settings | 2 years | Legitimate interest |
| Analytics | Track usage patterns | 2 years | Consent |
| Security | Fraud prevention, CSRF | Session | Legitimate interest |
| Marketing | Campaign performance | 1 year | Consent |
Non-essential cookies require explicit consent. You can manage cookies via: Settings → Privacy & Cookies, or email ginvani.digital@ginvani.com.
13 Incident Response & Data Breach Notification
| Action | Timeline |
|---|---|
| Internal escalation & assessment | Immediate |
| Affected user notification | Within 24 hours |
| Amazon notification (if API-related) | Within 24 hours |
| MEITY/RBI notification | Within 72 hours |
| Public disclosure (if required) | Within 30 days |
14 Data Protection Officer (DPO) & Contact
Data Protection Officer
Kamal Kumar Jain (Proprietor)
Email: ginvani.digital@ginvani.com
Phone: +91-8951093800
Available: Monday–Friday, 10am–6pm IST
Mailing Address:
Ginvani Enterprise, Attn: Data Protection Officer
2nd Floor, Shahida Market, Shad Complex, SS Road
Guwahati, Assam 781001, India
15 Children's Privacy
Ginvani Services are NOT intended for users under 18 years. We do not knowingly collect information from individuals under 18. If you believe we have information about a minor, contact ginvani.digital@ginvani.com and we will delete it within 48 hours.
16 Amazon Ads API Compliance
- OAuth 2.0 authentication (never passwords)
- API credentials encrypted (AES-256), token rotation every 90 days
- Read-only access where possible; explicit authorization for changes
- Campaign changes logged with timestamp; audit trail for 1 year minimum
- Users retain full account control; can revoke API access anytime
- Amazon notified within 24 hours of confirmed breach
- No unauthorized use of Amazon data or sharing with third parties
17 Changes to This Privacy Policy
When we make material changes, we will post the updated policy, update the "Last Updated" date, send email notification to registered users (30 days before effective), and require explicit consent for significant changes.
18 Legal & Regulatory Compliance
Governing Law & Jurisdiction
This Privacy Policy is governed by the laws of India. Venue: Courts in India (Guwahati, Assam) where Ginvani is registered. Applicable laws include: DPDP Act 2023, IT Act 2000, BNS 2023, Indian Contract Act 1872, GST Act 2017, Income Tax Act 1961.
Data Localization (RBI Requirement)
- All personal data retained and processed in India
- No cross-border transfer without explicit user consent
- Sensitive data (payment, financial) India-only
- Infrastructure: Google Workspace India data centers
19 Questions and Support
This Privacy Policy is compliant with DPDP Act 2023, DPDP Rules 2025, and all applicable Indian laws.