Privacy Policy

Aaroora (“Aaroora”, “we”, “our”, “us”) operates a quick-commerce grocery delivery service in Vellore and Madurai, Tamil Nadu, India. We are committed to protecting your privacy and handling your personal data responsibly.

This Privacy Policy describes the personal data we collect from you, why we collect it, how we use and share it, and the rights you have over it. It applies to your use of our website at aaroora.com, our mobile applications, and any service that links to this policy (collectively, the “Services”).

By using the Services you confirm that you have read and understood this policy. If you do not agree with it, please do not use the Services.

This policy applies to personal data we process when you:

• Create an Aaroora account or sign in to one;
• Place an order, schedule a delivery, or use our cart and checkout;
• Communicate with our support team or use in-app chat;
• Subscribe to marketing communications or referral programmes;
• Browse our website or app, even without creating an account.

The policy does not apply to third-party websites, applications, or services that link to or integrate with our Services. Those third parties have their own privacy policies, which we encourage you to read.

3.1 Data you provide

• Account details: name, email address, mobile number, and password (or Google sign-in identifier).
• Delivery information: recipient name, delivery address, pincode, alternate contact number, and address labels (e.g. Home, Work).
• Order data: items added to cart, order history, substitution preferences, special instructions, and ratings.
• Payment data: we do not store full card or UPI credentials. Payments are processed by our payment gateway (Razorpay), which collects and tokenises payment instruments. We store only a payment reference, amount, and status.
• Support communications: messages, photos, or attachments you send to our support team or share through in-app chat.

3.2 Data we collect automatically

• Device & technical data: IP address, device identifiers, browser type, operating system, app version, and crash logs.
• Usage data: pages and screens viewed, items searched, time spent, referrers, and interactions with our Services.
• Location data: approximate location derived from your pincode or IP address, and — only with your explicit permission — precise GPS location used to determine serviceable areas and delivery polygons.
• Cookies & similar technologies: see Section 7 for details.

3.3 Data we receive from third parties

• Sign-in providers (e.g. Google) share your name, email, and profile picture when you choose to sign in with them.
• Payment partners share transaction confirmations, refund status, and fraud signals.
• Delivery partners share rider location and delivery confirmations for your active order.

We use personal data for the following purposes:

• To create and manage your account and to authenticate sign-in;
• To process, fulfil, and deliver your orders — including routing them to the correct dark store and assigning a delivery rider;
• To process payments, refunds, and wallet credits;
• To send order updates, delivery notifications, and important service communications (these are transactional and cannot be opted out of while you have an active order);
• To provide customer support, investigate complaints, and resolve disputes;
• To personalise your experience — including showing relevant products, remembering your preferences, and offering substitutions when items are out of stock;
• To detect, prevent, and investigate fraud, abuse, or violations of our Terms of Service;
• To improve our Services — including analytics, A/B testing, and product development;
• To send marketing and promotional communications (only with your consent, which you can withdraw at any time);
• To comply with applicable laws and regulatory requirements.

Under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and other applicable laws, we process your personal data on one or more of the following bases:

• Consent — for marketing communications, optional location access, and certain analytics cookies.
• Performance of a contract — to deliver orders you place with us and to provide the Services you have signed up for.
• Legitimate use — for fraud prevention, security, internal analytics, and improving our Services.
• Legal obligation — to comply with tax, accounting, food safety (FSSAI), and other regulatory requirements.

We do not sell your personal data. We share it only with the following categories of recipients, and only to the extent necessary:

• Delivery partners and riders — name, address, and contact number, so they can deliver your order.
• Payment gateways — Razorpay and any other PCI-DSS compliant processors we use to handle payments.
• Cloud infrastructure providers — including Supabase (database, authentication, storage), Vercel (hosting), and Sentry (error monitoring), under appropriate data-processing terms.
• Communication providers — SMS, WhatsApp, and email service providers used to send transactional notifications.
• Analytics providers — to understand how the Services are used, in aggregated or de-identified form wherever possible.
• Professional advisors — lawyers, auditors, and accountants under confidentiality obligations.
• Authorities — courts, regulators, or law-enforcement agencies where required by law or to protect our rights, your safety, or the safety of others.
• Successors in interest — in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality.

We use cookies and similar technologies (such as local storage and SDK identifiers) to:

• Keep you signed in and remember your cart;
• Secure your session against hijacking and CSRF attacks;
• Understand how the Services are used, in aggregate;
• Measure the performance of campaigns and referrals.

You can control cookies through your browser settings. Disabling essential cookies will break sign-in, cart, and checkout.

We retain your personal data for as long as your account is active and for a reasonable period after closure to comply with our legal, accounting, tax, and reporting obligations:

• Account data: retained while your account is active. On closure, we delete or anonymise it within 90 days, except where law requires otherwise.
• Order and invoice data: retained for at least 8 years to meet GST and accounting requirements under Indian tax law.
• Payment data: retained as required by our payment gateway and applicable banking regulations.
• Support communications: retained for up to 3 years from the date of the last interaction.
• Marketing preferences: retained until you withdraw consent or close your account.

We implement reasonable technical and organisational measures to protect your personal data, including:

• Encryption in transit (TLS 1.2 or higher) for all network traffic;
• Encryption at rest for our databases and storage buckets;
• Role-based access controls and row-level security on production data;
• Regular security reviews, dependency scanning, and least-privilege access;
• Logging and monitoring of administrative actions.

No method of transmission or storage is perfectly secure, however, and we cannot guarantee absolute security. You play an important role in keeping your account safe by using a strong password and not sharing your credentials.

Subject to applicable law, you have the following rights with respect to your personal data:

• Right to access — request a summary of the personal data we hold about you and how it is processed.
• Right to correction — request correction of inaccurate or incomplete data, or completion of incomplete data.
• Right to erasure — request deletion of your personal data, subject to legal retention requirements.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
• Right to nominate — nominate another person to exercise your rights in the event of your death or incapacity.
• Right to grievance redressal — raise concerns with our Grievance Officer (see Section 15).

To exercise these rights, email hello@aaroora.com from the email address associated with your account. We will respond within 30 days.

The Services are not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

Some of our service providers (e.g. cloud infrastructure, error monitoring) may process your data outside India. Where this happens, we ensure appropriate safeguards are in place, including data-processing agreements and providers certified to recognised security standards.

The Services may contain links to or embed content from third parties. Those third parties operate independently and are not controlled by us. We are not responsible for their privacy practices. Please review their privacy policies before sharing information with them.

We may update this policy from time to time. When we make material changes, we will notify you by email or through an in-app notice before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was last revised.

If you have questions, concerns, or complaints about this policy or our handling of your personal data, please contact our Grievance Officer:

We will acknowledge your complaint within 48 hours and aim to resolve it within 30 days, as required under the Information Technology Act, 2000 and the DPDP Act, 2023.