PRIVACY POLICY

Last Updated: February 25, 2025

Introduction and Overview

Bamboowala (“we,” “our,” or “us”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how your personal information is collected, used, disclosed, and safeguarded by SS Bamboowala Private Limited.

This Privacy Policy applies to our website (https://thebamboowala.com/), its associated subdomains, and our applications (collectively, our “Service”). By accessing or using our Service, you acknowledge that you have read, understood, and agree to the collection, storage, use, and disclosure of your personal information as described in this Privacy Policy and our Terms of Service.

1. Definitions and Key Terms

To help explain things as clearly as possible in this Policy, key terms are strictly defined as follows:

• Consent: means free, specific, informed, and unambiguous indication of your wishes by which you signify agreement to the processing of personal data relating to you, either by a statement or clear affirmative action.
• Cookie: small amount of data generated by a website and saved by your web browser, used to identify your browser, provide analytics, and remember information about you.
• Company: when this policy mentions “Company,” “we,” “us,” or “our,” it refers to SS Bamboowala Private Limited, having Regd. Address at 135, Ramnagar Road No. 4, 2nd Crossing, Agartala, Tripura, 799002, India, responsible for your information under this Policy.
• Country: where ‘Bamboowala’ or the owners/founders of ‘Bamboowala’ are based, in this case is India.
• Customer/You/Data Principal: refers to the individual or company that signs up to use Bamboowala’s Products or Services or provides personal data to us.
• Data Protection Officer: individual designated by the company responsible for overseeing data protection strategy and implementation to ensure compliance with regulations.
• Data Processor: any natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Company.
• Device: any internet connected device such as a phone, tablet, computer, or any other device used to visit our Service.
• Grievance Officer: individual designated by the company responsible for addressing complaints and grievances related to data privacy and protection.
• IP address: Every device connected to the Internet is assigned a number known as an Internet protocol (IP) address, which can often be used to identify the location from which a device is connecting to the Internet.
• Legal Basis: lawful grounds on which we rely to collect and process your personal data.
• Personal Data: any information relating to an identified or identifiable natural person (data principal); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Processing: any operation performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, making available, alignment or combination, restriction, erasure, or destruction.
• Sensitive Personal Data: means such personal data, which may reveal, be related to, or constitute: (i) financial information; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorized as sensitive personal data under applicable law.
• Service: refers to the service provided by ‘Bamboowala’ which can be accessed via https://thebamboowala.com/ or other URLs of ‘Bamboowala’ as described in the relative terms.
• Third-party Service Provider: refers to data processors, advertisers, contest sponsors, promotional and marketing partners, and others who provide our content or whose products or services we think may interest you.

2. Personal Data We Collect

We collect information directly from you when you interact with our Service in the following ways:

2.1 Information You Provide to Us

• Identity and Contact Information: Name, email address, phone number, shipping and billing addresses
• Account Information: Username, password, account preferences, and feedback
• Transaction Information: Products purchased, order history, payment details
• Communications: Information provided in emails, chat conversations, or surveys
• User Content: Reviews, ratings, photos, or other content you share on our Service

2.2 Information Collected Automatically

• Device and Technical Information: IP address, device type, browser type, operating system, unique device identifiers
• Usage Information: Pages viewed, time spent on site, links clicked, shopping cart activity, search queries, browsing behavior
• Location Information: General location inferred from IP address
• Cookies and Similar Technologies: Information collected via cookies, web beacons, and similar technologies as described in our Cookie Policy section

2.3 Information from Third Parties

• Social Media: When you interact with our Service through social media platforms
• Service Providers: Information from payment processors, fraud detection services, shipping providers
• Public Sources: Publicly available information from business directories, social media

3. Legal Basis and Purposes of Processing

We process your personal data only when we have a valid legal basis to do so. Depending on the specific processing activity, we rely on one or more of the following legal bases:

3.1 Legal Bases

• Consent: We process certain data when you have given clear consent for specific purposes
• Contractual Necessity: Processing necessary to fulfill our contractual obligations to you
• Legitimate Interests: Processing necessary for our legitimate interests or those of a third party
• Legal Obligation: Processing necessary to comply with our legal obligations
• Vital Interests: In rare circumstances, to protect someone’s life

3.2 Purposes of Processing

We process your personal data for the following specific purposes:

• Service Provision: To provide and maintain our Service, process transactions, fulfill orders, and manage your account
• Communication: To respond to inquiries, provide customer support, and send service-related communications
• Improvement and Development: To analyze usage patterns, troubleshoot issues, conduct research, and improve our Service
• Personalization: To personalize your experience and deliver content and product offerings relevant to your interests
• Marketing: With your consent, to provide marketing communications about our products and services
• Security and Fraud Prevention: To protect our Service, verify accounts, prevent fraud, and ensure security
• Legal Compliance: To comply with applicable laws, regulations, and legal processes

For each purpose, we ensure that processing is necessary, proportionate, and limited to what is required to achieve the stated purpose.

4. Consent and Choice

4.1 Obtaining Consent

We obtain your consent through clear affirmative actions such as: – Checking boxes on our website – Clicking “I agree” buttons – Selecting preferences in account settings – Other clear affirmative actions indicating consent

Where we rely on consent as the legal basis for processing, such consent is: – Freely given and specific to the processing activity – Informed by clear information about what you are consenting to – Unambiguous and demonstrated through a clear affirmative action – As easy to withdraw as it is to give

4.2 Withdrawing Consent

You may withdraw your consent at any time by: – Updating your preferences in your account settings – Clicking the “unsubscribe” link in our marketing communications – Contacting us at swattik@thebamboowala.com

Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

5. Data Sharing and Disclosure

We may share your personal data with the following categories of recipients:

5.1 Service Providers and Data Processors

We share data with third-party service providers who process data on our behalf, including: – Payment processors – Shipping and logistics providers – Customer support services – Marketing and analytics providers – IT and cloud service providers – Fraud prevention services

All service providers are contractually obligated to use your data only for the purposes specified by us and in accordance with this Privacy Policy.

5.2 Business Partners

With your consent, we may share data with business partners including: – Marketplace partners – Promotional partners – Loyalty program partners

5.3 Legal Requirements

We may disclose your information when required by law, regulation, or legal process, including: – In response to court orders or legal proceedings – To comply with regulatory requirements – To protect our rights, property, or safety – To investigate fraud or respond to a government request

5.4 Business Transfers

In connection with any merger, acquisition, divestiture, or other corporate reorganization, we may transfer data to the relevant third party, provided they agree to adhere to the terms of this Privacy Policy.

6. Cross-Border Data Transfers

6.1 Data Storage Locations

Our primary data storage is located in India. However, we may transfer data to service providers or business partners located outside India.

6.2 Safeguards for International Transfers

For cross-border transfers to countries that may not provide the same level of data protection as India, we implement appropriate safeguards including:

• Standard Contractual Clauses approved by relevant data protection authorities
• Ensuring recipient countries have adequate data protection laws as determined by appropriate authorities
• Obtaining explicit consent for specific transfers when required
• Implementing technical and organizational measures to ensure data protection regardless of location

6.3 Documentation and Records

We maintain records of all cross-border transfers, including: – Categories of data transferred – Recipients and their countries – Safeguards implemented – Risk assessments conducted

You may request information about specific transfers by contacting us at swattik@thebamboowala.com.

7. Data Retention

7.1 Retention Principles

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements.

7.2 Retention Periods

Specific retention periods for different data categories include: – Account Information: 7 years after your last account activity – Transaction Records: 10 years to comply with tax and accounting requirements – Marketing Preferences: Until you opt-out or request deletion – Website Usage Data: 2 years in identifiable form – Communication Records: 5 years from the date of communication

7.3 Data Minimization

After the applicable retention period expires, personal data is: – Securely deleted or destroyed – Anonymized (where the data is rendered into a form which does not identify you) – Archived with restricted access (where retention is required for legal purposes)

8. Data Security

8.1 Technical and Organizational Measures

We implement appropriate technical and organizational security measures to protect your personal data, including:

• Encryption of personal data in transit and at rest
• Access controls and authentication requirements
• Regular security assessments and testing
• Staff training on data protection and security
• Physical security measures for premises and equipment
• Documented incident response procedures

8.2 Data Breach Response

In the event of a data breach affecting your personal information, we will:

1. Investigate and contain the breach promptly
2. Assess the risk to your rights and freedoms
3. Notify affected data principals within 72 hours of discovering the breach
4. Provide details about what information was compromised
5. Outline steps we are taking to address the breach
6. Offer guidance on how you can protect yourself
7. Notify relevant regulatory authorities as required by law
8. Document the breach and our response for future prevention

8.3 Ongoing Risk Assessment

We regularly review and update our security measures based on: – New technological developments – Changes in our processing activities – Identified vulnerabilities – Industry best practices

9. Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023 and other applicable laws, you have several rights regarding your personal data:

9.1 Right to Confirmation and Access

You have the right to: – Confirm whether we process your personal data – Access your personal data – Receive information about how your data is processed

9.2 Right to Correction

You can request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure

You can request deletion of your personal data under certain circumstances, such as: – When data is no longer necessary for the purpose it was collected – When you withdraw consent and there is no other legal basis for processing – When you object to processing and there are no overriding legitimate grounds

9.4 Right to Restriction of Processing

You can request temporary restriction of processing in certain situations, including: – When you contest the accuracy of your data – When processing is unlawful but you oppose erasure – When we no longer need the data but you require it for legal claims

9.5 Right to Data Portability

You can request your data in a structured, commonly used, and machine-readable format, and have it transmitted to another controller where technically feasible.

9.6 Right to Object

You can object to processing based on legitimate interests, including profiling, and to processing for direct marketing purposes.

9.7 Right to Not Be Subject to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you, unless: – Necessary for a contract – Authorized by law – Based on your explicit consent

9.8 How to Exercise Your Rights

To exercise any of these rights, you may: – Access your account settings (for certain functions) – Contact us at swattik@thebamboowala.com – Submit a request through our website at https://thebamboowala.com/privacy-rights

We will respond to valid requests within 30 days, with possible extension of up to 60 additional days when necessary, taking into account the complexity and number of requests.

10. Children’s Privacy

10.1 Age Restrictions

Our Service is not directed to children under 18 years of age, and we do not knowingly collect personal data from children under 18 or children under the applicable age of digital consent in their jurisdiction.

10.2 Verification Measures

To prevent collection of data from children under 18, we implement: – Age verification prompts at account creation – Monitoring techniques to identify potentially underage users – Prompt deletion of any data identified as belonging to a child

10.3 Parental Consent

If we learn that we have collected personal data from a child under the age of 18 without verified parental consent, we will: – Immediately suspend the account – Delete this data from our servers – Implement measures to prevent recurrence

10.4 Reporting

If you believe we might have collected information from a child under 18, please contact us at swattik@thebamboowala.com immediately.

11. Cookies and Tracking Technologies

11.1 Types of Cookies We Use

We use cookies and similar tracking technologies to track activity on our Service and hold certain information. Cookies are files with small amount of data that may include an anonymous unique identifier.

Our cookies are categorized as follows:

1. Strictly Necessary Cookies: Essential for the website to function properly (e.g., authentication, security)
2. Functional Cookies: Remember your preferences and settings (e.g., language, region)
3. Analytical/Performance Cookies: Collect information about how visitors use our website (e.g., which pages, error messages)
4. Targeting/Advertising Cookies: Record your visits to our website, pages visited, and links followed to deliver personalized advertisements

11.2 Cookie Management

You can control cookies through your browser settings and other tools:

• You can set your browser to refuse all cookies or to indicate when a cookie is being sent
• You can delete cookies already stored on your device
• You can use our Cookie Preference Center to manage your preferences
• Various opt-out mechanisms are available for targeted advertising

However, if you disable cookies, some features of our Service may become unavailable or function improperly.

11.3 Retention of Cookie Data

Different types of cookies remain valid for different periods: – Session cookies: Deleted when you close your browser – Persistent cookies: Remain for a pre-defined period (specified in our Cookie Preference Center)

11.4 Third-Party Cookies

Some cookies are placed by third parties, such as analytics providers and advertising networks. We provide details about these third parties and their privacy policies in our Cookie Preference Center.

12. Marketing Communications

12.1 Consent for Marketing

We will only send marketing communications when: – You have given explicit consent to receive such communications – You have an existing relationship with us and the marketing relates to similar products or services – You have not opted out of receiving marketing

12.2 Opting Out

You can opt out of marketing communications at any time by: – Clicking the “unsubscribe” link in any marketing email – Adjusting your communication preferences in your account – Contacting our customer service team – Emailing swattik@thebamboowala.com

12.3 Service Communications

Note that even if you opt out of marketing communications, you will still receive service-related communications necessary for the operation of your account or fulfillment of transactions.

13. Automated Decision-Making and Profiling

13.1 Scope of Automated Processing

We may use automated decision-making, including profiling, for purposes such as: – Fraud prevention and security – Credit and payment processing – Product recommendations – Website personalization

13.2 Significant Decisions

For decisions that significantly affect you (legally or similarly), we ensure: – Human oversight and review is available – You are informed about the logic involved – You can request explanation of decisions – You can contest any automated decision

13.3 Safeguards

We implement appropriate safeguards when using automated decision-making: – Regular testing for bias and discrimination – Staff training on automated system limitations – Periodic review of algorithms and decision models

14. Data Protection by Design and Default

14.1 Privacy Impact Assessments

We conduct Data Protection Impact Assessments for processing activities that may result in high risk to your rights and freedoms.

14.2 Data Minimization

We implement data minimization principles by: – Collecting only data necessary for specified purposes – Limiting access to personal data to authorized personnel – Implementing pseudonymization and anonymization where possible

14.3 Technical Measures

We integrate data protection requirements into our systems through: – Privacy-enhancing technologies – Default privacy-protective settings – Secure development practices

15. Accountability and Governance

15.1 Documentation

We maintain documentation of our processing activities, including: – Categories of data processed – Purposes of processing – Recipients of data – Security measures – Retention periods – Legal bases for processing

15.2 Data Protection Officer and Grievance Officer

We have appointed a Data Protection Officer and Grievance Officer who is responsible for: – Monitoring compliance with data protection laws – Advising on data protection obligations – Cooperating with regulatory authorities – Handling data protection inquiries and grievances

Our Data Protection Officer and Grievance Officer can be reached at: Email: swattik@thebamboowala.com Phone: +91 – 700 598 4264

15.3 Grievance Redressal Process

Our grievance redressal process follows these steps: 1. Acknowledgment of grievance within 48 hours 2. Initial assessment within 7 days 3. Investigation and resolution within 30 days 4. Implementation of resolution and notification to you 5. Appeal process if you are not satisfied with the resolution

16. Third-Party Services and Links

16.1 Third-Party Services

We may integrate third-party services into our website, such as: – Payment processors – Analytics providers – Social media features – Advertising networks

These third parties may collect information about you when you interact with their features. Their collection and use of information is governed by their privacy policies, not ours.

16.2 Links to Other Websites

Our Service may contain links to other websites not operated by us. We are not responsible for the content, privacy practices, or policies of these websites. We encourage you to review the privacy policy of every website you visit.

17. Changes to This Privacy Policy

17.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated version will be effective as of the “Last Updated” date at the top of this Privacy Policy.

17.2 Notification of Changes

For significant changes to this Privacy Policy, we will notify you by: – Posting a notice on our website – Sending an email to registered users – In-app notifications where applicable

17.3 Continued Use

Your continued use of our Service after the effective date of any updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you should discontinue use of our Service.

18. Governing Law and Dispute Resolution

18.1 Governing Law

This Privacy Policy is governed by the laws of India without regard to its conflict of laws provisions.

18.2 Compliance with Indian Laws

This Privacy Policy complies with: – Information Technology Act, 2000 – Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 – Digital Personal Data Protection Act, 2023

18.3 Dispute Resolution

Any disputes arising under this Privacy Policy shall be resolved through: 1. Amicable negotiations in good faith 2. Formal complaint to our Grievance Officer 3. Mediation by a mutually agreed third party 4. Legal proceedings in the courts of Agartala, Tripura, India

19. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: swattik@thebamboowala.com
• Phone/WhatsApp: +91 – 700 598 4264
• Contact Form: https://thebamboowala.com/contact

Postal Address: 135, Ramnagar Road No. 4, 2nd Crossing, Agartala, Tripura, 799002, India