Privacy Policy
This Privacy Policy explains how Original Collectors ("we", "us", "our") collects, processes, stores, and protects your personal data. We are committed to safeguarding your privacy in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and applicable rules thereunder.
1. Data Fiduciary — Who We Are
Original Collectors is the Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023. We determine the purposes and means of processing your personal data. We are operated from India and our services are primarily directed at users in India, though accessible internationally.
Data Fiduciary
Original Collectors
Contact Email
privacy@originalcollectors.com
Grievance Officer
grievance@originalcollectors.com
Jurisdiction
India
2. Personal Data We Collect
2.1 Data You Provide Directly
| Account Registration | Name, email address, password (hashed), username, display name |
| Profile Information | Bio, avatar/photo, region, preferred currency, collector interests |
| KYC Verification | Legal name, city, phone number, government ID document (for high-value transactions) |
| Vault / Collection Data | Item descriptions, photos, purchase price, estimated values, condition notes |
| Marketplace Listings | Item title, description, asking price, location, shipping preferences, payment channels you accept |
| Messages & Posts | Content of direct messages, feed posts, community posts, and comments |
| Transaction Records | Agreed price, payment channel chosen, shipping details, tracking ID, shipment proof photo |
| Support & Grievances | Content of communications with our support or moderation team |
2.2 Data Collected Automatically
| Device & Browser | IP address, browser type and version, operating system, device identifiers |
| Usage Data | Pages visited, features used, clicks, session duration, referral URL |
| Log Data | Server logs including timestamps, error reports, API request logs |
| Cookies & Local Storage | Session tokens, preference settings, feature flags (see Clause 8) |
2.3 Data from Third Parties
| OAuth Providers | If you sign in via Google or another OAuth provider: name, email, profile photo (only what you authorise) |
| Payment Processors | Transaction confirmation status from Razorpay/Stripe — we do not store card or banking details |
| AI Services | Responses from OpenRouter AI (item descriptions, tags) — no personal data is sent to AI providers |
3. Purposes and Legal Basis for Processing
Under the DPDP Act 2023, we process your personal data for specified, legitimate purposes with your consent ("deemed consent" where the purpose is reasonably expected given the service context), or as required by law. The following table sets out our processing purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and authentication | Email, password hash, username | Contract performance / Consent |
| Providing vault, marketplace, and community features | All profile and content data | Contract performance |
| KYC verification for transaction facilitation | Legal name, phone, government ID | Legal obligation / Consent |
| Sending transactional notifications (OTPs, alerts) | Email, phone number | Contract performance |
| Improving Platform features via usage analytics | Usage data (anonymised/aggregated) | Legitimate interest |
| AI-powered description and tagging | Item metadata (no personal identifiers) | Consent (opt-in feature) |
| Fraud prevention and safety enforcement | Account activity, IP, reports | Legitimate interest / Legal obligation |
| Responding to legal requests from authorities | As specified in request | Legal obligation |
| Subscription billing | Email, transaction confirmation status | Contract performance |
| Marketing communications (opt-in only) | Email, notification preferences | Consent |
5. Cross-Border Data Transfers
Our primary infrastructure (Supabase and Cloudflare R2) may store data on servers outside India. Where your data is transferred outside India, we ensure adequate protections are in place in compliance with Section 16 of the DPDP Act 2023, including contractual safeguards with our data processors. We will update this clause as the Central Government notifies permitted countries under the DPDP Act.
6. Data Retention
| Active account data | Retained for the lifetime of your account |
| Deleted account data (profile, personal details) | Purged within 30 days of account deletion request |
| Community and feed posts (public) | Anonymised on account deletion (author replaced with 'Deleted User') to preserve community integrity |
| Transaction records | Retained for 7 years as required for financial record-keeping under Indian law |
| KYC documents | Retained for 5 years post-transaction completion, then securely deleted |
| Server logs | Retained for 90 days, then deleted |
| Moderation and ban records | Retained for 3 years for safety and legal purposes |
| Backup copies | Retained for up to 60 days after the primary data is deleted |
7. Your Rights Under the DPDP Act 2023
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:
Right to Access
Request a summary of the personal data we hold about you and the purposes for which it is processed.
Right to Correction and Erasure
Request correction of inaccurate or incomplete data, or deletion of data that is no longer necessary for the original purpose. Note: certain data may be retained as required by law.
Right to Grievance Redressal
Lodge a grievance with our Grievance Officer. If unsatisfied with our response, you may approach the Data Protection Board of India (once constituted).
Right to Nominate
Nominate another individual to exercise your data rights in the event of your death or incapacity.
Right to Withdraw Consent
Withdraw consent for processing based on consent at any time. Withdrawal does not affect processing already carried out. Some services may not be available after withdrawal.
To exercise any of these rights, contact us at privacy@originalcollectors.com. We will respond within 30 days. Identity verification may be required before we fulfil your request.
9. Data Security
We implement industry-standard technical and organisational measures to protect your personal data:
- All data in transit is encrypted using TLS 1.2 or higher
- Passwords are hashed using bcrypt; we never store plaintext passwords
- API access is authenticated via short-lived JWTs; admin access requires additional 2FA
- KYC documents are stored in isolated storage buckets with restricted access
- Admin actions are logged immutably in a moderation audit trail
- Access to production data is restricted to authorised personnel on a need-to-know basis
- We perform regular security reviews and dependency audits
9.1 Data Breach Notification
In the event of a personal data breach that is likely to result in harm to you, we will notify the Data Protection Board of India and affected users as required under the DPDP Act 2023. Notifications will be sent to your registered email address within the statutory timeframe.
10. Children's Privacy
The Platform is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If we become aware that we have collected personal data from a child under 13 without such consent, we will take steps to delete it promptly.
For users between 13 and 18, parental consent is required. Parents or guardians may contact us at privacy@originalcollectors.com to review, modify, or request deletion of their child's data.
11. Grievance Officer (India — IT Rules 2021 & DPDP Act 2023)
In accordance with Rule 4 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer for India:
Designation
Grievance Officer
Organisation
Original Collectors
grievance@originalcollectors.com
Acknowledgement Timeline
Within 24 hours of receipt
Resolution Timeline
Within 15 days of receipt
Escalation
Data Protection Board of India (once constituted)
If your grievance is not resolved to your satisfaction within 15 days, you may escalate to the Data Protection Board of India (once the Board is constituted and notified under the DPDP Act 2023).
12. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the services we offer. Material changes will be notified via in-app notification and email at least 14 days before the effective date. The version number and effective date at the top of this document will be updated accordingly.
We maintain an archive of previous policy versions. If you would like a copy of a previous version, contact us at privacy@originalcollectors.com.
13. Contact Us
Privacy Queries
privacy@originalcollectors.comData Rights Requests
privacy@originalcollectors.comGrievance Officer
grievance@originalcollectors.comGeneral Legal
legal@originalcollectors.comDocument version 1.0 · Effective 1 April 2026
Prepared in compliance with: DPDP Act 2023 · IT Act 2000 · IT (Intermediary Guidelines) Rules 2021