India-wide coverage 100% free Aadhaar-verified sellers Post a free ad

O
Post Ad Log in

Privacy Policy

Effective May 15, 2026 First-draft · counsel review pending

Artifact Stonex Pvt. Ltd. ("we", "Odito") is the data fiduciary for personal data collected through odito.in, under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Rules, 2021. This notice is published under section 5(1) of the DPDP Act.

1. What we collect

  • Account data: email address (for login OTP), display name, optional phone number for the WhatsApp contact button, city and locality.
  • Listing data: title, description, price, photos, category, location, and per-category attributes you submit when posting an ad.
  • Verification data: Aadhaar number and the one-time OTP transaction reference, only when you choose to verify for the Verified Badge. Aadhaar numbers are encrypted at rest. We do not store an image of your Aadhaar card.
  • Communication data: messages exchanged in the chat feature, conversation metadata, and unread counts.
  • Technical data: IP address, user agent, and timestamps for authentication, OTP, fraud screening, and grievance audit logs.

2. Why we collect it

We process personal data only for the specified lawful purposes:

  • To authenticate you (email OTP) and protect your account.
  • To publish your listings and enable buyer/seller chat and the WhatsApp contact button.
  • To run heuristic and (later) AI-assisted fraud detection on listings — required to keep the marketplace safe.
  • To verify identity through Aadhaar OTP when you opt in, for the Verified Badge.
  • To comply with Indian law and respond to lawful orders from courts and government authorities.

We do not sell your personal data. We do not use it for advertising profiles.

3. Who we share it with (processors)

Limited categories of data are processed by service providers acting on our instructions:

  • Hosting: Hostinger India — application servers and database. Data is stored on servers located in India once migration to the India region is complete (see Open items below).
  • Image storage and delivery: Cloudinary — listing photos.
  • Email delivery: the SMTP provider configured for the odito.in domain.
  • Aadhaar OTP verification: a UIDAI-authorised KYC provider (to be appointed). Only the Aadhaar number and OTP are shared with this provider, and only at the moment of verification.
  • Error monitoring: Sentry — captures stack traces with personal data redacted.

4. How long we keep it

  • Account, listings, chat: for the life of your account and as required by Indian intermediary record-keeping rules thereafter.
  • OTP codes: hashed; deleted after 24 hours regardless of verification outcome.
  • Aadhaar number: retained encrypted only while the Verified Badge is active; deleted on erasure request.
  • Audit logs: 24 months, supporting fraud investigation and grievance redressal.

5. Your rights as a data principal

Under sections 11–14 of the DPDP Act you may:

  • Access a summary of your personal data we hold.
  • Correct inaccurate or outdated data.
  • Erase your data, subject to lawful retention obligations.
  • Withdraw consent at any time; processing already done remains lawful.
  • File a grievance with our Grievance Officer (see below).

To exercise any of these rights, submit a request from the data-principal requests page in your account, or email grievance@odito.in. We acknowledge within 24 hours and resolve within 15 days as required by the Information Technology Rules, 2021.

6. Cookies and similar technologies

We use a small number of strictly-necessary cookies for session authentication and CSRF protection. We do not use third-party advertising or behavioural-tracking cookies. The Cloudinary CDN may set technical cookies for image delivery.

7. Children

Odito is not directed at users under the age of 18. We do not knowingly process personal data of children. If you believe a minor has registered, write to us and we will delete the account.

8. Grievance Officer

Appointed under the Information Technology Rules, 2021 §3(2) and DPDP §13:

  • Name: Mahendra Bugaliya
  • Email: grievance@odito.in
  • Postal address: Artifact Stonex Pvt. Ltd., Makrana, Nagaur, Rajasthan, India
  • Company CIN: U23993RJ2024PTC095646

9. Open items (pre-launch)

This policy is published in good faith ahead of launch. Two items are being completed and will be reflected here once done:

  • Migration of the odito.in production server to a Hostinger India region for data residency under DPDP §17. Until that migration is complete, no production personal data is being processed.
  • Appointment of the Aadhaar OTP verification provider. Verification is disabled in production until this is in place.

10. Changes to this policy

We will publish any material change on this page with a new effective date. If a change affects your rights, we will email account holders.