Privacy Policy
Last updated: 28 May 2026
xcoms (“the Service”) is operated by XSpine Tech, a company incorporated in India with its registered office at Vidya Nagar Cross Rd 12, Kadavanthra, Ernakulam, Kerala 682020 (“XSpine”, “we”, “us”, “our”). This policy explains what information we collect from you, why we collect it, how we use it, and the rights you have over it.
We are committed to handling personal data in line with India’s Digital Personal Data Protection Act, 2023 (DPDP Act). If anything below is unclear, write to us at info@xspine.in — we’d rather answer a question than have you guess.
1. Information we collect
Account information — when you sign up as a bakery owner or staff member, we collect your name, email, mobile number, password (hashed), bakery name, branch addresses, and the currency / GST settings you provide.
Business data — orders, menu items, prices, customer records you create, inventory levels, production status, invoices, online-storefront content, WhatsApp campaign drafts, and any files you upload (cake photos, logos, etc.). This data belongs to you; we store it on your behalf.
End-customer data your bakery captures — when a customer of your bakery places an order (in person, via WhatsApp, or through your online storefront), we store the name, phone number, address, order history, allergy notes, and any other details your bakery records about that customer. You are the data fiduciary for this information under the DPDP Act; we are the data processor.
Payment information — when you pay for a subscription, our payment processor (Razorpay) collects card or UPI details. We never see or store full card numbers; we only receive a transaction ID and status.
Usage data — basic, aggregated information about how the Service is used: pages visited, errors encountered, device type, and approximate location derived from IP. We do not run third-party advertising trackers on xcoms.in.
2. How we use information
- Provide and operate the xcoms platform and your online storefront.
- Process subscription payments and send invoices, payment reminders, and service notifications.
- Respond to your enquiries, support tickets, and customer success conversations.
- Improve the product — fix bugs, measure feature usage, plan roadmap priorities.
- Comply with applicable Indian law (GST records, lawful requests from public authorities).
We do not sell your data or your customers’ data to anyone. Ever.
3. Sharing with third parties
We share data with a small number of service providers, only to the extent needed to deliver the Service:
- Cloud hosting — Render (compute) and Cloudflare R2 (file storage), both in their India / Asia regions where available.
- Payment processing — Razorpay Software Pvt. Ltd. for subscription billing.
- Messaging — Meta’s WhatsApp Business API for invoices and campaign messages your bakery sends.
- Email — transactional email delivery providers for password resets and receipts.
Each provider is contractually bound to use the data only for the service we ask of them. We will disclose data to law enforcement only on receipt of a lawful, valid request.
4. Data retention
We keep your business data for as long as your subscription is active. After cancellation we retain it for an additional 90 days so you can re-subscribe and pick up where you left off, then we delete or irreversibly anonymise it. GST and financial records are retained for the minimum period required under Indian tax law (currently 8 years).
5. Your rights under the DPDP Act
You have the right to:
- Access the personal data we hold about you.
- Correct any information that is inaccurate or out of date.
- Erase your account and the personal data we hold about you.
- Withdraw consent for any optional data processing.
- File a grievance with our Grievance Officer (details below) — and, if not resolved, with the Data Protection Board of India.
To exercise any of these rights, email info@xspine.in with the subject “Privacy request”. We aim to respond within 7 business days.
6. Security
We use TLS 1.2+ for every connection, encrypt data at rest in our database and file storage, hash passwords with industry-standard algorithms, and restrict production database access to a small number of XSpine engineers. No system is perfectly secure; if we discover a breach affecting your data, we will notify you and the Data Protection Board within the time-frames required by law.
7. Cookies
xcoms.in uses a small number of strictly necessary cookies (session, CSRF) and no advertising / cross-site tracking cookies. The xcoms app (app.xcoms.in) uses cookies only for sign-in and your preferences. We do not load Google Analytics or similar trackers on this marketing site.
8. Children
xcoms is a business tool not intended for use by anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
9. Changes to this policy
We may update this policy as the product evolves or the law changes. When we do, we’ll update the “Last updated” date above and, for material changes, notify subscription holders by email at least 14 days before the change takes effect.
10. Grievance Officer
In accordance with the DPDP Act and IT Rules, our Grievance Officer is:
Visal Suresh
XSpine Tech
Vidya Nagar Cross Rd 12, Kadavanthra,
Ernakulam, Kerala 682020, India
info@xspine.in