Bullionare

Legal

Privacy Policy

Last updated: June 2026

This Privacy Policy ("Policy") describes how Bullionare Times Private Limited (CIN: U24205KA2023PTC176302), having its registered office at 2nd Floor, 28/6/3, Laxmi Tower 3, Nagarathpet Cross, Kempana Lane, Bengaluru – 560002, Karnataka, India ("Bullionare", "Gold Pay", "we", "us", or "our") collects, uses, shares, stores and otherwise processes your personal information when you access or use our website (bullionare.com, gold-pay.co), mobile applications, or any related services (collectively, the "Services").

This Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023 ("DPDP Act"). By using the Services, you consent to the practices described here.

1. Information we collect

1.1 Personal Information

  • Identity data – full name, date of birth, gender, photograph, signature.
  • Contact data – email address, mobile number, billing & shipping address, nominee details.
  • Government-issued IDs (KYC) – PAN, Aadhaar (masked), Passport, Voter ID, or Driving Licence as required under the Prevention of Money Laundering Act, 2002 ("PMLA") and RBI/SEBI norms.

1.2 Financial Information

  • Bank account number, IFSC, UPI ID, payment instrument details (processed by PCI-DSS compliant payment partners; we do not store full card numbers or CVV).
  • Transaction history, holdings, redemptions, sell-backs, gifts and related metadata.

1.3 App Activity & Device Data

  • Pages viewed, in-app actions, search queries, time spent, crash logs.
  • Device identifiers (IDFA/AAID), IP address, browser type, operating system, mobile network information, advertising ID.
  • Approximate location (derived from IP) — we do not access precise GPS unless you explicitly grant permission.

1.4 Information from third parties

We may receive data from KYC verification agencies (e.g. CKYC, NSDL e-Gov, Karza, Digio), payment gateways (e.g. Razorpay, PayU, Cashfree), credit information companies (where applicable), and our vaulting & logistics partners (e.g. Sequel Logistics, Brink's India) for fulfilling and securing your transactions.

2. Purposes for processing

PurposeLegal basis
Create and operate your Bullionare / Gold Pay accountPerformance of contract
KYC, AML and counter-terrorism financing complianceLegal obligation (PMLA, RBI/SEBI)
Process buy / sell / redemption / delivery transactionsPerformance of contract
Fraud prevention, risk scoring, platform securityLegitimate interest / legal obligation
Customer support & dispute resolutionPerformance of contract
Service notifications (OTP, order updates, statements)Performance of contract
Marketing, offers, promotional communicationsConsent (you can opt out anytime)
Product analytics, crash reporting, A/B testingConsent / legitimate interest
Tax reporting (TCS, GST), regulatory filingsLegal obligation

3. Sharing & disclosure

We do not sell your personal information. We share information strictly with:

  • Vaulting & custodian partners – to allocate, store and insure physical gold against your holdings.
  • Logistics partners – for last-mile insured delivery, only the data required to deliver.
  • Payment gateways & banks – to process payments, refunds and payouts.
  • KYC service providers – to verify identity documents against authoritative sources.
  • Analytics & crash-reporting providers – Google Firebase, Crashlytics or equivalent, configured with IP anonymisation and short retention where supported.
  • Regulatory & law-enforcement authorities – when required under applicable Indian law, court order or government directive.
  • Professional advisors & auditors – under strict confidentiality.
  • Successor entities – in case of a merger, acquisition, or reorganisation, subject to the same protections.

4. Data security

  • Transport-layer encryption (TLS 1.2 or higher) for all data in transit.
  • Encryption at rest for sensitive personal data and KYC documents using AES-256.
  • Role-based access control, principle of least privilege, mandatory MFA for internal access.
  • Periodic vulnerability assessment and penetration testing (VAPT) of our applications and infrastructure.
  • ISO 27001-aligned information security management practices.

No method of transmission over the internet is 100% secure; while we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.

5. Data retention

Data categoryRetention period
KYC documents & related records8 years from end of relationship (PMLA)
Transaction records8 years (PMLA / Companies Act)
Tax invoices & GST records8 years (GST Act)
Account & contact informationDuration of account + 8 years thereafter
Marketing consentsUntil withdrawn
Server logsUp to 180 days

On expiry of the retention period, data is securely deleted or irreversibly anonymised.

6. Your rights as a Data Principal (DPDP Act, 2023)

  • Right to access a summary of your personal data and processing activities.
  • Right to correction & erasure of inaccurate, incomplete or outdated data, subject to legal retention obligations.
  • Right to grievance redressal within statutorily prescribed timelines.
  • Right to nominate another individual to exercise your rights in case of death or incapacity.
  • Right to withdraw consent for processing based on consent at any time.

To exercise these rights, email info@bullionare.com with the subject "Data Principal Request". We will respond within 30 days.

7. Cookies & similar technologies

We use first-party and third-party cookies for session management, preference storage, analytics and limited marketing attribution. You can disable cookies in your browser; some features may not function correctly without them.

8. Children

Our Services are intended only for individuals 18 years or older. We do not knowingly collect personal data from minors. Parents or guardians who believe a minor has provided us data may write to info@bullionare.com for deletion.

9. Cross-border transfers

Your personal data is primarily stored and processed in data centres located in India. Where third-party processors operate from outside India, transfers are made only to jurisdictions notified as permissible by the Central Government under the DPDP Act, with contractual safeguards in place.

10. Third-party links

Our Services may contain links to third-party websites and applications, including Gold Pay (gold-pay.co). Their data practices are governed by their own privacy policies, which we encourage you to review.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified via the app, email or website at least 7 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

12. Grievance Officer & contact

In accordance with Rule 5(9) of the SPDI Rules and Section 8(9) of the DPDP Act, 2023, the designated Grievance Officer is:

  • Grievance Officer: Customer Grievance Cell
  • Company: Bullionare Times Private Limited
  • Address: 2nd Floor, 28/6/3, Laxmi Tower 3, Nagarathpet Cross, Kempana Lane, Bengaluru – 560002
  • Email: info@bullionare.com
  • Phone: +91 91645 39990 (Mon–Sat, 10:00–18:00 IST)

All grievances are acknowledged within 24 hours and resolved within 30 days, in line with applicable regulations.

13. Governing law & jurisdiction

This Policy is governed by the laws of India. Courts at Bengaluru, Karnataka shall have exclusive jurisdiction over any disputes.