Legal
Privacy Policy
Last updated: June 2026
This Privacy Policy ("Policy") describes how Bullionare Times Private Limited (CIN: U24205KA2023PTC176302), having its registered office at 2nd Floor, 28/6/3, Laxmi Tower 3, Nagarathpet Cross, Kempana Lane, Bengaluru – 560002, Karnataka, India ("Bullionare", "Gold Pay", "we", "us", or "our") collects, uses, shares, stores and otherwise processes your personal information when you access or use our website (bullionare.com, gold-pay.co), mobile applications, or any related services (collectively, the "Services").
This Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023 ("DPDP Act"). By using the Services, you consent to the practices described here.
1. Information we collect
1.1 Personal Information
- Identity data – full name, date of birth, gender, photograph, signature.
- Contact data – email address, mobile number, billing & shipping address, nominee details.
- Government-issued IDs (KYC) – PAN, Aadhaar (masked), Passport, Voter ID, or Driving Licence as required under the Prevention of Money Laundering Act, 2002 ("PMLA") and RBI/SEBI norms.
1.2 Financial Information
- Bank account number, IFSC, UPI ID, payment instrument details (processed by PCI-DSS compliant payment partners; we do not store full card numbers or CVV).
- Transaction history, holdings, redemptions, sell-backs, gifts and related metadata.
1.3 App Activity & Device Data
- Pages viewed, in-app actions, search queries, time spent, crash logs.
- Device identifiers (IDFA/AAID), IP address, browser type, operating system, mobile network information, advertising ID.
- Approximate location (derived from IP) — we do not access precise GPS unless you explicitly grant permission.
1.4 Information from third parties
We may receive data from KYC verification agencies (e.g. CKYC, NSDL e-Gov, Karza, Digio), payment gateways (e.g. Razorpay, PayU, Cashfree), credit information companies (where applicable), and our vaulting & logistics partners (e.g. Sequel Logistics, Brink's India) for fulfilling and securing your transactions.
2. Purposes for processing
| Purpose | Legal basis |
|---|---|
| Create and operate your Bullionare / Gold Pay account | Performance of contract |
| KYC, AML and counter-terrorism financing compliance | Legal obligation (PMLA, RBI/SEBI) |
| Process buy / sell / redemption / delivery transactions | Performance of contract |
| Fraud prevention, risk scoring, platform security | Legitimate interest / legal obligation |
| Customer support & dispute resolution | Performance of contract |
| Service notifications (OTP, order updates, statements) | Performance of contract |
| Marketing, offers, promotional communications | Consent (you can opt out anytime) |
| Product analytics, crash reporting, A/B testing | Consent / legitimate interest |
| Tax reporting (TCS, GST), regulatory filings | Legal obligation |
3. Sharing & disclosure
We do not sell your personal information. We share information strictly with:
- Vaulting & custodian partners – to allocate, store and insure physical gold against your holdings.
- Logistics partners – for last-mile insured delivery, only the data required to deliver.
- Payment gateways & banks – to process payments, refunds and payouts.
- KYC service providers – to verify identity documents against authoritative sources.
- Analytics & crash-reporting providers – Google Firebase, Crashlytics or equivalent, configured with IP anonymisation and short retention where supported.
- Regulatory & law-enforcement authorities – when required under applicable Indian law, court order or government directive.
- Professional advisors & auditors – under strict confidentiality.
- Successor entities – in case of a merger, acquisition, or reorganisation, subject to the same protections.
4. Data security
- Transport-layer encryption (TLS 1.2 or higher) for all data in transit.
- Encryption at rest for sensitive personal data and KYC documents using AES-256.
- Role-based access control, principle of least privilege, mandatory MFA for internal access.
- Periodic vulnerability assessment and penetration testing (VAPT) of our applications and infrastructure.
- ISO 27001-aligned information security management practices.
No method of transmission over the internet is 100% secure; while we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.
5. Data retention
| Data category | Retention period |
|---|---|
| KYC documents & related records | 8 years from end of relationship (PMLA) |
| Transaction records | 8 years (PMLA / Companies Act) |
| Tax invoices & GST records | 8 years (GST Act) |
| Account & contact information | Duration of account + 8 years thereafter |
| Marketing consents | Until withdrawn |
| Server logs | Up to 180 days |
On expiry of the retention period, data is securely deleted or irreversibly anonymised.
6. Your rights as a Data Principal (DPDP Act, 2023)
- Right to access a summary of your personal data and processing activities.
- Right to correction & erasure of inaccurate, incomplete or outdated data, subject to legal retention obligations.
- Right to grievance redressal within statutorily prescribed timelines.
- Right to nominate another individual to exercise your rights in case of death or incapacity.
- Right to withdraw consent for processing based on consent at any time.
To exercise these rights, email info@bullionare.com with the subject "Data Principal Request". We will respond within 30 days.
7. Cookies & similar technologies
We use first-party and third-party cookies for session management, preference storage, analytics and limited marketing attribution. You can disable cookies in your browser; some features may not function correctly without them.
8. Children
Our Services are intended only for individuals 18 years or older. We do not knowingly collect personal data from minors. Parents or guardians who believe a minor has provided us data may write to info@bullionare.com for deletion.
9. Cross-border transfers
Your personal data is primarily stored and processed in data centres located in India. Where third-party processors operate from outside India, transfers are made only to jurisdictions notified as permissible by the Central Government under the DPDP Act, with contractual safeguards in place.
10. Third-party links
Our Services may contain links to third-party websites and applications, including Gold Pay (gold-pay.co). Their data practices are governed by their own privacy policies, which we encourage you to review.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified via the app, email or website at least 7 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Grievance Officer & contact
In accordance with Rule 5(9) of the SPDI Rules and Section 8(9) of the DPDP Act, 2023, the designated Grievance Officer is:
- Grievance Officer: Customer Grievance Cell
- Company: Bullionare Times Private Limited
- Address: 2nd Floor, 28/6/3, Laxmi Tower 3, Nagarathpet Cross, Kempana Lane, Bengaluru – 560002
- Email: info@bullionare.com
- Phone: +91 91645 39990 (Mon–Sat, 10:00–18:00 IST)
All grievances are acknowledged within 24 hours and resolved within 30 days, in line with applicable regulations.
13. Governing law & jurisdiction
This Policy is governed by the laws of India. Courts at Bengaluru, Karnataka shall have exclusive jurisdiction over any disputes.