Business Privacy Policy | PetNimbus Business

This Business Privacy Policy ("Business Privacy Policy") explains how GOODSHIFT Private Limited (CIN: U63122BR2026PTC081407), operating the PetNimbus platform ("PetNimbus", "we", "us"), collects, uses, stores, shares, retains, and protects personal data and business information of partner businesses ("Business Partner", "you") registered on the PetNimbus Business portal. It also sets out the obligations of the Business Partner when it processes Customer data received through the Platform.

This Business Privacy Policy should be read together with the Partner Terms & Conditions, the consumer-facing Privacy Policy, and the Terms & Conditions. By registering as a Business Partner, you acknowledge that you have read and agreed to this Business Privacy Policy.

1. Definitions

Business Partner / Partner: The registered legal entity or individual professional that has signed up on the PetNimbus Business portal.
Authorised Signatory: The individual designated by the Business to sign up, accept Partner Terms, and manage the Business account.
KYC Data: Identity, business registration, licence, and tax documents submitted by the Business for verification.
Bank Data: Bank account number, IFSC, account holder name, cancelled cheque / passbook image, and any other information required for current-period commission reconciliation and for the future online payout model.
Service Data: Information the Business adds to its dashboard to deliver services — service descriptions, pricing, working hours, staff profiles, menus, etc.
Customer-Facing Data: Customer personal data the Business receives through the Platform to fulfil an Appointment (see Partner Terms Section 10).
Data Fiduciary, Data Principal, Data Processor: As defined in the DPDP Act 2023.

2. Data Fiduciary Declaration

GOODSHIFT Private Limited is the Data Fiduciary under the DPDP Act 2023 for all Business Partner personal data processed through the PetNimbus Business portal.
The Authorised Signatory of the Business is a Data Principal in respect of their own personal data (name, phone, email, Aadhaar, PAN) submitted during onboarding and retains all rights under the DPDP Act 2023 Chapter III.
When the Business receives Customer-Facing Data through the Platform to fulfil an Appointment, the Business acts as a Data Processor on behalf of PetNimbus for that Customer data. The obligations of the Business as a Data Processor are set out in Section 10 and in the Partner Terms.

3. Data Collected from the Business

PetNimbus collects the following categories of data directly from the Business during onboarding and over the course of the partnership:

3.1 Authorised Signatory Personal Data

Full name
Mobile phone number (verified via OTP through 2Factor.in)
Email address
Aadhaar number (last 4 digits displayed in the dashboard; the full Aadhaar is stored encrypted and used only for KYC verification against the UIDAI offline e-KYC dataset where applicable)
PAN (linked to the Business PAN where the signatory is also the proprietor)
Residential address (where different from the business address)

3.2 Business Entity Data

Registered legal name of the entity
Trade name / brand name (if different)
Entity type (private limited, LLP, partnership, proprietorship, NGO, society)
CIN / LLPIN / registration number (as applicable)
Business PAN
GSTIN (if registered)
FSSAI licence number (for pet cafes / boarding serving food)
Veterinary Council of India (VCI) or State Veterinary Council registration (for vet clinics)
Trade Licence / Shop & Establishment Act registration
12A / 80G certificate (for NGO / Shelter accounts)

3.3 Bank Data

Bank account number
IFSC
Account holder name
Cancelled cheque or passbook front-page image

Bank Data is collected now to enable the future online payout model (see Partner Terms Section 5). Under the current payment model, PetNimbus does not transfer money to the Business; Bank Data is held in preparation for the future model and for any exceptional refund reversals.

3.4 Location & Service Data

Business address & precise geocoordinates (used for map display, distance calculation, and service-zone matching)
Working hours and availability schedule
Service descriptions, pricing, duration, and capacity
Menu, price list, and pet-size/breed applicability
Clinic / facility photos, staff photos, service photos uploaded by the Business

3.5 Operational & Performance Data

Appointment history: bookings received, confirmed, completed, cancelled, NO_SHOW rate
Customer ratings and reviews
Response time, acceptance time, support-chat activity
Commission history and payout reconciliation records (BusinessPayout entries)
Dashboard login times, IP address, device type (session logs retained for 90 days for security)

4. Purposes of Collection

PetNimbus processes Business Partner data for the following specific purposes:

KYC verification to confirm identity, eligibility, and licensure before listing the Business on the Platform.
Commission reconciliation under the current model (Section 4 of the Partner Terms) and payout settlement under the future online payout model (Section 5 of the Partner Terms).
Service delivery facilitation: routing bookings, enabling the dashboard, supporting chat between Customer and Business.
GST, TDS, and tax compliance: generating commission invoices, issuing TDS certificates (future payout model), filing mandatory returns with the GSTN and Income Tax Department.
Fraud, abuse, and safety monitoring: detecting NO_SHOW abuse, fake documents, chargeback abuse, unlicensed practice.
Customer safety: computing internal trust indicators for the Business (not displayed publicly).
Dispute resolution and grievance redressal.
Regulatory reporting when legally compelled by a court order, government authority, or applicable law (e.g., the Data Protection Board of India, Income Tax Department, GSTN, Enforcement Directorate under the Prevention of Money Laundering Act 2002).
Platform product improvement and analytics on aggregated, de-identified metrics.

5. Legal Basis for Processing

PetNimbus processes Business Partner data on the following legal bases under the DPDP Act 2023:

Consent (DPDP Act Section 6): Implied by the Authorised Signatory's acceptance of the Partner Terms and this Business Privacy Policy at registration.
Legitimate Use — Performance of a contract (DPDP Act Section 7(a)): Processing necessary to provide the Platform services, settle commissions, and honour obligations under the Partner Terms.
Legitimate Use — Compliance with law (DPDP Act Section 7(b)): Processing required to comply with the Companies Act 2013, Income Tax Act 1961, CGST / SGST / IGST Acts 2017, Prevention of Money Laundering Act 2002, Prevention of Cruelty to Animals Act 1960, and IT Rules 2021.
Legitimate Use — Compliance with court / authority orders (DPDP Act Section 7(c)): Responding to lawful requests from courts, tribunals, and regulators.

6. Data Storage & Security

Hosting location: All Business Partner data is stored in AWS Asia-South-1 (Mumbai) region. Data is not transferred outside India other than where expressly disclosed in Section 7 (Third-Party Processors) and where adequate contractual safeguards are in place.
Encryption in transit: TLS 1.3 for all API calls to and from the Business dashboard and mobile app.
Encryption at rest: AES-256 encryption on AWS RDS (PostgreSQL) and AWS S3 for all persisted data.
Sensitive-data encryption: Aadhaar (full), PAN, and Bank Data are encrypted with a separate AWS KMS-managed key and are accessible only to a restricted set of compliance / finance staff.
KYC document storage: KYC Documents uploaded by the Business are stored in a private AWS S3 bucket that is never publicly accessible. Access is available only via time-limited presigned URLs (valid 15 minutes) to authorised compliance personnel.
Access controls: Role-based access control, audit logging of every access to sensitive documents, mandatory MFA for staff accounts with access to the production environment.
Authentication: Business dashboard login uses JWT with bcrypt password hashing, OTP verification at registration, and session-timeout enforcement.
Error monitoring: Sentry receives sanitised crash and error reports without any personal-data payloads.

7. Third-Party Data Processors

PetNimbus shares Business Partner data with the following sub-processors strictly for the purposes stated. Each processor operates under a written data-processing agreement with PetNimbus and is required to meet the security and confidentiality standards mandated by the DPDP Act 2023 and this Business Privacy Policy.

Amazon Web Services (AWS) — Cloud hosting, database, S3 storage. Region: Asia-South-1 (Mumbai). Data processed: all Business Partner data at rest.
Razorpay — Commission invoicing under the current model; payout settlement under the future online payout model. Data processed: Business legal name, PAN, GSTIN, bank account details, commission transaction records. Razorpay is a PCI DSS Level-1 certified payment service provider and a Reserve Bank of India licensed Payment Aggregator.
2Factor.in — OTP delivery for Authorised Signatory phone verification at registration and for password resets. Data processed: phone number and one-time passcode.
Google Cloud Vision API — Automated image moderation of Business-uploaded images (profile, clinic, services, staff, menu photos) for safety, policy compliance, and anti-fraud checks. Data processed: image pixels only; no Business identifiers are shared.
Firebase Cloud Messaging (FCM) — Push-notification delivery to the Business dashboard and partner mobile app. Data processed: device token, notification payload (e.g., new booking alert).
Resend — Transactional email delivery (booking notifications, commission statement emails, grievance acknowledgments). Data processed: email address and email content.
Sentry — Error and crash reporting for the Business portal. Data processed: stack traces and sanitised error metadata; no personal-data payloads are sent.
Upstash Redis (or equivalent managed Redis) — Server-side caching, Business dashboard session token storage, rate limiting, and distributed cron-lock coordination. Data processed: short-lived cache entries keyed by Business or session identifier.
OpenAI — Not used for Business Partner data. OpenAI is used only on the consumer side for AI Nutrition Plans and receipt parsing in the Pet Financial Hub. No Business Partner data is ever sent to OpenAI.

PetNimbus does not sell, rent, or trade Business Partner data to any third party for advertising or any commercial purpose unrelated to providing the Platform.

8. Data Retention Schedule

KYC Documents (PAN, Aadhaar, business registration, licences, cancelled cheque): 7 years from the date of partnership termination, as required by the Income Tax Act 1961 (Section 44AA and related retention rules), the Companies Act 2013, and the Prevention of Money Laundering Act 2002.
Commission / BusinessPayout reconciliation records: 7 years from the date of the transaction, for tax audit and GST-audit purposes.
Active Business dashboard data (service listings, pricing, working hours): retained as long as the Business account is active.
Clinic photos, service photos, staff photos: retained while the account is active. Deleted within 90 days of termination on written request from the Business.
Dashboard login session logs & IP addresses: 90 days, then purged.
Customer Appointment records (where the Business was the service provider): 3 years from the appointment date for tax and dispute-resolution purposes, then auto-archived.
Chat messages between Business and Customer: retained per the consumer Privacy Policy; typically 1 year for active accounts.
Grievance & dispute records: 5 years per the Consumer Protection Act 2019 limitation period.

Data retained beyond the active partnership period is held in cold storage with restricted access, used only for legal-compliance, audit, and dispute-resolution purposes, and is not used for any other processing.

9. Rights of the Authorised Signatory as a Data Principal

Under the DPDP Act 2023, the Authorised Signatory has the following rights in respect of their personal data:

Right to access information about personal data (DPDP Act Section 11): Request a summary of the personal data processed, the processing activities undertaken, and the identities of Data Fiduciaries / Data Processors with whom the data has been shared.
Right to correction and erasure (DPDP Act Section 12): Correct inaccurate or incomplete personal data, update outdated personal data, and request erasure of personal data that is no longer necessary for the original purpose, subject to legal retention overrides stated in Section 8 above.
Right of grievance redressal (DPDP Act Section 13): Raise a grievance with the PetNimbus Grievance Officer (see Section 13 below).
Right to nominate (DPDP Act Section 14): Nominate another individual who shall, in the event of death or incapacity of the Authorised Signatory, exercise the rights of the Data Principal.
Withdrawal of consent (DPDP Act Section 6(4) and deemed withdrawal under Section 16): Withdraw consent previously given. Note: withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal, and does not override processing carried out on other legal bases (e.g., compliance with tax laws). Withdrawal of consent may result in the Business account being suspended or terminated, because the Platform cannot be provided without processing the relevant data.

How to exercise your rights: Send an email to grievance@petnimbus.com from the registered email address on file, with the subject line "DPDP Rights Request — Business Portal", stating the specific right(s) you wish to exercise. PetNimbus may request verification of identity before acting on the request. PetNimbus will acknowledge within 24 hours and resolve within 15 calendar days.

10. Customer Data Received via the Platform — Business as Data Processor

When the Business receives Customer-Facing Data through the Platform to fulfil an Appointment, the Business acts as a Data Processor for that Customer data and is bound by the following obligations in addition to Section 10 of the Partner Terms:

Purpose limitation: Use Customer-Facing Data only to deliver the specific service booked. Do not process Customer-Facing Data for any other purpose, including marketing, upselling, research, or sharing with affiliates, without PetNimbus's prior written authorisation and the Customer's explicit consent.
Storage minimisation: Do not retain Customer-Facing Data beyond the completion of the Appointment, except for the minimum required by law (e.g., tax invoice record, clinical vet record). Do not export Customer lists or contact databases.
Security safeguards: Implement reasonable technical and organisational measures to protect Customer-Facing Data against unauthorised access, loss, and destruction, commensurate with the sensitivity of the data and the scale of the Business's operations.
Onward transfer restriction: Do not transfer Customer-Facing Data to any third party (including cloud service providers of the Business's own choosing, CRM platforms, or marketing-automation providers) without PetNimbus's prior written authorisation.
Breach notification: Notify PetNimbus at grievance@petnimbus.com within 24 hours of discovering any actual or suspected personal-data breach involving Customer-Facing Data. Provide all information reasonably required for PetNimbus to notify the Data Protection Board of India and the affected Customers under the DPDP Act 2023.
Sub-processor restriction: Do not engage sub-processors (e.g., third-party receptionists, external record-keepers) to process Customer-Facing Data without PetNimbus's prior written consent.
Co-operation with rights requests: Promptly assist PetNimbus in responding to Customer data-access, correction, and erasure requests that touch the Customer-Facing Data held by the Business.
Liability: Breaches of this Section 10 or of the analogous Section 10 of the Partner Terms are the sole liability of the Business under DPDP Act 2023 Section 8(5) and (6). The Business shall indemnify PetNimbus in full for any penalty, fine, compensation, regulatory action, or cost resulting from such a breach.

11. Cookies & Tracking on the Business Portal

The Business Portal uses essential session cookies (JWT-based authentication token persisted in localStorage) for login continuity and CSRF protection. These cookies are strictly necessary for the operation of the portal and are not used for analytics or advertising.
The Business Portal does not use third-party tracking cookies, behavioural-advertising pixels, or cross-site identifiers.
The session token is cleared on logout and on session expiry.

12. Changes to This Business Privacy Policy

PetNimbus may update this Business Privacy Policy from time to time to reflect changes in law, sub-processors, or platform functionality.
Material changes (including changes to sub-processors handling Business Partner data, data-retention extensions, or expansion of the purposes of processing) will be notified at least 15 calendar days in advance via email to the registered email address and via an in-dashboard banner.
Continued use of the Business Portal after the effective date of the updated policy constitutes acceptance.

13. Grievance Officer

Name: Grievance Officer, GOODSHIFT Private Limited
Email: grievance@petnimbus.com
Postal Address: 302, BLOCK-C, MOTI BHAVAN, NEAR RBI ROAD, SALIMPUR, Patna Collectoriate, Phulwari, Patna – 800001, Bihar, India
Acknowledgment SLA: Within 24 hours of receipt.
Resolution SLA: Best effort within 15 calendar days per IT Rules 2021 Rule 3(2).

In the unlikely event that a grievance is not resolved to the Business's satisfaction, the Business may escalate the matter to the Data Protection Board of India as contemplated under the DPDP Act 2023.

14. Contact Us

GOODSHIFT Private Limited — PetNimbus Partner Team

Partner enquiries: partner@petnimbus.com
Privacy & DPDP requests: grievance@petnimbus.com
Registered office: 302, BLOCK-C, MOTI BHAVAN, NEAR RBI ROAD, SALIMPUR, Patna Collectoriate, Phulwari, Patna – 800001, Bihar, India
CIN: U63122BR2026PTC081407