Privacy Policy · MeetGrow

This Privacy Policy explains how Visionxpress Media House Private Limited ("we", "us", "Company") collects, uses, shares and protects personal data of users of the MeetGrow platform ("Platform"). It is issued in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 and rules made thereunder, and any other applicable law.

1. Who we are

Field	Value
Legal name	Visionxpress Media House Private Limited
CIN	U63122DL2025PTC459881
Registered office	124, 1st Floor, Block QP, Kothi Pitampura, Rani Bagh, New Delhi 110034
Data Protection Officer	Mr. Kanish Malhotra
DPO email	[email protected]
Customer support	[email protected]
Office hours	Monday – Friday, 10 AM – 6 PM IST

The Company is the Data Fiduciary for the personal data described in this Policy. Where we process data on behalf of an Organiser (for example, attendee lists shared with the Organiser), the Company acts as a Data Processor for that limited purpose and the Organiser acts as Data Fiduciary.

2. The personal data we collect

Information you give us

Mobile number (mandatory at sign-in).
Name and email (when you complete your profile or buy a ticket).
Age / date of birth (if required by an age-restricted event).
Billing/GST information (only if you opt for a GST invoice).
Profile photo (optional).
Communication content (your messages to support, grievances, reviews).
Payment-instrument information — handled directly by our payment aggregator and not stored by us. We only retain a transaction reference, last 4 digits of the card / UPI handle, and gateway response.

Information collected automatically

Device identifiers (mobile model, OS, browser).
IP address (truncated to /24 for analytics).
Approximate location derived from IP (city-level only).
Cookies and similar technologies — see our Cookie Policy.
Usage data — pages viewed, events browsed, search terms, time on page.
Sentry error logs (with PII automatically scrubbed).
PostHog product analytics (text inputs masked; consent-gated).

Information from third parties

Verification data from MSG91 (WhatsApp/SMS OTP delivery confirmations).
Payment status from Razorpay.
Organiser-supplied data (e.g., guest-list uploads).

3. Purposes of processing and legal basis

Purpose	Categories of data	Legal basis (DPDP Act)
Create and maintain your account	Phone, OTP logs, profile	Necessary for performance of the contract
Process bookings and payments	Phone, name, email, payment ref	Necessary for performance of the contract
Issue GST invoices and maintain financial records	Identity, GSTIN	Legal obligation (GST Act, Companies Act)
Customer support and grievance redressal	Identity, contact, communication	Legitimate use
Fraud prevention and platform security	IP, device, behavioural signals	Legitimate use
Transactional and event-related communications	Phone, email	Necessary for performance of the contract
Marketing communications	Email, phone, behavioural signals	Consent (separate, withdrawable)
Product analytics	De-identified usage data	Consent (cookie banner)
Compliance with law, including tax filings and statutory record-keeping	All applicable data	Legal obligation

4. Sharing with third parties

We share personal data only as described below, and only to the minimum extent needed for the purpose:

Recipient	Purpose	Country
Razorpay Software Pvt Ltd	Payment processing, refunds, settlements	India
MSG91 (Walkover Web Solutions)	OTP delivery via WhatsApp/SMS	India
Resend Inc.	Transactional email delivery	USA (data may transit)
Supabase (Supabase Inc., AWS Mumbai region)	Database hosting	India (data at rest)
Cloudflare R2	File storage; image delivery	India edge nodes; data resides in India region
Sentry (Functional Software, Inc.)	Error monitoring (with PII scrubber)	USA
PostHog (PostHog, Inc.)	Product analytics (consent-gated; inputs masked)	EU/USA
Organisers	Attendee list for events you book	India
Government authorities	When mandated by lawful order	India

We do not sell personal data to any third party.

5. Cross-border transfers

The DPDP Act permits cross-border transfer of personal data except to countries notified by the Central Government as restricted. We transfer data only to processors located outside India where (a) the transfer is necessary for the service, (b) the recipient is bound by appropriate confidentiality and security obligations, and (c) the destination country is not on the notified restricted list.

The current list of cross-border processors and their roles is in clause 4.

6. Retention

We retain personal data only as long as is necessary for the purpose for which it was collected, or as required by law:

Data category	Retention period
Active account data	Until you delete the account
Booking and tax records	8 years (Companies Act, Income Tax Act)
Payment gateway logs	8 years (RBI guidance)
Marketing consent and history	Until consent is withdrawn + 18 months audit log
Support and grievance tickets	3 years from closure
Sentry error logs	90 days
PostHog raw events	12 months
Server access logs	30 days
Aggregated, anonymised analytics	Indefinitely

7. Your rights under the DPDP Act

You have the right to:

Access — confirmation of whether we process your data and a summary of the data and processing activities.
Correction and erasure — correct inaccurate data; erase data no longer needed.
Withdraw consent — for any processing based on consent (e.g., marketing).
Grievance redressal — escalate any concern to our Grievance Officer (clause 9).
Nominate — nominate another individual to exercise your rights in case of death or incapacity.
Data portability — export your data via our self-service tool at /account/export-my-data (returns a JSON file in human and machine-readable form).

To exercise these rights, write to [email protected]. We will respond within 30 days. We may verify your identity before acting on a request.

8. Children (under 18)

The minimum age to create an account is 13. Persons aged 13 to under 18 may use the Platform only with verifiable consent from a parent or legal guardian. We do not knowingly:

track or profile children for behavioural advertising;
send marketing communications to children;
deny or limit any service required for the child's safety.

Our full Children's Privacy Policy describes how parental consent is captured and verified.

9. Grievance Officer and Data Protection Officer

For any privacy concern:

Grievance Officer: Mr. Kanish Malhotra — [email protected]
Data Protection Officer: Mr. Kanish Malhotra — [email protected]
Postal: 124, 1st Floor, Block QP, Kothi Pitampura, Rani Bagh, New Delhi 110034
Acknowledgement: within 24 hours.
Resolution: within 15 days (grievance) or 30 days (DPDP request).

If your concern is not resolved, you may refer it to the Data Protection Board of India established under the DPDP Act.

10. Security

We follow reasonable security practices and procedures appropriate to the volume and sensitivity of the data, including:

TLS 1.2+ for all data in transit;
bcrypt hashing of OTPs and administrator passwords;
principle-of-least-privilege role-based access for staff;
audit logging of administrator actions;
2FA (TOTP + recovery codes) for administrator accounts;
regular dependency scanning and security patching.

No system is perfectly secure. If a personal data breach occurs that is likely to result in significant harm, we will notify the Data Protection Board and affected Data Principals as required by the DPDP Act (typically within 72 hours of becoming aware).

11. Cookies

See the standalone Cookie & Tracking Policy.

12. Updates to this Policy

We may update this Policy. Material changes will be notified at least 30 days in advance by email and an in-app banner. The "Last Updated" date at the top reflects the most recent revision. Earlier versions are available on request.

If you have any questions, write to [email protected].