Privacy Policy – BoxMist
Last Updated & Effective Date: 12 December 2025
This Privacy Policy is issued in accordance with India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), together with the Information Technology Act, 2000 and rules made under it.
BoxMist ("Company", "we", "our", or "us") is a brand operated by Meedukan, the registered legal entity that operates the Platform and is responsible for compliance, data processing, taxation, and contractual obligations. Meedukan is the Data Fiduciary — the entity that determines the purpose and means of processing your personal data. You, the user, are the Data Principal.
This Policy applies to our website boxmist.com, our mobile applications, and all related services (collectively, the "Platform"). It serves as the notice required under Section 5 of the DPDP Act and explains what personal data we collect, why, how we use and protect it, and the rights available to you.
You may request a copy of this notice in English or in any language listed in the Eighth Schedule to the Constitution of India.
1. The Personal Data We Collect
We collect only the personal data necessary for the purposes set out in Section 3 (the principle of data minimisation).
A. Identity and contact data
- Full name
- Phone number
- Email address
- Delivery and billing address
B. Location data
- Precise location (GPS) and/or approximate location, collected from your device when you use the Platform.
- We use location to detect your delivery area, show nearby stores and serviceable products, auto-fill or confirm your delivery address, calculate delivery distance and charges, and enable live tracking of your order.
- Location is collected only while you are using the app (foreground). [If your app also collects location in the background — e.g. continuous delivery tracking when the app is closed — say so explicitly here, state why, and note that you obtain separate consent for it. Background location triggers stricter Google Play review.]
- You can disable location access in your device settings; some features (such as delivery to your current location) may not work without it.
C. Technical and usage data
- Device information (model, OS, browser)
- IP address
- Usage statistics and interaction data
- Cookies and similar technologies (see Section 7)
D. Transaction and order data
- Order history
- Payment status and method (we do not store full payment card numbers; these are handled by our payment gateway)
- Delivery details
We do not routinely collect government identity documents or verification details. Where a specific order or legal requirement makes verification necessary (for example, age-restricted goods), we will tell you at that point why it is needed and use it only for that purpose.
2. Consent and the Basis for Processing
Under the DPDP Act, your consent is our primary basis for processing your personal data. Where we ask for consent:
- It is free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action.
- It is limited to the specific purpose for which it is sought, and we process only the data necessary for that purpose.
- The consent request is presented in clear and plain language, with the option to access it in English or another Eighth Schedule language.
For certain activities, we may process your data without separate consent where the DPDP Act permits it as a legitimate use — for example, to provide a service you have specifically requested (such as fulfilling your order).
Withdrawing consent. You may withdraw your consent at any time, and doing so will be as easy as giving it (see Section 5). Withdrawal does not affect processing already carried out lawfully, and we may continue processing where the law independently requires or permits it. Some services may not function if consent necessary for them is withdrawn.
3. Purposes for Which We Process Your Data
We process your personal data only for the following specified purposes:
- Creating and managing your BoxMist account
- Processing and delivering grocery, daily-need, and marketplace orders
- Determining your delivery area, showing nearby stores, confirming your delivery address, and enabling order tracking (using location data)
- Facilitating secure payment processing
- Providing customer support
- Sending order updates and essential service or security notifications
- Conducting security checks and fraud prevention
- Improving our products, services, and customer experience
- Sending promotional and marketing communications — only where you have given separate, opt-in consent
We will not use your data for a new purpose without informing you and, where required, obtaining fresh consent.
4. Sharing of Information and Data Processors
We share your personal data only on a need-to-know basis, with:
- Delivery partners — for order fulfilment
- Payment gateways — for transaction processing
- Data Processors — third parties providing hosting, analytics, SMS, and communication services. They process data only under a valid contract with us, strictly on our instructions, and are bound to protect it.
- Government or legal authorities — when required by law or in response to valid legal process
We do not sell, trade, or rent your personal data to any third party.
Cross-border processing. Some service providers may store or process data on servers outside India. [State whether your hosting/analytics/SMS providers are located in or outside India.] Such processing is carried out in accordance with the DPDP Act and any restrictions notified by the Central Government.
5. Your Rights as a Data Principal
The DPDP Act grants you the following rights, which you may exercise by contacting our Grievance Officer (Section 9):
- Right to access — obtain a summary of the personal data we process about you, and the identities of those with whom it has been shared.
- Right to correction and erasure — have inaccurate or incomplete data corrected or updated, and have data erased where it is no longer required and the law permits.
- Right to withdraw consent — withdraw consent as easily as it was given.
- Right to grievance redressal — have your complaints addressed by us through a readily available means (Section 9).
- Right to nominate — nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
We will act on valid requests within the timelines prescribed under the DPDP Rules. If you are not satisfied with our response, or do not receive one, you may escalate your complaint to the Data Protection Board of India.
6. Your Duties as a Data Principal
The DPDP Act also places certain duties on Data Principals. When using the Platform, you agree to:
- Comply with applicable law while exercising your rights;
- Not impersonate another person when providing your personal data;
- Not suppress material information when providing data for any document or identifier issued by the State;
- Not register a false or frivolous grievance or complaint; and
- Furnish only authentic and verifiably correct information.
7. Cookies & Tracking Technologies
We use cookies and similar technologies to improve functionality and speed, enhance personalization, analyse usage patterns, and — only with applicable consent — support advertising and re-marketing. We do not direct tracking or advertising at users we know to be under 18. You may disable cookies in your browser settings, though some features may not work correctly.
8. Data Retention and Security
Retention. We retain personal data only for as long as necessary for the purpose for which it was collected, after which it is deleted or anonymised:
- Account data — while your account is active and for a reasonable period after closure.
- Order and transaction data — as required under applicable tax, accounting, and consumer-protection laws [commonly up to 8 years for tax/GST records — confirm your applicable period].
- Marketing data — until you withdraw consent or opt out.
Security safeguards. We implement reasonable security safeguards as required under the DPDP Rules, which may include encryption or masking, access controls, logging and monitoring of access, data backups, and measures to detect and remediate unauthorised access. No method of online transmission or storage is completely secure, but we work to protect your data against unauthorised access, misuse, loss, and disclosure.
Breach notification. In the event of a personal data breach, we will notify the affected Data Principals and the Data Protection Board of India in the manner and within the timelines required under the DPDP Rules.
9. Grievance Redressal & Contact Information
For any question, request, or complaint about this Policy or your personal data, contact our Grievance Officer:
Grievance / Data Protection Officer: [insert name or designation] Legal Entity: Meedukan Brand Name: BoxMist Email: support@boxmist.com [consider a dedicated address such as privacy@boxmist.com] Phone: 9440865995 Address: Shop No 5-1, Vittal Rao Market, 566/10, Street Number 5, Troop Bazaar, Koti, Hyderabad, Telangana 500012 Website: https://boxmist.com
We will acknowledge and respond to grievances within the period required under applicable law. If you remain dissatisfied, you may approach the Data Protection Board of India.
10. Children's Privacy
Our services are intended for individuals aged 18 years and above. Where we knowingly process the personal data of a child (a person under 18) or a person with a lawful guardian, we will obtain verifiable consent of the parent or lawful guardian as required by the DPDP Act. We do not knowingly track or monitor the behaviour of children or direct targeted advertising at them. If we discover that we have collected a child's data without the required consent, we will delete it promptly.
11. Third-Party Links
Our Platform may contain links to other websites. BoxMist is not responsible for the privacy practices of third-party sites, and we encourage you to read their policies.
12. Changes to This Privacy Policy
We may update this Policy to reflect changes in our practices or the law. When we make material changes, we will notify you and, where required, seek fresh consent. The "Last Updated" date above reflects the most recent revision. Continued use after a non-material update indicates your awareness of the revised Policy; for changes requiring consent, we will obtain it separately.