Effective Date: 10 June 2026

Buopso Private Limited (“We” or “Ours” or “Company” or “ShipKia”) is a company duly incorporated under the laws of the Indian Companies Act, 2013, which provides end-to-end technology related services/platform designed to enable eCommerce logistics and post-order operations, including shipping, order management, NDR/RTO handling, communication, and fulfilment, offered through its digital platform and integrations under the brand name “ShipKia”.

1. Introduction

Please read this Privacy Policy carefully. By accessing or using the ShipKia platform, website, or services, you agree to the collection and use of your personal information in accordance with this Privacy Policy. Where required under applicable law, we will seek your explicit consent before processing your personal data.

This privacy policy (“Policy”) is applicable to the comprehensive use of, or access to, the domain name and website located at www.shipkia.com, ShipKia’s proprietary mobile application, and any associated platforms, tools, or Services developed by ShipKia. This also includes instances where such services are accessed through integrations or third-party platforms; however, ShipKia’s responsibility is limited to the Services provided directly through its own systems and authorised integrations.

This Privacy Policy is fundamentally integrated into, and constitutes an inseparable part of, the service agreements and terms and conditions of use established between ShipKia and its merchant partners, users, and end-customers. For the purposes of this Policy, the website, mobile application, and all online or offline platforms/tools developed by ShipKia are individually and collectively referred to as the “Platform”. This Policy has been formally adopted by and shall be fully applicable to all subsidiaries, business units, and affiliates under the ShipKia corporate umbrella.

The Services provided through the Platform are made available to persons who have affirmatively agreed to become users of the Platform (referred to as “You” or “Your” or “Yourself” or “User”, which term shall encompass persons accessing the Platform as transitory visitors, merchants, or those undertaking any specific Service) in strict accordance with the Platform’s terms of use as formulated by ShipKia and uploaded to its digital domain from time to time (the “Terms of Use”).

2. Governing Law & Regulatory Framework

This policy is governed by and shall be construed in accordance with the following applicable laws and regulations:

• Digital Personal Data Protection Act, 2023 (DPDPA) primary data protection framework
• Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)
• Reserve Bank of India (RBI) Guidelines on payment data storage, localisation, and processing
• GSTN Data Handling Norms applicable to KYC and financial information
• Any other applicable Indian laws and regulations in force from time to time

3. Roles Under the DPDPA, 2023

• ShipKia acts as the Data Fiduciary in respect of personal data collected directly from merchants and users on the Platform.
• Merchants integrating ShipKia’s platform or checkout tools may independently act as Data Fiduciaries in respect of their end-customers’ data processed through ShipKia’s systems.
• Users and end-customers are referred to as Data Principals under the DPDPA, 2023.

4. Types of Personal Information collected by the Company

While using our Services, we may collect the following categories of Personal Information from the Users hereinafter collectively referred to as “User Information”:

• Name;
• User ID;
• Email address;
• Address (including country and ZIP/postal code);
• Phone Number;
• Password chosen by the User;
• Geographical location through the IP address of the Users;
• Financial account information like bank account details, GST certificate, PAN Card, etc. and transactional information in relation to transactions where ShipKia is involved;
• Any of the aforesaid information pertaining to the customer/buyer of the User; and
• All other personally identifiable information/details as the User may share from time to time (including personally identifiable information/details of the customer/buyer of the User).

In order to avail the Services/Platform, the Users may also be required to upload/share certain documents (for instance, Aadhaar, PAN Card, GST certificate, etc.), on the Platform and/or e-mail the same to the Company. Accordingly, the term “User Information” shall also include any such documents uploaded or otherwise provided by the Users. We may also keep records of telephone calls received and made for making inquiries, orders, or other purposes necessary for the administration of Services.

5. Consent Framework

In accordance with the DPDPA, 2023, all consent obtained by ShipKia shall be:

• Free - not bundled with conditions unrelated to the service
• Specific - for clearly defined and stated purposes
• Informed - accompanied by a clear notice describing the nature and purpose of data use
• Unconditional - not contingent on acceptance of non-essential terms
• Unambiguous - expressed through a clear and affirmative action by the Data Principal

Merchants integrating ShipKia’s tools are independently responsible for obtaining valid consent from their end-customers for personal data shared with ShipKia through such integrations.

6. Purposes for which the Company may use the Personal Information

The information which we collect may be utilized for various business and/or regulatory purposes, including but not limited to the following:

a) To onboard merchants, create and manage user accounts, authenticate access, and administer the use of the ShipKia platform
b) To facilitate shipment booking, label generation, courier partner allocation, pickup scheduling, transportation, delivery, returns, and Return-to-Origin (RTO) management
c) To enable pre-purchase and post-purchase logistics services, including serviceability checks, delivery time estimation, address validation, standardisation, and optimisation
d) To enable delivery coordination, address verification, Non-Delivery Report (NDR) management, reattempt processing, and customer communication related to order fulfilment
e) To process orders, shipments, returns, exchanges, refunds, cash-on-delivery (COD) remittances, settlements, reconciliation, and invoicing
f) To operate checkout-related features that reduce friction during order placement, including address retrieval, validation, and autofill features, subject to applicable consents obtained by the merchant from its respective customers
g) To provide warehousing, inventory management, picking, packing, and fulfilment services, where applicable
h) To provide shipment tracking, status updates, service notifications, and other transactional communications to Users and their customers
i) To provide customer and merchant support, handle queries, complaints, disputes, and maintain service quality standards
j) To perform analytics, reporting, forecasting, and optimisation of logistics operations, delivery performance, and platform functionality, including processing data in aggregated or pseudonymised form where reasonably possible
k) To detect, prevent, investigate, and mitigate fraud, misuse, security incidents, and unauthorised access to the Platform
l) To comply with applicable laws, regulations, tax requirements, contractual obligations, and lawful requests from governmental, regulatory, or statutory authorities
m) To maintain platform security, system monitoring, logging, audits, internal controls, and operational diagnostics
n) To send service-related communications and updates, including notifications related to transactions, shipments, or account activity via SMS, email, and messaging platforms such as WhatsApp. Such communications will be sent based on user interaction, transaction requirements, or consent obtained in accordance with applicable laws. Users may opt out of non-essential communications where applicable.
o) To enhance, improve, and develop the Platform, Services, features, and overall user experience

We collect only such Personal Information as is necessary to fulfil the purposes described above and process such information in a manner consistent with these purposes. Any processing of Personal Information beyond these purposes shall be undertaken only with the User’s consent or as otherwise permitted under applicable law.

7. Data Localisation & Infrastructure

All personal data of Indian users collected and processed by ShipKia is stored exclusively on servers and data centres located within the territory of India, in compliance with applicable data localisation requirements under Indian law.

ShipKia does not currently transfer or process Indian user data on servers located outside India. In the event that cross-border data processing becomes necessary in the future (e.g., for cloud infrastructure or analytics services), such transfers shall be conducted only to countries notified by the Central Government under the DPDPA, 2023, or subject to appropriate contractual safeguards ensuring equivalent data protection standards.

8. Children’s Data

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that such data has been inadvertently collected, we will take appropriate steps to delete it.

9. Disclosure and Transfer of User’s Personal Information

9.1 Disclosure to Third Parties

We may share your Personal Information with third parties strictly on a need-to-know basis to provide our Services. Such third parties may include:
• Courier and logistics partners for shipment processing and delivery
• Payment gateways, banking partners, and financial institutions for transaction processing and settlements
• Technology service providers such as cloud hosting, storage, analytics, and infrastructure providers
• Communication service providers (including SMS, email, and messaging platforms like WhatsApp) for transactional notifications and customer communication
• Customer support and service vendors assisting in operations
All such third parties are contractually bound to maintain the confidentiality of your information and are required to implement reasonable security practices in compliance with applicable laws.

9.2 Couriers & Logistics Partner Data Sharing

ShipKia shares shipment-related personal data, including the recipient’s name, delivery address, phone number, and order details with courier and logistics partners solely for the purpose of fulfilling delivery, returns, and Return-to-Origin (RTO) operations within India.

All courier and logistics partners are required to enter into formal data processing agreements with ShipKia prior to receiving any personal data. These agreements restrict further use, disclosure, or retention of such data beyond the scope of shipment fulfilment, and require partners to maintain data security standards consistent with applicable Indian law.

ShipKia does not share end-customer personal data with courier partners for any marketing, profiling, or non-operational purpose.

9.3 Disclosure Due to Legal Requirement

We may need to disclose / transfer User’s Personal Information to Governmental and judicial institutions/authorities, to the extent required:
• Under applicable laws, rules, and regulations and/or under orders of any relevant judicial or quasi-judicial authorities
• To protect and defend the rights or property of the Company;
• To combat fraud and credit risk;
• To enforce the Company's Terms of Use (to which this Privacy Policy is also a part); or
• When the Company, in its sole discretion, deems it necessary in order to protect its rights or the rights of others.

9.4 Disclosure to Related Parties

Relevant data may be shared with ShipKia's affiliates, subsidiaries, and group companies to facilitate service delivery. The Company shall ensure that such entities adopt at least a reasonable level of security practices and procedures as required under applicable law.

10. Payment Data & RBI Compliance

• All payment-related data, including Cash-on-Delivery (COD) transaction data, merchant settlements, and banking information, is handled in strict accordance with the Reserve Bank of India’s guidelines on payment data storage and localisation.
• ShipKia does not store full card credentials, CVV numbers, or UPI authentication data on its own servers.
• All payment processing is facilitated through RBI-compliant, PCI-DSS certified payment gateways.
• Payment data is retained only for the period required under applicable law, including the GST, Income Tax Act, and RBI guidelines.

11. Automated Decision-Making & Algorithmic Processing

ShipKia may use automated systems and algorithms to facilitate certain operational decisions, including but not limited to:
• Courier partner allocation based on serviceability, performance, and cost
• Delivery route and time optimisation
• Fraud detection and risk flagging
• NDR reattempt scheduling and prioritisation

Such automated processing is based on objective operational logic and does not produce legal or similarly significant effects on users without human oversight. Users may contact the Grievance Officer at any time to seek clarification on any automated decision affecting their account or shipments.

12. Links to Third-Party

The links to third-party advertisements, third party websites or any third-party electronic communication services (referred to as “Third Party Links”) may be provided on the platform which are operated by third parties and are not controlled by, or affiliated to, or associated with the Company, unless expressly specified on the Platform. If You access any such Third-Party Links, we request You to review the concerned website’s privacy policy. We shall not be responsible for the policies or practices of such third parties.

13. Cookie and Tracking Technologies

We use cookies and similar tracking technologies to enhance user experience, analyse platform usage, and improve our Services. Cookies are small text files stored on your device that help us recognise repeat users, remember preferences, and understand how users interact with our Platform.
We may use first-party and third-party cookies, including analytics tools, to measure traffic, improve performance, and support operational activities.

Cookie Consent Mechanism

ShipKia implements a cookie consent banner on its Platform, enabling users to accept, reject, or customise non-essential cookies prior to their deployment. Essential cookies required for core platform functionality are deployed without additional consent. Users may update their cookie preferences at any time through the Platform's cookie settings.

You can control or disable cookies through your browser settings. However, disabling cookies may affect certain functionalities of the Platform. By continuing to use our Platform, you consent to our use of cookies in accordance with this Privacy Policy.

14. Opt-Out Mechanism for Marketing Communications

Users and end-customers may opt out of non-essential marketing or promotional communications at any time by:
• Clicking the “Unsubscribe” link in any marketing email
• Replying “STOP” to any promotional SMS
• Contacting ShipKia at [email protected]

Please note that transactional and service-related communications, such as shipment tracking updates, delivery notifications, and account activity alerts, cannot be opted out of, as they are essential to service delivery.

15. Security Practices and Procedures

For the purpose of providing the Services and for other purposes identified in this Privacy Policy, we are required to collect and host certain data and information of the Users. We are committed to protecting Your Personal Information, and to that end, the Company adopts reasonable security practices and procedures to implement technical, operational, managerial and physical security control measures in order to protect the Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. While we try our best to provide security that is commensurate with the industry standards, due to the inherent vulnerabilities of the internet, we cannot ensure or warrant complete security of all information that is being transmitted to Us.

The Company takes adequate steps to ensure that third parties to whom the Personal Information may be transferred adopt at least such a reasonable level of security practices and procedures as required under applicable law to ensure security of Personal Information.

You acknowledge that while the Company implements reasonable security practices and procedures to protect your information, transmission of data over the internet is not completely secure and may be subject to interception beyond our control. To the extent permitted under applicable law, the Company shall not be held responsible for any loss or damage arising from such interception or unauthorized access despite implementing reasonable security measures.

16. Data Breach Notification

In the event of a security breach leading to unauthorized access, loss, or disclosure of Your personal data, ShipKia is committed to notifying the relevant regulatory authorities and affected Users without undue delay. We aim to provide such notifications within 72 hours of confirming the incident, outlining the nature of the breach and the remedial measures being taken.

17. Rights of Data Principals Under DPDPA, 2023

In accordance with the Digital Personal Data Protection Act, 2023, Data Principals (users and end-customers) have the following rights with respect to their personal data:

Right Description
Right to Access Obtain a summary of personal data being processed and the nature of processing activities undertaken by ShipKia
Right to Correction Correct inaccurate or outdated personal data held by ShipKia
Right to Erasure Request deletion of personal data where it is no longer necessary for the stated purpose
Right to Grievance Redressal File complaints with ShipKia's designated Grievance Officer
Right to Nominate Nominate an individual to exercise data rights in the event of death or incapacity
Right to Withdraw Consent Withdraw consent at any time, prospectively (not retrospectively)

To exercise any of the above rights, please contact ShipKia at: [email protected]

18. User Rights & Voluntary Information

All the information provided to the Company by a User, including Sensitive Personal Data or Information, is voluntary. Users have the right to withdraw his/her/its consent at any time, in accordance with the terms of this Privacy Policy and the Terms of Use, but please note that withdrawal of consent will not be retrospective.

Users can access, modify, correct and delete the Personal Information provided by them which has been voluntarily given by the User and collected by the Company in accordance with this Privacy Policy and Terms of Use. However, if the User updates his/her information, the Company may keep a copy of the information which User originally provided to the Company in its archives for User documented herein. In case the User seeks to update or correct his/her Personal Information, the User may exercise these rights by emailing the Company at [email protected] and communicate the change(s) for updating the Company’s records.

In case the User does not provide his/her information or consent for usage of Personal Information or subsequently withdraws his/her consent for usage of the Personal Information so collected, the Company reserves the right to discontinue, in part or full, the Services/associated features and benefits for which the said information was sought.

19. Retention of Personal Information

We retain your Personal Information only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted under applicable law.
In general:
• Account and KYC-related information is retained for the duration of your account and as required under applicable laws
• Transactional and shipment-related data is retained for operational, legal, and audit purposes for a reasonable period
• System logs and technical data may be retained for security and diagnostic purposes for a limited duration

Once the applicable retention period expires, such information is securely deleted or anonymised.
We may retain your Personal Data for longer periods in the following circumstances:
a) If it is necessary for the specified purpose for which it was collected or for compliance with any applicable law
b) In the event of pendency of any legal or regulatory proceeding
c) For safety, security, and integrity purposes as per the law
d) For purposes such as judicial and/or governmental investigations
e) To protect our rights, property, or products/services

In case a User has withdrawn or cancelled their registration from the Platform, we are obliged under law to retain their Personal Information. Accordingly, we shall retain such information for as long as necessary to comply with legal obligations, plus an additional period of 180 days from the date of account cancellation to ensure completion of any pending settlements or dispute resolutions. We may retain non-personally identifiable data indefinitely or to the extent allowed by applicable law.

20. Use of the Platform

You agree that while using the Platform, You shall not upload, modify, publish, transmit update or share any information which:

(a) belongs to another person and to which the user does not have any right;
(b) is obscene, pornographic, paedophilic, invasive of another’s privacy including bodily privacy, insulting or harassing on the basis of gender, racially or ethnically objectionable, relating or encouraging money laundering or gambling, or promoting enmity between different groups on the grounds of religion or caste with the intent to incite violence;
(c) is harmful to child;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) deceives or misleads the addressee about the origin of the message or knowingly and intentionally communicates any misinformation or information which is patently false and untrue or misleading in nature;
(f) impersonates another person;
(g) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign States, or public order, or causes incitement to the commission of any cognizable offence, or prevents investigation of any offence, or is insulting other nation;
(h) contains software virus or any other computer code, file or program designed to interrupt, destroy or limit the functionality of any computer resource;
(i) violates any law for the time being in force.

21. Termination

ShipKia reserves the right to suspend or terminate your access to the Services, in whole or in part, under the following circumstances:

(a) if the User breaches any terms and conditions of this Policy or the Terms of Use;
(b) if ShipKia reasonably believes that the User’s actions may cause legal liability for the User, ShipKia, or other users, or are contrary to applicable laws or the Terms of Use;
(c) if required to comply with applicable laws, regulatory requirements, or lawful orders of authorities; or
(d) for legitimate business, operational, or security reasons, upon providing reasonable notice where practicable.

22. Changes to this Privacy Policy

We may update this Privacy Policy from time to time and shall notify you regarding the Policy as well as any such changes periodically and at least once a year. However, you are advised to review this page/policy periodically for any changes. Your continued usage of the Services shall constitute your acceptance of the amended/updated Privacy Policy.

23. Complaints and Grievance Redressal

Any complaints, abuse or concerns with regards to content or comment or breach of these terms/Privacy Policy may be informed to the designated Grievance Officer as mentioned below in writing or through email. We aim to respond to all grievances within 7–15 business days.

Attn: Mr. Paras Jain (Grievance Officer)
Buopso Private Limited,
B-92, near Millennium City Centre Metro Station, Sushant Lok Phase I, Sector 43, Gurugram, Haryana 122009
Email: [email protected]

Note: All sections highlighted in yellow represent additions or amendments made for DPDPA 2023 compliance, RBI payment data guidelines, operational accuracy (India-only data centres and courier partner data sharing), and industry best practices for Indian shipping aggregators.