Privacy Policy

1. Information We Collect

1.1 Account Information

When you create an account or sign in with a third-party provider (Google, Microsoft), we collect:

• Email address — used as your unique identifier and for transactional communications.
• Full name — displayed in your profile and used for personalisation.
• Profile image / avatar URL — sourced from your Google or Microsoft account when you use OAuth sign-in.
• Phone number — optionally provided during registration; used for account recovery and WhatsApp integration if enabled.

1.2 Usage Data

We automatically record information about how you use the Service, including:

• Search queries you submit (business type, location, radius).
• Search results and business leads you save or export.
• Notes and status labels you attach to leads.
• Subscription plan and payment status (we do not store full card details).
• IP address, browser type, and device information for security and analytics.

1.3 Payment Information

Payments are processed by Razorpay. We store only the Razorpay order ID and payment status. Full card numbers and bank details are never transmitted to or stored on our servers.

1.4 Integration Credentials

If you connect WhatsApp Business via our Integrations page, we store your WhatsApp API token and webhook verification token in our database, encrypted at rest.

2. How We Use Your Information

We use the information we collect to:

• Provide and improve the Service — process searches, display results, and personalise your dashboard.
• Authentication — verify your identity when you sign in and maintain your session.
• Communication — send transactional emails (OTP verification, payment receipts, plan change confirmations). We do not send marketing emails without your explicit consent.
• Subscription management — track your plan limits, search quotas, and billing cycle.
• Security & fraud prevention — detect suspicious activity and protect your account.
• Analytics & product improvement — understand aggregated usage patterns to improve features (data is anonymised where possible).
• Legal obligations — comply with applicable laws, regulations, or lawful government requests.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

3. Third-Party Services

We rely on the following third-party providers to operate the Service. Each has its own privacy policy.

When you choose to sign in with Google or Microsoft, those providers may share your name, email address, and profile picture with us as part of the authentication flow. We use this data only to create or update your GrabNear account.

4. Cookies & Sessions

GrabNear uses the following types of browser storage:

• Authentication session (localStorage) — Supabase stores a JWT access token and refresh token in your browser's localStorage. This token is used to authenticate your requests and is automatically refreshed. It is cleared when you log out.
• Strictly necessary cookies — set by Cloudflare (our DNS/CDN provider) for DDoS protection and load balancing. These do not track you across websites.

We do not use advertising cookies, cross-site tracking cookies, or analytics cookies that follow you beyond the GrabNear platform.

5. Data Retention

• Account data (name, email, profile) — retained for as long as your account is active. You may request deletion at any time.
• Search history and leads — retained for the lifetime of your account. You can manually delete individual searches or leads from your dashboard.
• Payment records — retained for 7 years as required by Indian GST regulations.
• Server logs — retained for up to 30 days for security and debugging, then automatically purged.
• Deleted accounts — personal data is removed within 30 days of account deletion, except where retention is required by law.

6. Security

We implement reasonable technical and organisational measures to protect your data, including:

• All data in transit is encrypted via TLS/HTTPS.
• Database and credentials are stored with Supabase, which encrypts data at rest.
• API keys and integration tokens are stored encrypted.
• Access to production systems is restricted to authorised personnel.

No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at support@grabnear.com.

7. Your Rights

Depending on your location, you may have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate or incomplete data.
• Deletion — request that we delete your account and personal data ("right to be forgotten").
• Portability — receive your data in a machine-readable format.
• Withdraw consent — opt out of any non-essential data processing at any time.

To exercise any of these rights, email us at support@grabnear.com. We will respond within 30 days.

8. Children's Privacy

GrabNear is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions or concerns about this Privacy Policy, please reach out: