Privacy Policy
This policy explains what data Lulu Grow collects from clients (business owners using the platform) and from the customers who scan their QR codes — and what we do with it.
Plain-language summary
We collect what we need to run the service: your account info, the businesses you add, the feedback your customers leave, and basic billing data via Razorpay. We never sell your data. We never share your customers' phone numbers or messages with anyone outside what's required to deliver the service. You can request a copy or a deletion of your data at any time by emailing us.
What data we collect
From you (the business owner / client)
- Account details: name, email address, phone number, hashed password.
- Business details: business name, category, address (optional), Google review URL, brand color, logo image (if uploaded), funnel threshold, welcome message.
- Subscription & payment data: plan, trial/paid status, expiry date, Razorpay order & payment IDs. Card details are never sent to us — Razorpay handles them directly.
- WhatsApp preferences: WhatsApp number (if different from contact phone) and notification toggle.
- Login history: last login timestamp, recent login attempts (for rate-limiting brute-force attacks).
- Audit logs: emails and WhatsApp messages we sent to you.
From your customers (people who scan your QR)
- Anonymous events: every QR scan, rating tap, redirect, or feedback submission is logged with IP address, user-agent, and timestamp. This is how we power your analytics dashboard.
- Identifiable feedback: if a customer submits the "Bad" feedback form, we collect the name, phone, email (optional), and message they typed in. This data is for you alone — it never reaches Google and is not shared with any other client of ours.
What we do not collect
- We do not run third-party analytics or advertising trackers.
- We do not collect device fingerprints beyond standard IP & user-agent.
- We do not request location, contacts, photos, or any phone permission.
- We do not collect any data about customers who scan but don't submit feedback (beyond the anonymous event log used for your stats).
Why we collect it
- To operate the service: we can't show your dashboard without storing your account, businesses, and feedback.
- To bill you: Razorpay needs the order/payment IDs we record so we can prove your plan is active.
- To notify you: we email and WhatsApp you when complaints arrive, when payments succeed, and when your trial is ending.
- To prevent abuse: the IP-based rate limits on login attempts and feedback submissions keep spammers out.
- To improve the service: aggregated, non-identifying usage metrics help us understand how the product is used.
Who we share data with
We share the minimum data required to deliver the features you use. We do not sell data to anyone. The third parties that touch your data are:
- Razorpay — payment processing. They receive the amount, your email and phone, and a unique order ID when you check out. Razorpay's privacy policy.
- Twilio (or whichever WhatsApp provider is configured) — sending WhatsApp messages. They receive the recipient phone and the message body when we send a notification. Twilio's privacy policy.
- Anthropic — generating AI-suggested complaint replies. When you click "Suggest Reply" on a complaint, the customer's complaint text and the business name/category are sent to Anthropic's Claude API. Anthropic does not train on this data. Anthropic's privacy policy.
- Email provider — sending account emails (verification, password reset, billing, broadcasts). They see the recipient address and the message body.
- Hosting provider — our servers physically run somewhere; that provider has access to encrypted disk volumes per industry-standard practice.
We do not share data with advertisers, data brokers, or any party not listed above. We do not share your customers' feedback messages with anyone — they are only ever visible to you.
How long we keep your data
- Active account data — kept while your account is active.
- Login attempt logs — automatically deleted after 30 days.
- Anonymous QR scan / event logs — automatically deleted after 6 months.
- Email and WhatsApp message logs — automatically deleted after 90 days.
- Abandoned payment orders — automatically deleted after 14 days.
- Account & subscription history — kept for as long as you have an account, plus the minimum statutory retention required for tax/audit purposes after deletion.
Cleanup runs nightly via an automated cron job.
Your rights (DPDP Act 2023)
If you are based in India, the Digital Personal Data Protection Act, 2023 grants you the following rights, all of which we honour:
- Access: ask for a copy of every piece of personal data we hold about you.
- Correction: ask us to correct inaccurate data. (Most fields are also editable yourself in the Profile page.)
- Erasure: ask us to delete your account and associated data. We will do so within 14 days, except where statute requires us to retain it.
- Portability: ask for an export of your data in a portable format. (Feedback can already be exported as CSV from your dashboard.)
- Withdrawal of consent: withdraw consent for any non-essential processing.
- Grievance redressal: raise concerns with our grievance officer (see Contact below).
To exercise any of these rights, email us. Identity verification will be required to prevent unauthorized access.
How we protect your data
- Passwords are stored using bcrypt hashing — even we cannot read them.
- All web traffic in production is served over HTTPS.
- Sessions use HTTPOnly, SameSite-Lax cookies, with strict-mode session ID handling and automatic regeneration on login.
- All database queries use parameterized statements to prevent SQL injection.
- Form submissions are protected by CSRF tokens.
- Razorpay payment signatures are verified with HMAC-SHA256 using timing-attack-safe comparison.
- Login attempts are rate-limited by IP and email; uploaded files have their real MIME type verified before being saved; the upload directory blocks PHP execution as defense in depth.
Cookies
We use exactly one cookie per session: an HTTPOnly authentication cookie that keeps you logged in. We do not use tracking cookies, third-party advertising cookies, or analytics cookies. We do not need a cookie banner because we only use strictly-necessary cookies.
Children
Our service is for businesses and is not directed at children under 18. We do not knowingly collect data from minors.
Contact & Grievance Officer
For any privacy questions, data subject rights requests, or grievances, email: support@trustifyqr.local.
We will respond within 7 business days. For unresolved grievances, you may also contact the Data Protection Board of India once it is operational.
Changes to this policy
We may update this policy from time to time. The "last updated" date at the top will reflect any changes. Material changes will be notified via email to active clients.