Privacy Policy

(Aligned with the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025)

1. INTRODUCTION

Nexus Sanghi Private Limited (the "Company", "we", "us", or "our") is committed to protecting the privacy and confidentiality of all personal data provided by Direct Sellers, Nexus Preferred Customers, and other individuals. This Privacy Policy governs the collection, use, storage, disclosure, and processing of digital personal data (personal data in electronic or digitised form) in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 (DPDP Rules) notified thereunder.
The terms used but not defined in this Privacy Policy have the meanings ascribed to them in the Company's Policies and Procedures document or as defined under applicable law.
By providing personal data to the Company, you acknowledge that you have read, understood, and consent to the practices described in this Privacy Policy.

2. SCOPE, ROLE, AND LEGAL BASIS

2.1 Scope

This Privacy Policy applies to all digital personal data of individuals collected, processed, stored, or disclosed by the Company through its website, mobile applications, online platforms, registration systems, and other electronic means in India.

2.2 Roles under the DPDP Act

  • Data Fiduciary: Nexus Sanghi Private Limited acts as a Data Fiduciary in relation to the personal data processed under this Privacy Policy.
  • Data Principals: Nexus Direct Sellers/Direct Sellers, Nexus Preferred Customers/Customers, and other individuals whose personal data is collected or processed are referred to as Data Principals.

2.3 Legal Basis for Processing

The Company processes personal data on the following legal bases:

  1. Consent: Where the Data Principal has provided free, specific, informed, unconditional, and unambiguous consent for one or more specified purposes.
  2. Legitimate Uses: Where processing is authorised under the DPDP Act or other applicable laws without consent, including but not limited to:
    • Compliance with a legal obligation or order of a court or tribunal.
    • Performance of a function under any law or provision of law.
    • Provision of a service or benefit sought by the Data Principal from the State.
    • Issuance of certificates, licenses, or permits for any action or activity by the State.
    • Performance of a contract to which the Data Principal is a party or taking steps at the request of the Data Principal prior to entering into such a contract.
    • Prevention, detection, investigation, or prosecution of any offence or contravention of law.
    • Processing personal data that is publicly available.
    • Processing personal data voluntarily provided by the Data Principal to be processed for a specified purpose.

3. COLLECTION AND USE OF PERSONAL DATA

3.1 Categories of Personal Data Collected

The Company collects the following categories of personal data for legitimate business purposes:

  • Identity and contact information: Name, postal address, email address, phone number, date of birth, gender, photograph, and copies of government-issued identity documents (Aadhaar, PAN, passport, driving licence, voter ID, etc.).
  • Financial information: Bank account number, IFSC code, UPI ID, payment transaction records, billing address, and tax-related information (including PAN, TAN, and GST details).
  • Professional and employment information: Occupation, employer details, business address, income details, and related professional information.
  • Account and registration data: Username, password, security questions and answers, sponsor details, and account preferences.
  • Transactional data: Purchase history, order details, invoices, Point Value (PV) records, commission records, product preferences, and payment history.
  • Location data: Delivery address and, where consented, real-time or approximate location data for service or delivery purposes.
  • Communication records: Correspondence with customer support, feedback, complaints, inquiries, marketing communication preferences, and audio/video testimonials (where provided voluntarily).
  • Technical data: IP address, device information, browser type and version, operating system, login data, usage logs, cookies, and similar tracking technologies.

3.2 Purposes of Processing

The Company processes personal data for the following purposes:

  • Creating and managing accounts for Direct Sellers and Nexus Preferred Customers.
  • Identification, authentication, verification, and Know Your Customer (KYC) compliance.
  • Facilitating the sale, purchase, and delivery of products to Direct Sellers and customers.
  • Processing orders, payments, refunds, and commission or bonus payouts.
  • Sending notifications, promotional materials, business updates, product information, and service-related communications (with consent where required).
  • Providing customer support, addressing queries, feedback, and complaints.
  • Compliance with legal, regulatory, tax, audit, and reporting obligations.
  • Conducting internal research, data analytics, and business improvement initiatives.
  • Preventing, detecting, investigating, and addressing fraud, security breaches, unauthorised access, and unlawful activities.
  • Enforcing the Company's terms and conditions, policies, and agreements.
  • Performing any other lawful purpose for which consent has been obtained.

4. NOTICE AND CONSENT

4.1 Notice to Data Principals

Before or at the time of collecting personal data, the Company will provide a clear and itemised notice to the Data Principal in English or in any language specified in the Eighth Schedule of the Constitution of India, containing:

  • The categories of personal data being collected.
  • The specific purposes for which the data will be processed.
  • The manner in which the Data Principal may exercise their rights under this Privacy Policy and the DPDP Act.
  • The manner in which the Data Principal may make a complaint to the Data Protection Board of India.
  • Contact details of the Company's Data Protection Officer or designated person.
  • Details of cross-border transfers of personal data, if any.
  • The process and consequences of withdrawing consent.

4.2 Consent Requirements

Consent obtained from Data Principals must be:

  • Free: Given voluntarily without coercion, fraud, or misrepresentation.
  • Specific: Linked to a clearly specified purpose.
  • Informed: Based on clear, transparent, and adequate information about the processing.
  • Unconditional: Not bundled with or made a precondition for the acceptance of any other terms unrelated to the purpose of processing.
  • Unambiguous: Expressed through an affirmative action indicating agreement.

4.3 Right to Withdraw Consent

Data Principals may withdraw their consent at any time by contacting the Company through the designated channels (email, online portal, written request, or phone). Upon withdrawal of consent, the Company will cease processing the relevant personal data within a reasonable time, except where:

  • Processing is required to comply with a legal obligation, court order, or order of any competent authority.
  • Processing is authorised under legitimate uses as specified under the DPDP Act or other applicable laws.

Withdrawal of consent may affect the Company's ability to provide certain products, services, or benefits to the Data Principal.

4.4 Consent Managers

The Company may, in the future, integrate with registered Consent Managers under the DPDP Act and DPDP Rules to enable Data Principals to manage their consent preferences across multiple Data Fiduciaries through a single platform. Currently, consent is handled directly through the Company's systems and platforms. Data Principals will be notified if and when Consent Manager integration becomes available.

5. AGE RESTRICTION AND ELIGIBILITY

5.1 Minimum Age Requirement

The Company's services, including registration as a Nexus Direct Seller (NDS) or Nexus Preferred Customer (NPC), are available only to individuals who are 18 years of age or older. For the purposes of this Privacy Policy and in accordance with the Digital Personal Data Protection Act, 2023, a child is defined as any individual who has not completed 18 years of age.
The Company does not knowingly collect, process, or retain personal data of individuals under the age of 18 years.

5.2 Age Verification at Registration

At the time of registration, individuals must confirm that they are at least 18 years of age. The Company may implement age verification mechanisms, including but not limited to:

  • Self-declaration of date of birth during account creation.
  • Cross-verification of date of birth against government-issued identity documents (e.g., Aadhaar, PAN, passport, driving licence) submitted during KYC/identity verification processes.
  • Reference to reliable identity and age details already held by the Company or issued by entities entrusted by law or the Central Government (such as Digital Locker service providers under the Digital Locker facility).

By registering with the Company, you represent and warrant that you are at least 18 years of age and possess full legal capacity to enter into a binding contract under Indian law.

5.3 Discovery of Data of Individuals Under 18

If the Company discovers or is notified that personal data of an individual under 18 years of age has been collected (for example, through misrepresentation of age during registration, system error, or otherwise), the Company will:

  • Immediately suspend or terminate the individual's account.
  • Delete all personal data of that individual from the Company's systems and records within a reasonable period, in accordance with this Privacy Policy and applicable law.
  • Notify the individual (or their parent/guardian, if contact details are available and known) of the account suspension and data deletion.

Parents or guardians who believe the Company has inadvertently collected their child's personal data are encouraged to contact the Data Protection Officer immediately at the contact details provided in Section 13 of this Privacy Policy.

5.4 No Liability for Misrepresentation

The Company relies on the truthfulness and accuracy of information provided by individuals during the registration process. The Company is not liable for any consequences arising from deliberate or inadvertent misrepresentation of age by an individual, including, but not limited to, the individual's inability to continue using the Company's services, or any loss, damage, or inconvenience resulting from account suspension, termination, or data deletion.

6. DATA SHARING AND DISCLOSURE

6.1 Sharing with Third Parties

The Company may share personal data with the following categories of recipients, solely for the purposes described in this Privacy Policy and in compliance with applicable law:

  • Service providers and data processors: IT service providers, cloud storage providers, payment gateways, logistics and delivery partners, marketing agencies, customer relationship management (CRM) platforms, SMS/email service providers, and customer support vendors. All such sharing is governed by written contracts that mandate equivalent or higher standards of data protection and restrict onward sharing or unauthorised use.
  • Business partners and affiliates: For joint marketing campaigns, co-branded services, promotional offers, and collaborative business activities, with prior consent where required by law.
  • Legal and regulatory authorities: To comply with applicable laws, regulations, legal processes, court orders, summons, warrants, government requests, tax authorities, law enforcement agencies, or other competent authorities.
  • Professional advisors: Lawyers, auditors, accountants, consultants, and other professional advisors engaged by the Company, under appropriate confidentiality obligations.
  • Corporate transactions: In connection with mergers, acquisitions, asset sales, restructuring, bankruptcy, or similar corporate transactions, subject to confidentiality agreements and continuation of data protection obligations by the successor entity.

The Company will not sell, rent, lease, or trade personal data to third parties for their independent marketing or commercial purposes without obtaining explicit consent from the Data Principal.

6.2 Cross-Border Data Transfers

Where personal data is transferred outside India (for example, to cloud service providers, data processors, or business partners located abroad), such transfers will be made in compliance with the DPDP Act, 2023 and any restrictions, conditions, or approvals notified by the Central Government of India from time to time.
The Company will ensure that such cross-border transfers are governed by written contracts or other legally enforceable arrangements that require the recipient to maintain an equivalent or higher level of data protection and to comply with applicable data protection laws. The Company will also provide Data Principals with information about such transfers in the notice provided at the time of data collection.

7. DATA RETENTION AND DELETION

The Company will retain personal data only for as long as it is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law (including but not limited to tax, accounting, audit, regulatory, and legal retention obligations).
Once personal data is no longer required for the stated purposes and there is no legal or regulatory obligation to retain it, the Company will delete or irreversibly anonymise such data within a reasonable period.
48-Hour Prior Notice of Deletion: Where the Company intends to delete personal data that is no longer required, the Company will provide at least 48 (forty-eight) hours' prior notice to the Data Principal before such deletion, unless:

  • The Data Principal has specifically requested deletion of such data.
  • Deletion is required by law, a court order, or an order issued by a competent authority.
  • Providing notice is not reasonably practicable in the circumstances.

Direct Sellers, Nexus Preferred Customers, and other Data Principals may request deletion of their personal data at any time by contacting the Data Protection Officer, subject to the Company's legal, contractual, and regulatory obligations.

8. DATA PROTECTION AND SECURITY

The Company implements appropriate technical and organisational security measures to protect personal data from unauthorised access, loss, misuse, alteration, destruction, disclosure, or data breaches. These measures include, but are not limited to:

  • Encryption of personal data in transit (using secure protocols such as TLS/SSL) and at rest (using industry-standard encryption algorithms).
  • Access controls and authentication mechanisms to ensure that personal data is accessible only to authorised personnel on a need-to-know basis, using role-based access controls, strong password policies, and multi-factor authentication where appropriate.
  • Data masking, pseudonymisation, and obfuscation techniques, where appropriate, to minimise exposure of sensitive personal data.
  • Logging, monitoring, and auditing of access to personal data, with logs retained for at least one (1) year or longer as required by applicable law, to enable detection, investigation, and prevention of unauthorised access or security incidents.
  • Regular security audits, vulnerability assessments, and penetration testing to identify and address security weaknesses.
  • Incident response and breach management plans for timely detection, containment, and resolution of data breaches or security incidents.
  • Data backup and disaster recovery procedures to ensure business continuity and data integrity.
  • Employee training and awareness programs on data protection, information security, confidentiality obligations, and compliance with the DPDP Act and this Privacy Policy.
  • Secure disposal and destruction of personal data that is no longer required, using methods that ensure such data cannot be reconstructed or retrieved.

Despite these safeguards, no method of electronic transmission, storage, or processing is completely secure. The Company cannot guarantee absolute security, but will take all reasonable and appropriate steps to protect personal data in accordance with applicable law and industry best practices.

9. DATA BREACH NOTIFICATION

In the event of a personal data breach that is likely to cause harm to one or more Data Principals, the Company will:

  1. Notify the Data Protection Board of India in the manner, format, and within the timeline prescribed under the DPDP Act and DPDP Rules.
  2. Notify the affected Data Principals without undue delay, providing:
    • A description of the nature of the breach and the categories of personal data affected.
    • The potential consequences and risks arising from the breach.
    • The measures taken or proposed to be taken by the Company to address the breach, mitigate harm, and prevent recurrence.
    • Contact details of the Data Protection Officer or designated person for further information and assistance.

The Company will also take prompt and appropriate action to investigate the breach, contain its impact, remediate vulnerabilities, and prevent future occurrences.

10. RIGHTS OF DATA PRINCIPALS

Data Principals have the following rights under the DPDP Act, DPDP Rules, and this Privacy Policy:

10.1 Right to Access

To obtain confirmation of whether the Company is processing your personal data, and to access such personal data, along with information about:

  • The purposes of processing.
  • The categories of personal data being processed.
  • The recipients or categories of recipients with whom the personal data has been or will be shared.
  • The period for which the personal data will be retained.

10.2 Right to Correction

To request correction, completion, or updating of inaccurate, incomplete, misleading, or outdated personal data held by the Company.

10.3 Right to Erasure (Right to be Forgotten)

To request deletion or erasure of personal data where:

  • The personal data is no longer necessary for the purposes for which it was collected or processed.
  • Consent has been withdrawn, and there is no other legal basis for continued processing.
  • The processing is unlawful or in contravention of the DPDP Act or any other applicable law.

This right is subject to the Company's legal and regulatory obligations to retain personal data for specified purposes or periods.

10.4 Right to Withdraw Consent

To withdraw consent to the processing of personal data at any time, through the designated channels provided by the Company. Upon withdrawal of consent, the Company will cease processing the relevant personal data within a reasonable time, except where processing is required by law or authorised for a legitimate purpose.
Withdrawal of consent may impact the Company's ability to provide certain services, products, or benefits to the Data Principal.

10.5 Right to Grievance Redressal

To lodge a complaint or raise a grievance regarding the collection, processing, storage, disclosure, or security of personal data with the Company's Data Protection Officer or, if not satisfied with the Company's response, with the Data Protection Board of India.

10.6 Right to Nominate

To nominate another individual (such as a family member, legal representative, or trusted person) to exercise your rights under this Privacy Policy and the DPDP Act in the event of your death or incapacity, in the manner prescribed by the Company from time to time.

10.7 How to Exercise Your Rights

Data Principals may exercise any of the above rights by contacting the Company's Data Protection Officer at the contact details provided in Section 13 of this Privacy Policy. Requests may be submitted via email, written letter, online portal, or other designated channels.
The Company will acknowledge receipt of the request and will respond within a reasonable time, and in any event within the timelines prescribed under the DPDP Act and DPDP Rules (generally within 90 (ninety) days from the date of receipt of the request, unless extended as permitted by law).
The Company may request additional information or documentation to verify the identity of the Data Principal making the request, to prevent unauthorised access to personal data.

11. GRIEVANCE REDRESSAL

11.1 Complaint Procedure

If you have any concerns, complaints, or grievances regarding the collection, processing, storage, disclosure, or security of your personal data, or if you believe that the Company has contravened any provision of the DPDP Act or this Privacy Policy, you may raise a grievance by contacting the Company's Data Protection Officer at the details provided in Section 13 below.
Your grievance should include:

  • Your name and contact details.
  • A description of the issue or complaint.
  • Any relevant supporting documents or information.
  • The relief or remedy you are seeking.

11.2 Response Timeline

The Company will acknowledge receipt of the grievance and will endeavour to resolve it within 90 (ninety) days from the date of receipt, or within such other period as may be prescribed under the DPDP Act or DPDP Rules.
The Company will communicate the outcome of the investigation and the steps taken or proposed to be taken to address the grievance.

11.3 Escalation to Data Protection Board

If you are not satisfied with the Company's response or resolution of your grievance, or if the Company fails to respond within the prescribed timeline, you may file a complaint with the Data Protection Board of India in accordance with the procedures and formats notified under the DPDP Act and DPDP Rules.


12. COOKIES AND TRACKING TECHNOLOGIES

The Company's website and online platforms may use cookies, web beacons, pixels, tags, and similar tracking technologies to:

  • Enhance user experience and website functionality.
  • Analyse website traffic, usage patterns, and performance.
  • Deliver personalised content, recommendations, and advertising.
  • Remember user preferences and login sessions.

Types of cookies used:

  • Essential cookies: Required for the website to function properly (e.g., session management, security).
  • Functional cookies: Enable enhanced functionality and personalisation (e.g., language preference, user settings).
  • Analytics cookies: Collect information about how visitors use the website (e.g., page views, time spent, click patterns).
  • Advertising cookies: Used to deliver relevant advertisements and measure advertising effectiveness.

Managing cookies:
Data Principals may manage or disable cookies in their browser settings. However, disabling certain cookies may affect the functionality of the Company's website and limit access to certain features or services.
For more details about the cookies used by the Company, please refer to the Company's Cookie Policy (if separate) or contact the Data Protection Officer.

13. DATA PROTECTION OFFICER AND CONTACT DETAILS

For all queries, requests, complaints, grievances, and other communications relating to personal data and this Privacy Policy, Data Principals may contact:
Data Protection Officer
Nexus Sanghi Private Limited
Name/Designation: [To be filled]
Postal Address: [To be filled]
Email: [To be filled]
Phone: [To be filled]
The Data Protection Officer is responsible for overseeing compliance with the DPDP Act, this Privacy Policy, and related data protection obligations, and for serving as the primary point of contact for Data Principals and the Data Protection Board of India.

14. OBLIGATIONS OF DIRECT SELLERS

Direct Sellers who collect, use, share, or otherwise process personal data of customers, prospects, or other individuals in connection with their business activities under the Nexus compensation plan and the Company's Direct Seller Enrolment Agreement must:

  • Comply fully with this Privacy Policy, the Company's Policies and Procedures, and all applicable data protection laws, including the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.
  • Obtain all necessary consents from individuals before collecting, processing, or sharing their personal data, and provide clear and adequate notice as required under the DPDP Act.
  • Use personal data solely for lawful purposes and in accordance with the purposes notified to and consented to by the individuals.
  • Implement appropriate technical and organisational security measures to protect personal data from unauthorised access, loss, misuse, alteration, or disclosure.
  • Treat all personal data, including customer information, as private, confidential, and sensitive, and avoid sharing or disclosing such data to unauthorised individuals, entities, or third parties without consent or a lawful basis.
  • Not sell, rent, lease, trade, or transfer personal data to third parties for purposes unrelated to the Direct Seller's business activities under the Company's Direct Seller Enrolment Agreement.
  • Promptly report any data breaches, unauthorised access, loss, misuse, or suspected security incidents involving personal data to the Company's Data Protection Officer.
  • Inform customers and prospects about the provisions of this Privacy Policy before collecting or sharing their personal data with the Company.
  • Ensure accurate, truthful, and complete data entry when registering customers, submitting orders, or providing information to the Company.
  • Respect customer preferences regarding communication, marketing, data usage, and consent withdrawal.

Failure to comply with these obligations may result in disciplinary action, suspension or termination of the NDS (Direct Seller's) account and status, withholding of commissions or bonuses, and potential civil or criminal liability under applicable laws.

15. LAWFUL USES WITHOUT CONSENT

In addition to consent-based processing, the Company may process personal data without obtaining explicit consent where such processing is permitted as a legitimate use under Section 7 of the DPDP Act or other applicable laws, including but not limited to:

  • Compliance with any legal obligation or order of a court or tribunal.
  • Performance of any function under any law or provision of law.
  • Provision of any service or benefit sought by the Data Principal from the State.
  • Issuance of any certification, license, or permit for any action or activity by the State.
  • Performance of a contract to which the Data Principal is a party or taking steps at the request of the Data Principal prior to entering into such a contract.
  • Measures to ensure the safety of, or provide assistance or services to, the Data Principal during any disaster or breakdown of public order.
  • Prevention, detection, investigation, or prosecution of any offence or contravention of any law.
  • Processing personal data that is publicly available or made publicly available by the Data Principal or any other person under any law for the time being in force.
  • Processing personal data that the Data Principal has voluntarily provided to be processed for a specified purpose.

16. ACCOUNTABILITY AND RECORD-KEEPING

The Company will maintain appropriate internal records, documentation, and evidence of its personal data processing activities, consent management, security measures, data breaches, grievance redressal, and compliance with the DPDP Act and DPDP Rules.
The Company will periodically review and update this Privacy Policy, its internal data protection policies, security measures, and operational procedures to ensure continued compliance with evolving legal requirements, regulatory guidance, technological developments, and industry best practices.

17. SIGNIFICANT DATA FIDUCIARY STATUS

As of the date of this Privacy Policy, Nexus Sanghi Private Limited has not been notified by the Central Government of India as a Significant Data Fiduciary (SDF) under Section 10 of the DPDP Act.
If the Company is notified as a Significant Data Fiduciary in the future, additional obligations under the DPDP Rules, 2025 will apply, including but not limited to:

  • Appointment of an independent Data Auditor to conduct annual audits of the Company's compliance with the DPDP Act.
  • Conduct of Data Protection Impact Assessments (DPIA) on an annual basis or more frequently as prescribed.
  • Submission of annual independent audit reports, DPIA reports, and compliance certificates to the Data Protection Board of India.
  • Enhanced security measures, stricter controls on the use of automated decision-making and profiling, and additional transparency obligations.

Data Principals will be informed of any change in the Company's Significant Data Fiduciary status through updates to this Privacy Policy, direct communication, or publication on the Company's website.

18. AMENDMENTS TO THIS PRIVACY POLICY

The Company reserves the right to update, modify, or amend this Privacy Policy from time to time at its discretion, to reflect changes in:

  • Legal or regulatory requirements, including amendments to the DPDP Act or notification of new rules.
  • The Company's business practices, services, products, or operations.
  • Technology, security standards, or industry best practices.

Any material changes to this Privacy Policy will be communicated to Data Principals through one or more of the following means:

  • Publication of the amended Privacy Policy on the Company's website.
  • Email notification to registered Direct Sellers and Nexus Preferred Customers.
  • In-app notifications or prominent notices on the Company's online platforms.
  • Any other appropriate means of communication.

The amended Privacy Policy will take effect immediately upon publication or on such other date as may be specified in the notice of amendment. Continued use of the Company's services, products, or platforms after such publication or notification constitutes acceptance of the revised Privacy Policy.
Data Principals are encouraged to review this Privacy Policy periodically to stay informed about how the Company collects, uses, protects, and shares personal data.

19. GOVERNING LAW AND JURISDICTION

This Privacy Policy and any disputes arising out of or in connection with the collection, processing, storage, disclosure, or security of personal data under this Privacy Policy shall be governed by and construed in accordance with the laws of India, including but not limited to the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025.
Any disputes, claims, or legal proceedings arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in Indore (Madhya Pradesh).

20. CONTACT US

For any questions, concerns, requests, or feedback regarding this Privacy Policy, the Company's data protection practices, or the exercise of your rights as a Data Principal, please contact:
Nexus Sanghi Private Limited
Data Protection Officer
Name/Designation: Ravi Sanghi/Director
Postal Address: 39, B.J. Vihar Colony, Indore
Email: admin@nexussanghi.com
Phone: +91 9109837970
Last Updated: 01-07-2025
Effective Date: 01-07-2025
This Privacy Policy is effective as of the date mentioned above and supersedes all prior versions.