Milk Daily™ - Privacy Policy

═══════════════════════════════════════════════════════════════════════════════

Version: 1.0
Last Updated: February 6, 2026
Effective Date: February 6, 2026
Document ID: MD-PP-2026-001

Previous Versions: None (Initial Release)
Language: English (Authoritative Version)
Governing Law: Digital Personal Data Protection Act, 2023 (India)

Milk Daily™ is a mobile application developed and operated by MDK Genesis, a registered software services company based in India. This Privacy Policy complies with the Digital Personal Data Protection Act, 2023 (DPDP Act) and explains our data practices.

By using Milk Daily, you consent to:

Data collection, use, and sharing as described
Cross-border transfers with safeguards
Processing for stated purposes
Electronic notices about your data

If you don't agree, immediately stop using the App and delete your account.

2. COMPLIANCE FRAMEWORK

We comply with:

DPDP Act, 2023 (Primary law) - Key sections:
- Section 4: Processing of Personal Data (Lawful Purpose)
- Section 5: Notice Requirements
- Section 6: Consent Requirements
- Section 7: Consent for Children
- Section 8: Data Fiduciary Obligations
- Sections 11-14: Data Principal Rights
- Section 15: Data Protection Board Procedures
Information Technology Act, 2000
Information Technology (Reasonable Security Practices) Rules, 2011
Consumer Protection Act, 2019
Consumer Protection (E-Commerce) Rules, 2020
Google Play & Apple App Store requirements

3. INFORMATION WE COLLECT

3.1 Personal Data

Information Collected from Admins:

Full name
Email address
Phone number (for OTP verification)
Business name and details
Business address (optional, for invoicing)
Profile image (optional)

Information Collected from Users (via Admin):

Full name
Phone number
Address (delivery/service address, if provided by Admin)
Profile image (optional)
Relationship to Admin (customer classification)
Delivery slot/route assignment number

Authentication Data:

Hashed password (BCrypt encrypted, never stored in plain text)
OTP verification records (phone number + timestamp)
Session tokens (encrypted, automatically expired)
Login timestamps and IP addresses (for security)
Failed login attempts (for rate limiting)

Subscription Data:

Purchase history and transaction IDs
Subscription status and tier
Payment method type (not card details)
Billing cycle information
RazorPay customer ID (for subscription management)

3.2 Business Data

Transaction Records:

Milk delivery transactions and quantities
Stock levels and pricing information
Payment records and advances
Payment method preferences (Cash, PhonePe, GPay, Paytm, Other)
Service charges, discounts, and taxes
Cancellation records and history
Order deletion audit logs (for data integrity)

Uploaded Content:

Excel/CSV files for bulk user import (processed and deleted within 24 hours)
Business images (shop photos, logos)
Splash screen customization images
Profile photographs

Reports Generated:

Daily/Monthly transaction summaries
Payment collection reports
Stock movement reports
User activity summaries

Configuration Data:

Shop/business customization settings
Theme preferences
Notification preferences
WhatsApp API configuration (encrypted)
Billing cycle and date filter settings
Recurring order automation schedules

3.3 Technical Data

Device Information:

Device type and model
Operating system and version
App version installed
Screen resolution (for UI optimization)
Device language settings

Session & Authentication Data:

Authentication tokens (encrypted, 2-hour validity, auto-refresh available)
Session identifiers (rotated on each login)
Token refresh timestamps
Last active timestamp

Usage Analytics (Anonymized):

Feature usage patterns (no personal identifiers)
App navigation flows
Performance metrics (load times, errors)
Crash reports (stack traces without personal data)

Security Logs:

Login attempts (successful and failed)
IP addresses (for fraud detection)
Rate limit violations
Suspicious activity indicators

Network Information:

Connection type (WiFi/Mobile data)
API response times
Request timestamps

3.4 Data We Do NOT Collect

We explicitly do NOT collect:

Precise GPS/geolocation data (we may store address text provided by Admin)
Contact lists or phone book access
Call logs or SMS history
Biometric data (fingerprints, face ID - these stay on your device)
Sensitive personal data as defined under DPDP Act:
- Health or medical information
- Financial information (bank account, card numbers)
- Sexual orientation
- Political opinions
- Religious beliefs
- Genetic or biometric data
- Caste or tribe information
Background app activity
Microphone or camera access (except for optional profile photo)
Browsing history
Social media data

Note: Delivery/service addresses provided by Admins for their Users are considered business operational data, not location tracking.

4. DATA ROLES (DPDP ACT, 2023)

4.1 Admin = Data Fiduciary (Section 2(i))

Under Section 2(i) of the DPDP Act, Admins qualify as Data Fiduciaries because they:

Determine the purpose of processing User data
Determine the means of processing
Control all User data they add
Are responsible for obtaining valid consent under Section 6
Must provide notice under Section 5
Must respond to Data Principal requests under Sections 11-14

4.2 We = Data Processor (Section 2(k))

Under Section 2(k) of the DPDP Act, MDK Genesis acts as Data Processor:

Process data on Admin's documented instructions
Provide technical platform and infrastructure
Implement security safeguards under Section 8(5)
Assist Admin with compliance obligations
Notify Admin of data breaches under Section 8(6)

4.3 User = Data Principal (Section 2(j))

Users are Data Principals with rights under Chapter III of the DPDP Act:

Right to access information (Section 11)
Right to correction and erasure (Section 12)
Right to grievance redressal (Section 13)
Right to nominate (Section 14)

4.4 Data Processing Agreement

Integrated in Terms Section 3.4
Downloadable from App settings
Governs Data Fiduciary-Processor relationship
Compliant with Section 8(2) of DPDP Act

5. HOW WE USE DATA

5.1 Service Delivery

Account management
Transaction processing
Report generation
WhatsApp messaging (with your API key)
Subscription handling

5.2 Service Improvement

Performance optimization
Feature development
Bug fixes
User experience

5.3 Security & Compliance

Fraud prevention
Legal compliance
Policy enforcement
Security monitoring

5.4 Communications

Service updates
Security notices
Subscription alerts
Support responses

6.1 No Sale of Data

We never sell, rent, or trade personal data.

We may disclose personal data only when legally required (see Section 6.3 below).

With Processors:

Cloud hosting
Payment processors (RazorPay)
SMS gateway (TextBelt)
Email services (SendGrid, if applicable)
Backup services

All processors sign DPAs with equivalent protection.

6.3 Legal Disclosures

When required by:

Court orders
Government authorities
Law enforcement
Data Protection Board

6.4 Business Transfers

In merger/acquisition:

Data transfers to successor
Same protections continue
Notice provided

7. DATA SECURITY

7.1 Technical Measures

Measure	Implementation
Encryption (Transit)	HTTPS/TLS for all communications
Password Storage	BCrypt hashing (industry standard)
Access Control	RBAC, least privilege
Network	CORS enforcement, request validation
Testing	Security assessments as scheduled
Monitoring	Error logging, anomaly detection
Backups	Encrypted, tested

7.2 Organizational Measures

Employee training and NDAs
Security policies and procedures
Incident response plan
Regular audits and reviews

7.3 Evidence Maintained

Security architecture documentation
Vulnerability assessments (when conducted)
Compliance documentation
Incident response playbook

7.4 Data Protection Impact Assessment (DPIA)

In accordance with privacy best practices and anticipated DPDP Act guidelines, we conduct Data Protection Impact Assessments:

When We Conduct DPIA:

Before introducing new processing activities
When processing large volumes of personal data
When using new technologies
When processing may result in significant harm
Before significant changes to existing processing

Our DPIA Process:

Describe the processing activity and purpose
Assess necessity and proportionality
Identify risks to Data Principals
Implement risk mitigation measures
Document decisions and outcomes
Review periodically

Transparency:

DPIA summaries available upon request (where applicable)
High-risk processing activities disclosed
Mitigation measures communicated

8. DATA RETENTION (Section 8(7), DPDP Act, 2023)

Under Section 8(7) of the DPDP Act, we retain personal data only for as long as necessary to fulfill the purpose for which it was collected, unless retention is required by law.

8.1 Retention Schedule

Data Type	Retention Period	Legal Basis	Regulatory Reference
Active Account Data	Subscription term + 90 days grace	Service delivery (Contract)	Section 8(7) DPDP Act
Personal Identifiers (name, phone, email)	Until deletion request or account termination	User consent & control	Section 6 DPDP Act
Transaction Records	36 months (anonymized after closure)	Tax compliance	GST Act - 6 years; Income Tax Act - 7 years
Subscription/Payment History	7 years	Tax laws	Income Tax Act, 1961
Technical/Security Logs	180 days	Security, Fraud prevention	IT (Reasonable Security) Rules, 2011
Encrypted Backups	30 days rolling	Disaster recovery	Business continuity
OTP Records	24 hours (10 min validity)	Verification security	Operational necessity
Session Tokens	2 hours (active), Immediate on logout	Authentication	Security best practices
Failed Login Attempts	24 hours	Rate limiting, Security	Security best practices
Uploaded Files (Excel imports)	24 hours (originals)	Processing only	Data minimization principle
Profile/Business Images	Account lifetime + 30 days post-deletion	Service feature	Section 8(7) DPDP Act
Consent Records (WhatsApp, T&C)	36 months after last interaction	Compliance evidence	Section 6 DPDP Act
DSAR Request Logs	36 months	Compliance audit trail	Section 11-14 DPDP Act

8.2 Anonymization

Method: Cryptographic hashing with salt
Purpose: Compliance, audit, disputes
Retention: 36 months
Irreversible: Technically infeasible to re-identify

8.3 Subscription Lapse

Days 1-90: Read-only, data retained
After 90 days: Eligible for deletion
Export reminders: Days 30, 60, 85

8.4 Retention Exceptions (Legal/Regulatory Requirements)

We may retain certain data beyond the standard retention periods when required by law:

Exception Type	Retention Period	Legal Basis
Ongoing Legal Proceedings	Until resolution + 1 year	Court orders, legal holds
Tax Audit Requirements	Up to 7 years	Income Tax Act, 1961; GST Act
Regulatory Investigation	As directed by authority	DPDP Act Section 8(7) proviso
Dispute Resolution	Until settlement + 3 years	Limitation Act, 1963
Law Enforcement Request	As legally mandated	IT Act, 2000; CrPC
Anti-Money Laundering	5 years after relationship ends	PMLA, 2002 (if applicable)

Your Rights During Extended Retention:

You will be notified if retention is extended due to legal requirements
Data access rights remain available (subject to legal restrictions)
Upon resolution, standard deletion timelines resume

9. DATA DELETION

9.1 Unified Deletion Timeline

All deletion requests follow this single process:

Step 1: Request Submission

Via App: Settings > Account > Delete Account
Via Email: dhilipkumarmd1961@gmail.com
Required Information:
- Account email/phone
- Reason for deletion (optional)
- Confirmation of data export completion (recommended)

Step 2: Acknowledgment (Within 7 Calendar Days)

We confirm receipt of your request
We verify your identity (may request additional proof)
We provide estimated completion timeline

Step 3: Processing Period (Days 1-30)

Days 1-14: Account Deactivation
- Access suspended
- Data export still available
- Reversible upon request
Days 15-30: Permanent Deletion
- Personal identifiers removed
- Transaction records anonymized
- Associated User data processed (for Admin accounts)

Step 4: Completion Confirmation

Written confirmation sent to registered email
Summary of deleted/anonymized data categories
Retention exceptions explained (if any)

Step 5: Extension (If Applicable)

Complex requests may extend by additional 30 days
You will be notified with reasons for extension
Maximum total processing time: 60 calendar days

9.2 Admin Account Deletion

When an Admin requests deletion:

30-day mandatory grace period for data export
All associated User data will be deleted or anonymized
Users will be notified of impending data deletion
Subscription will be cancelled (no refund for current period)
Process is IRREVERSIBLE after confirmation

9.3 User Account Deletion

Users may request deletion through:

Their Admin (preferred and faster)
Direct request to dhilipkumarmd1961@gmail.com

Processing:

Admin is notified of User's request
User's personal data deleted within 30 days
Transaction records anonymized (retained for Admin's compliance)

9.4 Verification Requirements

To prevent unauthorized deletion requests, we require:

Request from registered email/phone
Account password confirmation (via App)
For high-value accounts: Additional identity verification
For legal/court-ordered deletions: Proper legal documentation

10. YOUR RIGHTS (Chapter III, DPDP ACT, 2023)

10.1 Rights Summary

Right	DPDP Section	Description	Timeline
Access	Section 11	Know what data we have and how it's used	30 days
Correction	Section 12	Fix inaccurate or misleading data	30 days
Erasure	Section 12	Request deletion of your data	30 days
Portability	Section 11	Get your data in machine-readable format	30 days
Consent Withdrawal	Section 6(4)	Withdraw consent at any time	Immediate
Grievance	Section 13	Complain to our Grievance Officer	30 days
Nomination	Section 14	Nominate someone to exercise rights on your behalf	As needed
Board Complaint	Section 15	Complain to Data Protection Board	After exhausting internal remedies

10.2 How to Exercise Rights

Step 1: Submit Request

Email dhilipkumarmd1961@gmail.com with:

Account details
Request type
Identity proof
Contact info

Step 2: Our Processing

We will:

Acknowledge in 7 days
Verify identity
Process in 30 days (may extend 30 days)
Respond in writing

Step 3: If Unsatisfied

Internal escalation to Grievance Officer
Data Protection Board of India
Courts in Tamil Nadu

10.3 Fees

No charge for standard requests
Reasonable fee for excessive requests
Free for data correction

11. WHATSAPP MESSAGING

11.1 Your Responsibility

When using WhatsApp features:

You provide your own Business API key
You obtain explicit consent from recipients
You maintain consent records
You provide opt-out ("STOP")
You comply with WhatsApp policies

11.2 Our Role

Technical conduit using your key
Don't store API keys permanently
Don't access message content
Provide delivery status only

11.3 Message Types

Transactional only: Reports, alerts
No marketing/promotional
Frequency limits as per WhatsApp policy

12. INTERNATIONAL TRANSFERS (Section 16, DPDP Act, 2023)

Under Section 16 of the DPDP Act, 2023, transfer of personal data outside India is permitted except to countries restricted by the Central Government.

12.1 Transfer Locations

Data may transfer outside India for:

Cloud hosting (servers may be in Singapore, US)
Technical support
Analytics (anonymized)
SMS/Email delivery services

12.2 Safeguards (Pending DPDP Rules)

Pending specific rules under Section 16, we implement:

Standard Contractual Clauses (as per global best practices)
Adequacy assessments of destination countries
Additional technical measures (encryption, access controls)
Regular compliance reviews
Data minimization for transfers

Note: Upon publication of specific data transfer rules under Section 16 of the DPDP Act, we will update our transfer mechanisms accordingly.

Our Commitment:

We will adopt any rules published under Section 16 within 60 days of their effective date
We will notify all Admins via email of any changes to cross-border transfer mechanisms
Updated policies will be published with 30 days advance notice before taking effect
Previous transfer mechanisms will be documented for audit purposes

12.3 Your Rights

Be informed about cross-border transfers
Understand the safeguards in place
Object to transfers in certain circumstances
Request information about specific transfers

13. LOCAL STORAGE & DEVICE DATA

13.1 Essential Local Storage (Cannot Be Disabled)

As a mobile application, Milk Daily uses secure device storage instead of browser cookies:

Authentication Storage:

Encrypted session tokens (in device secure storage/Keychain)
Login state persistence
User identifier for quick login

Functional Storage:

App preferences and settings
Theme and language preferences
Last sync timestamp
Cached user data for offline access

Security Storage:

Device verification tokens
Biometric authentication references (stored locally only)
Security question hashes

13.2 Optional Local Storage

Performance Cache:

Recent transaction data (for quick loading)
Report templates
Frequently accessed data
Image thumbnails

You can clear cached data via:

App Settings > Storage > Clear Cache
Device Settings > Apps > Milk Daily > Clear Data (will require re-login)

13.3 What We DON'T Store Locally

Complete transaction history (fetched from server)
Other users' data
Payment/financial credentials
Plain text passwords or OTPs

13.4 No Browser Cookies

As this is a native mobile application:

We do NOT use browser cookies
We do NOT use web tracking pixels
We do NOT use advertising identifiers
We do NOT share data with ad networks

13.5 Third-Party SDKs

Our app may include the following SDKs that have their own data practices:

SDK	Purpose	Data Access	Privacy Link
RazorPay SDK	Payments	Transaction data	razorpay.com/privacy
Crashlytics (if applicable)	Crash reporting	Crash logs (anonymized)	firebase.google.com/support/privacy

All SDKs are configured for minimal data collection and comply with our privacy standards.

14. BREACH NOTIFICATION

14.1 Our Process

Stage	Timeline
Detection	Within 24 hours
Assessment	Within 72 hours
Notification (DPB)	Within 72 hours (if significant harm)
Notification (Admins)	Without undue delay
Remediation	Immediate action

14.2 Significant Harm Threshold (Section 8(6), DPDP Act)

⚠️ INTERIM THRESHOLD NOTICE: The monetary threshold below (₹10,000) is our internal assessment pending official Data Protection Board guidance. This may be revised.

A breach is considered to cause "significant harm" (as contemplated under Section 8(6) of the DPDP Act, requiring notification to the Data Protection Board) if it involves:

Quantitative Thresholds:

Financial loss exceeding ₹10,000 per person (interim - subject to DPB guidance)
100+ Data Principals affected
Sensitive personal data categories involved

Qualitative Factors:

Identity theft or fraud risk
Reputational damage or humiliation
Discrimination based on personal data
Mental trauma or psychological distress
Loss of employment or business opportunity
Physical safety concerns
Children's data involved

Note: The Data Protection Board of India may issue specific guidance on "significant harm" thresholds under Section 8(6). The monetary threshold of ₹10,000 is our internal assessment based on industry practices and will be revised upon official DPB guidance. This interim threshold is applied consistently across our Privacy Policy and Terms & Conditions (Section 22.4).

Update Commitment: We will formally revise this threshold within 30 calendar days of any conflicting or superseding guidance issued by the Data Protection Board of India.

14.3 Notification Content

Our breach notifications will include:

Nature of breach
Categories of data affected
Likely consequences
Measures taken to address
Contact details for questions

15. CHILDREN'S PRIVACY (Section 9, DPDP Act, 2023)

15.1 Age Restriction & Legal Basis

Under Section 9 of the DPDP Act, 2023:

App is NOT for individuals under 18 years of age
Valid consent under Section 6 requires the person to be 18+
For users under 18, verifiable parental/guardian consent is required
We do not knowingly collect data from children without proper consent
If we discover unauthorized child data, we delete immediately

15.2 Age Verification Mechanism

We implement the following measures to prevent underage usage:

During Registration:

Self-declaration checkbox confirming age 18+
Date of birth field (optional but recommended)
Terms acceptance requiring age confirmation

Ongoing Monitoring:

Pattern detection for potentially underage users
Admin responsibility verification for added Users
Periodic reminders about age requirements

Upon Discovery of Underage User:

Immediate account suspension (within 24 hours)
Notification to associated Admin (if applicable)
Data deletion within 72 hours
In any exceptional case where service may be provided to a minor, verifiable parental consent is mandatory under Section 9 of the DPDP Act, 2023 (including identity verification of the parent/guardian)
Documentation of incident for compliance records

15.3 Parental Rights

Parents/guardians may:

Request deletion of child's data: dhilipkumarmd1961@gmail.com
Verify if child's data exists in our systems
Provide verifiable consent for child's use (exceptional cases)
Complain to Data Protection Board if concerned

16. POLICY UPDATES

16.1 When We Update

We may update this policy to:

Comply with new laws
Reflect practice changes
Improve clarity
Add new features

16.2 Notification

In-App notice for 30 days
Email to registered Admins
Updated "Last Updated" date
Previous versions available on request

16.3 Your Acceptance

Continued use = Acceptance of changes.

If you disagree, stop using the App and delete your account.

17. CONTACT US

Note: The email address listed below (dhilipkumarmd1961@gmail.com) is a personal email used temporarily. A dedicated business email will be provided soon.

17.1 Grievance Officer (DPDP Act, 2023)

As required under the Digital Personal Data Protection Act, 2023:

Field	Details
Name	Mr. Dhilip Kumar M (Grievance Officer)
Organization	MDK Genesis
Email	dhilipkumarmd1961@gmail.com
Phone	+91-8072561961
Address	1-151-2 Koppampatti, Rasipuram, Namakkal - 637403, Tamil Nadu, India
Response	7 days acknowledgment, 30 days resolution

17.2 General Support

Field	Details
Email	dhilipkumarmd1961@gmail.com
Hours	Monday - Friday, 10:00 AM - 6:00 PM IST
Security Issues	dhilipkumarmd1961@gmail.com

17.3 Legal Notices

Field	Details
Address	1-151-2 Koppampatti, Rasipuram, Namakkal - 637403, Tamil Nadu, India
Email	dhilipkumarmd1961@gmail.com

18. GOVERNING LAW

Primary: DPDP Act, 2023
Secondary: IT Act, 2000
Jurisdiction: Courts in Tamil Nadu, India
Language: English prevails

19. VERSION HISTORY & CHANGE LOG

We maintain a record of all changes to this Privacy Policy for transparency and compliance.

Version	Date	Changes	Effective Date
1.0	February 6, 2026	Initial release - DPDP Act 2023 compliant	February 6, 2026

Future Updates:

Major changes: 30 days advance notice via email and in-app notification
Minor clarifications: 7 days notice
Regulatory updates: Within timelines specified by law
All previous versions available upon request at dhilipkumarmd1961@gmail.com

DOCUMENT END

Milk Daily™ is a trademark of MDK Genesis.

This document was last reviewed on February 6, 2026.