Milk Daily™ - TERMS & CONDITIONS

═══════════════════════════════════════════════════════════════════════════════

Version: 1.0
Last Updated: February 6, 2026
Effective Date: February 6, 2026
Document ID: MD-TC-2026-001

Previous Versions: None (Initial Release)
Language: English (Authoritative Version)

CRITICAL PRE-USE ACKNOWLEDGMENT

THIS IS A LEGALLY BINDING AGREEMENT. BY ACCESSING THE MILK DAILY APPLICATION, YOU CONFIRM:

You have read, understood, and agree to these Terms
You are solely responsible for verifying all financial calculations
This is a record-keeping tool ONLY - not a financial advisor
You assume all risks associated with data accuracy and security

1. DEFINITIONS & INTERPRETATION

1.1 "App" means the Milk Daily mobile application, website, APIs, and all related services.

1.2 "Admin" means the primary subscription holder who purchases, manages users, and controls all data. Under the DPDP Act, 2023, the Admin acts as the Data Fiduciary for all data of Users they add.

1.3 "User" means any individual added by an Admin via invite code.

1.4 "We/Us/Our" refers to MDK Genesis, its affiliates, directors, and employees.

1.5 "You/Your" refers to any person or entity accessing the App.

1.6 "Subscription" means the paid access period purchased through official app stores.

1.7 "Content" includes all data, images, records, and information uploaded to the App.

1.8 "DPDP Act" means the Digital Personal Data Protection Act, 2023 of India, including all rules, regulations, and guidelines issued thereunder.

1.9 "WhatsApp API Key" means the Business API credentials provided by Admin for sending messages.

1.10 "Significant Harm" as referenced in Section 8(6) of the DPDP Act, 2023, means any data breach that may cause or is likely to cause:

Bodily harm
Significant financial loss
Identity theft or fraud
Loss of reputation
Humiliation or mental trauma
Discrimination based on personal data
Loss of employment or business opportunity
Any other significant harm to the Data Principal

1.11 "OTP" means One-Time Password used for account verification and authentication.

1.12 "Session Token" means the encrypted authentication credential issued upon successful login.

1.13 "Rate Limiting" means the restriction on the number of API requests to prevent abuse.

1.14 "Data Principal" means an individual whose personal data is being processed.

1.15 "Data Fiduciary" as defined in Section 2(i) of the DPDP Act, 2023, means any person who alone or in conjunction with other persons determines the purpose and means of processing personal data.

1.16 "Consent" as defined in Section 6 of the DPDP Act, 2023, means free, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes.

1.17 "Data Protection Impact Assessment (DPIA)" means an assessment conducted to identify and minimize the data protection risks of processing activities.

1.18 "Lawful Purpose" as per Section 4 of the DPDP Act, 2023, means any purpose not expressly forbidden by law.

2. ACCEPTANCE & ELECTRONIC AGREEMENT

2.1 By downloading, installing, accessing, or using Milk Daily, you:

Confirm you are at least 18 years old (as required for valid consent under Section 9 of DPDP Act, 2023)
Have authority to bind your organization (if applicable)
Accept these Terms as legally binding
Consent to electronic communication
Provide valid consent as defined under Section 6 of the DPDP Act, 2023

2.1.1 Age Verification Mechanism

We implement the following age verification measures:

Self-Declaration: During signup, you must confirm you are 18 years or older
Date of Birth Collection: Optional DOB field for verification
Account Monitoring: We monitor for patterns indicating underage users
Admin Responsibility: Admins must ensure Users they add are 18+
Parental Notice: If we discover a user under 18, we will:
- Immediately suspend the account
- Notify the Admin (if applicable)
- Delete all associated personal data within 72 hours
- In any exceptional case where service may be provided to a minor, require verifiable parental consent as mandated under Section 9 of the DPDP Act, 2023 (including identity verification of the parent/guardian)

2.2 Mandatory In-App Acknowledgment

Before first use as Admin, you must explicitly confirm:

"I understand Milk Daily is a record-keeping tool only. I am solely responsible for verifying all financial data, calculations, and compliance. I will not rely solely on this app for financial decisions. I acknowledge that I must obtain necessary consents for WhatsApp messages and comply with all applicable laws."

This acknowledgment is logged, timestamped, and linked to your account. You can export this acknowledgment record from your account settings.

2.3 Disagreement

If you disagree with any term, immediately cease use and delete the App.

3. ACCOUNT TYPES & HIERARCHICAL RESPONSIBILITIES

3.1 ADMIN ACCOUNTS (PRIMARY CONTROLLERS)

Rights:

Purchase and manage subscriptions
Generate and distribute invite codes
Add, modify, delete milk stocks and pricing
Set service charges, discounts, and taxes
View all user transactions, cancellations, reports
Manage payment records and advances
Export data in CSV/PDF formats
Customize shop name, branding, themes
Use bulk import via spreadsheet (Excel/CSV)
Connect WhatsApp Business API for report sending

Responsibilities:

Ensure accuracy of all entered data
Maintain legal compliance for all transactions
Securely manage and distribute invite codes
Resolve all user disputes
Verify all generated reports
Maintain independent backups
Ensure tax compliance and filings
Protect login credentials
Obtain necessary consents from Users for data processing
Fulfill data subject requests from Users within 30 days
Maintain proof of consent for WhatsApp messages
Provide and manage your own WhatsApp Business API credentials

Legal Status: Admins act as Data Fiduciaries for their Users' data under Section 2(i) of the DPDP Act, 2023 and are solely responsible for:

Establishing lawful basis for processing under Section 4
Obtaining valid consent under Section 6
Providing notice under Section 5
Fulfilling Data Principal rights under Sections 11-14

3.2 USER ACCOUNTS (LIMITED ACCESS)

Permissions:

Join only via Admin's invite code
Log daily purchases and cancellations
View personal daily/monthly summaries
Access own transaction history
Opt-out of WhatsApp messages via "STOP" keyword

Restrictions:

Cannot modify stock, pricing, or other users' data
Cannot access financial settings
Cannot export bulk data
No administrative privileges

3.3 DATA FIDUCIARY-PROCESSOR RELATIONSHIP

3.3.1 For all data processing activities within the App, the following roles apply:

Admin: Data Fiduciary under DPDP Act
MDK Genesis: Data Processor under DPDP Act
User: Data Principal under DPDP Act

3.3.2 This relationship is governed by the Data Processing Agreement in Section 3.4.

3.4 DATA PROCESSING AGREEMENT (INTEGRATED)

DATA PROCESSING AGREEMENT BETWEEN ADMIN (DATA FIDUCIARY) AND MDK GENESIS (DATA PROCESSOR)

A. SCOPE AND PURPOSE

This DPA forms part of the Terms & Conditions and governs the processing of personal data by MDK Genesis on behalf of the Admin. The purpose is to provide the Milik Daily services as described in these Terms.

B. PROCESSING DETAILS

Data Subjects: Users added by Admin
Categories of Data: Name, contact details, address, transaction records, financial data
Processing Operations: Storage, retrieval, calculation, reporting, notification
Duration: For the term of the Subscription
Anonymization Method: Cryptographic hashing with salt to remove personal identifiers, making re-identification technically infeasible

C. PROCESSOR OBLIGATIONS

MDK Genesis shall:

Process data only on documented instructions from Admin
Ensure confidentiality of processed data through employee training and access controls
Implement appropriate technical and organizational security measures including:
- Password hashing using BCrypt algorithm
- HTTPS/TLS encryption for data in transit
- Secure session token management
- Regular security updates
- Access logging and monitoring
Assist Admin in fulfilling data subject requests under DPDP Act
Notify Admin of any data breaches without undue delay (within 72 hours of confirmation)
Delete or return all data upon termination as per Section 7.3
Maintain records of processing activities (ROPA) as required by DPDP Act
Allow for audits by Admin or their representatives with 30 days prior notice, not more than once annually

D. SUB-PROCESSING

1. We engage the following sub-processors:

Sub-Processor	Purpose	Data Processed	Location
Cloud Hosting Provider	Data storage & infrastructure	All app data (encrypted)	India / Singapore
RazorPay	Payment processing	Transaction data (no card details)	India
TextBelt / SMS Gateway	OTP delivery	Phone number, OTP code	USA / India
SendGrid (if applicable)	Email notifications	Email address, message content	USA
Backup Service Provider	Disaster recovery	Encrypted backups	India

2. We ensure sub-processors provide equivalent protection through:

Written Data Processing Agreements
Security assessments before engagement
Regular compliance reviews
Contractual liability provisions

3. Sub-Processor Change Notification:

We notify Admins via email 30 days before adding new sub-processors
Notification includes: Name, purpose, data categories, location
You may object within 15 days with valid concerns
Default Outcome: If you do not object within 15 days, you are deemed to have accepted the new sub-processor
Current list always available in App Settings > Privacy > Sub-Processors

4. Sub-Processor Audit:

We conduct annual security reviews of all sub-processors
Results available upon request (under NDA)
Non-compliant sub-processors are replaced within 90 days

E. CROSS-BORDER TRANSFERS

Where data transfers occur outside India, we implement:

Standard Contractual Clauses approved by relevant authorities
Additional technical measures (encryption, access controls)
Regular compliance reviews of transfer mechanisms
Data minimization for transferred data

F. COOPERATION AND AUDITS

We cooperate with Admin for DPDP Act compliance
Admin may request summary audit reports (annual basis)
We provide necessary information to demonstrate compliance
Audit rights are subject to confidentiality obligations

G. DATA SUBJECT REQUEST ASSISTANCE

We provide tools for Admin to fulfill User requests
We assist with technical aspects of data portability
We verify requestor identity when assisting directly

H. TERM AND TERMINATION

This DPA remains effective while we process personal data on Admin's behalf. Upon termination, data handling follows Section 7.3.

3.4.1 By using the App as an Admin, you agree to this DPA. A downloadable version is available in App settings.

4. SUBSCRIPTION, PAYMENTS & BILLING POLICY

4.1 Subscription Model

Access requires active subscription
Pricing displayed in App
Payments processed through RazorPay
We DO NOT store payment card details

4.2 Auto-Renewal (CLEAR NOTICE)

⚠️ Important: Your subscription automatically renews at the end of each billing period. To avoid charges:

Disable auto-renewal at least 24 hours before current period ends
Auto-renewal is managed in your device's app inside subscription settings
For RazorPay payments, manage in your Milk Daily account settings
We send renewal reminders 7 days and 1 day before renewal

Multi-Channel Renewal Reminders: | Timing | Channel | Content | |--------|---------|--------| | 7 days before | Email + In-App Push | "Your subscription renews in 7 days" | | 3 days before | In-App Push Notification | "Renewal reminder: 3 days left" | | 1 day before | Email + In-App Push + Banner | "Final reminder: Renews tomorrow" | | On renewal | Email confirmation | "Your subscription has been renewed" |

In-App Notice: "Your subscription will automatically renew. To cancel, go to subscription settings at least 24 hours before renewal."

How to Disable Auto-Renewal:

iOS: Settings > Apple ID > Subscriptions > Milk Daily > Cancel
Android: Play Store > Menu > Subscriptions > Milk Daily > Cancel
RazorPay: Milk Daily App > Settings > Subscription > Manage > Cancel*

4.3 Pricing & Tax Changes

We may modify subscription prices with:

30 days advance email notice to Admins
Clear in-App notification with comparison
Option to cancel before new rate applies

4.4 Third-Party Payment Processors

RazorPay for direct payments - Processors are solely responsible for:

Payment security and PCI DSS compliance
Transaction completion and receipts
Refund processing and disputes
Billing inquiries and chargebacks

We are NOT liable for processor failures, delays, or errors. Refunds must be requested through the respective payment processor.

4.5 App Store Compliance

These Terms comply with:

Google Play Developer Distribution Agreement
Apple App Store Review Guidelines
Required auto-renewal disclosures
Refund handling through store mechanisms

5. REFUND & CANCELLATION TERMS

5.1 Cancellation by You

Cancel anytime via Account settings (for RazorPay payments)
Cancellation stops future billing
No refunds for current billing period
Access continues until period ends

5.2 Refund Policy

All refund requests must be directed to RazorPay support (for direct payments).

We do NOT provide direct refunds. RazorPay policies govern all refunds.

Exception - Service Non-Performance: In cases of documented service failure on our part, you may be eligible for pro-rata credit or refund:

Issue	Remedy	How to Claim
Service unavailable for 24+ consecutive hours	Pro-rata credit for downtime	Email dhilipkumarmd1961@gmail.com with details
Critical feature failure for 72+ hours	Pro-rata credit or partial refund	Email with feature name and impact
Data loss due to our negligence	Full refund for affected period	Email dhilipkumarmd1961@gmail.com
Security breach causing harm	Case-by-case evaluation	Contact Grievance Officer

Eligibility Conditions:

Issue must be reported within 7 days of occurrence
Issue must be caused by our systems (not user error or third-party services)
Documentation/screenshots required
Decision made within 15 business days
Credits applied to next billing cycle; refunds within 30 days

5.3 Subscription Lapse

If subscription lapses:

All Admin and User access suspended immediately
Data retained for 90 days (read-only access)
After 90 days, data becomes eligible for deletion
Reactivation requires new subscription purchase
Export reminders sent at days 30, 60, and 85

6. FINANCIAL & LEGAL DISCLAIMERS

6.1 Purpose Limitation

Milk Daily is EXCLUSIVELY a:

Record-keeping and organization tool
Data tracking and calculation assistant
Reporting and summary generator

It is NOT a:

Financial advisor or planning service
Accounting or auditing system
Legal compliance tool or consultant
Tax calculation or filing service
Banking or payment processing service

6.2 Accuracy Responsibility

While we strive for accurate calculations, YOU ARE SOLELY RESPONSIBLE FOR VERIFYING ALL FINANCIAL DATA.

You must:

Verify all calculations manually before relying on them
Maintain independent business records and books
Consult qualified professionals (CA, lawyers) for legal/tax matters
Cross-check all financial data against original sources
Ensure compliance with GST and other tax regulations

6.3 No Reliance Clause

You agree NOT to rely solely on the App for:

Financial or business decisions
Tax calculations or filings
Legal compliance verification
Business planning or forecasting
Any consequential actions with financial impact

7. DATA MANAGEMENT & OWNERSHIP

7.1 Data Entry Responsibility

Admins own all data entered through their account
Users own their personal transaction data
Accuracy responsibility lies with the enterer
Admins must maintain original transaction records

7.2 Storage & Backup

WE DO NOT GUARANTEE PERMANENT OR COMPLETE DATA STORAGE.

Data may be lost due to technical failures
Regular independent backups are YOUR responsibility
Export feature provided for backup purposes
We maintain backups for disaster recovery (encrypted, 30-day retention)

7.3 Data Deletion Protocol - SINGLE SOURCE OF TRUTH

A. User-Initiated Deletion:

Request: Via Admin or email to dhilipkumarmd1961@gmail.com
Acknowledgment: Within 7 calendar days
Processing:
- Days 1-14: Account deactivated, reversible period
- Days 15-30: Personal identifiers permanently deleted
- Transaction records anonymized (cryptographic hashing)
Completion: Within 30 calendar days total
Extension: Complex requests may extend by 30 days with notification

B. Admin Account Deletion:

Request: Via App settings or email
Grace Period: 30 days for data export
Processing: After 30 days, all associated User data deleted/anonymized
Irreversible: No recovery after confirmation

C. Subscription Lapse:

Days 1-90: Read-only access, data retained
After 90 days: Eligible for deletion
Export: Available during 90-day period

D. Anonymization:

Method: Cryptographic hashing with salt
Retention: 36 months for compliance/audit
Purpose: Legal compliance, dispute resolution, financial auditing
Irreversibility: Technically infeasible to re-identify

7.4 Data Portability

Available upon verified request
Machine-readable format (CSV)
Provided within 30 calendar days
No charge for first request annually

8. INTELLECTUAL PROPERTY PROTECTION

8.1 Our Ownership

We exclusively own:

All source code, algorithms, and databases
UI/UX design, branding, and logos
Documentation, know-how, and processes
All related intellectual property rights

8.2 License Grant

We grant you a limited, non-exclusive, non-transferable license to:

Use the App for your internal business purposes
Access features as per your subscription tier
This license terminates upon subscription end

8.3 Strict Prohibitions

You MUST NOT:

Copy, clone, reverse engineer, or decompile
Create derivative works or competing services
Scrape, crawl, or extract data via unauthorized means
Use our branding or confusingly similar marks
Bypass technical limitations or access controls

8.4 IP Rights Enforcement

Violation of our intellectual property rights may result in:

Immediate account termination without refund
Legal action for injunctive relief
Recovery of actual damages suffered
Statutory damages where permitted by law
Reporting to app stores and authorities

9. USER CONDUCT & PROHIBITED ACTIVITIES

9.1 Acceptable Use

Use the App only for:

Legitimate milk/dairy business tracking
Record-keeping as intended
Business organization and management
Personal or small business use

9.2 Prohibited Activities

ABSOLUTELY PROHIBITED:

Hacking, cracking, or security bypassing
Injecting malware or harmful code
Sharing invite codes publicly or indiscriminately
Using for illegal or fraudulent activities
Harassment of other users
Uploading prohibited content
Automated scraping or data extraction
Circumventing payment systems

9.3 Invite Code Security

CRITICAL SECURITY: Invite codes are equivalent to financial credentials.

Admin is 100% responsible for:

Secure distribution to authorized persons only
Immediate revocation of compromised codes
Financial losses from code misuse
Regular rotation (recommended quarterly)
Monitoring for unauthorized access

9.4 WhatsApp Usage Compliance

When using WhatsApp features:

You provide your own WhatsApp Business API key
We act as conduit using your credentials
You maintain proof of consent from recipients
You provide clear opt-out mechanism ("STOP")
You comply with WhatsApp Business Policy
You are liable for message content and compliance
We don't store API keys permanently (encrypted temporary cache only)

9.5 Rate Limiting & API Usage

To ensure fair use and system stability, the following rate limits apply:

Endpoint Category	Limit	Cooldown Period
OTP Requests	5 per minute	60 seconds
Login Attempts	10 per 15 minutes	15 minutes
API Calls (General)	100 per minute	60 seconds
Report Generation	10 per hour	60 minutes
Excel Import	5 per hour	60 minutes

Consequences of Exceeding Limits:

Temporary IP/Account blocking (15 minutes to 24 hours)
Repeated violations may result in permanent suspension
No refunds for access lost due to rate limit violations

We reserve the right to modify these limits without prior notice to protect system integrity.

10. CONTENT GUIDELINES

10.1 Permitted Content

You may upload:

User records to add users
Business-related images (shop image, splash screen image)
Contact information (with consent)
Profile images

10.2 Prohibited Content

DO NOT UPLOAD:

Illegal, offensive, or harmful material
Copyrighted content without permission
Malicious software, code, or scripts
Personal data of others without explicit consent
Discriminatory, defamatory, or harassing content
Adult, violent, or dangerous content
Any content violating applicable laws

10.3 Content Removal

We may remove any content that:

Violates these Terms or laws
Is reported as infringing or harmful
Threatens security or system integrity
Is inappropriate for the platform

No liability for content removal. Repeat violations may result in account termination.

10.4 File Upload Policy

Permitted File Uploads:

Excel/CSV files for bulk user import (max 10MB)
Profile images (JPEG, PNG - max 2MB)
Shop/Business images (JPEG, PNG - max 5MB)
Splash screen customization images (JPEG, PNG - max 3MB)

File Processing:

Uploaded files are scanned for malware using ClamAV antivirus engine (or equivalent enterprise-grade scanner)
Scanning occurs immediately upon upload before any processing
Excel imports are validated for data format and integrity
Images are resized and optimized automatically
Original files are deleted after processing (within 24 hours)
Processed data is stored securely per our retention policy
Signature database updated daily for latest threat detection

Prohibited File Content:

Executable files (.exe, .bat, .sh, etc.)
Scripts (.js, .php, .py, etc.)
Compressed archives with executables
Files exceeding size limits
Corrupted or malformed files
Files containing malware or malicious code

File Security:

All uploads transmitted via HTTPS/TLS 1.3
Files stored in isolated, access-controlled storage
Automatic virus/malware scanning via ClamAV (updated daily)
Multi-layer scanning: signature-based + heuristic analysis
No public access to uploaded files
Secure deletion upon account termination
Quarantine and notification if malware detected

11. SECURITY & RISK ALLOCATION

11.1 Your Security Responsibilities

YOU MUST:

Use strong, unique passwords (minimum 8 characters, mixed case, numbers, symbols recommended)
Protect invite codes
Use secure, updated devices
Enable device security features
Log out from shared devices
Notify us immediately of unauthorized access

11.2 Our Security Measures

IMPLEMENTED AND VERIFIED:

Authentication Security:

Password hashing using BCrypt algorithm (industry standard)
Secure session token generation and management
OTP-based two-factor verification for sensitive operations
Automatic session expiration after inactivity
Secure password reset flow with email verification

Data Protection:

HTTPS/TLS encryption for all data in transit
Database access restricted to application layer only
Prepared statements to prevent SQL injection
Input validation and sanitization on all endpoints
XSS protection through output encoding

Access Control:

Role-based access control (Admin/User separation)
Invite code system for controlled user onboarding
API authentication via secure tokens
Rate limiting on sensitive endpoints (OTP, login)

Network Security:

CORS policy enforcement
Request origin validation
API endpoint protection
DDoS mitigation measures

Monitoring & Response:

Error logging for security events
Failed login attempt monitoring
Anomaly detection for suspicious patterns
Incident response procedures documented

PLANNED/IN PROGRESS (Transparency Note):

AES-256 encryption at rest (planned for future release - currently data is encrypted in transit only)
Annual penetration testing (scheduled)
SIEM integration (planned)
HSM for key management (under evaluation)

Note: We believe in transparency. Features listed as "planned" are on our security roadmap but not yet implemented. We will update this section as features are deployed.

Evidence Available Upon Request (subject to NDA):

Security architecture documentation
Vulnerability assessment results (when conducted)
Compliance documentation
Incident response playbook

11.3 Data Protection Impact Assessment (DPIA)

In accordance with best practices under the DPDP Act, 2023, we conduct Data Protection Impact Assessments for:

When DPIA is Conducted:

Introduction of new data processing activities
Changes to existing processing that increase risk
Processing of large volumes of personal data
Use of new technologies for data processing
Systematic monitoring of Data Principals
Processing that may result in significant harm

DPIA Process:

Identification: Describe the processing and its purposes
Assessment: Evaluate necessity and proportionality
Risk Analysis: Identify risks to Data Principals' rights
Mitigation: Implement measures to address risks
Documentation: Record findings and decisions
Review: Regular review and updates as needed

Your Rights:

Request summary of DPIA findings (where applicable)
Raise concerns about high-risk processing
Be informed of significant changes to processing

11.4 Cybersecurity Acknowledgment

NO SYSTEM IS 100% SECURE. You acknowledge inherent risks including:

Data breaches despite security measures
Unauthorized access attempts
Cyber attacks and vulnerabilities
Service interruptions or data loss
Third-party service failures

12. THIRD-PARTY SERVICES

12.1 WhatsApp Integration

Your API Key: You provide your own WhatsApp Business API credentials
Our Role: Technical conduit using your credentials
Your Responsibility:
- Obtain explicit consent from recipients
- Maintain consent records as per DPDP Act
- Provide easy opt-out ("STOP" keyword)
- Comply with WhatsApp Business Policy
- Limit to transactional messages only
Data Flow: We don't store message content, only delivery status
No Liability: For delivery failures, policy violations, or consent issues

12.2 Payment Processors

RazorPay: For direct payments, RazorPay handles:

Payment processing and security
PCI DSS compliance
Refund processing
Dispute resolution

Data: We receive only transaction status, no payment details.

12.3 Cloud & Infrastructure

Hosted on secure cloud platforms
Regular security assessments
Geographic redundancy
99.9% uptime SLA (excluding maintenance)

12.4 General Disclaimer

We are NOT responsible for:

Third-party service failures or changes
API discontinuations or modifications
Integration errors or incompatibilities
Your compliance with third-party terms
Payment processor disputes or chargebacks

12.5 SMS/OTP Services

We use third-party SMS gateway services for One-Time Password (OTP) verification:

Provider: TextBelt (or equivalent SMS gateway)
Website: https://textbelt.com
Privacy Policy: https://textbelt.com/privacy

Data Shared with SMS Provider:

Phone number (for message delivery)
OTP code (encrypted in transit)
Delivery timestamp

Data NOT Shared:

Your name or identity
Account details
Transaction history
Any other personal information

SMS Provider Responsibilities:

Message delivery only
No storage of message content beyond delivery
Compliance with telecom regulations

Our Responsibilities:

Secure transmission of phone numbers
OTP expiration (valid for 10 minutes only)
Rate limiting to prevent abuse
No logging of OTP codes after verification

Your Responsibilities:

Provide accurate phone number
Keep OTP confidential
Report unauthorized OTP requests immediately

We are NOT liable for:

SMS delivery failures due to carrier issues
Delays in OTP delivery
Charges by your mobile carrier for receiving SMS
OTP interception due to compromised devices

12.6 Email Services

We may use third-party email services for:

Account notifications
Subscription alerts
Security warnings
Support communications

Provider: SendGrid (Twilio Inc.) or equivalent
Privacy: https://www.twilio.com/legal/privacy

Data Shared:

Email address
Message content (transactional only)
Delivery/open status

We do NOT use email for marketing without explicit consent.

13. LIMITATION OF LIABILITY

13.1 Cap on Liability

Our maximum aggregate liability for any and all claims shall not exceed the GREATER OF:

(a) Actual direct damages proven by you, OR
(b) Total subscription fees paid by you in the preceding 12 months

This applies to all claims in contract, tort, or otherwise.

13.2 Excluded Damages

WE ARE NOT LIABLE FOR:

Indirect, consequential, or incidental damages
Lost profits, revenue, or business opportunities
Data loss or corruption (maintain your own backups)
Reputational damage or goodwill loss
User or Admin disputes
Third-party actions or failures
Force majeure events
Security incidents except as required by DPDP Act

13.3 EXCLUSIONS FROM LIMITATION - CARVE-OUTS

The liability cap does NOT apply to:

Death or personal injury from our negligence
Fraud or fraudulent misrepresentation
Gross negligence or willful misconduct
Breach of DPDP Act obligations
Statutory liabilities under consumer protection laws
IP infringement claims
Indemnification obligations under Section 14
Any liability that cannot be limited by Indian law

13.4 Essential Purpose

This limitation is fundamental to the agreement and pricing.

14. INDEMNIFICATION

You agree to defend, indemnify, and hold harmless MDK Genesis from:

Your use or misuse of the App
Violation of these Terms or applicable laws
Infringement of third-party rights (IP, privacy)
Content you upload or distribute
Your negligence, misconduct, or errors
Disputes with your Users or third parties
Failure to obtain necessary consents (WhatsApp, data processing)
DPDP Act violations as Data Fiduciary
All associated costs, damages, and legal fees

Survival: This section survives termination of these Terms.

15. TERMINATION & SUSPENSION

15.1 By You

Cancel subscription via app store or account settings
Delete account via App settings
Cease using the App

15.2 By Us

We may suspend or terminate immediately if:

Violation of these Terms
Fraudulent or illegal activity
Non-payment of fees
Legal or regulatory requirements
Security threats or attacks
DPDP Act violations
Prolonged inactivity (180+ days)

15.3 Effects of Termination

Immediate access revocation
Data handling per Section 7.3
No refunds for termination due to violation
Survival of key terms (Section 19)

15.4 Appeal Process

For account termination, you may appeal via dhilipkumarmd1961@gmail.com within 30 days.

16. DISPUTE RESOLUTION

16.1 Mandatory Arbitration (Commercial Users)

For commercial/business users:

Governing Law: Arbitration and Conciliation Act, 1996
Seat: Tamil Nadu, India
Language: English
Arbitrator: Single arbitrator mutually agreed
Rules: UNCITRAL Arbitration Rules
Award: Binding and enforceable

16.2 CONSUMER PROTECTION CARVE-OUT

If you qualify as a "consumer" under Consumer Protection Act, 2019:

Option 1: Arbitration as above, OR
Option 2: Appropriate consumer forum/civil court
Notice: You must notify your choice within 30 days of dispute
No Prejudice: Choosing court doesn't waive arbitration for future disputes

16.3 Small Claims Exception

Either party may use small claims court for claims under ₹200,000.

16.4 Class Action Waiver

NO CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTIONS.

All disputes must be brought individually.

16.5 Informal Resolution First

Before formal proceedings:

Written notice to dhilipkumarmd1961@gmail.com
30-day negotiation period
Senior executive escalation
Mediation option (optional)

17. GOVERNING LAW & JURISDICTION

Primary Law: Laws of India
Key Statutes:
- Digital Personal Data Protection Act, 2023
- Information Technology Act, 2000
- Consumer Protection Act, 2019
- Indian Contract Act, 1872
- Arbitration and Conciliation Act, 1996
Exclusive Jurisdiction: Courts in Tamil Nadu, India
Grievance Officer: As specified in Section 21
Language: English language version shall prevail in case of any conflict with translations

18. FORCE MAJEURE

Not liable for delays/failures due to:

Natural disasters (floods, earthquakes)
Government actions or restrictions
Internet or utility failures
Pandemics or health emergencies
War, terrorism, or civil unrest
Other unforeseeable events beyond reasonable control

Obligation: Must notify within 7 days and resume when feasible.

19. SURVIVAL

These sections survive termination:

Definitions (1)
Intellectual Property (8)
Limitation of Liability (13)
Indemnification (14)
Dispute Resolution (16)
Data Protection obligations (3.4, 7, 22)
Payment obligations
Confidentiality provisions

20. GENERAL PROVISIONS

20.1 Entire Agreement: These Terms, Privacy Policy, and DPA constitute complete agreement

20.2 Severability: If any provision is invalid, others remain effective

20.3 No Waiver: Failure to enforce is not waiver of rights

20.4 Assignment: We may assign; you need our written consent

20.5 Notices: Electronic to registered email; legal to dhilipkumarmd1961@gmail.com

20.6 Headings: For reference only

20.7 Language: English version prevails

20.8 Updates: 30 days notice for material changes; continued use = acceptance

20.9 Relationship: Independent contractors, not partnership

20.10 Time: Time is of the essence

21. CONTACT & GRIEVANCE REDRESSAL

Note: The email address listed below (dhilipkumarmd1961@gmail.com) is a personal email used temporarily. A dedicated business email will be provided soon.

21.1 Grievance Officer (DPDP Act, 2023)

As required under the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer:

Field	Details
Name	Mr. Dhilip Kumar M (Grievance Officer)
Organization	MDK Genesis
Email	dhilipkumarmd1961@gmail.com
Phone	+91-8072561961
Address	1-151-2 Koppampatti, Rasipuram, Namakkal - 637403, Tamil Nadu, India

Response Commitment:

Acknowledgment: Within 7 calendar days of receiving complaint
Initial Response: Within 15 calendar days
Resolution Attempt: Within 30 calendar days
Complex Issues: May extend to 45 days with notification

Grievance Categories Handled:

Data access, correction, or deletion requests
Privacy concerns and data breach inquiries
Consent withdrawal requests
Complaints about data processing practices
WhatsApp messaging opt-out issues
Any DPDP Act related concerns

21.2 General Support

Field	Details
Email	dhilipkumarmd1961@gmail.com
Hours	Monday - Friday, 10:00 AM - 6:00 PM IST
Response Time	Within 24-48 business hours
Urgent Security	dhilipkumarmd1961@gmail.com

21.3 Legal Notices

Field	Details
Address	1-151-2 Koppampatti, Rasipuram, Namakkal - 637403, Tamil Nadu, India
Email	dhilipkumarmd1961@gmail.com
Requirements	Registered post for formal notices

Requirements for Valid Legal Notice:

Sent via registered post with acknowledgment due, OR
Email with delivery receipt requested
Must reference specific Terms/Policy sections
Must include your complete contact details
Must be in English language

21.4 Escalation Path

If your concern is not resolved satisfactorily:

Level	Contact	Response Time
Level 1	dhilipkumarmd1961@gmail.com	24-48 hours
Level 2	dhilipkumarmd1961@gmail.com	7 days
Level 3	dhilipkumarmd1961@gmail.com	15 days
Level 4	External Resolution	As applicable

External Resolution Options:

Data Protection Board of India (for DPDP matters)
Consumer Forum (for consumer complaints)
Courts in Tamil Nadu (for legal disputes)

22. DATA PROTECTION RIGHTS (DPDP ACT)

22.1 Your Rights Summary (Chapter III, DPDP Act, 2023)

Right	DPDP Section	Description
Access	Section 11	Know what data we have and how it's processed
Correction	Section 12	Fix inaccurate or misleading data
Erasure	Section 12	Request deletion of your data
Portability	Section 11	Get your data in machine-readable format
Consent Management	Section 6	Withdraw consent at any time
Grievance	Section 13	Complain about processing to Grievance Officer
Nomination	Section 14	Nominate another person to exercise rights

22.2 Right to Nomination Procedure (Section 14, DPDP Act)

You may nominate another individual to exercise your data rights on your behalf:

How to Nominate:

Email dhilipkumarmd1961@gmail.com with subject "Nomination Request"
Provide: Your account details, nominee's full name, phone, email, ID proof
Specify which rights the nominee can exercise (all or specific)
Provide your signed authorization letter

Verification Process:

We verify both your identity and nominee's identity
Confirmation sent to both parties
Nomination takes effect within 7 days of verification

Nominee Rights:

Exercise specified rights on your behalf
Receive communications about your data requests
Cannot transfer nomination to third parties

Revocation:

You may revoke nomination at any time via email
Revocation effective within 7 days of receipt

22.3 DSAR Procedure

Step 1: Submit Request

Email dhilipkumarmd1961@gmail.com with:

Account details
Request type
Identity verification
Contact information

Step 2: Our Processing

We will:

Acknowledge within 7 calendar days
Verify identity (may ask for additional proof)
Process within 30 calendar days
May extend by 30 days for complex requests with notice
Provide response in writing

Step 3: If Unsatisfied

Internal escalation to Grievance Officer
External: Data Protection Board of India
Legal: Courts in Tamil Nadu

22.3 Fee Policy

No charge for standard requests
Reasonable fee for manifestly unfounded/excessive requests
No fee for correction of inaccurate data

22.4 Breach Notification SLA

Stage	Timeline
Detection	Within 24 hours
Assessment	Within 72 hours
Notification (DPB)	Within 72 hours (if significant harm)
Notification (Admins)	Without undue delay
Remediation	Immediate steps

"⚠️ INTERIM THRESHOLD - Significant Harm" (per Section 8(6) of DPDP Act, 2023):

🚨 IMPORTANT NOTICE: The ₹10,000 threshold below is an INTERIM MEASURE pending official guidance from the Data Protection Board of India. This threshold may change.

A breach is deemed to cause "significant harm" warranting notification to the Data Protection Board if it involves:

Financial loss exceeding ₹10,000 per individual (interim threshold)
Identity theft or fraud risk
Reputational damage or humiliation
Discrimination based on personal data
Mental trauma or distress
Loss of employment or business opportunity
100+ individuals affected
Sensitive personal data exposure
Children's data involved

Note: The Data Protection Board of India may issue further guidance on "significant harm" thresholds under Section 8(6). The monetary threshold of ₹10,000 is our internal assessment based on industry practices and may be revised upon official DPB guidance.

Update Commitment: We will formally revise this threshold within 30 calendar days of any conflicting or superseding guidance issued by the Data Protection Board of India.

Admin acknowledgments logged and exportable
Consent records (WhatsApp) maintainable in-app
DSAR handling logs maintained for 36 months
Audit trails for data access and modifications

23. VERSION HISTORY & CHANGE LOG

We maintain a record of all changes to these Terms for transparency and compliance.

Version	Date	Changes	Effective Date
1.0	February 6, 2026	Initial release - DPDP Act 2023 compliant	February 6, 2026

Future Updates:

Major changes: 30 days advance notice via email and in-app notification
Minor clarifications: 7 days notice
Security updates: Immediate with notification
All previous versions available upon request at dhilipkumarmd1961@gmail.com

DOCUMENT END

Milk Daily™ is a trademark of MDK Genesis.

This document was last reviewed on February 6, 2026.