YoSurprise
Privacy Policy

Privacy Policy

Last updated: March 2026 · Version 1.0

YoSurprise ("we", "us", "our") is a SaaS platform operated by Kishiva Technologies Private Limited, registered in India. This Privacy Policy explains what data we collect, why, how we use it, who we share it with, and your rights under the General Data Protection Regulation (GDPR) and the Digital Personal Data Protection Act, 2023 (DPDP Act).

1. Who We Are

Data Controller / Fiduciary: Kishiva Technologies Private Limited

Registered Address: [Your registered address], India

Data Protection Officer: privacy@yosurprise.com

Brands using YoSurprise act as independent data controllers for the personal data of their own customers. YoSurprise acts as a data processor on behalf of those brands for end-customer data.

2. Data We Collect

2.1 Brand Owner Data (Account Holders)

  • Full name and business name
  • Email address (used as account identifier)
  • Phone number (optional, for support)
  • Payment information (processed securely by Razorpay or Stripe — we do not store raw card data)
  • IP address and user-agent at signup and consent events
  • Integration credentials (WhatsApp API, PetPooja, Odoo — stored encrypted)

2.2 End Customer Data (Coupon Recipients)

  • WhatsApp phone number (provided voluntarily to receive a coupon)
  • Coupon code and redemption status
  • Consent timestamp and version

We do not collect names, email addresses, location data, or any other information from end customers unless explicitly provided.

2.3 Technical Data

  • Server logs (IP, timestamps, request paths) — retained for 90 days
  • Cookie preferences and consent signals
  • Session tokens (httpOnly cookies, not accessible to JavaScript)

3. Why We Process Your Data

PurposeLegal Basis (GDPR)DPDP Act Basis
Account creation & managementContract performanceConsent
Campaign delivery & coupon generationContract performanceLegitimate use
WhatsApp coupon deliveryConsent (explicit)Consent
Analytics & platform improvementLegitimate interestLegitimate use
Billing & subscription managementContract performance / Legal obligationConsent
Compliance & fraud preventionLegal obligationLegal obligation
Marketing communicationsConsentConsent

4. Data Sharing

We do not sell personal data to third parties.

We share data only as described below:

  • WhatsApp Business API: End customer phone numbers are sent to the brand's own WhatsApp Business API configuration to deliver coupons. This is configured and controlled by the brand.
  • PetPooja POS: Order data is shared with PetPooja when a brand has enabled the integration, for coupon validation at point of sale.
  • Odoo ERP: Order and customer data is synced to Odoo when a brand has enabled the Odoo integration.
  • Razorpay: Billing and subscription data for Indian customers is processed by Razorpay. Their privacy policy applies.
  • Stripe: Billing data for international customers is processed by Stripe. Their privacy policy applies.
  • Appwrite (Infrastructure): Our backend infrastructure provider. Data is stored on servers subject to appropriate data processing agreements.

5. Data Retention

  • Account data: Retained while the account is active. Deleted within 30 days of account deletion request.
  • Coupon and campaign data: Retained for 365 days from creation (configurable by platform settings).
  • Consent logs: Retained for 5 years to demonstrate compliance with data protection law.
  • Billing records: Retained for 7 years as required by Indian tax law (GST compliance).
  • Server logs: Retained for 90 days.

6. Your Rights — GDPR (EU / EEA Users)

If you are in the EU or EEA, you have the following rights:

  • Right of Access: Obtain a copy of your personal data.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data where there is no overriding legal basis to retain it.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Restriction: Restrict how we process your data in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: Where processing is consent-based, you can withdraw at any time without affecting prior processing.

To exercise these rights, visit /data-request or email privacy@yosurprise.com. Response within 30 days. You may also lodge a complaint with your national supervisory authority.

7. Your Rights — India DPDP Act 2023

As a "data principal" under the India Digital Personal Data Protection Act, 2023, you have:

  • Right to access information: Know what personal data we process and the basis for it.
  • Right to correction and erasure: Request correction of inaccurate data or erasure where it is no longer necessary.
  • Right to grievance redressal: File a grievance with our Data Protection Officer. If unresolved within 30 days, escalate to the Data Protection Board of India.
  • Right to nominate: Nominate another individual to exercise your rights in the event of death or incapacity.

Contact our Grievance Officer: privacy@yosurprise.com

8. Cookies

We use the following types of cookies:

  • Essential cookies: Session management, security (httpOnly, cannot be disabled).
  • Analytics cookies: Understanding usage patterns to improve the platform. Only set with your consent.
  • Marketing cookies: Personalised advertising and retargeting. Only set with explicit consent.

You can manage cookie preferences using the banner displayed on public pages, or by clearing your browser's localStorage and cookies.

9. Security

  • All data is transmitted over HTTPS / TLS 1.2+
  • API keys and integration credentials are stored encrypted
  • Access to production data is restricted by role-based access controls
  • Session tokens are httpOnly cookies, not accessible to client-side JavaScript
  • Regular security reviews and dependency audits
  • Breach notification: we will notify affected users within 72 hours of discovering a breach affecting personal data, in accordance with GDPR Article 33 and DPDP Act provisions

10. International Transfers

Our primary infrastructure is located in India. If personal data is transferred outside India (for example, to Stripe's servers for international billing), we ensure appropriate safeguards are in place including Standard Contractual Clauses (SCCs) under GDPR where applicable.

11. Children's Privacy

YoSurprise is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@yosurprise.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or an in-app announcement before the changes take effect. Continued use of YoSurprise after the effective date constitutes acceptance.

13. Contact Us

Data Protection Officer: privacy@yosurprise.com

General Enquiries: hello@yosurprise.com

Postal Address: Kishiva Technologies Private Limited, [Address], India

→ Submit a formal data request

© 2026 Kishiva Technologies Private Limited · YoSurprise

Terms of ServiceData Request