Privacy Policy (India)

Effective date: 9 September 2025
Who we are: Swajal Water Pvt. Ltd. (“Boon”, “we”, “our”, “us”) operates the brand Boon and websites including helloboon.com, companion mobile/web apps, and IoT platforms for our products (e.g., WaterAI™ dashboards for Purify, Refill, Homie). This Privacy Policy explains how we collect, use, share, store, and protect your personal data when you visit our sites, use our products/services, or interact with us in India.

This policy is designed to align with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian laws. If you are outside India, local laws may also grant you additional rights.


1) Scope & Definitions

Scope. This policy covers online storefronts, account creation, orders and support, marketing communications, and connected/IoT features in Boon devices and apps. It does not cover third‑party websites or services we do not control.

Personal Data. Information that can identify you directly or indirectly (e.g., name, phone number, email, address, device identifiers, order details).
Sensitive Personal Data. We do not intentionally collect health data, biometric data, financial account passwords, or other sensitive categories of data unless required for a specific service and with additional safeguards.


2) What We Collect

We collect the following categories of data, depending on your use of our services:

A. Identity & Contact — name, phone, email, billing/shipping address, organisation (if applicable).
B. Account & Order — login ID, password (hashed), order/cart history, invoices, warranty registrations.
C. Payments — tokenised payment references from payment gateways (we do not store full card or UPI credentials).
D. Customer Support — call/chat/email records, service tickets, installation notes, warranty claims, feedback.
E. Device & IoT Telemetry (for connected products) — device serial number, firmware/app version, timestamps, network status, sensor/operational parameters such as TDS, temperature, flow rates, usage counters, error logs, filter life estimates and fault codes; optional location metadata when you authorise it for service coverage.
F. Technical Data — IP address, device type, OS/browser, cookie IDs, analytics events, and diagnostics.
G. Marketing Preferences — opt‑ins, campaign interactions, interests inferred from on‑site activity.
H. KYC/Compliance (if required) — minimal documents for high‑value purchases/enterprise installations, collected only where mandated by law/contract.

We collect data from you, from your devices (when connected features are enabled), and from partners (payment providers, couriers, analytics, channel partners) as needed to provide services.


3) Why We Use Your Data (Purposes)

  • Purchase & Fulfilment: process orders, payments, shipping, installation, returns/warranty.
  • Product Operation (IoT): deliver connected features, quality monitoring (e.g., TDS/temperature), predictive maintenance, security, and firmware updates.
  • Customer Support: respond to queries, schedule service visits, troubleshoot, and improve reliability.
  • Safety & Quality: detect anomalies, prevent misuse, ensure water quality and device safety features.
  • Legal & Compliance: taxation, accounting, fraud prevention, lawful requests.
  • Marketing with Consent: send updates, offers, and surveys; you may opt out anytime.
  • Research & Improvement: aggregate/anonymise data to improve products, features, and sustainability outcomes (e.g., water/energy efficiency).

4) Our Legal Basis & Your Consent

Where required by the DPDP Act, we rely on your consent (e.g., marketing, optional analytics) or on other legitimate grounds such as fulfilment of a contract (order processing), compliance with law (tax/GST), or legitimate uses reasonably expected by you (device telemetry for reliability/safety). You may withdraw consent for optional uses at any time without affecting core services.


5) Cookies & Similar Technologies

We use cookies, SDKs and similar tools to enable core site functions and measure performance. You can manage preferences via your browser settings or any cookie banner presented on our sites.

  • Strictly Necessary: cart, checkout, security, session management.
  • Performance/Analytics: page views, funnels, diagnostics (aggregated reports).
  • Functional: remember preferences, language, logged‑in state.
  • Marketing (with consent): measure campaigns, show relevant offers.

Blocking some cookies may impact site functionality.


6) Sharing & Disclosures

We do not sell your personal data. We share limited data with:

  • Payment partners for processing your transactions.
  • Logistics & Installation partners for delivery, scheduling, and on‑site service.
  • Cloud/IT providers that host our apps, backups, and IoT services.
  • Analytics & Communication providers for emails/SMS/WhatsApp (with opt‑in), error reporting, and usage analytics.
  • Authorised Channel Partners where you purchased through a partner and service coordination is required.
  • Authorities or legal advisors when required by law or to protect rights, safety, or property.

All vendors operate under contracts and security obligations consistent with this policy and applicable law.


7) International Transfers

Some providers may process data outside India. Where applicable, we implement safeguards (contractual clauses, security controls) so that your data is protected to a comparable standard.


8) Data Retention

We keep personal data for as long as needed to provide services, comply with law, resolve disputes, and enforce agreements. Typical examples:

  • Accounts & Orders: active account life and a statutory period thereafter for tax/compliance.
  • IoT Telemetry: rolling windows sufficient for diagnostics and product improvement, then anonymised or deleted.
  • Support Records: until the ticket is resolved plus a reasonable archival period.
  • Marketing Data: until you withdraw consent or after periods of inactivity, whichever is earlier.

9) Your Rights (Data Principal Rights)

Subject to law, you may request:

  • Access to your personal data.
  • Correction/Update of inaccurate or incomplete data.
  • Erasure where data is no longer necessary or consent is withdrawn (subject to legal retention).
  • Grievance Redressal via our contacts below.
  • Nomination: you may nominate another person to exercise your rights in case of death or incapacity, as provided by the DPDP Act.

We may verify your identity before acting on requests and may decline requests where permitted by law (e.g., fraud prevention, legal retention).


10) Children’s Data

Our services are intended for adults. Under Indian law, a child is a person under 18 years of age. We do not knowingly collect personal data from children without verifiable parental consent. If you believe a child has provided data, please contact us to delete it.


11) Security

We use administrative, technical, and physical safeguards appropriate to the nature of the data, including encryption in transit, access controls, network isolation, and routine monitoring. No method of transmission or storage is 100% secure; we strive to continuously improve our defences.


12) WhatsApp/SMS & Calls

If you opt in, we may contact you via WhatsApp/SMS/calls for order updates, service scheduling, or support. You can opt out by following instructions in the message or contacting support. Standard carrier charges may apply.


13) Third‑Party Links

Our websites/apps may contain links to third‑party sites or embedded services. Their privacy practices are governed by their own policies; please review them before use.


14) Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. The “Effective date” will be revised accordingly. Material changes will be notified via the website/app or by email where appropriate.


15) Contact & Grievance Redressal

Email: privacy@helloboon.com / support@helloboon.com
Grievance Officer: [Name], Swajal Water Pvt. Ltd.
Postal Address: [Registered address, Gurugram, Haryana, India]

To exercise your rights or raise a concern, write to us with your name, contact details, and a description of your request. We aim to acknowledge grievances within 48 hours and resolve them within 15 working days where feasible.


16) Data Protection Officer (if applicable)

If and when Boon is designated a Significant Data Fiduciary under the DPDP Act, we will appoint a Data Protection Officer (DPO) resident in India and publish their contact details here. Until then, the Privacy Desk and Grievance Officer handle privacy matters.


17) Country‑Specific Notes (Non‑India)

If you purchase or use Boon products outside India, local laws (e.g., data portability or additional consent rules) may apply through our authorised partners. This policy will be adapted or supplemented as required.


Quick Summary (Plain Language)

  • We collect basic identity, orders, payments (tokenised), support interactions, cookies, and device telemetry for connected features.
  • We use them to fulfil orders, operate IoT features, improve quality, and—only with consent—send marketing.
  • We share data with service partners (payments, logistics, cloud) under contract; we don’t sell personal data.
  • You can access, correct, or ask us to delete your data (subject to legal retention), complain to our Grievance Officer, and nominate a person to act on your behalf.
  • We secure data with appropriate safeguards and keep it only as long as needed.