Legal

Privacy Policy

Last updated: 2026-05-10

The Chennai Business Club ("CBC", "we", "us") operates a closed B2B referral network for verified Chennai businesses. This policy describes what we collect, why, where it's stored, how long we keep it, and your rights under the Digital Personal Data Protection Act, 2023 ("DPDP Act").

What we collect

At signup. Business name, your name (the registrant), your designation (self-declared), email, mobile / WhatsApp number, primary pincode, company address, service category + subcategory, optional GSTIN / PAN / Udyam number, optional years in business, optional Instagram / Facebook / LinkedIn URLs. We capture the referral code (if any) that brought you in.

For verification (mandatory for the verified badge, optional otherwise). GST certificate, MSME / Udyam certificate, three most recent income tax return statements. For freelancers without GST / MSME: ID proof, address proof, experience certificate, and education certificate are accepted as a fallback.

Optional media. A personal photo or a company logo. Either satisfies the platform's "face for the listing" requirement — registrants are not required to upload a personal photo if they prefer a logo.

While you use the service. Referral link clicks (HMAC-salted fingerprint of IP + user-agent — we never store raw IPs), wallet credit transactions, KYC status changes, thank-you notes you post, reviews you write, and basic page-view analytics via PostHog (if enabled).

Where it's stored

Database. Supabase Postgres in India (Mumbai region targeted; current preview runs in us-west-2 pending migration before live launch). Personal data tables have Row-Level Security so only the owning vendor or authorised admins can read them.

Documents and photos. Two Supabase Storage buckets:

  • vendor-media (public): profile photo and logo. These are public by design because they appear on your public /v/<slug> profile.
  • vendor-docs (private): GST certificate, MSME / Udyam certificate, income tax return PDFs, ID proof, address proof, experience certificate, education certificate. Stored without a public URL; admins and the document owner view them via short-lived (15-minute) signed URLs only.

Why we collect it

  • Verifying that the registrant runs a real Chennai business (KYC).
  • Attributing referrals correctly so credits flow to the right person.
  • Service-essential communication: signup confirmation, KYC status changes, payment receipts (Phase 2), thank-you notes received, credits earned.
  • Marketing — only with separate explicit consent recorded at signup.
  • Detecting fraudulent referral activity (bulk self-referrals, fingerprint collisions).

Who can see what

  • Public, on your /v/<slug>: business name, photo / logo, pincode, category + subcategory, GST-verified pill (if applicable), bio, hours, ratings + reviews, public thank-you notes, social URLs.
  • Members-only (signed-in vendors): the directory at /members lists the same public fields, plus the ability to send a thank-you note.
  • You only: your wallet history, your referral click count, your private thank-you notes, your verification document files.
  • Admin staff only: uploaded certificate files (via signed URLs), uploaded ID / address / education proofs, contact email + phone, company address.

Verification workflow

Accounts are auto-created in kyc_status='pending'. Your public profile is not visible in the members directory until an admin (or eventually our verification vendor) flips the status to verified. Admin actions are recorded in audit_log with the admin's user id and a before/after diff.

How long we keep it

  • Profile + referral records: for as long as your account is active.
  • Verification documents (GST cert, MSME, ITRs, freelancer proofs): retained while your KYC status is verified or in_review. On account erasure they are deleted from storage; only the existence (audit trail) and statutory invoices remain.
  • GST invoices and payment records (Phase 2 onward): retained 8 years per Indian tax law, even after account erasure.
  • Audit log: retained indefinitely for compliance.

Your rights (DPDP Act)

  • Right to access a copy of your personal data and uploaded documents.
  • Right to correction — most fields are editable from your dashboard.
  • Right to erasure ("delete my account").
  • Right to grievance redressal.

Erasure anonymizes your user record (phone replaced with a hash, email cleared, free text redacted), removes uploaded photos and documents from storage, and retains only what we are legally required to retain. Outgoing referral attributions remain so that the businesses you brought in keep their attribution intact.

Sharing

We share data with: Supabase (hosting), Vercel (delivery), Resend (transactional email), Razorpay (payments — Phase 2), Sentry / PostHog (observability). When the verification vendor is engaged (Karza or equivalent) we will share GSTIN + business name strings for the lookup and update this policy accordingly. We do not sell personal data.

Quiet hours

Per TRAI guidelines, promotional messages are never sent between 21:00 and 09:00 IST. Transactional messages (signup confirmations, payment receipts) may be delivered at any time.

Contact

Email privacy@cbc.in. A formal grievance officer will be designated post-incorporation.

This page is a closed-beta draft. The Chennai Business Club is undergoing private-limited incorporation; final policies will be reissued post-incorporation. For questions, email hello@cbc.in.