Privacy Policy

01Scope & overview

This Privacy Policy explains how Sahya Agro Organic Farms ("Sahya Agro," "we," "us," or "our") — a farm and food business operated from Saloni Village, Narnaul, Mahendragarh District, Haryana 123001, India — collects, uses, stores, shares, and protects the personal information of our customers, website visitors, subscribers, B2B clients, farm visitors, and any other individual who interacts with us through our website (sahyaagro.com), our WhatsApp Business number, our customer-support email addresses, our physical farm, or any other channel.

This policy is written to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 read with the IT (Reasonable Security Practices) Rules 2011, and where applicable, equivalent regulations in jurisdictions where our customers are located, including the GDPR for European Union residents and the UAE's Federal Decree-Law No. 45 of 2021 on Personal Data Protection. By providing your personal information to us through any of these channels, you consent to the practices described below.

If anything in this policy is unclear, or if you would like more detail on a specific practice, write to our Grievance Officer (details in Section 13). We try to respond to substantive privacy questions within five working days.

02Data we collect

We collect the minimum personal information necessary to fulfil orders, deliver eggs, run our subscription service, manage B2B accounts, and communicate with you. Specifically, the categories of personal data we may collect are:

Identity & contact data

• Name (first name, last name, salutation if provided)
• Phone number (mobile and/or landline)
• Email address
• Postal address for delivery (street, city, state, country, postal code)
• Date of birth (only if you voluntarily provide it for birthday discounts; never required)

Order & transaction data

• Order history, product preferences, dispatch dates, delivery confirmations
• Payment confirmation references (we do not store full card numbers, CVV, or UPI PIN — those go directly to our payment gateway, Razorpay)
• Subscription frequency, pause/resume history, switch logs
• Communications about specific orders (replacement requests, tracking queries)

Technical & usage data

• IP address, approximate location (city/region level), device type, browser type and version, operating system
• Pages viewed on our website, referral source, time spent, scroll depth
• Cookie identifiers (see Section 8 for details)

B2B data (for restaurants, hotels, caterers)

• Business name, GST number, FSSAI license number of the buyer (if applicable)
• Authorised purchaser name, designation, contact details
• Credit terms history, invoice payment records

We do not collect sensitive personal data as defined under DPDP Act 2023 (such as financial information beyond payment confirmation, biometric data, health records, sexual orientation, or political views) unless you voluntarily provide it for a specific purpose, such as a doctor's recommendation note attached to a bulk Omega Reserve order during pregnancy.

03How we collect it

We collect personal data in three primary ways:

Directly from you when you place an order via WhatsApp, fill out our contact form, subscribe to our newsletter, book a farm visit, sign up for a recurring subscription, request a lab report, or otherwise communicate with us. This is the largest source of data we hold and the one over which you have the most control.

Automatically through our website when you visit sahyaagro.com. This includes server logs (IP, timestamp, requested URL), cookies set by our analytics partners (see Section 8), and event-level interaction data captured by Google Analytics 4 and Google Ads conversion tracking.

From third parties in limited circumstances — for example, when a courier partner shares delivery confirmation back to us, when a payment gateway confirms a successful transaction, or when a B2B referral partner introduces a new client to us with their consent. We do not buy or rent customer lists from any third party.

04Why we collect it

We collect personal data only for specified, lawful purposes. The legal basis varies by data type but generally includes contractual necessity (to fulfil your order), legitimate business interest (to operate efficiently and prevent fraud), legal obligation (to comply with FSSAI, GST, and tax requirements), and consent (for marketing communications, which you can withdraw any time). Specifically, we use your data to:

• Process and dispatch your egg orders accurately and on time
• Run our recurring subscription service, including pause/resume requests
• Communicate about your order — dispatch confirmation, tracking, delivery updates, replacement processing
• Respond to questions, complaints, and feedback about our products or service
• Issue invoices, receipts, and (for B2B clients) GST-compliant tax documents
• Maintain food-safety traceability records as required under FSSAI regulations and our ISO 22000 certification
• Send marketing communications (newsletter, offers, new product launches) — only if you've opted in, and you can opt out any time
• Improve our website, services, and farm operations through aggregated, non-identifying analytics
• Detect, prevent, and investigate fraud, abuse, or violations of our terms of service
• Comply with applicable laws, court orders, or lawful requests from government authorities

We do not use your personal data for purposes incompatible with these — for example, we do not profile you for behavioural advertising on third-party platforms beyond standard Google Ads remarketing, we do not sell your data to brokers, and we do not use your data to train artificial intelligence models.

05Sharing with third parties

We share personal data only with carefully selected third parties who help us operate our business. Each receives only the minimum data needed for their specific function, under contractual data-protection commitments:

• Courier partners (Snowman Logistics, regional cold-chain partners, Gulf freight forwarders) receive your name, delivery address, phone number, and order details — necessary to deliver your eggs.
• Payment gateway (Razorpay) receives transaction-level details to process card and UPI payments. Your full card data goes directly to them and is never stored by us.
• Communication tools (WhatsApp Business API provider, transactional SMS provider, email service provider) receive your phone or email and message content for delivering order updates.
• Analytics & advertising (Google Analytics 4, Google Ads) receive anonymised device-level events. Where possible, we use IP anonymisation and rely on aggregated data.
• Cloud hosting (our website host stores data centrally; databases are encrypted at rest).
• Professional advisers (chartered accountants, tax consultants, legal advisers) receive transaction records or specific data only when required for compliance audits or legal proceedings.
• Government authorities when legally compelled — FSSAI inspectors, GST officers, or law enforcement under valid court orders. We notify affected customers where lawfully possible.

We do not share your personal data with marketing brokers, lead-generation services, social media platforms beyond what's needed for ad delivery, or any other party for the purpose of monetising your data. We have never sold customer data and we never will.

06How long we keep it

We retain personal data only for as long as necessary to fulfil the purpose it was collected for, plus any period required by law. Specifically:

• Order records: 7 years from the date of order (required under Indian tax and FSSAI traceability rules).
• Active subscription data: Throughout the active subscription, plus 7 years after cancellation for tax and warranty purposes.
• Marketing list data: Until you unsubscribe or after 24 months of inactivity, whichever is sooner.
• Website analytics: 14 months at the user-event level, then aggregated indefinitely (no identifying data).
• Customer support correspondence: 3 years from the last interaction, after which it is anonymised or deleted.
• B2B account records: Throughout the relationship, plus 7 years after the last transaction.

You can request earlier deletion of your data, subject to our legal obligation to retain certain records (see Section 7).

07Your rights

Under the DPDP Act 2023 and equivalent international frameworks, you have the following rights with respect to your personal data:

• Right to access — Request a copy of the personal data we hold about you. We respond within 30 days.
• Right to correction — Ask us to correct inaccurate or incomplete information.
• Right to erasure — Request deletion of your data, subject to legal retention requirements.
• Right to restrict processing — Ask us to limit how we use your data while a query is being resolved.
• Right to data portability — Receive a copy of your data in a structured, machine-readable format.
• Right to withdraw consent — For data processing based on consent (such as marketing communications), you can withdraw consent any time without affecting the lawfulness of prior processing.
• Right to grievance redressal — File a complaint with our Grievance Officer (Section 13). If unresolved, you can escalate to the Data Protection Board of India.

To exercise any of these rights, email privacy@sahyaagro.com or write to the postal address in Section 13. We will verify your identity before processing the request to protect your data from unauthorised access.

08Cookies & tracking

Our website uses the following categories of cookies and similar technologies:

• Essential cookies — Required for the website to function (e.g., session management). These cannot be disabled.
• Analytics cookies — Set by Google Analytics 4 to understand how visitors use our site. We use IP anonymisation. You can opt out via Google's Analytics Opt-out Browser Add-on.
• Advertising cookies — Set by Google Ads for conversion tracking and remarketing. You can manage these via your Google Ad Settings or browser controls.

You can control cookies through your browser settings — most browsers allow you to refuse cookies, delete existing cookies, or be alerted before cookies are set. Disabling essential cookies may break certain website features. We do not currently use cross-site behavioural tracking pixels from social media platforms.

09Children's privacy

Our services are designed for adults aged 18 and above. We do not knowingly collect personal data from children under 18 without verifiable parental consent. If you believe we have collected data from a minor without proper consent, please contact our Grievance Officer (Section 13) and we will delete it promptly.

Where parents place orders that benefit children — for instance, ordering Omega Reserve eggs for a school-going child — the data we collect (delivery address, parent's contact) is associated with the parent, not the child.

10International transfers

For Gulf-region customers (UAE, Saudi Arabia, Qatar, Kuwait, Oman, Bahrain), we transfer minimum necessary delivery data (name, address, phone) to our cold-chain freight forwarders and local last-mile delivery partners in those jurisdictions. These transfers are governed by data-processing agreements that require equivalent standards of protection. Our customer support and database operations remain in India.

For European Union residents, we rely on Standard Contractual Clauses (SCCs) for cross-border transfers from the EU to India. We do not currently target the EU market for new customers but maintain compliance for any existing residents.

11Security measures

We follow reasonable security practices and procedures as required under Section 43A of the IT Act 2000 and the Reasonable Security Practices Rules 2011. These include:

• Encryption of personal data in transit (HTTPS/TLS 1.2+) and at rest (database-level AES-256 encryption)
• Role-based access control — only authorised personnel can access customer data, and only the data needed for their function
• Regular security audits, vulnerability scans, and penetration testing
• Two-factor authentication on all administrative accounts
• Backup and disaster recovery protocols including off-site backups
• Staff training on data handling, with confidentiality clauses in employment contracts
• Annual review of our security posture against ISO 27001 best practices (we are not currently ISO 27001 certified but follow the framework)

While we take security seriously, no system is perfectly secure. In the event of a personal data breach affecting you, we will notify you and the Data Protection Board of India within 72 hours of becoming aware, in line with DPDP Act 2023 requirements.

12Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or services. The "Last updated" date at the top of this page indicates the most recent revision. Material changes (those that meaningfully affect your rights or our practices) will be communicated to you via email if we have your contact details, and prominently flagged on our website for at least 30 days. Continued use of our services after the change constitutes acceptance of the revised policy.

An archive of previous versions is available on request — email privacy@sahyaagro.com.

13Contact us

For any question, concern, or request regarding this Privacy Policy or your personal data, contact our Grievance Officer:

If you are unsatisfied with our response, you have the right to escalate your complaint to the Data Protection Board of India once it is operational, or to the appropriate authority in your jurisdiction (such as the European Data Protection Board for EU residents).

For general (non-privacy) questions about our products or service, please use our standard channels: WhatsApp +91 90917 92917 or email info@sahyaagro.com.