Legal · Document 02 of 04
Last updated · May 26, 2026
This Privacy Policy describes how Planet AI (operating under the brand name Pichup, hereafter "we", "us", "our") collects, uses, stores, and protects your personal information when you use the website pichup.org ("Website"). This policy complies with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as applicable.
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Deliver download links, order confirmations, exchange status updates, customer-support outreach | Contract performance |
| Payment info | Process transactions via Razorpay | Contract performance |
| IP address, User-Agent, country code | Security, fraud prevention, abuse detection, chargeback defense, audit trail | Legitimate interest, legal claim defense |
| Exchange submission data (sourced-when, authenticity description, file link) | Review the submission and evaluate authenticity claim | Contract performance |
| Affirmative consent record (Terms / Submission Terms acceptance, timestamp) | Evidence of informed agreement to enforce against disputes | Legitimate interest, legal claim defense |
We share limited personal data with the following third-party services, solely for the purposes described:
| Service | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|
| Razorpay | Payment details, email, order info | Payment processing | razorpay.com/privacy |
| Cloudflare | IP address, request data | Website hosting, security, CDN | cloudflare.com/privacypolicy |
| Resend | Email address | Transactional email delivery | resend.com/legal/privacy-policy |
We do not sell, rent, or trade your personal information to any third party for marketing or other purposes.
| Data Type | Retention Period | Reason |
|---|---|---|
| Transaction records (Razorpay) | 8 years | Indian tax / GST compliance, legal obligations |
| Order audit records (R2): order id, email, bank, amount, currency, consent timestamp, accepted documents, IP, User-Agent, country | Indefinite (durable storage) | Chargeback defense, dispute resolution, legal claim defense |
| Order audit records (KV mirror) | 180 days | Fast operator lookup during the typical chargeback window |
| Exchange-submission audit records (R2 and KV) | Indefinite (R2) / 180 days (KV) | Evidence of consent and indemnification under §08A.c of the Terms; defense against third-party rights claims |
| Delivery audit records (R2 and KV): payment id, email, bank shipped, timestamp | Indefinite (R2) / 180 days (KV) | Proof of delivery for chargeback contestation |
| Email address | Duration of business relationship + 3 years | Customer support, re-issuance of download links |
| Download tokens and per-token counters | 1 hour (auto-expire) | Access control |
| Webhook idempotency keys | 7 days | Prevent duplicate processing of retried webhook deliveries |
| Cloudflare server logs | ~7 days (Cloudflare retention default) | Security and abuse detection |
Audit records (orders, deliveries, exchange submissions) are stored in R2 object storage and treated as durable evidence; they will not be deleted in the ordinary course. Requests to delete audit records will be evaluated against our legal-claim-defense obligations and Indian retention requirements; see §07.
Under the Digital Personal Data Protection Act, 2023, you have the right to:
To exercise any of these rights, contact us via our contact page. We will acknowledge within 7 days and respond substantively within 30 days.
Our infrastructure providers (Cloudflare, Resend) operate globally. Your data may be processed in countries outside India, including the United States. These providers maintain adequate data protection standards. By using this Website, you consent to such transfers.
This Website is not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal data, please contact us and we will promptly delete it.
We may update this Privacy Policy from time to time. Changes take effect immediately upon posting. We recommend reviewing this page periodically. The "Last updated" date at the top indicates the most recent revision.
In accordance with the Information Technology Act, 2000, and the rules made thereunder, the Grievance Officer for the purpose of this Privacy Policy can be reached via our contact page. Grievances will be addressed within 30 days of receipt.
For privacy-related questions or requests, contact us via our contact page.