✦ Legal & Compliance ✦

Privacy Policy

How Cermora (ADDSUS Solutions LLP) collects, uses, stores, shares, and protects your personal information.

Version 1.0 · Effective June 2026

  • Platform: www.cermora.com
  • Legal Entity: ADDSUS Solutions LLP
  • Registered Office: Hyderabad, Telangana
  • Applicable Law: IT Act 2000 · DPDPA 2023

ADDSUS Solutions LLP is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Cermora platform.

1. Scope and Applicability

This Privacy Policy applies to all Users of the Cermora platform — including Customers who browse and book Event Services, Vendors who list their services, and visitors who access the website without registering. It governs the collection and processing of personal data through:

  • The Cermora website (www.cermora.com)
  • Twilio SMS service

This Policy is published in compliance with:

  • Section 43A of the Information Technology Act, 2000
  • The IT (SPDI) Rules, 2011
  • The Consumer Protection (E-Commerce) Rules, 2020
  • Applicable provisions of the DPDPA, 2023 as notified

2. Personal Data We Collect

2.1 Data Provided by You

| Category | Data Points | Purpose |
|---|---|---|
| Identity | Name, date of birth, gender | Account creation, booking confirmation |
| Contact | Mobile number, email, postal address | Communication, invoicing, delivery |
| Login Credentials | Username, encrypted password, OTP | Authentication and security |
| Payment Data | Payment type, last 4 digits, txn IDs | Payment processing, refunds, disputes |
| GST / Tax | GSTIN, PAN, business address, trade name | GST invoicing, TCS, tax filings |
| Vendor Business | Reg. number, licences, bank details | Vendor onboarding, payouts, compliance |
| Event Preferences | Type, date, guests, budget, location | Personalised recommendations |
| Communication | Ask Vibhu messages, tickets, reviews | Service improvement, dispute resolution |

2.2 Data Collected Automatically

  • Location data: Approximate or precise location (with your consent) for venue proximity search.
  • Log data: IP address, timestamps, referring URLs, error logs.
  • Cookies & tracking: session and persistent cookies.

2.3 Data from Third Parties

  • Social login: Name, email, profile picture from Google, Facebook, or Apple.
  • Payment gateway: Transaction status, reference numbers, fraud risk scores.
  • Insurance partners: Application status, policy reference numbers (IRDAI-licensed).
  • EMI partners: Loan application status and reference numbers (NBFC/Bank).

3. How We Use Your Personal Data

Very Important
We use your data only for the purposes listed below, under a clear legal basis. We do not sell your personal data.

| Purpose | Legal Basis | Data Used |
|---|---|---|
| Account creation and management | Contract performance | Identity, contact, credentials |
| Processing bookings and payments | Contract performance | Identity, contact, payment data |
| GST invoicing & TCS filing | Legal obligation | GSTIN, PAN, txn data, contact |
| Vendor payout processing | Contract performance | Bank details, GSTIN, txn data |
| Personalised recommendations | Legitimate interest / consent | Usage, preferences, location |
| Customer support & disputes | Legitimate interest | All relevant personal data |
| Platform security & fraud | Legitimate interest | Device, IP, usage, payment |
| Marketing communications | Consent (opt-in) | Name, email, mobile, preferences |
| Analytics & improvement | Legitimate interest | Usage data, aggregated behavior |
| Legal & regulatory compliance | Legal obligation | Identity, tax, transactions |
| Ask Vibhu AI assistant | Contract performance / consent | Queries, preferences, history |

4. Sharing of Personal Data

4.1 With Vendors

When a booking is made, we share name, contact number, and event details with the relevant Vendor to enable service delivery. Vendors are contractually restricted from using Customer data for independent marketing.

4.2 With Customers (Vendor Data)

Vendor business name, photos, service descriptions, pricing, and ratings are publicly displayed. Personal contact details (personal mobile, home address) are never publicly shown.

4.3 With Service Providers and Partners

| Partner Category | Purpose | Data Shared |
|---|---|---|
| Payment Gateway | Secure payment processing | Name, amount, email, phone, order ID |
| Cloud Infrastructure | Data storage | All platform data (encrypted at rest) |
| Hosting | Platform operations | All platform data |
| Insurance Partners (IRDAI) | Event insurance facilitation | Name, contact, event details |
| NBFC / Bank Partners | Easy EMI processing | Name, contact, financial data with consent |
| SMS / Email Providers | Transactional & marketing comms | Name, email, mobile |
| KYC / Verification | Vendor identity verification | PAN, Aadhaar (Vendor), business docs |

4.4 Legal and Regulatory Disclosure

We may disclose personal data to law enforcement, government authorities, tax authorities (GSTN, Income Tax Dept), or courts when required by law. We will make reasonable efforts to notify you unless legally prohibited.

4.5 Business Transfers

In the event of a merger, acquisition, or sale, personal data may be transferred to the acquiring entity. You will be notified before such transfer.

5. Sensitive Personal Data or Information (SPDI)

Under Rule 3 of the SPDI Rules, 2011, the following data categories are subject to heightened protection:

| SPDI Category | Collected? | Purpose | Storage |
|---|---|---|---|
| Financial information | Partial (last 4 digits) | Payment reconciliation | Encrypted; full data with gateway |
| Passwords | Yes (hash only) | Authentication | Hashed; never plain text |
| Health / medical | No | | Not stored |
| Biometric data | No | | Not stored |
| Sexual orientation | No | | Not stored |
| Aadhaar Number | Vendor only (consent) | KYC verification | Encrypted; masked post-verification |

Your Consent Matters
SPDI is collected only with your explicit consent. You may withdraw consent at any time, subject to consequences for the related service functionality.

6. Data Retention

We retain personal data only as long as necessary to fulfil the purposes outlined in this Policy, or as required by law:

| Data Category | Retention Period | Reason |
|---|---|---|
| Account & profile | Account duration + 3 years | Service, disputes, reactivation |
| Booking & transactions | 8 years from txn date | GST law + litigation buffer |
| GST invoices & tax docs | 8 years from FY end | GST Act, Income Tax Act |
| Payment transaction logs | 5 years from txn date | PSS Act, fraud detection |
| Communication & support | 3 years from last interaction | Disputes, Consumer Protection Act |
| Vendor KYC & documents | Listing duration + 5 years | Regulatory & audit trails |
| Marketing preferences | Until withdrawal + 2 years | Evidence of consent management |
| Usage data | 13 months | Analytics standard |

7. Your Data Rights

Subject to applicable law, you have the following rights:

| Right | What It Means | How to Exercise |
|---|---|---|
| Access | Get a copy of your personal data | Email support@cermora.com |
| Correction | Fix inaccurate / incomplete data | Account settings or email |
| Erasure | Delete your personal data (legal limits apply) | Email support@cermora.com |
| Withdraw Consent | Opt out of marketing or optional processing | Account settings or unsubscribe link |
| Data Portability | Receive data in machine-readable format | Email support@cermora.com |
| Grievance Redressal | Complain about our data practices | DPO email; 30-day response |
| Nominate | Appoint someone to act on your behalf | Email with documentation |

Retention Exceptions
Certain data cannot be deleted on request — e.g., GST invoices (8 years under the CGST Act) and transaction records (5 years under the Payment and Settlement Systems Act). We will clearly communicate what can and cannot be deleted.

8. Cookies and Tracking Technologies

8.1 Types of Cookies Used

| Cookie Type | Purpose | Duration | Disable? |
|---|---|---|---|
| Strictly Necessary | Login, sessions, payment, cart | Session | No |
| Functional | Language, location, saved searches | 7 days | Yes (browser) |
| Analytics | Behavior, improvement (GA, Mixpanel) | 13 months | Yes (banner) |
| Marketing | Retargeting on Google, Meta | 30–90 days | Yes (settings) |
| Third-Party | Social buttons, video embeds | Varies | Yes (browser) |

8.2 Managing Cookies

  • A cookie consent banner is displayed on your first visit.
  • Change preferences anytime via Cookie Settings in the website footer.
  • Disabling analytics / marketing cookies will not break core platform features.

9. Data Security

ADDSUS Solutions LLP implements reasonable security practices under Rule 8 of the SPDI Rules, 2011.

9.1 Technical Measures

  • SSL/TLS encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • PCI-DSS compliant payment gateway (no full card storage)
  • Multi-factor authentication for Vendor & admin access
  • Regular penetration testing and security audits
  • Intrusion detection and real-time monitoring

9.2 Organisational Measures

  • Need-to-know access restrictions
  • Confidentiality obligations for employees & contractors
  • Data processing agreements with all third-party processors
  • Documented incident response procedures

9.3 Data Breach Response

We will assess risk and notify affected individuals and the Data Protection Board of India under DPDPA, 2023 timelines.

User Responsibility
No internet transmission is completely secure. Keep your login credentials confidential. Never share your OTP or password — Cermora will never ask for your password.

10. Children's Privacy

  • The Cermora Platform is not intended for individuals under 18.
  • We do not knowingly collect personal data from minors. If discovered, such data will be promptly deleted.
  • Parents / guardians may contact abc@cermora.com with concerns.

11. Third-Party Links and Services

  • The Platform contains links to third-party websites (insurance, NBFC, social media) for convenience only.
  • Cermora is not responsible for the privacy practices of third-party sites — read their policies before sharing data.
  • Integrations like Google Maps, Instagram feeds, and payment gateways are governed by their own privacy policies.

12. Cross-Border Data Transfers

  • Cermora primarily stores and processes data within India.
  • Where processed outside India (e.g., cloud services), we ensure appropriate safeguards as required by law.
  • We do not transfer SPDI to foreign entities except for payment processing or cloud infrastructure, with contractual protections.
  • We will update practices as DPDPA cross-border rules are notified.

13. Updates to This Privacy Policy

  • We may update this Policy to reflect changes in practice, technology, or law.
  • Material changes will be notified via email and/or a Platform notice at least 15 days before they take effect.
  • The current version is always available at www.cermora.com/privacy.
  • Continued use after the effective date constitutes acceptance.

14. Contact Us and Grievance Officer

For questions, concerns, requests, or complaints regarding this Privacy Policy:

  • Data Protection Officer (DPO): xyz@cermora.com (response within 30 days)
  • Privacy Queries: abc@cermora.com (response within 15 working days)
  • Grievance Officer: xyz@cermora.com, ADDSUS Solutions LLP, Hyderabad, Telangana (48 hrs ack · 30 days resolution)
  • Data Protection Board (India): www.dpboard.gov.in (once operational under DPDPA, 2023)

Your Rights Are Protected
Under the Consumer Protection Act 2019, IT Act 2000, and DPDPA 2023, you have the right to know, access, correct, and seek deletion of your personal data. Cermora is committed to honouring these rights promptly and transparently.

ADDSUS Solutions LLP · Cermora

www.cermora.com · Version 1.0 · Effective June 2026 · Subject to revision with notice