Privacy Policy
This Privacy Policy is drafted in compliance with Indian law including the IT Act 2000, SPDI Rules 2011, and the Digital Personal Data Protection Act 2023. By using Downxtown, you acknowledge that you have read and understood this policy.
Introduction
Downxtown ("Platform", "we", "us", "our") is a brand commerce platform operated by Alhikma Technologies, a company registered under the laws of India. We connect buyers ("Users") with independent D2C brands and retail businesses ("Brands", "Sellers") through our Android application and web storefront.
This Privacy Policy explains how we collect, use, store, share, and protect information about you when you access or use Downxtown. It applies to all users — buyers, brands, and visitors — across all surfaces including the Android app and website.
By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the practices described herein. If you do not agree with this policy, please discontinue use of the Platform.
Applicable Law & Regulatory Framework
This Privacy Policy is drafted in compliance with the following Indian laws:
- •Information Technology Act, 2000 ("IT Act")
- •Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
- •Digital Personal Data Protection Act, 2023 ("DPDP Act") — to the extent notified and in force
- •Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020
- •Payment and Settlement Systems Act, 2007 (relevant to payment processing)
Where applicable, this policy also acknowledges the principles of the GDPR for users accessing the Platform from the European Union, though Downxtown's primary legal compliance framework is Indian law.
Information We Collect
3.1 Information You Provide Directly
For Buyers
- •Full name, email address, mobile number
- •Delivery address(es)
- •Profile photo (optional)
- •Payment-related information (processed through Razorpay — see Section 6)
- •Messages sent to brands via in-app messaging
- •Reviews and ratings submitted on the Platform
For Brands / Sellers
- •Business name, brand identity, authorized representative name and contact details
- •Business email address and phone number
- •GST Identification Number (GSTIN), where applicable
- •Bank account details for payment settlement (processed via Razorpay Route API)
- •Product catalogue information including descriptions, images, and pricing
- •Physical store addresses (if listed on the Platform)
- •Brand story and profile content
3.2 Information Collected Automatically
When you use the Platform, we automatically collect:
- •Device type, model, and operating system version; app version
- •IP address and approximate geographic location (city/region level)
- •Session data — pages viewed, features accessed, time spent
- •Crash logs and error reports via Firebase Crashlytics
- •Search queries and browsing behavior within the Platform
This does not include precise GPS location unless you explicitly grant permission for the Nearby Store Discovery feature.
3.3 Location Data
The Nearby Store Discovery feature requires device location access. Location access is:
- •Optional — core platform use is unaffected without it
- •Requested at runtime — you will be asked for permission before any location data is accessed
- •Used only for discovery — not stored persistently on our servers or shared with third parties beyond proximity results
You may revoke location permission at any time through your device settings.
3.4 Information from Third-Party Integrations
If you connect your Shopify store via the Shopify Connector, we receive access to your product catalogue data (names, descriptions, images, variants, pricing, inventory status) as authorized through the Shopify Partner API. We do not access Shopify customer data, order history, or payment information.
How We Use Your Information
Account & Platform Operations
- •Creating and managing your account
- •Enabling brand discovery, product browsing, and the follow model
- •Facilitating in-app direct messaging between buyers and brands
- •Processing purchase redirects to brand-managed checkout flows
- •Displaying brand profiles, product catalogues, and reviews
Personalization & Discovery
- •Curating your brand feed based on follow activity, browsing behavior, and category preferences
- •Surfacing relevant brands and products based on engagement signals
- •Enabling the Nearby Store Discovery feature using location data
Communications
- •Sending transactional notifications (order redirects, follow confirmations, messages received)
- •Delivering platform updates, policy changes, and security alerts
- •Sending marketing communications where you have consented — you may opt out at any time
Safety, Security & Compliance
- •Detecting and preventing fraudulent activity, spam, and abuse
- •Investigating complaints and enforcing our Terms of Service
- •Complying with legal obligations, court orders, and government requests under applicable Indian law
- •Maintaining records as required under the IT Act and SPDI Rules
Analytics & Platform Improvement
- •Understanding how users interact with the Platform
- •Identifying bugs, crashes, and performance issues
- •Informing product development decisions
Future Revenue Products: Aggregated, anonymized behavioral data may inform a future Premium Analytics product offered to brands. This will use non-personally-identifiable data only. Any change will be communicated to users with an opportunity to opt out.
Sensitive Personal Data or Information (SPDI)
Under the IT (SPDI) Rules 2011, financial information is classified as Sensitive Personal Data and requires heightened protection. Downxtown collects financial information in the following limited contexts:
Buyers
Payment card or UPI details are entered and processed directly by Razorpay. Downxtown does not store, process, or have access to raw payment credentials at any point.
Brands
Bank account details for settlement are transmitted to and managed by Razorpay Route API. Downxtown maintains only the reference identifiers necessary for settlement reconciliation.
We do not collect passwords, biometric data, health data, sexual orientation, or religious beliefs as part of platform operations.
Payment Processing & Third-Party Transactions
Redirect Purchases
When a buyer taps a product and is redirected to the brand's own website or Shopify checkout, the transaction is completed entirely outside the Downxtown platform. Downxtown does not receive, process, or store any payment or order data from these transactions. The brand's own privacy policy governs that interaction.
In-Platform Payments (where applicable)
Any in-platform payment processing is handled exclusively by Razorpay, a PCI-DSS compliant payment gateway regulated under the Payment and Settlement Systems Act, 2007. Razorpay's privacy policy governs their handling of payment data and is available at razorpay.com.
Downxtown is not a party to the commercial transaction between buyer and brand. We expressly disclaim liability for any disputes arising from transactions completed on external brand websites or checkout flows.
Third-Party Services & Data Processors
Downxtown uses the following third-party services. Each acts as a data processor bound by applicable data protection obligations:
Firebase (Google LLC)
Purpose: Authentication, push notifications, crash reporting (Crashlytics), analytics
Data shared: Device identifiers, app usage events, crash logs
Governed by: Google's Privacy Policy and Data Processing Terms
Razorpay Software Private Limited
Purpose: Payment gateway and settlement infrastructure
Data shared: Transaction reference data; raw financial credentials are not passed through Downxtown
Governed by: Razorpay's Privacy Policy
MongoDB Atlas (MongoDB, Inc.)
Purpose: Primary database infrastructure for platform data storage
Data shared: All platform data stored in the database
Governed by: MongoDB's Data Processing Agreement
Shopify Inc.
Purpose: Catalogue sync via Shopify Connector (brand-side integration)
Data shared: Product catalogue data as authorized by the brand
Governed by: Shopify's Partner API Terms
We do not sell, rent, or trade your personal information to any third party for their independent marketing purposes.
Data Sharing
We share your data only in the following circumstances:
With Brands (for buyer-brand interaction)
When you message or follow a brand, your profile information (display name, profile photo if set) is visible to that brand. Brands do not receive your contact details, address, or payment data through Downxtown's interface unless you voluntarily share this in a message.
With Other Users
Your public profile — display name and profile photo — is visible to other users. Your follow activity may be visible depending on your privacy settings.
For Legal Compliance
We may disclose your information to law enforcement agencies, courts, government authorities, or regulatory bodies in India when required by law, court order, or in response to a lawful request under the IT Act. We will notify affected users where legally permissible.
Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets of Alhikma Technologies, user data may be transferred to the acquiring entity. Users will be notified and given the opportunity to delete their accounts if they do not consent.
With Your Explicit Consent
For any other purpose not described in this policy, we will seek your explicit consent before sharing your data.
Data Retention
We retain your personal data for as long as your account is active or as necessary to provide services, comply with legal obligations, resolve disputes, and enforce our agreements.
| Data Type | Retention Period |
|---|---|
| Account data | 3 years after account deletion |
| Transaction reference data | 8 years (accounting & tax law) |
| Messages | Duration of conversation thread |
| Analytics data | Anonymized after 12 months |
| Location data | Not retained beyond active session |
Upon account deletion, personally identifiable data is deleted or anonymized within 30 days, except where retention is required by law.
Data Security
Alhikma Technologies implements reasonable security practices and procedures as required under the IT (SPDI) Rules, 2011, including:
- •Encrypted data transmission using HTTPS/TLS across all platform surfaces
- •Secure storage of credentials using industry-standard hashing protocols
- •Access controls limiting employee access to personal data on a need-to-know basis
- •Regular security assessments and code reviews
- •Firebase Authentication for secure identity management
- •Razorpay's PCI-DSS infrastructure for all payment flows
While we implement these measures, no system is completely secure. In the event of a data breach likely to result in significant harm, we will notify affected users and relevant authorities in accordance with applicable law within a reasonable timeframe.
Users are responsible for maintaining the confidentiality of their account credentials. Do not share your login details with anyone.
Children's Privacy
Downxtown is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a user is under 18 and has provided personal information without verifiable parental consent, we will delete that data promptly.
If you believe a minor has registered on our platform, please contact us at the address provided in Section 15.
Your Rights as a Data Principal
Under the Digital Personal Data Protection Act, 2023 (to the extent in force), and consistent with the IT Act framework, you have the following rights:
To exercise any of these rights, contact us at the details in Section 15. We will respond within 30 days of receiving a valid request.
Cookies & Tracking Technologies
The Downxtown Android application does not use browser cookies. The web storefront (downxtown.com) may use the following:
Grievance Redressal
In accordance with the Information Technology Act, 2000 and the Consumer Protection (E-Commerce) Rules, 2020, a Grievance Officer has been designated to address privacy-related concerns.
Name: Abdullah Ahmad Kidwai
Designation: Founder & CEO, Alhikma Technologies
Email: grievance@downxtown.com
Address: Lucknow, Uttar Pradesh, India
Response Time: Within 30 days of receipt of complaint
If you are not satisfied with our response, you may escalate your complaint to the relevant authorities under the IT Act or, once fully notified, the Data Protection Board of India under the DPDP Act, 2023.
Contact Us
For all privacy-related inquiries, data requests, or concerns:
Alhikma Technologies
Email: privacy@downxtown.com
Website: downxtown.com
Address: Lucknow, Uttar Pradesh, India
Updates to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or platform features. When we make material changes, we will:
- •Update the "Last Updated" date at the top of this policy
- •Send an in-app notification to registered users
- •For significant changes, request fresh consent where required by law
Continued use of the Platform after notification of changes constitutes acceptance of the revised policy. If you do not agree with the changes, you may delete your account before the changes take effect.
This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes arising in connection with this policy shall be subject to the exclusive jurisdiction of the courts located in Lucknow, Uttar Pradesh.