Privacy Policy

This Privacy Policy ("Policy") describes how Shootfolder.com Private Limited("Company", "we", "us", or "our"), a company incorporated under the Companies Act, 2013, with its registered office at 111, Block C, East of Kailash, New Delhi — 110065, collects, uses, stores, and discloses your personal information when you use our website shootfolder.com("Platform").

By accessing or using the Platform, you consent to the collection and use of your information as described in this Policy. If you do not agree with this Policy, please do not use the Platform.

This Policy is published in compliance with:

• The Information Technology Act, 2000 ("IT Act")
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
• The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IG Rules")
• The Digital Personal Data Protection Act, 2023 ("DPDP Act")

We collect the following categories of information:

Personal Information — information that can be used to identify you:

• Full name
• Email address
• Phone number
• Date of birth
• Gender
• Postal address (for Hosts)
• Payment information (processed by Razorpay; we do not store card details)
• IP address

Non-Personal Information — information that cannot be used to identify you individually:

• Geographic location (approximate, derived from IP)
• Browser type and version
• Device type and operating system
• Cookies and similar tracking technologies
• Page views, session duration, and navigation patterns

You may register or sign in using third-party authentication providers. We collect only the minimum information necessary for account creation from these services:

Google — We access your name, email address, and profile picture via Google OAuth 2.0. Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising purposes, and we do not share Google user data with third parties except as necessary to provide the Platform's core functionality.

Apple— We access your name and email address via Sign in with Apple. Apple's private email relay service may be used, in which case we receive a relay email address rather than your actual email. We honour Apple's privacy framework and do not attempt to reverse-map relay addresses.

Facebook — We access your name, email address, and profile picture via Facebook Login. In compliance with Facebook Platform policies, we provide a data deletion callback endpoint at /api/auth/facebook/deletion. You may request deletion of your Facebook-linked data at any time by using this endpoint or by contacting us directly.

Microsoft— We access your name, email address, and profile picture via the Microsoft Identity Platform. Data handling follows Microsoft's identity platform data practices.

For all providers, authentication tokens are securely stored and revoked upon account deletion.

We collect and process your information for the following purposes:

• To create and manage your account on the Platform
• To facilitate bookings and transactions between Crew and Hosts
• To process payments and refunds through Razorpay
• To communicate with you about your account, bookings, and Platform updates
• To verify Host identity and listing authenticity
• To improve the Platform, including search, recommendations, and user experience
• To detect and prevent fraud, abuse, and security incidents
• To comply with legal and regulatory obligations
• To enforce our Terms of Use and other policies

We may share your information with:

• Other users: When you make a booking, relevant information (name, contact details) is shared between Crew and Host to facilitate the booking.
• Payment processors: Razorpay, for processing payments, refunds, and payouts.
• Service providers: Third-party vendors who assist us in operating the Platform (e.g., email services, analytics, cloud hosting).
• Law enforcement: When required by law, regulation, legal process, or governmental request.
• Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

We do not sell your personal information to third parties.

We implement reasonable security practices and procedures to protect your personal information from unauthorised access, use, disclosure, alteration, or destruction, in accordance with the SPDI Rules.

Our security measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Regular security audits and vulnerability assessments
• Access controls and role-based permissions for internal staff
• PCI DSS compliant payment processing through Razorpay

Despite our best efforts, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.

You may request deletion of your account at any time using the Delete Account button in your account settings. Upon deletion:

• Your account will be deactivated within 48 hours.
• Your personal data will be permanently purged within 30 days of deactivation.
• Financial records will be retained for 6 years as required under the GST Act, 2017, and the Income Tax Act, 1961.
• All third-party authentication tokens (Google, Apple, Facebook, Microsoft) will be revoked upon account deletion.

We retain non-personal, aggregated data for analytical purposes even after account deletion. This data cannot be used to identify you.

You have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate personal information
• Withdraw consent for data processing (where consent is the legal basis)
• Request deletion of your personal data (subject to legal retention requirements)
• Opt out of non-essential communications through your account settings
• Disable cookies through your browser settings (this may affect Platform functionality)

To exercise any of these rights, please contact us at support@shootfolder.com.

The Platform is not intended for use by children under the age of 18 without parental or guardian supervision. We do not knowingly collect personal information from children under 18 without verifiable parental consent. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@shootfolder.com, and we will take steps to delete such information.

In accordance with the Information Technology Act, 2000, and the DPDP Act, 2023, the Grievance Officer for the Platform is:

• Name: Mr. Prateek Ahuja
• Email: grievance@shootfolder.com
• Address: 111, Block C, East of Kailash, New Delhi — 110065

The Grievance Officer shall acknowledge complaints within 24 hours and resolve them within 15 days of receipt.

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated effective date. We encourage you to review this Policy periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the revised Policy.

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in New Delhi, India.