BuyWell Marketplace
Data Protection and Consent Policy
How APRAS Naturals handles consent, DPDP/GDPR data rights, grievance intake, retention, and breach readiness.
Last reviewed: 2 June 2026
This policy supplements the Privacy Policy and describes how APRAS Naturals manages consent, data-rights requests, grievance intake, security evidence, and breach-response readiness for DPDP and GDPR compliance operations.
Consent Management
Consent requests should describe the personal data involved, the purpose of processing, and the way a user can withdraw consent. Withdrawal requests can be sent to aprasnaturals@gmail.com. Withdrawal does not affect processing already completed before withdrawal and may affect our ability to provide requested services that require the data.
Data-Rights Request Workflow
Users may request access, correction, completion, update, deletion, withdrawal, grievance support, and, where GDPR applies, portability, restriction, objection, or review of automated decisions. APRAS Naturals should verify identity, record the request, assign an owner, assess legal exceptions, respond within the applicable timeline, and keep evidence in the admin compliance panel.
Grievance Redressal
Privacy grievances should include the user name, contact detail, order number if relevant, request type, and supporting context. The support owner should acknowledge, investigate, resolve or escalate, and record the outcome. Users may also use statutory complaint channels where applicable.
Breach Readiness
A suspected personal data breach should be escalated immediately to the admin owner. The response should identify affected systems, data categories, users, containment steps, processor involvement, notification obligations, user impact, and corrective action. Evidence should be tracked in the compliance panel.
Retention and Deletion
Data should be retained only for service, legal, accounting, support, fraud-prevention, security, or dispute-resolution needs. Deletion requests should be assessed against active orders, refunds, tax records, chargeback risk, and legal holds before fulfilment.
Processor and Vendor Review
Processors such as hosting, payment, delivery, email, SMS, WhatsApp, analytics, and storage providers should be reviewed for purpose limitation, access control, security, retention, and incident support before production use.