Our Privacy Policy

For clarity and legal precision, the following terms have the meanings ascribed to them in this Policy. These definitions apply throughout all legal documents published by SolarWindMart, including the Terms of Service, Vendor Agreement, Buyer Agreement, and Financing Terms.

SolarWindMart collects information across multiple categories depending on the nature of your interaction with our Platform. We apply the principle of data minimisation — collecting only what is necessary for the stated purpose — while maintaining comprehensive records required for regulatory compliance, fraud prevention, dispute resolution, and service quality improvement.

Data collection occurs through four primary channels: (1) information you actively provide to us through registration, forms, and communications; (2) information generated automatically through your use of the Platform; (3) information obtained from verified third-party sources such as credit bureaus, government databases, and business registries; and (4) information shared by partner organisations such as financing companies, insurance providers, and system integration partners.

Categories of Data Collected

All data collected is processed within secure, access-controlled environments. We do not collect data that is irrelevant to the purpose of providing our marketplace, financing facilitation, vendor verification, or ancillary services. When you visit our Platform without registering, we collect only technical and anonymous usage data unless you voluntarily provide additional information through inquiry forms or live chat.

When you create an account, submit an inquiry, apply for solar financing, post a job listing, or contact our support team, you provide us with personal information. The specific data collected varies by user type and the services being accessed.

Individual Buyer Information

• Identity: Full legal name, date of birth, gender (optional), government-issued identity (Aadhaar, Voter ID, Passport, Driving Licence)
• Contact Details: Primary and secondary mobile numbers, verified email address, WhatsApp number (if provided)
• Address Information: Home/office address including pin code, district, state, and GPS-verified geolocation for installation site assessment
• Financial Profile: PAN card number, income bracket, credit score range (obtained from credit bureaus with your consent), bank account details for EMI mandates (where applicable)
• Energy Usage Profile: Monthly electricity consumption (units), average electricity bill, current electricity provider/DISCOM, rooftop area, roof type, and shadow analysis data
• Preferences & Interests: Preferred solar panel brands, technology preferences (monocrystalline, polycrystalline, bifacial), budget range, installation timeline, financing preference
• Communication Preferences: Preferred language, preferred mode of contact, marketing opt-in status
• Support Interactions: Grievance records, complaint history, chat transcripts (with consent), call recordings (notified separately)

Vendor / Service Provider Personal Information

• Proprietor/Director full name, designation, mobile, email, and personal Aadhaar/PAN
• Digital signature credentials for document execution
• Professional certifications (MNRE empanelment, NABCB accreditation, state government approvals)
• LinkedIn profile URLs and professional references (optional but recommended)
• Bank signatory details for escrow and payment disbursement purposes

Job Applicant & Professional Profile Information

• Resume/CV including educational qualifications, professional experience, technical skills, and certifications
• Expected salary, current CTC, notice period, and willingness to relocate
• References (third parties) — collected only with prior notification to the applicant
• Assessment results from our online screening tests (if applicable)

For registered businesses — including sole proprietorships, partnership firms, LLPs, private limited companies, public sector undertakings, and cooperative societies — we collect a comprehensive set of organisational information to verify legitimacy, enable marketplace participation, and comply with applicable regulations.

Entity-Level Business Data

• Legal Identity: Registered company name, trade name (if different), business type/structure, year of incorporation, and corporate identification number (CIN) or LLPIN
• Registration Documents: Certificate of Incorporation, MSME Udyam Registration, GST Registration Certificate, Import Export Code (IEC), trade licence, factory licence (if applicable)
• Tax Information: GSTIN, TAN, PAN (entity-level), HSN/SAC codes for products/services listed, and turnover declarations as required for GST compliance
• Operational Data: Manufacturing capacity (kWp/MW per annum), warehouse locations, service territories (state/district-wise), ISO certifications, BIS/IEC product certifications, and MNRE product approvals
• Banking Details: Current account number, IFSC code, bank name and branch, and UPI merchant ID for payment settlement
• Director/Partner Information: Names, DIN (for directors), shareholding pattern (for listed companies), and authorised signatory details

Product & Service Catalogue Data

• Product specifications including wattage, efficiency rating, dimensions, weight, certifications (IEC 61215, IEC 61730, BIS), warranty terms, and pricing tiers
• Service descriptions including EPC contract scope, installation methodologies, O&M packages, and performance guarantees
• Dealer/distributor network coverage, installer density, and after-sales service availability by geography

Performance & Compliance Data

• Customer ratings and verified reviews received on the Platform
• Project completion data (number of installations completed, aggregate capacity installed)
• Payment default history within the Platform (if any)
• Complaint and dispute records
• Compliance audit results from SolarWindMart's internal quality control team

In addition to information you actively provide, our Platform automatically collects certain technical and device-level data whenever you access our services. This data is critical for maintaining platform security, diagnosing performance issues, optimising user experience, and enabling fraud detection systems.

Automatically Collected Technical Data

• Device Identifiers: Device type (mobile, tablet, desktop), operating system version, unique device identifier (UDID), advertising ID (IDFA/GAID), and hardware model
• Network Information: IP address, ISP name, mobile network operator, approximate geolocation derived from IP, and connection type (Wi-Fi, 4G/5G, broadband)
• Browser & App Data: Browser type and version, screen resolution, installed browser plugins, referrer URL, entry/exit pages, session duration, and click-stream data
• Usage Patterns: Pages visited, products viewed, searches performed, filters applied, time spent on each page, and interaction sequences within the Platform
• Crash & Error Logs: Application crash reports, API error codes, and performance diagnostics (collected through Firebase Crashlytics or equivalent SDKs)
• Precise Geolocation: Where you grant permission — GPS coordinates for installation site surveys, delivery logistics, and vendor proximity matching

Log Files & Server Records

Our servers automatically log all requests made to the Platform. These logs include timestamps, user agent strings, HTTP method, requested URL, response codes, and data transfer volumes. Logs are retained for security audit purposes and are not used for commercial profiling unless expressly aggregated and anonymised for platform analytics.

SolarWindMart uses cookies, web beacons, pixel tags, local storage, and similar tracking technologies to operate the Platform efficiently, personalise your experience, analyse usage, and deliver relevant communications. This section explains what these technologies are, how we use them, and how you can control them.

Types of Cookies We Use

Web Beacons & Pixel Tags

Our marketing emails contain invisible 1×1 pixel images (web beacons) that allow us to determine whether an email was opened and which links were clicked. This data helps us improve email relevance and personalise future communications. You may disable this tracking by choosing to view emails in plain-text format in your email client.

Managing Cookies

You may adjust your cookie preferences at any time through our Cookie Consent Centre (accessible via the cookie icon in the footer). Most browsers also allow you to view, block, and delete cookies through browser settings. Please note that disabling essential cookies will impair Platform functionality and may prevent you from logging in or completing transactions.

The data we collect is used exclusively for legitimate, clearly defined purposes. We do not sell your personal data to advertisers or data brokers. The following describes the specific purposes for which we process your information, along with the legal basis for each processing activity.

Core Platform Operations

• Creating, maintaining, and securing your SolarWindMart account
• Enabling buyer-vendor matching based on product specifications, geographic proximity, budget, and service capability
• Processing product and service inquiries, RFQs (Request for Quotation), and purchase orders
• Facilitating secure payment processing, invoice generation, and GST-compliant billing
• Managing escrow-based milestone payments for EPC projects
• Providing after-sales support, warranty claims processing, and service escalation

Personalisation & Recommendations

• Recommending relevant solar products based on your energy profile, rooftop size, and geographical irradiance data
• Surfacing nearby certified installers and EPC contractors based on your location and project size
• Providing personalised ROI calculators and payback period estimates
• Displaying government subsidy eligibility (PM Surya Ghar Muft Bijli Yojana, state schemes) based on user location

Compliance & Legal Obligations

• Conducting KYC verification and anti-money laundering (AML) checks
• Complying with GST filing obligations, TDS/TCS deduction, and e-invoicing mandates
• Fulfilling obligations under SEBI, RBI, and IRDAI regulations (for financing and insurance services)
• Responding to lawful requests from courts, law enforcement, and regulatory authorities
• Maintaining audit trails for platform governance and dispute resolution

Platform Improvement & Research

• Conducting anonymised market research on renewable energy adoption trends
• Improving algorithm accuracy for buyer-vendor matching and lead scoring
• Testing new features through A/B experimentation
• Generating aggregated industry reports (no individual user data is disclosed)

Legal Basis for Processing

SolarWindMart operates as both a Data Fiduciary (with respect to the personal data of individual users) and as a Data Processor (with respect to customer data managed on behalf of vendors through our CRM and order management tools). This dual role creates layered data governance obligations that we take seriously.

Data Processing for Vendors

When vendors access the SolarWindMart Vendor Dashboard, they gain access to lead information, buyer contact data (where consented), inquiry histories, and transactional records. Vendors are required to enter into a separate Data Processing Agreement (DPA) as part of their vendor onboarding. Key obligations under the DPA include:

• Using buyer data only for responding to inquiries and fulfilling orders generated through the Platform
• Not retaining buyer contact information for independent marketing outside of SolarWindMart for more than 90 days post-inquiry closure
• Not sharing or selling buyer data to third parties without express written consent
• Implementing adequate security measures as specified in the SolarWindMart Vendor Security Standard (VSS-2024)
• Notifying SolarWindMart within 72 hours of any data breach involving buyer information

Data Processing for Buyers

Buyers' data is processed by SolarWindMart to fulfil service requests, match with appropriate vendors, and provide marketplace support. When buyers submit inquiries, their contact information is shared with a maximum of five (5) relevant vendors at a time, subject to consent. Buyers may control lead-sharing preferences through their account settings.

Every transaction conducted on the SolarWindMart Marketplace — whether a direct product purchase, an EPC contract booking, a service subscription, or a financing application — generates a detailed transactional record. These records are integral to our platform operations and are retained as part of your account history.

Transaction Data We Collect

• Order ID, order date, product/service description, quantity, unit price, applicable GST, and total order value
• Shipping address, delivery contact, and GPS coordinates for installation sites
• Payment method (UPI, NEFT/RTGS, credit/debit card, EMI, BNPL) and transaction reference numbers
• Vendor details, installer assignment, and site visit scheduling records
• Digital signatures on EPC contracts and work orders (via Aadhaar eSign or DSC)
• Milestone completion certificates and final inspection reports
• Net metering application status and DISCOM synchronisation records
• Performance monitoring data from IoT-enabled solar monitoring systems (where SolarWindMart's monitoring platform is used)

Escrow & Milestone-Based Payments

For EPC projects and large commercial installations, SolarWindMart facilitates escrow arrangements through our partner banking institutions. In such cases, buyer funds are held in a designated escrow account and released to vendors upon milestone verification. Transaction records for escrow arrangements are shared with the escrow bank, and your financial data is processed in compliance with RBI's Payment Aggregator/Payment Gateway guidelines.

GST Invoicing & Compliance

All transactions on the Platform generate GST-compliant e-invoices and e-way bills (where applicable) in accordance with the GST Act, 2017. Your GSTIN, business name, and address are included on tax invoices. These records are maintained for a minimum of eight (8) years as required under GST law, and may be shared with GSTN or tax authorities upon lawful request.

SolarWindMart operates a Solar Financing Gateway that connects buyers with registered Non-Banking Financial Companies (NBFCs), scheduled commercial banks, cooperative banks, and government-backed financing institutions (including SBI Solar Loans, IREDA, NABARD-linked schemes, and KfW-partnered programmes). This gateway is regulated under applicable RBI guidelines and IRDAI where insurance is bundled.

Financial Data Collected for Loan Applications

• Personal PAN, Aadhaar, and Form 60 (for those without PAN)
• ITR (Income Tax Returns) for the last 2–3 assessment years
• Bank statements for the preceding 12 months
• Salary slips / CA-certified P&L statement (for self-employed applicants)
• Property ownership documents (for loan-against-property variants)
• CIBIL/Equifax/Experian credit score (retrieved with your explicit consent via Credit Bureau Integration)
• Employment details including employer name, designation, vintage, and HR contact for verification
• Monthly installment capability declaration and existing debt obligations

Data Sharing with Financing Partners

Your financial and KYC data is shared exclusively with lending institutions that you select or that are recommended to you based on your eligibility profile. We do not share your financial data with vendors or any party not involved in the lending process. All financing partners are bound by signed Data Sharing Agreements that restrict use of your data to the loan evaluation and disbursement process only.

Subsidy & Government Scheme Data

Where you apply for subsidies under schemes such as the PM Surya Ghar Muft Bijli Yojana (Rooftop Solar Programme), your application data — including Aadhaar number, bank account for direct benefit transfer, electricity consumer number, and rooftop survey details — is submitted to the relevant government portal (National Portal for Rooftop Solar) in compliance with that scheme's terms. SolarWindMart acts only as a facilitation agent and does not store government scheme credentials beyond the application process.

SolarWindMart has partnered with IRDAI-registered insurance companies to offer solar asset protection plans, weather risk insurance (for agricultural and large-scale commercial projects), equipment breakdown coverage, and extended warranties. When you purchase or enquire about insurance products through our Platform, additional data processing obligations apply.

Insurance-Related Data Collected

• Installation site address, GPS coordinates, and municipal zone classification
• Solar system technical specifications (capacity, panel type, inverter make/model, mounting structure)
• Site vulnerability assessment data (cyclone zone, flood zone, hail probability)
• Previous insurance claim history (obtained from Insurance Information Bureau of India with consent)
• Property ownership status (owned/leased/rented) and structural integrity certification
• Utility bill and net-metering connection certificate

Data Sharing with Insurers

When you select an insurance product, your site, system, and identity data is transmitted securely to the selected insurer's underwriting portal via API integration. SolarWindMart acts as a corporate agent / web aggregator (registered under IRDAI) and is not the risk-bearing entity. The insurer's privacy policy also applies to your data once shared. SolarWindMart retains a copy of your insurance application data in your account for policy management and claim facilitation purposes.

One of SolarWindMart's core marketplace functions is the intelligent distribution of buyer inquiries (leads) to relevant, geographically proximate, and category-appropriate vendors. This section explains in detail how leads are generated, shared, and governed.

How Leads Are Generated

A "Lead" is created whenever a Buyer submits an inquiry, product enquiry form, "Get Quote" request, site survey request, or financing enquiry. Leads are also generated algorithmically through behavioural signals such as extended product page visits, multiple comparisons within a category, and wishlist additions, subject to your platform communication settings.

Lead Distribution Logic

• Leads are distributed to a maximum of five (5) verified vendors per inquiry to avoid buyer harassment
• Vendor selection is based on: geographic proximity to the installation site, product/service category match, vendor rating (minimum 3.5/5.0 required for lead eligibility), and response-rate history
• Leads are distributed simultaneously to all matched vendors; first-to-respond vendors receive a platform-visible "Quick Responder" badge
• Buyers receive notification of which vendors have been shared their details and may request removal of any specific vendor from a lead within 2 hours of lead dispatch

Data Shared in Leads

The following information is included in a standard lead shared with vendors: buyer first name, city/district (not full address), phone number (masked by default — vendors must earn "Verified" status to receive unmasked contact), product/service requirement summary, budget range, and installation timeline. Full addresses are shared only after the buyer explicitly approves a vendor for site survey.

SolarWindMart integrates with a carefully vetted ecosystem of third-party technology providers to deliver a comprehensive marketplace experience. Each integration involves data exchange, and we are transparent about the nature of such exchanges.

Technology Partners & Data Exchanges

All third-party integrations are governed by Data Processing Agreements (DPAs) or Standard Contractual Clauses (SCCs) where applicable. We conduct periodic security assessments of critical technology partners and require them to adhere to our Third-Party Security Standards (TPSS-2024).

SolarWindMart takes the security of payment information with utmost seriousness. We are PCI-DSS Level 1 compliant and do not store raw payment card data on our servers. All payment processing is handled by RBI-licensed Payment Aggregators and Acquirer Banks.

Payment Data Processing Standards

• Credit and debit card details are tokenised at the point of entry using the payment gateway's secure iframe/SDK. SolarWindMart servers never receive or store raw card numbers, CVV, or expiry dates
• UPI transaction IDs and Virtual Payment Addresses (VPAs) are stored for reconciliation and dispute management purposes
• NEFT/RTGS transaction references and UTR numbers are retained for escrow management and vendor payment disbursement
• EMI disbursement schedules and bank mandate references (NACH) are stored for the duration of the loan/EMI agreement
• Refund transactions and chargeback records are retained for 8 years as required under the Payment Settlements Act, 2007

Vendor Payment & Settlement

Vendor payouts are processed through our settlement engine, which disburses funds to vendor bank accounts (after applicable TDS deduction at source) within 2–7 business days of order completion confirmation. Payment disbursement records are maintained in the vendor's financial dashboard and are accessible for a rolling 3-year period. Annual payment summaries are provided for tax filing assistance.

To maintain marketplace integrity and protect buyers from fraudulent vendors, SolarWindMart conducts a comprehensive, multi-layer vendor verification and KYC process. This process is mandatory for all vendors listing products or services on the Platform and is periodically renewed.

KYC Documentation Required

• Identity Verification: Aadhaar-based eKYC (via DigiLocker/UIDAI API) or physical document upload with face-match liveness check
• Business Verification: GST certificate, MCA21 company registration extract, trade licence, MSME registration
• Product Compliance: BIS certification numbers, IEC test reports, MNRE approved product list (ALMM) registration, DCDB approval certificates
• Financial Standing: Audited financial statements for the last 2 years, CIBIL commercial report, and banker's reference letter
• Physical Verification: For vendors above a defined transaction threshold, SolarWindMart may conduct physical premise verification through our empanelled field audit agencies

Ongoing Compliance Monitoring

KYC documents are re-verified annually or upon significant changes to business information. Vendors who fail to complete re-KYC within the stipulated period will be placed in a restricted state, limiting their lead access and payment settlements until verification is completed. Vendors identified through monitoring as having fraudulent, duplicate, or non-compliant registrations are permanently delisted and reported to appropriate regulatory authorities.

KYC Data Retention

All KYC documents and verification records are retained for a minimum of ten (10) years from the date of collection, as required under PMLA (Prevention of Money Laundering Act), 2002, and FEMA regulations. KYC data is stored in a segregated, highly encrypted data vault with restricted access governed by role-based access controls (RBAC).

SolarWindMart operates a dedicated Government Tender Portal aggregating renewable energy tenders from Central and State Government bodies, PSUs, DISCOMs, municipal corporations, defence establishments, and public sector institutions. This portal creates unique data processing obligations distinct from standard commercial transactions.

Data Collected for Government Tenders

• Vendor bidding eligibility data including DPIIT registration, NSIC certificate, MSE certification, and experience certificates in government projects
• Bid values, technical proposals, and commercial bid components (encrypted and accessible only to the procuring entity after bid opening)
• EMD (Earnest Money Deposit) and performance guarantee bank details
• Consortium formation documents and partnership agreements
• Empanelment category, class, and financial capacity data as required by specific tenders

Interaction with Government Systems

Our Tender Portal aggregates publicly available tender data from GeM (Government e-Marketplace), MNRE's tender notification system, state RESCO portals, and CPP Portal. Bid submission for supported tenders occurs through our secure integration with these government platforms. SolarWindMart acts as an information aggregator and facilitation layer and does not have authority to accept or reject bids on behalf of any procuring entity.

SolarWindMart's Career & Talent Hub connects renewable energy professionals with employers across the value chain — from panel manufacturers and EPC contractors to O&M companies, financing institutions, and government agencies. This portal processes sensitive professional and personal data, which we handle with heightened care.

Job Seeker Data

• Full name, contact details, current city, and willingness to relocate
• Educational qualifications, institution names, graduation years, and marksheets (uploaded documents)
• Work experience, employer names, designations, tenure, and key achievements
• Technical skills, certifications (NABCB, MNRE solar technician certification, electrical licensing), and language proficiencies
• CTC details, expected salary, and notice period
• Professional references (with prior notification to referees)
• Profile photo (optional)

Employer Data

• Company profile, HR contact details, talent acquisition team information
• Job description content, hiring requirements, and compensation bands
• Applicant tracking records and hiring decisions (retained confidentially)

Candidate Privacy Controls

Job seekers can control profile visibility through granular privacy settings: you may set your profile as "Visible to All Employers," "Visible to Premium Employers Only," "Hidden (Confidential Search)," or "Not Visible (Profile Paused)." Your current employer details are never disclosed to prospective employers without your explicit opt-in. You may permanently delete your Career Hub profile and all associated data through the account deletion function at any time.

With your consent, SolarWindMart sends informational and promotional communications across multiple channels. We are committed to sending relevant, useful communications — not spam — and to fully respecting your right to opt out of any or all marketing messages at any time.

Types of Communications We Send

• Transactional (Non-Marketing): Order confirmations, payment receipts, shipping updates, KYC status notifications, account security alerts — these are sent regardless of marketing preferences
• Product Updates: New product launches, marketplace feature announcements, and platform maintenance notices
• Promotional: Discount offers, seasonal sales (e.g., Solar Season Sale), vendor deals of the week, and cashback promotions
• Educational: Solar industry insights, policy updates (subsidy schemes, CERC/SERC tariff orders), installation guides, and ROI analysis reports
• Tender Alerts: New government tenders matching your saved search criteria and bidding eligibility profile
• Career Updates: New job postings matching your Career Hub profile and preferred locations

Communication Channels & Opt-Out

We respect the National Do Not Call (NDNC) registry maintained by TRAI. Phone calls for marketing purposes are not made to numbers registered on the NDNC list. Transactional calls (e.g., order confirmations, support callbacks) are exempt from DND restrictions.

Data is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. Upon expiry of the applicable retention period, data is securely deleted, anonymised, or archived in accordance with our Data Lifecycle Management Policy (DLMP-2024).

Retention Schedule

Data Storage Location

All personal data of Indian users is stored on servers located within India, in compliance with the data localisation requirements of the DPDP Act, 2023. Our primary data centres are located in Mumbai (Primary) and Hyderabad (Disaster Recovery). For EU/UK users, data is stored on AWS EU (Frankfurt) and GCP EU (Belgium) infrastructure, with appropriate SCCs in place for any cross-border transfers to India.

SolarWindMart implements a comprehensive, defence-in-depth information security programme aligned with ISO/IEC 27001:2022, NIST Cybersecurity Framework, and the RBI Cybersecurity Framework for Payment Systems. Our Chief Information Security Officer (CISO) leads a dedicated information security team responsible for policy, implementation, and incident response.

Technical Security Controls

• Encryption at Rest: AES-256 encryption for all personal and sensitive data stored in databases and file systems
• Encryption in Transit: TLS 1.3 for all data in transit; HSTS enforced across all Platform domains
• Access Control: Role-Based Access Control (RBAC) with principle of least privilege; multi-factor authentication mandatory for all internal systems access
• Network Security: Web Application Firewall (WAF), DDoS protection (Cloudflare), and network segmentation between public-facing and internal systems
• Vulnerability Management: Quarterly penetration testing by CERT-In empanelled security firms; continuous automated vulnerability scanning (Qualys, Snyk)
• SIEM & SOC: 24×7 Security Operations Centre with SIEM (Splunk) for real-time threat detection and incident response
• Key Management: Dedicated Hardware Security Modules (HSMs) for cryptographic key management

Organisational Security Controls

• Mandatory annual information security training for all employees with role-specific advanced training for high-risk roles
• Background verification for all employees with access to personal data
• Strict clean-desk and clear-screen policies at all offices
• Vendor/contractor security assessments before granting system access
• Incident Response Plan (IRP) with defined escalation procedures and RTO/RPO commitments

Data Breach Notification

In the event of a personal data breach, SolarWindMart will notify the relevant Data Protection Board (under DPDP Act) within 72 hours of becoming aware of the breach. Affected individuals will be notified without undue delay where the breach poses a high risk to their rights and freedoms. Notification will include a description of the nature of the breach, categories and volume of data affected, likely consequences, and remedial actions taken.

SolarWindMart primarily serves users in India, but our Platform is accessible globally and we engage with international technology providers, renewable energy exporters, and overseas financial institutions. This necessitates cross-border data transfers that are governed by stringent legal safeguards.

Transfer Safeguards

• Standard Contractual Clauses (SCCs): Used for transfers of EU/UK user data to India and other third countries, ensuring GDPR-equivalent protection
• Adequacy Decisions: Where available, we rely on European Commission adequacy decisions for streamlined transfers
• Binding Corporate Rules (BCRs): In development for intra-group transfers across any future international subsidiaries
• Data Localisation: Indian user data is processed and stored within India; international transfers of Indian data occur only for specific, named purposes (e.g., international cloud backup) with appropriate government approvals under DPDP Act

Countries of Data Transfer

Personal data may be transferred to service providers located in the United States (AWS, Google Cloud, Twilio, Mixpanel), United Kingdom (certain analytics providers), Germany (KfW partner systems for German-funded solar projects), and Singapore (for APAC data processing by certain SaaS providers). All such transfers are governed by appropriate legal mechanisms as described above.

You have significant rights with respect to your personal data. SolarWindMart is committed to facilitating the exercise of these rights promptly and without unnecessary friction. Rights may be exercised through your Account Dashboard, our Privacy Request Portal, or by contacting our Data Protection Officer.

Response Timelines

We will acknowledge rights requests within 72 hours and provide a substantive response within 30 calendar days (extendable to 60 days in complex cases, with notice). Rights requests are free of charge, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline the request, explaining our reasons.

SolarWindMart's global privacy programme is designed to comply with multiple regulatory frameworks. We describe our compliance posture under each major applicable law below.

Digital Personal Data Protection Act, 2023 (India)

As a Data Fiduciary under the DPDP Act, 2023, SolarWindMart has appointed a Data Protection Officer (DPO), maintains comprehensive records of processing activities, implements privacy by design and default, ensures data localisation for Indian users, and will comply with obligations to the Data Protection Board as notified by the Central Government. We have reviewed our consent management framework to align with the Act's requirements for free, specific, informed, unconditional, and unambiguous consent.

GDPR (European Union / EEA)

For users accessing our Platform from the EU/EEA, SolarWindMart processes data in accordance with GDPR. Our EU representative is SolarWindMart Europe BV (registered in the Netherlands). We maintain Article 30 Records of Processing Activities (ROPA), conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, and appoint SCCs for international data transfers. EU users may exercise all rights under Articles 15–22 GDPR through our Privacy Request Portal.

IT Act, 2000 & SPDI Rules, 2011

We comply with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Our privacy policy has been published as required, we obtain explicit consent before collecting SPDI, and we implement ISO/IEC 27001 security practices as specified in the SPDI Rules.

CCPA (California)

California residents have additional rights under the CCPA, including the right to know, right to delete, right to opt-out of data sale (note: we do not sell personal data), and right to non-discrimination. California residents may exercise these rights by emailing privacy@solarwindmart.com with "CCPA Request" in the subject line.

SolarWindMart's Platform is designed for use by adults in a commercial and professional capacity. We do not knowingly collect, process, or retain personal data from children under the age of 18 years (or such higher age as defined by applicable law in the user's jurisdiction).

Our registration process includes an age verification step requiring confirmation that the registrant is at least 18 years of age. Users below 18 are not permitted to create accounts, submit inquiries, place orders, apply for financing, or participate in any transactional activity on the Platform without explicit parental or legal guardian consent and joint account registration.

If we discover or are notified that we have inadvertently collected personal data from a minor without appropriate consent, we will promptly delete such data from our systems, notify the reporting party of the action taken, and conduct an internal audit to prevent recurrence. If you believe we may have collected data from a minor, please notify our DPO immediately at dpo@solarwindmart.com.

The SolarWindMart Platform contains links to third-party websites, applications, and services including government portals, financial institution websites, logistics tracking platforms, and industry information websites. When you click on a third-party link, you will be directed away from the SolarWindMart Platform and subject to the privacy practices of the third party.

SolarWindMart does not control, endorse, or accept responsibility for the privacy practices of any third-party website or service. We strongly encourage you to review the privacy policy of any website you visit through a link on our Platform before providing any personal information. The inclusion of a link on our Platform does not constitute a recommendation or endorsement of the linked site or its privacy practices.

Embedded Third-Party Functionality

Certain features of the Platform rely on embedded third-party functionality such as Google Maps (for location search), YouTube (for installation tutorials), and payment gateway iframes. When you interact with these embedded components, the respective third-party provider may collect data from you directly, subject to their privacy policies. We display clear notices before loading such embedded content where technically feasible.

Social Media & Single Sign-On

You may choose to register or log in using your Google, LinkedIn, or Facebook account. When you do so, you authorise the respective social media provider to share certain profile information with us (name, email, profile picture). We use this information only for account creation/authentication. The data shared by the social provider is governed by that provider's terms and privacy policy.

SolarWindMart reserves the right to suspend, restrict, or permanently terminate user accounts under circumstances that violate our Terms of Service, Vendor Agreement, or applicable law. This section explains the data implications of such actions.

Grounds for Account Action

• Submission of false, fraudulent, or forged KYC documents
• Repeated customer complaints substantiated by our dispute resolution process
• Non-payment of platform fees, penalty dues, or escrow obligations
• Misuse of lead data (spamming buyers, contacting buyers outside Platform for unrelated purposes)
• Sale of counterfeit, uncertified, or non-compliant solar products
• Attempts to circumvent Platform commissions (side-dealing)
• Breach of confidentiality obligations or data protection requirements
• Violation of MNRE product certification requirements

Data Handling on Account Termination

Upon account termination (whether by user request or SolarWindMart action), we will: (a) immediately revoke access credentials and disable the account; (b) retain personal data for the minimum periods required by law (as specified in Section 20); (c) continue to honour opt-out preferences for marketing; (d) continue to store transaction records, KYC data, and audit logs for statutory periods; and (e) make your data available for export for 30 days post-termination (for voluntary terminations only) before permanent deletion of non-statutory data.

Accounts suspended or terminated for fraud, misrepresentation, or legal violations may have their data retained indefinitely for legal proceedings, regulatory reporting, and blacklisting across the Platform ecosystem. Such users are not entitled to data deletion of evidence relating to their violations.

SolarWindMart may revise, update, or expand this Privacy Policy from time to time to reflect changes in our services, legal obligations, regulatory developments, or industry best practices. We are committed to keeping users informed of material changes through clear and timely notice.

How We Notify You of Changes

• Material Changes: For changes that substantially affect your rights or how we process your data, we will provide at least 30 days' advance notice via email to your registered address and a prominent in-app banner before the changes take effect
• Minor Changes: For non-material updates (corrections, formatting changes, clarifications), we will post the revised Policy on the Platform with an updated "Last Revised" date, with 7 days' notice
• Version Archive: All previous versions of this Policy are archived and accessible through the Policy Version History page on our website, going back to our initial publication

Your Continued Use Constitutes Acceptance

Your continued use of the Platform after the effective date of any revision constitutes your acceptance of the updated Policy. If you do not agree with the revised terms, you must discontinue use of the Platform and may request account deletion. We will not reduce your rights under this Policy without your explicit consent where such reduction would be unlawful under applicable data protection law.

Policy Version History

We value your trust and welcome all queries, concerns, and feedback related to this Privacy Policy and our data practices. Our dedicated privacy team is committed to responding to all communications promptly and transparently.

Grievance Resolution Process

Privacy grievances and complaints must be submitted in writing (email or postal letter) to the Grievance Officer. The Grievance Officer will acknowledge receipt within 48 hours and issue a substantive resolution within 30 calendar days. If you are unsatisfied with our resolution, you may escalate your complaint to:

• Data Protection Board of India (once constituted under DPDP Act, 2023) — for Indian users
• Your national data protection supervisory authority — for EU/UK/other international users
• National Consumer Disputes Redressal Commission (NCDRC) — for consumer disputes in India
• CERT-In — for cybersecurity incident reports at incident@cert-in.org.in

SolarWindMart Technologies Private Limited · CIN: U74999UP2019PTC123456 · Privacy Policy v3.2.1 · Effective 1 January 2025 · Last Updated 10 May 2025