OVVEE
Start for free
All Policies[ LEGAL ]

Data Processing Agreement

Last updated: 01 April 2026

All Policies

Company Details

Legal Name
Credmint Innovation Private Limited
CIN
U62011MP2025PTC078731
GST No.
23AANCC0644G1ZX
Directors
Kumar Shanu
Keshav Kumar
Jurisdiction
Indore, Madhya Pradesh, India
⚖️

Grievance Officer

Name
Kumar Shanu
Designation
Founder & Grievance Officer
Mon–Fri · 10 AM – 6 PM IST
IT Rules 2021 · Consumer Protection Act 2019
🔒

Data Protection Officer

Name
Kumar Shanu
DPDP Act 2023 · Data Principal Rights

Data Processing Agreement (DPA)


This Data Processing Agreement ("DPA") forms part of the agreement between Credmint Innovation Private Limited (CIN: U62011MP2025PTC078731, GSTIN: 23AANCC0644G1ZX, "OVVEE", acting as Data Processor) and the registered Merchant ("Data Controller"). This DPA governs the processing of personal data of end-customers by OVVEE on behalf of the Merchant.


1. Scope of Processing


OVVEE processes end-customer personal data solely to enable the Merchant's online business to function across the supported business types:


  • Ecommerce stores: Customer name, shipping address, order history, payment confirmation
  • Restaurant & Food: Table customer data, delivery address (for delivery orders), order history
  • Service Businesses: Appointment records, client name and contact, booking history, invoice data, meeting scheduling data
  • Informational Websites: Contact form submissions, enquiry data, callback request details

    • Processing activities include: storing data, enabling checkout and payment flows, generating invoices, sending order/booking notifications, meeting reminders, and providing analytics to the merchant dashboard.


    Special Category Data (Regulated Professions)


    For merchants operating in regulated service categories (Clinic & Healthcare, Mental Health, Legal Services, CA & Accounting), OVVEE may process limited sensitive personal data strictly as instructed by the merchant:


  • Healthcare merchants: Basic appointment data (patient name, contact, appointment time, reason for visit as entered by patient). OVVEE does not process or store clinical notes, diagnoses, prescriptions, lab results, or full medical histories. These must be stored in a separate, purpose-built system.
  • Legal merchants: Client name, contact, enquiry summary, meeting/call scheduling data. Legally privileged communications must not be routed through OVVEE forms.
  • Financial/CA merchants: Client name, contact, appointment data, service type. Actual financial documents and tax records must not be stored in OVVEE.

    • OVVEE treats all data from regulated profession merchants with the highest level of security and access restriction. This data is never used for marketing, analytics, or any purpose other than providing the platform service.


    2. Processing Instructions


    OVVEE processes personal data only on documented instructions from the Merchant, as defined by the features of the OVVEE platform. OVVEE will not process data for any other purpose without the Merchant's consent, except where required by law.


    3. Data Security Measures


    OVVEE implements the following technical and organisational measures:

  • Encryption in Transit: TLS 1.2+ for all data transmitted to and from the platform
  • Encryption at Rest: AES-256 for stored database records and backups
  • Access Control: Role-based access control (RBAC) limiting data access to authorised personnel
  • Security Audits: Regular vulnerability assessments and penetration testing
  • Incident Response: Documented incident response procedures with defined escalation paths

    • 4. Sub-processors


    OVVEE uses the following sub-processors. Merchants are deemed to have consented to sub-processing by using the platform:

  • Amazon Web Services — Cloud infrastructure and data hosting (India region)
  • Razorpay / Stripe — Payment processing
  • Shiprocket / Delhivery — Shipping and logistics (Ecommerce only)
  • Google LLC — Analytics (anonymised data only)
  • Twilio / MSG91 — SMS and WhatsApp notification delivery

    • 5. Data Transfers


    Customer data is primarily stored in India on AWS infrastructure. Any international transfer (e.g., for analytics or payment processing) is governed by the sub-processor's data transfer mechanisms. OVVEE ensures sub-processors provide adequate data protection.


    6. Merchant Rights


    The Merchant, as Data Controller, may request the following at any time by contacting [email protected]:

  • Access to data processed on their behalf
  • Correction or rectification of inaccurate data
  • Data portability (export in CSV format)
  • Deletion of data upon account termination

    • 7. Breach Notification


    In the event of a data breach affecting Merchant or end-customer data, OVVEE will notify the affected Merchant(s) within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, data categories affected, estimated number of affected records, and remediation steps taken.


    8. Term


    This DPA remains in effect for the duration of the Merchant's active subscription and terminates upon account closure, subject to data retention requirements under applicable law.


    Contact


    [email protected] — Credmint Innovation Private Limited, Indore, Madhya Pradesh

    Questions about this policy? Email [email protected]

    Credmint Innovation Private Limited · CIN: U62011MP2025PTC078731 · GSTIN: 23AANCC0644G1ZX