Privacy Policy.

Introduction

Grootin Music Entertainment Pvt. Ltd. ("Grootin", "we", "us", or "our"), a company registered under the Companies Act 2013 and headquartered in Mumbai, Maharashtra, operates the website grootin.in and the Grootin music distribution platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

By accessing or using our platform, you consent to the practices described in this policy. If you do not agree with these terms, please do not access or use the platform.

Information We Collect

Personal Information

When you register for an account, make a purchase, or interact with our platform, we may collect the following personal information:

• Full name and display name
• Email address
• Mobile number and phone number
• Street address, city, state, pin code, and country
• IP address

Payment Information

We collect your name and billing address for payment processing. We never collect or store your credit card numbers, debit card numbers, CVV, or expiry dates. All payment processing is handled securely by our third-party payment partners, PayPal and Razorpay.

User-Generated Content

Any content you post publicly on our website, social media pages, or submit through registration forms and email or phone inquiries.

Demographics & Preferences

Your preferences, purchase history, and any responses to surveys or promotional campaigns.

Technical Data

We automatically collect certain technical information including your IP address, browser type, operating system, the website you visited before ours, pages viewed, and duration of your visit.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience. Cookies are small data files stored on your device when you visit our platform.

Types of Cookies We Use

• Essential cookies — Required for the platform to function (login sessions, security tokens, preferences). These cannot be disabled.
• Analytics cookies — Help us understand how visitors interact with the platform. We use Google Analytics and Google Webmaster Tools to collect anonymised usage data such as page views, session duration, and traffic sources.
• Marketing cookies — Used to deliver relevant promotional content and measure the effectiveness of our campaigns. These may be set by third-party advertising partners.

Managing Cookies

You can control or delete cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or alert you before a cookie is stored. Please note that disabling essential cookies may affect the functionality of the platform. For more information, visit www.allaboutcookies.org.

Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds, as required under the EU General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act (DPDP Act, 2023):

• Consent — When you sign up, subscribe, or opt in to marketing communications, you provide explicit consent for us to process your data for those purposes.
• Contract performance — Processing necessary to fulfil our obligations under your subscription agreement, including distributing your music, processing payments, and providing royalty reports.
• Legitimate interest — Processing necessary for our legitimate business interests, such as fraud prevention, platform security, service improvements, and internal analytics — provided these interests do not override your fundamental rights.
• Legal obligation — Processing required to comply with applicable laws, regulations, or court orders (e.g., tax reporting, responding to lawful government requests).

How We Use Your Information

• To confirm and process your purchases and subscriptions
• To distribute your music to streaming platforms and digital stores
• To calculate and process royalty payments
• To send you promotional content and platform updates
• To respond to your requests, inquiries, and support tickets
• To improve our products, services, and user experience
• To customise your experience on the platform
• To analyse trends and platform usage patterns
• To protect the company and our users from fraud or misuse
• To send transactional communications (receipts, royalty reports, account updates)
• To comply with legal and regulatory requirements

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Specific retention periods are:

• Account data (name, email, address) — Retained for the duration of your account and for 2 years after account deletion, unless a longer retention period is required by law.
• Transaction & payment records — Retained for 7 years from the date of transaction, in compliance with Indian tax and financial regulations.
• Royalty and distribution records — Retained for 7 years after the last distribution activity, as required for licensing and audit purposes.
• Analytics & usage data — Retained in anonymised form for up to 26 months, after which it is automatically purged.
• Support correspondence — Retained for 3 years after the last interaction for quality assurance and dispute resolution.

When data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.

Your Rights

Depending on your location and applicable law (including GDPR, CCPA, and India's DPDP Act), you may have the following rights regarding your personal data:

• Right to access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate or incomplete personal data.
• Right to erasure ("Right to be forgotten") — Request deletion of your personal data, subject to legal retention requirements.
• Right to data portability — Request your data in a structured, commonly used, machine-readable format (e.g., CSV or JSON).
• Right to restrict processing — Request that we limit how we use your data in certain circumstances.
• Right to object — Object to the processing of your data for direct marketing or based on legitimate interest grounds.
• Right to withdraw consent — Withdraw your consent at any time where processing is based on consent. This does not affect the lawfulness of processing performed before withdrawal.
• Right to lodge a complaint — File a complaint with a relevant data protection authority if you believe your rights have been violated.

To exercise any of these rights, email us at hello@grootin.in with the subject line "Data Rights Request". We will respond within 30 days of receiving your request. We may ask you to verify your identity before processing the request.

For California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and its amendment (CPRA):

• The right to know what personal information we collect, use, and disclose.
• The right to request deletion of your personal information.
• The right to opt out of the sale or sharing of your personal information. Grootin does not sell your personal data.
• The right to non-discrimination for exercising your CCPA rights.

Children's Privacy

The Grootin platform is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. Users between the ages of 13 and 18 may use the platform only under the supervision of a parent or legal guardian who agrees to be bound by our Terms & Conditions.

If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will take immediate steps to delete that information. If you believe we have inadvertently collected data from a child under 13, please contact us at hello@grootin.in.

Data Security

We implement and maintain appropriate technical and organisational security measures to protect your personal information, including:

• SSL/TLS encryption for all data transmitted between your browser and our servers
• Encrypted storage for sensitive personal data at rest
• Access controls and role-based permissions for internal staff
• Regular security audits and vulnerability assessments

However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

We will never ask you to share your password, credit card details, or other sensitive financial information via email, phone, or chat. If you receive such a request claiming to be from Grootin, please report it to us immediately.

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under GDPR.
• Notify affected users without undue delay via email, providing details of the breach, the data affected, steps we are taking to mitigate the impact, and recommended actions you can take to protect yourself.
• Maintain an internal breach register documenting all incidents, their effects, and remedial actions taken.

International Data Transfers

Grootin is headquartered in India. Your data may be transferred to and processed in countries outside your country of residence, including countries where our hosting providers, payment processors, and distribution partners operate (such as the United States and European Union).

When we transfer your data internationally, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with all third-party service providers
• Ensuring that recipients maintain equivalent or higher data protection standards

Third-Party Sharing

We may share your personal information with the following categories of third parties:

• Service providers who assist in operating our platform (payment processors including PayPal and Razorpay, cloud hosting providers, analytics services including Google Analytics)
• Music distribution partners — Streaming platforms and digital stores where your music is distributed (e.g., Spotify, Apple Music, YouTube Music, Amazon Music, and others)
• Business partners and vendors for collaborative services
• Successors in business transactions such as mergers, acquisitions, or asset sales
• Law enforcement or government authorities when required to comply with legal obligations or court orders

We require all third parties to respect the security of your personal data and to process it in accordance with applicable law. We do not allow third-party service providers to use your personal data for their own purposes.

We do not sell your personal data to third parties.

Email Communications

You may opt out of marketing emails at any time by clicking the "Unsubscribe" link at the bottom of any marketing email, or by contacting us at hello@grootin.in. Please allow up to 10 business days for your request to be processed. Transactional emails (such as receipts, royalty reports, and account security alerts) will continue regardless of your marketing preferences.

Third-Party Websites

Our platform may contain links to third-party websites. This Privacy Policy does not cover the practices of those external sites. We encourage you to review the privacy policies of any third-party site you visit. Grootin is not responsible for the privacy practices or content of external websites.

Grievance Officer

In accordance with the Information Technology Act, 2000 and the rules made thereunder, the Grievance Officer for the purpose of this Privacy Policy is:

Name: Abhiraj Singh
Email: hello@grootin.in
Address: 1st floor, 264-265, Dr Annie Besant Rd, Worli, Mumbai, Maharashtra 400025

The Grievance Officer shall address your concerns within 30 days of receiving a written complaint.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last Updated" date, and where appropriate, by sending you an email notification.

We encourage you to review this policy periodically. Your continued use of the platform after any changes constitutes your acceptance of the updated policy.

Governing Law

This Privacy Policy and any disputes arising from it are governed by the laws of India, including the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, and any rules and regulations made thereunder. Any legal proceedings shall be conducted exclusively in the courts of Mumbai, Maharashtra.

For users in the European Economic Area (EEA), this policy also complies with the EU General Data Protection Regulation (GDPR). For users in California, this policy also complies with the California Consumer Privacy Act (CCPA/CPRA).