Adalwin Commerce
Legal · v1.0

Privacy Policy

Last updated: 9 May 2026

1. Who we are

Adalwin Commerce LLP ("Adalwin", "we", "us") operates the corporate gifting platform at swipe.adalwin.com, offered to businesses for curating, sourcing, and ordering branded gifts. Registered office: [TODO add registered address]. Grievance officer: privacy@adalwin.com.

2. What we collect

We collect three categories of data:

  • Account & contact data — your email address (for one-time passcode verification), company name, contact person, phone number if provided. Partners additionally submit a brand name, contact details, and optional bank-payout information so we can pay them out.
  • Activity data — products you swipe right or shortlist, curations you open, links you click in our emails. We use this to improve recommendations and to compile a proposal PDF for you.
  • Operational data — your IP address, user-agent, page-load timings, and request/response status codes. Used for fraud prevention, security incident response, and debugging.

We do not ask for or store passwords. Sign-in is via one-time passcode (OTP) emailed to your work address.

3. Why we collect it (lawful basis)

  • To deliver the service you signed up for (contract performance).
  • To send transactional emails — OTPs, curation share links, lead notifications (legitimate interest, since you initiated the action).
  • To prevent abuse — rate limiting, OTP brute-force defence, fraud detection (legitimate interest).
  • To meet our legal obligations in India (and where applicable, EU).

4. Who we share with

We rely on a small set of vetted processors. Each is named here so you know exactly who touches your data:

  • Vercel Inc. (USA) — application hosting and CDN. Subject to standard contractual clauses for cross-border transfer.
  • Supabase Inc. / AWS (Singapore) — primary database and authentication store. Data stored in the Asia-Pacific region.
  • Brevo (formerly Sendinblue, France) — transactional email delivery (OTP codes, curation links, lead alerts). Subject to GDPR.
  • Zoho Corporation (India) — inventory synchronisation. Only product catalog data is shared; no client account data.

We do not sell, rent, or trade your personal information. We do not place behavioural advertising cookies on your device.

5. Cookies & local storage

We use a small number of strictly-necessary cookies:

  • team_session — keeps team members signed in (48 hours).
  • client_session — keeps clients signed in across the swipe / portal flow (30 days).
  • cs_<curationToken> — binds your swipe session to a specific curation link.
  • theme — remembers your light/dark mode choice (browser-local, never sent to us).

We do not run third-party analytics or advertising trackers. No banner consent is required because we use only strictly-necessary cookies.

6. How long we keep your data

  • OTP codes: 10 minutes after issue, then automatically expired.
  • Sessions: 30 days for clients, 48 hours for team accounts.
  • Curations & leads: retained for 7 years for accounting and B2B record-keeping. [TODO confirm with counsel.]
  • Audit logs: 12 months minimum for security incident response.
  • Email send logs (Brevo): Brevo's own 30-day retention.

7. Your rights

You can ask us, at any time, to:

  • Send you a copy of the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data — subject to our legal obligation to retain accounting records for the period required by Indian law.
  • Restrict or object to specific processing.
  • Withdraw consent for any processing based on consent.

Email privacy@adalwin.com with your request and the email associated with your account. We respond within 30 days.

8. Security

We use TLS for all traffic, hash all OTP codes before storage, rate-limit authentication endpoints, and audit-log every team-side action. Bank account details (partner payouts) are encrypted at rest. We have not, to our knowledge, suffered a personal-data breach. If we do, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware.

9. International transfers

Some of our processors are based outside India. Where this is the case, transfers are protected by EU Standard Contractual Clauses or equivalent legal mechanisms.

10. Children

Our service is for businesses and is not directed at people under 18. We do not knowingly collect data from minors.

11. Changes to this policy

We may update this policy. Material changes will be flagged on this page with a new "Last updated" date and, if you have an active account, by email.

12. Contact

Privacy questions: privacy@adalwin.com
General contact: sales@adalwin.com


v1.0 · Drafted by Adalwin Commerce engineering for launch readiness. Pending review by counsel; sections marked [TODO] need company-specific input before being held out as final.