1. DPDPA compliance commitment
Hustl complies with the Digital Personal Data Protection Act, 2023 (DPDPA) and applicable rules. Implementation is phased per government notification:
- Phase I (effective): Data Protection Board framework
- Phase II (from 13 November 2026): Consent manager framework
- Phase III (from 13 May 2027): Full substantive obligations and data principal rights enforcement
We are preparing systems for consent records, grievance handling, and erasure workflows before Phase III.
2. Lawful basis for processing
- Consent: marketing communications, optional features, KYC where required
- Contract: providing the marketplace service you signed up for
- Legal obligation: tax, KYC, lawful government orders
- Legitimate uses under DPDPA: fraud prevention, security, and safety as permitted
3. Data processors (sub-processors)
We engage processors under agreements requiring security safeguards and purpose limitation:
- Google Cloud Platform / Firebase (India regions)
- Digio (KYC)
- Razorpay (payments)
- Cashfree (payouts)
- MasterGST (GST verification)
- Sentry (error monitoring, minimised data)
- Vercel (hosting and analytics)
We do not authorise processors to use your data for their own marketing.
4. Cross-border transfers
We store and process personal data in India. We do not intentionally transfer personal data outside India. If this changes, we will update this policy and obtain required approvals or safeguards.
5. Cookies and tracking technologies
What we use
- Strictly necessary: Firebase authentication session, security tokens
- Security: Google reCAPTCHA Enterprise / Firebase App Check
- Analytics: Vercel Analytics (first-party, aggregated page performance)
- Local storage: app preferences, navigation stack on PWA
What we do not use
- Google Analytics (GA4)
- Meta Pixel / Facebook tracking
- Advertising cookies or cross-site profiling
- Session replay tools that record keystrokes or form fields
Because we do not use non-essential advertising cookies, we do not sell personal data under definitions used in foreign privacy laws (e.g. CCPA "sale"). Our business model is marketplace fees, not data sales.
6. Marketing and commercial communications (India)
India does not have CAN-SPAM, but commercial communications are regulated under TRAI guidelines, the IT Act, and DPDPA consent requirements.
- Transactional messages (booking updates, OTP, payout alerts) are sent without separate marketing consent where necessary for the service.
- Promotional SMS, WhatsApp, or email messages require opt-in consent before launch.
- Every marketing message will include sender identification and an opt-out mechanism.
- Opt-out is honoured within 7 business days.
7. Data breach response
We maintain incident response procedures. If a breach is likely to affect your rights, we will:
- Contain and investigate the incident
- Notify the Data Protection Board of India as required under DPDPA Section 8
- Notify affected users without undue delay with recommended protective steps
- Document remediation and preventive measures
8. Grievance officer
Name: Grievance Officer, Hustl
Email: grievance@hustl.today
Privacy requests: privacy@hustl.today
Response SLA: acknowledgement within 24 hours; resolution target 15 days
If unresolved, you may escalate to the Data Protection Board of India as provided under the DPDPA.
9. Data Protection Officer
As we scale, Hustl will appoint a Data Protection Officer (DPO) as required under DPDPA. Until formal appointment, privacy and grievance queries are handled by privacy@hustl.today.