Privacy Policy

We collect different categories of data depending on whether you are an advertiser using our platform, a visitor to our website, or someone walking past one of our screens.

• Advertiser account data: name, business name, email, phone, GSTIN if provided, billing address. Collected when you create an account or contact us via the website form.
• Campaign data: creatives you upload (images, video, copy), targeting choices, schedule, screens selected, spend amounts. Stored against your account for the duration of the campaign and as required for invoicing and reporting.
• Payment data: processed through Razorpay. Popi does not store full card numbers or UPI credentials on its own systems; we receive payment confirmation, the masked instrument identifier, and the transaction reference from Razorpay.
• Screen / venue sensor data: where a Popi screen at a venue is equipped with sensors or a camera, the device computes aggregate measurements locally — counts of people present, age-band and gender estimates, attention duration, dwell time. Raw frames and biometric identifiers do not leave the device. Only aggregate statistics are sent to Popi's servers.
• Website usage data: standard server logs (IP address, user agent, request path, timestamp), and basic product analytics when you sign in to the advertiser app.

• To provide the platform: create your account, accept and run your campaigns, calculate spend, generate invoices, deliver verified-play reports.
• To measure campaign effectiveness: aggregate sensor data is matched to play logs so we can report on impressions, attention, and audience composition for each campaign.
• To comply with our legal and tax obligations under Indian law (GST, the IT Act, the DPDPA).
• To detect and prevent fraud, abuse, and unauthorised access.
• To respond to enquiries you submit through our contact form.

We do not sell personal data. We share it only with the processors and recipients listed here, and only to the extent needed for the purposes above.

• Razorpay — payment processing. Their privacy terms apply to data they collect directly from you during checkout.
• Supabase — our database and storage provider, acting as a data processor on our behalf. Data is hosted in their EU region under their standard data-processing terms; we are reviewing migration to an India region as part of DPDPA compliance.
• Resend — transactional email delivery (e.g. contact-form notifications, account emails).
• Government authorities — where required by Indian law (tax filings, lawful demand by competent authority).
• Auditors and counsel — under confidentiality, for legal and financial review.

As a Data Principal, you have the following rights with respect to your personal data held by Popi:

• Right to access — request a summary of the personal data we hold about you and how we process it.
• Right to correction — ask us to correct inaccurate or incomplete data.
• Right to erasure — ask us to delete your data where it is no longer necessary for the purpose collected and there is no overriding legal obligation to retain it.
• Right to grievance redressal — escalate complaints to our Grievance Officer (see Section 7) and, if unresolved, to the Data Protection Board of India.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time; this does not affect the lawfulness of prior processing.
• Right to nominate — appoint a nominee to exercise your rights in the event of death or incapacity.

Requests are typically responded to within 30 days.

• Advertiser accounts and campaign records: retained for the lifetime of the account, plus 7 years after closure for tax and audit purposes.
• Payment transaction records: 7 years (income-tax requirement).
• Sensor aggregate data: indefinite for anonymised aggregates that cannot be tied back to an individual.
• Raw camera footage: stored on-device only, automatically purged within 30 days; identifiable frames within 7 days. Never transmitted to Popi servers in raw form.
• Contact-form submissions: 2 years from submission, then purged.
• Server / audit logs: 12 months.

The Popi website uses three categories of storage and cookies:

• Strictly necessary — session cookie for the advertiser app (required for sign-in), and the consent-state record itself (cookie-consent + cookie-preferences in localStorage). These cannot be disabled because the site does not function without them.
• Analytics — Google Analytics 4 (GA4) — only loaded after you accept. When granted, GA4 writes first-party cookies (_ga, _ga_<container-id>) used to count unique visitors and basic page metrics. Data is transmitted to Google LLC (United States) under the Google Ads Data Processing Terms. Default retention 14 months; we do not enable Google Signals or ad personalisation. Until you accept, GA4 runs in “Consent Mode v2” default-denied state — no analytics cookies are set and no pingbacks are sent.
• No third-party advertising or cross-site tracking cookies are loaded on the marketing site. We do not embed Facebook Pixel, LinkedIn Insight, Google Ads remarketing, or similar.

You can change your consent at any time from the “Cookie preferences” link at the bottom of every page. Withdrawing consent is as easy as giving it.

Popi is a B2B advertising platform intended for use by individuals aged 18 or over acting in a business capacity. We do not knowingly collect personal data from children. The screens we operate in public venues do not capture any data that can identify children — sensor data is processed on-device as anonymous aggregate counts only (see §1). If you believe a child has submitted personal data to us through the contact form or any other channel, please email the Grievance Officer (§7) and we will delete it.

Contact-form submissions trigger a notification email to the Popi team (currently routed to the addresses listed in §9). These emails contain the name, contact method, and content you submitted. Transport is standard TLS-secured transactional email via our processor (Resend); we do not encrypt the message body end-to-end. Submissions are also written to the Supabase database where they are subject to the retention window in §5.

If you have a concern about how we have handled your personal data, please contact our Grievance Officer:

• Name: [Grievance Officer name pending appointment]
• Email: grievance@popi.media
• Address: Mumbai, Maharashtra, India (full postal address to be added on incorporation)

We will acknowledge complaints within 7 days and resolve them within 30 days. If you are not satisfied with the resolution, you may escalate to the Data Protection Board of India.

We will update this policy as the product changes, as our legal counsel completes review, and as the DPDPA implementation rules take effect. Material changes will be notified to active advertisers by email. The “Last updated” date at the top of this page reflects the current version.

For any privacy-related question that is not a formal grievance:

• Email: team@popi.media
• WhatsApp: +91 89762 95562