Privacy Policy

1. Who we are

Watt2Buy is a consumer vehicle-comparison platform operated by Walawalkar Enterprise LLP (“WE LLP”), an initiative under the Sustainable Mobility and C&I Decarbonization Councils of NETRA (National Energy Transition Research Alliance). WE LLP is the Data Fiduciary under the Digital Personal Data Protection Act 2023 (“DPDP Act”) for any personal data processed through Watt2Buy.

2. What we collect

We have designed Watt2Buy to collect the bare minimum. There are three buckets:

(a) Ephemeral comparison data (processed in your browser only)

• City — used to load local fuel, electricity and policy parameters.
• Vehicle selections — the cars you add to the comparison.
• Driving profile — annual km, city/highway split, home-charging %, ownership horizon, financing inputs.
• Assumptions you override — fuel price, tariff, inflation, resale.

This data is not transmitted to any server. It lives in your browser URL and React state, and is discarded when you close the tab. It is not “personal data” under DPDP §2(t).

(b) Anonymous usage events (aggregate counters only)

• Page views (/ev, /guide, /policies, etc.) — counted in aggregate, no IP retention beyond 24 hrs.
• Comparison events (e.g. “Nexon EV vs Creta Petrol”) — stored without any user identifier.
• City-request counts — which cities users ask for so we know where to expand next.
• Outbound click counts on affiliate buttons (“Book test drive”, “Get best price”) — aggregate only.

These events are processed by our own /api/analytics endpoint (hosted on Vercel, India edge). No third-party analytics (Google Analytics, Meta Pixel, Hotjar, etc.) are loaded. No advertising cookies.

(c) Optional personal data — explicit opt-in only

• Email address on /request-city — only if you voluntarily fill it in to be notified when your city is added. Purpose is strictly limited to a single “your city is live” email; no marketing.
• Email on /contact and /data-request — to reply to your query or fulfil your DPDP rights request.

Lawful basis: consent under DPDP §6. You can withdraw consent at any time by emailing our Grievance Officer (see bottom of page).

3. What we never collect

• Phone number, PAN, Aadhaar, voter ID, passport, driving licence, or any government ID.
• Precise location (GPS). We only use the city you type.
• Banking details, UPI handles, card numbers, saved payment instruments.
• Health, sexual orientation, caste, religion, political opinion, biometrics, or any “sensitive” category.
• Data about minors under 18 (we do not knowingly process children’s data — DPDP §9).
• Data about Disabled Persons under DPDP §9(3) without lawful guardian consent.

4. Your DPDP rights (Chapter III)

As a Data Principal you have the following rights, exercisable at any time:

• Right to access (§11) — a summary of personal data we hold about you.
• Right to correction & erasure (§12) — we will correct or delete your data within 30 days.
• Right to grievance redressal (§13) — raise a complaint with our Grievance Officer below.
• Right to nominate (§14) — designate someone to exercise your rights if you cannot.
• Right to withdraw consent (§6(4)) — cancel your email opt-in at any time.

To exercise any of these rights, fill out the form at /data-request or email our Grievance Officer directly.

5. Retention

• Comparison / driving-profile inputs — not retained (in-browser only).
• Aggregate usage counters — retained for up to 24 months, then rolled into monthly totals.
• Opt-in emails (city-notify, contact, data-request) — retained until purpose is fulfilled, then deleted.
• Grievance-request logs — retained for 3 years for audit as permitted under DPDP §8(7).

6. Cross-border transfer

All application data is hosted in India (Vercel’s Mumbai edge region, AWS ap-south-1). We do not transfer personal data outside India. Vehicle images load from upload.wikimedia.org (Wikimedia Foundation, USA); this is a direct browser → Wikimedia request, and Wikimedia may log your IP per their own Privacy Policy. We do not share any data with Wikimedia.

7. Security

We enforce: HTTPS-only (HSTS), Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy, and input validation on every API route. Analytics payloads are sanitised server-side before being written to aggregate counters.

8. Children’s data (DPDP §9)

Watt2Buy is intended for adults making vehicle-purchase decisions and we do not knowingly process data of children under 18. We do not profile children or target them with advertising. If you believe a minor has submitted personal data on Watt2Buy, please notify our Grievance Officer and we will erase it within 7 days.

9. Data breach notification

In the unlikely event of a personal data breach affecting any opt-in user, we will notify the Data Protection Board of India and the affected data principals within 72 hours, per DPDP §8(6).

10. Changes to this policy

We may update this policy as the product evolves or as rules are notified under the DPDP Act. Material changes will be highlighted with a banner at the top of Watt2Buy for 30 days and the “Last updated” date above will be revised.