1. Introduction and Privacy Commitment
1.1 Shopolo Digital Private Limited is committed to the responsible, transparent, and lawful processing of personal data of every individual who uses its Services. This Privacy and Data Protection Policy describes the categories of personal data Shopolo Music collects, the purposes for which it is processed, the legal bases for processing, the manner in which it is stored and protected, the conditions under which it may be shared, and the rights Users have in relation to their personal data.
1.2 This Policy applies to: (a) all visitors to shopolomusic.com and associated subdomains; and (b) all registered users of the Ground1860 Dashboard at ground1860.shopolomusic.com. This Policy has been prepared in alignment with the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023 (“DPDP Act”). All provisions shall be read and updated in a manner consistent with the DPDP Act as its requirements come into force.
1.3 These Services are currently available within India. International availability and the applicable data protection framework for international users will be addressed in separate terms published at the time of territorial expansion.
1.4 By registering on the platform or using the Services, the User acknowledges that they have read this Policy and, where required by law, provides explicit, informed, and withdrawable consent to the processing of their personal data as described herein.
2. Categories of Personal Data Collected
2.1 Shopolo Music collects the following categories of personal data:
- Identity data: full legal name, artist or stage name, date of birth, gender, nationality.
- Contact data: email address, mobile number (used as the primary account identifier and Rightholder ID anchor), mailing address.
- KYC and financial data: PAN card number (full); Aadhaar number (last four digits only, for identity confirmation purposes); bank account number; IFSC code; cancelled cheque or bank statement. Each bank account may only be registered once across all account types on the platform. Where additional identity verification is required beyond PAN, Users may alternatively submit a valid government-issued photo ID (passport, driving licence, or Voter ID).
- Content and metadata: music files, cover artwork, track titles, genre, language, ISRC codes, release dates, and all metadata submitted through the platform.
- Usage and analytics data: login timestamps, IP addresses, device identifiers, browser type, dashboard activity logs, and platform usage patterns.
- Communications data: support tickets, email correspondence, and any other communications with Shopolo Music.
2.2 PAN card number is collected in full as it is required for statutory TDS compliance under the Income Tax Act, 1961 and for GST reporting obligations. PAN is the primary tax identity document for all royalty disbursements.
2.3 Shopolo Music collects only the last four digits of the Aadhaar number for identity confirmation purposes. The full Aadhaar number is not collected or stored. Where robust identity verification beyond PAN is required, Shopolo Music may request a government-issued photo ID as an alternative.
2.4 The mobile phone number provided at registration is used as the primary account identifier and is permanently linked to the User’s Rightholder ID. Users are advised to register with a phone number they intend to retain long-term, as all catalogue access, royalty history, and payout records are tied to this Rightholder ID.
3. Purposes of Processing
3.1 Personal data is collected and processed solely for the following purposes:
- Account registration, verification, and management, including assignment and maintenance of the Rightholder ID.
- KYC compliance as required under applicable Indian law, including RBI guidelines and Income Tax Act provisions.
- Processing and disbursing royalty payments to verified bank accounts.
- Generating and publishing royalty reports and streaming analytics through the Ground1860 Dashboard.
- Delivering Content to DSPs and managing distribution logistics under Commercial Agreements.
- Communicating with Users regarding releases, accounts, royalties, and platform updates.
- Complying with legal obligations, including court orders, regulatory inquiries, and tax reporting.
- Detecting, investigating, and preventing fraud, artificial streaming activity, and unauthorised use of the platform.
- Marketing and promotional communications, subject to User consent where required.
- Improving the Services through aggregated, anonymised usage analysis.
4. Legal Bases for Processing
4.1 Personal data is processed on the following legal bases:
- Contractual necessity: processing required to perform the distribution and royalty services contracted for.
- Legal obligation: processing required to comply with KYC, tax, and regulatory requirements under Indian law, including TDS and GST obligations.
- Legitimate interest: fraud detection, platform security, and aggregated usage analysis, where such interests do not override the User’s fundamental rights.
- Consent: for processing not strictly necessary for the performance of Services, including direct marketing, where the User has provided explicit, informed, and withdrawable consent.
5. Data Retention
5.1 Shopolo Music retains personal data for the following minimum periods:
- KYC documentation and financial records: minimum 7 years from creation or last update, as required by Indian tax and financial regulations.
- Royalty reports and payment records: minimum 7 years from the date of generation.
- Account data and usage logs: for the duration of the active account, and 3 years after permanent account closure.
- Communications data: 2 years from the date of the communication.
5.2 Upon expiry of applicable retention periods, personal data will be securely deleted or irreversibly anonymised. Users may request deletion under Clause 9, subject to retention requirements imposed by law.
6. Data Security
6.1 Shopolo Music implements reasonable security practices as required under the SPDI Rules, 2011, including: encrypted storage of sensitive personal data, including PAN and bank account details; restricted access controls for KYC and financial data; secure communication protocols for all data transmissions; regular internal security reviews; and access logs for all sensitive data interactions.
6.2 In the event of a personal data breach likely to risk User rights and freedoms, Shopolo Music will: (a) immediately contain and assess the breach; (b) notify affected Users of the nature of the breach and remedial steps within 72 hours of becoming aware, where feasible; and (c) report to the Data Protection Board of India in accordance with the DPDP Act, 2023, as and when those requirements come into force.
7. Sharing of Personal Data with Third Parties
7.1 Shopolo Music does not sell, rent, or trade personal data. Personal data is shared with third parties only in the following circumstances:
- With DSPs and digital platforms: artist name, Content metadata, and ISRC codes transmitted as a condition of digital distribution under Commercial Agreements.
- With upstream Commercial Agreement partners: limited data necessary to facilitate Content licensing and royalty accounting under the Company’s upstream arrangements. No personally identifiable financial data is shared with upstream partners beyond what is required for royalty attribution.
- With payment processing partners: bank account details shared solely for processing royalty disbursements. These partners are bound by contractual data protection obligations.
- With cloud infrastructure providers: data may be stored on servers of third-party cloud providers, all bound by contractual data protection obligations consistent with this Policy.
- With legal and regulatory authorities: where required by applicable law, court order, or regulatory direction.
- With legal advisers: in connection with the defence or pursuit of legal claims, subject to professional confidentiality obligations.
- In connection with a merger, acquisition, or sale of all or a portion of the Company’s assets: disclosure to the extent reasonably necessary to proceed with such transaction.
7.2 Joint Data Controller Arrangements: Where Shopolo Music shares data with DSPs or platform partners in circumstances where both parties determine the purposes of processing, the parties may act as joint data controllers with respect to that shared data. In such circumstances, Shopolo Music will ensure that appropriate contractual arrangements are in place with the relevant joint controller and will inform Users through updates to this Policy.
7.3 Marketing and Advertising: Shopolo Music may use anonymised or aggregated usage data for marketing analytics and platform improvement. No personally identifiable information is included in data shared with third-party analytics providers. Direct marketing communications to Users are subject to prior consent where required by applicable law.
8. International Data Transfers
8.1 Distribution arrangements with DSPs located outside India necessarily involve transfer of personal data — primarily Content metadata and artist name information — to entities in jurisdictions outside India. Such transfers are inherent to worldwide digital distribution. All international data transfers are conducted with appropriate contractual safeguards and in compliance with applicable Indian data protection law, including the DPDP Act, 2023.
9. User Rights
9.1 Subject to applicable Indian law and the DPDP Act, 2023, Users have the following rights:
- Right of access: to request confirmation of whether Shopolo Music processes personal data and, if so, to receive a copy.
- Right to correction: to request correction of inaccurate or incomplete personal data.
- Right to erasure: to request deletion of personal data, subject to legal retention requirements.
- Right to withdraw consent: to withdraw consent for consent-based processing at any time, without affecting the lawfulness of prior processing.
- Right to grievance: to raise a complaint with Shopolo Music’s Grievance Officer under Clause 12, and thereafter with the Data Protection Board of India.
9.2 Requests to exercise any right should be submitted in writing to privacy@shopolo.in. Shopolo Music will acknowledge receipt within 3 working days and respond substantively within 30 working days.
10. Children’s Privacy
10.1 The Services are not directed at individuals under the age of 18. Shopolo Music does not knowingly collect personal data from minors. If the Company becomes aware that personal data from a minor has been collected without verified parental consent, it will immediately delete that data and close the associated account.
11. Cookies and Tracking Technologies
11.1 The Shopolo Music website and Ground1860 Dashboard use cookies and similar tracking technologies. The Company’s Cookie Policy (Policy VI) governs the use of cookies and is incorporated into this Privacy Policy by reference. Users may control cookie preferences through their browser settings and through the cookie consent mechanism on the Shopolo Music website.
12. Grievance Officer
12.1 In compliance with Rule 7 of the IT (Intermediary Guidelines) Rules, 2021 and the DPDP Act, 2023, Shopolo Digital Private Limited has designated a Grievance Officer as follows:
Grievance Officer Name: Biplab Bora
Designation: Director
Email: privacy@shopolo.in
Address: Shopolo Digital Private Limited, Glory Plaza, 2nd Floor, Mother Teresa Road, Guwahati – 781024, Assam, India
Acknowledgement Period: Within 3 working days of receipt
Resolution Period: Within 30 working days of receipt
13. Updates to This Policy
13.1 Shopolo Music may update this Privacy Policy to reflect changes in applicable law, regulatory requirements, or data processing practices. Users will be notified of material changes by email and through the Dashboard. Continued use of the Services after notification constitutes acceptance of the updated Policy, save as required by the DPDP Act, 2023 in respect of consent-based processing.