GDPR Compliance

How MahanX handles EU personal data and your rights under GDPR.

Last updated: April 1, 2026

Our Commitment to GDPR

MahanX is committed to complying with the General Data Protection Regulation (GDPR) — the European Union's data protection law. While MahanX is primarily built for Indian merchants, many of our merchants and their customers may be located in or interact with the European Economic Area (EEA).

This page explains our GDPR compliance posture, your rights as a data subject, and how we handle EU personal data.

Data Controller vs Data Processor

Understanding the distinction is important:

MahanX as Data Controller:

When we collect and use your data as a merchant (account information, billing details, usage data), MahanX acts as the data controller — we determine the purposes and means of processing.

MahanX as Data Processor:

When Krato Bot processes your customers' personal data on your behalf (the merchant's), MahanX acts as a data processor — we process that data only according to your instructions.

As a merchant using Krato Bot on your store, you are the data controller for your customers' data. You are responsible for ensuring you have a lawful basis for processing that data.

Lawful Basis for Processing

Under GDPR, we process personal data on the following lawful bases:

Contract Performance: Processing your merchant account data to provide the services you've subscribed to.

Legitimate Interests: Improving our platform, detecting fraud, and communicating service updates — where our interests don't override your fundamental rights.

Consent: For marketing communications and optional analytics cookies. You can withdraw consent at any time.

Legal Obligation: Retaining billing records and other data required by applicable law.

Data Subject Rights

If you are an individual in the EEA, you have the following rights under GDPR:

Right of Access (Article 15): You can request a copy of all personal data we hold about you.

Right to Rectification (Article 16): You can ask us to correct inaccurate data or complete incomplete data.

Right to Erasure / "Right to be Forgotten" (Article 17): You can ask us to delete your personal data in certain circumstances.

Right to Restriction of Processing (Article 18): You can ask us to pause processing of your data in certain scenarios.

Right to Data Portability (Article 20): You can request your data in a machine-readable format (JSON/CSV) for transfer to another service.

Right to Object (Article 21): You can object to our processing of your data based on legitimate interests or for direct marketing.

Rights Around Automated Decision-Making (Article 22): You have rights regarding any automated processing that significantly affects you.

To exercise any of these rights, email us at hello@mahanx.in with "GDPR Request" in the subject line. We will respond within 30 days.

International Data Transfers

MahanX stores data primarily in India. When data originating from the EEA is processed or stored by us or our sub-processors, we ensure appropriate safeguards are in place:

  • We use sub-processors (cloud providers, analytics tools) that are either located in the EEA or have appropriate transfer mechanisms (Standard Contractual Clauses, adequacy decisions) in place
  • Where we transfer data outside the EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission

A list of our sub-processors is available upon request.

Data Retention Under GDPR

We retain personal data only as long as necessary for the purposes it was collected, or as required by law:

Data Type                    Retention Period
Account & profile data       Duration of account + 30 days after deletion
Billing records              7 years (legal requirement)
Customer conversation logs   12 months (configurable)
Anonymised analytics         Indefinitely
Marketing consent records    Indefinitely (to demonstrate compliance)

You may request early deletion (subject to legal retention obligations) by contacting hello@mahanx.in.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

1. Notify the relevant supervisory authority within 72 hours of becoming aware of the breach

2. Notify affected data subjects without undue delay if the breach is likely to result in a high risk

We maintain an internal data breach register and have incident response procedures in place.

Data Protection Officer

MahanX does not currently meet the threshold requiring a formal Data Protection Officer (DPO) appointment under GDPR Article 37. However, data protection queries are managed by our founding team.

For all GDPR-related requests and queries, contact:

Email: hello@mahanx.in (Subject: "GDPR")

Response time: Within 30 days

Merchant Obligations

If you are a MahanX merchant whose store serves customers in the EEA, you have additional GDPR obligations as a data controller:

  • Ensure your store's privacy policy discloses the use of Krato Bot and the data it collects
  • Have a lawful basis for processing customer data through Krato Bot (typically, legitimate interest or consent)
  • Handle data subject rights requests from your store's customers
  • Ensure your Shopify store complies with GDPR requirements

MahanX provides a Data Processing Agreement (DPA) upon request at hello@mahanx.in.

Supervisory Authority

If you are in the EEA and believe we are not handling your data in compliance with GDPR, you have the right to lodge a complaint with your local supervisory authority. A list of supervisory authorities is available at: edpb.europa.eu

We would appreciate the opportunity to address your concerns directly before you approach a supervisory authority. Please contact us first at hello@mahanx.in.

Questions about this policy? Contact us or email hello@mahanx.in