Privacy Policy

I. Introduction

When you engage with 2497 Inc. (whether through enterprise consulting, ShelfPerks, ShelfPerks India, CoconutBills, R2OS or related platforms) (collectively the "Services"), you are trusting us with your information. 2497 Inc. and its affiliates ("Company", "we", "us" or "our") understand this responsibility. We are committed to protecting your information and data.

This Privacy Policy ("Privacy Policy") is designed to help you understand how we collect, store, use and share the personal information you provide to us and to assist you in making informed decisions when using our Products and Services.

Definitions

By accessing our Sites, Apps or Services, you accept this Privacy Policy and our Terms of Service and consent to our collection, storage, use and disclosure of your Personal Information as described herein. Continued interaction with our Apps, Sites or Services constitutes consent to the practices described in this Privacy Policy.

II. Information We Collect

We collect information to provide better service to all our users.

When You Are Signed In

We collect information and store it tied to your account credentials. We treat this as Personal Data.

Categories of Personal Data Collected

• Identifiers: Email address, first name, last name, employer identifier, taxpayer identifier, phone number, street address, ZIP/postal code, city, state, province, country, IP address and device identifiers.
• Personal Information: Contact preference, age, date of birth, credit/debit card information and payment card or contactless payment processing keys.
• Commercial Information: Transaction details, sales history, purchase history, inventory details, product information and supplier information.
• Geolocation Data: GPS data, store location, wireless network information and Bluetooth signals (collected only when location services are enabled).
• Professional Information: Business registration details, business name, business address, GSTIN, PAN, Shop & Establishment license and employee records.
• Internet/Network Activity: Usage data, device type, device settings, operating system, mobile network, crash reports, system activity, cookies, referrer URL, browser type and login information.
• Biometric Information: Fingerprint or facial recognition data (if applicable for authentication features and collected only with explicit consent).
• Inference Data: Product suggestions, sales analytics and business insights derived from collected data.
• Sensitive Personal Information: Government-issued identifiers (SSN, driver's license and passport), financial account details, precise geolocation and personal information of minors under 16.

Information Collected Automatically

We collect information about the Apps, browsers and devices you use to access our Sites or Services. This includes:

• Device type, settings, operating system and mobile network.
• Wireless network, Bluetooth signals and GPS data (when enabled).
• IP address, email address and phone number.
• Crash reports, system activity and diagnostics.
• Date, time, timezone, language, cookies and referrer URL.

Business and Transaction Data

We may collect:

• Store product information: Product name, code, pictures, inventory, suppliers, sales history, inventory history, product location and store map.
• Customer information: Name, email, phone number, device information, purchase receipt and payment information.
• Transaction details: Type of service or purchase, order details, inventory details, cost price, sales price, supplier information, date, delivery information, payment type, payment terms, discount applied, coupons used, amount charged and distance traveled.

Search and Usage Data

We may collect and store details of how you use our search function. This includes search queries, timestamp, location, IP information and login information. This may be used to improve the relevancy of results provided by our Services.

California Consumer Privacy Act (CCPA) Categories

Information we collect may fall into the following CCPA categories:

• Identifiers.
• Personal Information (Cal. Civ. Code Section 1798.80(e)).
• Age, gender and other protected classifications.
• Commercial Information.
• Biometric Information.
• Geolocation data.
• Professional or employment-related information.
• Inference data.
• Internet or other electronic network activity information.
• Sensitive Personal Information.

To read more about CCPA, visit https://oag.ca.gov/privacy/ccpa.

III. Other Sources of Personal Information

We may derive information about you from third parties. These include:

• Identity verification services.
• Background information and public records.
• Credit reports and compliance reports.
• Recruiters or external websites (for employment candidates).

We may receive Personal Data about you when others add you to their customer data, supplier data, contacts or calendar in our Services. We also receive data when others send messages through our Services (including receipt emails, purchase orders, invoices or gift cards).

We may accumulate Personal Data and usage data when you use the Services, Apps or sites of our merchants and partners.

If you are a potential candidate for employment with 2497 Inc., ShelfPerks or our subsidiaries or partners, we may receive your Personal Data directly or through third parties such as recruiters. We use this data to contact you about a job opportunity or to evaluate your candidacy. If you did not provide us with your Personal Data, we may inform you of the source when we first contact you.

IV. How We Use Your Data

Purposes of Processing

• Account Management: Create and update your account; verify your identity, your customers' identities and your employees' identities.
• Service Delivery: Enable commerce experiences, point-of-sale, deliveries, inventory management, purchase orders, order tracking, shipment, invoicing, receipt generation and product suggestions.
• Business Operations: Help you track sales, customer visits, supplier fulfillments, partner deliveries and fulfillment progress.
• Personalization & Improvement: Optimize and personalize products and services; aggregate information to provide tailored commerce experiences.
• Product Development: Develop, test and improve new or existing Apps, Sites and Services.
• Security & Fraud Prevention: Detect, deter and combat fraud, unsafe activities, unsafe products and unauthorized practices.
• Communications: Provide news, special offers, perks, general information, user manuals and usage alerts about our Apps, Services and Sites.
• Customer Support: Provide support and notify about changes to our Services, Apps or Sites.
• Legal Compliance: Comply with applicable laws including tax laws, GST regulations, RBI guidelines, GDPR, CCPA, PIPEDA, HIPAA and other regulatory requirements.

Legal Basis for Processing

Our processing of personal data is based on the following legal grounds:

• Performance of Contract: To provide the Services you have requested and agreed to through our Terms of Service.
• Legal Compliance: To comply with applicable laws and regulations (including tax laws, payment card industry standards, consumer protection laws and data protection requirements).
• Legitimate Interests: For fraud prevention, security, service improvement, business operations and analytics (where not overridden by your rights and interests).
• Consent: For marketing communications, optional features and processing of sensitive personal information (which can be withdrawn at any time).

V. Cookies and Other Tracking Technologies

Types of Cookies and Technologies We Use

• Session Cookies: Temporary cookies that expire when you close your browser; used to maintain your session.
• Preference Cookies: Store your settings and preferences to enhance your experience.
• Security Cookies: Help us identify and prevent security risks.
• Analytics Cookies: Help us understand how users interact with our services to improve functionality and user experience.
• Advertising Cookies: Used by third-party partners to deliver relevant advertisements (subject to your consent).

Other Tracking Technologies

We use beacons, tags and scripts to collect and track information and to improve and analyze our Services. Web beacons are electronic images used in our Services, Apps or emails to track visits.

Your Cookie Choices

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. If you do not accept cookies, you may not be able to use some or all portions of our Sites, Services or Apps.

• Global Privacy Control (GPC): We recognize and honor Global Privacy Control signals from your browser. When we detect a GPC signal, we treat it as a valid request to opt out of the sale and sharing of your personal information.
• Opt-Out Confirmation: When you submit an opt-out request through our cookie banner, a link or a universal opt-out signal like GPC, we will display an "Opt-Out Request Honored" message or update your privacy settings to confirm your request processing.

Learn more about cookies at http://www.allaboutcookies.org.

Learn more about Global Privacy Control at https://globalprivacycontrol.org.

VI. Disclosure to Third Parties

With Whom We Share Your Information

• Service Users: Share information with other users of our Services with whom you interact (merchants, stores, warehouses, customers and suppliers).
• Business Affiliates: Accept payments, schedule appointments, send invoices, process checks, fulfill orders, deliver orders and provide customer support.
• Service Providers & Partners: Provide, maintain and improve our Services, Apps, Sites and your operations; run advertising campaigns, contests, coupons and special offers.
• Analytics Partners: Provide aggregate statistics and insights (does not include your Personal Data).
• Vendors & Suppliers: Provide technical services, audit, payments, fraud detection, marketing and infrastructure.
• Payment Processors: Stripe, Razorpay, Fiserv, Helcim, Stax, Coinbase Commerce, Apple and Google (for payment processing only).
• Cloud Service Providers: Data storage and backup (under strict data processing agreements with encryption and security requirements).
• Legal Authorities: When required by law, court order or to prevent illegal activities.
• Business Transfers: In case of merger, acquisition or asset sale (with appropriate safeguards to protect your data).

Important Notes

VII. Sale and Sharing of Personal Data

California Residents (CCPA/CPRA)

ShelfPerks and 2497 Inc. do not sell or broker your personal information for monetary or other valuable consideration. We may share personal information as that term is defined under the CCPA (for example through third-party analytics and advertising services). You have the right to opt out of such sharing.

We have not sold any Personal Data of our consumers and merchants in the twelve months prior to the effective date of this Privacy Policy. We do not and will not sell personal data of consumers under 16 years of age.

Do Not Sell or Share My Personal Information

A "Do Not Sell or Share My Personal Information" link is available in the footer of all 2497 Inc. websites and applications. You may exercise this right by contacting us at privacy@2497inc.com.

VIII. Retention of Personal Data

We retain Personal Data and other information according to the following schedule:

• Active Accounts: Active Accounts: Duration of account plus 6 months after termination (to allow for reactivation and dispute resolution).
• Transaction Records: 8 years (as required by applicable tax laws, IRS regulations, GST regulations and financial record-keeping requirements).
• Customer Data:Customer Data: Duration of merchant account plus 3 years after termination (or as required by applicable consumer protection laws).
• User Activity Logs: 90 days for security and troubleshooting purposes.
• Support Tickets: 2 years to maintain service quality and resolve recurring issues.
• Backup Data: 6 months after account termination for disaster recovery purposes.
• Marketing Communications: Until you unsubscribe or request deletion.
• Healthcare/PHI Data: Healthcare/PHI Data: As required by HIPAA and applicable law; returned or destroyed per your written instructions upon termination.

We may retain transactions, location, usage and other information to address regulatory, tax, insurance or other statutory requirements in the places we operate. We may delete or anonymize any such data in accordance with applicable law after any retention period.

You may request deletion of your Personal Data and your account at any time by contacting us at privacy@2497inc.com or privacy@shelfperks.com. Certain information may be retained as required by law or for legitimate business purposes.

IX. Policy on Do Not Track Signals

Global Privacy Control (GPC)

As of 2026, we recognize and honor Global Privacy Control signals. When we detect a valid GPC signal from your browser, we will:

• Treat it as a request to opt out of the sale and sharing of your personal information.
• Display confirmation that your opt-out request has been honored.
• Apply your preference across our services.

Traditional DNT Signals

For traditional Do Not Track browser signals that do not follow the GPC standard, we do not currently respond to these signals. You can control tracking through your cookie preferences in our cookie banner or by adjusting your browser settings.

Enable Global Privacy Control at https://globalprivacycontrol.org.

Learn more about Do Not Track at https://allaboutdnt.com.

X. International Users and Jurisdiction-Specific Rights

European Economic Area Residents (GDPR)

If you reside in the European Union, European Economic Area (EEA) or Switzerland, you have certain data protection rights under the General Data Protection Regulation (GDPR).

Your GDPR Rights

• Right of Access: Obtain confirmation of processing and a copy of your personal data.
• Right to Rectification: Correct inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data (subject to legal exceptions).
• Right to Restriction: Limit how we use your personal data in certain circumstances.
• Right to Data Portability: Receive your personal data in a structured, commonly used and machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.
• Right to Lodge a Complaint: File a complaint with your local data protection authority.
• Right Regarding Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

International Data Transfers (EEA)

Your data may be processed in countries outside the European Economic Area, including the United States. Such transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Binding Corporate Rules where applicable.
• Adequacy decisions from EU data protection authorities.
• Your explicit consent where legally required.

Canada Residents (PIPEDA and Provincial Laws)

If you reside in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (including Quebec Law 25, British Columbia PIPA and Alberta PIPA).

Your Rights Under PIPEDA

• Right to Access: Request confirmation of whether we hold personal information about you and obtain access to that information.
• Right to Correction: Challenge the accuracy and completeness of your personal information and have it amended as appropriate.
• Right to Withdraw Consent: Withdraw consent for the collection, use or disclosure of your personal information at any time.
• Right to File a Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada.

Cross-Border Data Transfers (Canada)

Your personal information may be transferred to, stored and processed in countries outside Canada (including the United States and India). We ensure it receives protection consistent with PIPEDA principles through contractual safeguards such as Standard Contractual Clauses.

Breach Notification (Canada)

Under PIPEDA, we report any breach of security safeguards involving your personal information to the Office of the Privacy Commissioner of Canada and notify affected individuals if the breach creates a real risk of significant harm.

Quebec Law 25 Specifics

If you reside in Quebec, you have additional rights under Law 25. These include the right to be informed of automated decision-making, the right to request de-identification, the right to receive personal information in a structured format and the right to data portability.

India Residents (Digital Personal Data Protection Act 2023)

If you reside in India or use ShelfPerks India or CoconutBills, your data is processed in accordance with India Digital Personal Data Protection Act 2023. Under this framework, 2497 Inc. acts as a Data Fiduciary and users act as Data Principals.

Your Rights Under DPDP Act 2023

• Right to Access: Obtain confirmation of processing and a copy of your personal data.
• Right to Correction: Rectify inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data (subject to legal exceptions).
• Right to Grievance Redressal: Lodge complaints with our Data Protection Officer.
• Right to Nominate: Designate a nominee to exercise data rights in case of death or incapacity.

International Data Transfers (India)

Your data will not be processed in countries outside India by ShelfPerks India Private Limited. Our cloud and payment partners may process data outside India (including in the United States and European Union countries). Such transfers are protected by Standard Contractual Clauses approved by Indian authorities, Binding Corporate Rules or explicit consent.

Healthcare Data (HIPAA)

For healthcare-related Services:

• We execute Business Associate Agreements (BAAs) where required before any Protected Health Information (PHI) is shared.
• PHI is encrypted in transit.
• Access controls, audit logging and breach notification procedures comply with the HIPAA Security Rule.
• Upon termination of a healthcare engagement, we will return all PHI in a mutually agreed format or securely destroy PHI and provide written certification of destruction (except where retention is required by law).

XI. Children's Privacy

Our Sites, Apps and Services are not directed to anyone under the age of 13. We do not knowingly collect personal information from children under 13 years of age.

Age Group Requirements

• Under 13: We do not knowingly collect personal information. If we learn we have gathered such information without parental consent, we remove it promptly.
• Ages 13 to 15: May use our Services only with the involvement of a parent or guardian.
• Ages 16 to 17: May use our Services with parental or guardian involvement. Under California law, personal information of consumers under 16 is considered sensitive personal information.
• Ages 18 and above: May use our Services independently.

Parental Rights

Parents or guardians may contact us at privacy@2497inc.com to:

• Review personal information collected from their child.
• Request deletion of their child's personal information.
• Refuse to permit further collection or use of their child's information.

XII. Your Rights and How to Exercise Them

Access, Correction and Deletion Requests

If you have an account with us, you can access and update the following information under your profile settings:

• Name, address, email address and phone number.
• Password to your account.
• Credit card or bank account information linked to your account.
• Business information and tax identifiers.

Additional Rights You May Exercise

You may contact us at privacy@2497inc.com or privacy@shelfperks.com to:

• Request access to personal information not accessible via your profile settings.
• Request deletion of your personal information.
• Request correction of inaccurate personal information.
• Request restriction of processing of your personal information.
• Request a copy of your personal information in a portable format.
• Object to processing of your personal information.
• Opt out of the sale or sharing of your personal information.
• Limit the use of your sensitive personal information.

Verification Process

Upon receipt of a request, we may ask for additional information to verify your identity before processing your request. This protects your privacy and prevents unauthorized access. Verification may include:

• Matching information you provide with information we have on file.
• Requiring you to log into your account.
• Requesting government-issued identification in certain circumstances.

Authorized Agents

You may designate an authorized agent to make requests on your behalf. We will require:

• Written permission from you authorizing the agent to act on your behalf.
• Verification of your identity.
• Verification of the agent's authority.

No Discrimination

We will not discriminate against you for exercising your privacy rights. This means we will not:

• Deny you goods or services.
• Charge you different prices or rates.
• Provide a different level or quality of goods or services.
• Suggest that you will receive a different price or quality of goods or services.

XIII. Data Security

Security Measures We Implement

• Encryption
• Access Controls: Role-based access controls with principle of least privilege; multi-factor authentication for employee access; regular access reviews.
• Security Monitoring: 24/7 security monitoring and incident response; intrusion detection and prevention systems; regular vulnerability assessments and penetration testing.
• Vendor Management: Due diligence on third-party service providers; contractual requirements for equivalent data protection standards; regular audits.
• Employee Training: Annual data privacy and security training; specialized training for employees handling sensitive data; confidentiality agreements.
• Incident Response: Documented incident response procedures; data breach notification processes compliant with applicable laws; regular testing.

Data Breach Notification

No system can guarantee total security. In the event of a data breach affecting your personal information, we will:

• Notify you without undue delay (within 72 hours under GDPR or as required by applicable law including PIPEDA breach reporting requirements).
• Notify relevant supervisory authorities as required by law.
• Provide information about the nature of the breach, the data affected and steps being taken to address it.
• Offer guidance on steps you can take to protect yourself.

Payment Card Security

We rely on our PCI DSS-compliant payment processor partners (including Stripe, Razorpay, Fiserv, Helcim, Stax, Apple and Google) to securely process payment card information. We do not directly store payment card details on our systems.

XIV. Mobile App Specific Privacy Information

iOS App (Apple App Store)

• Privacy Nutrition Label: Our app listing in the Apple App Store includes a Privacy Nutrition Label that discloses the types of data our app collects and how it is used.
• Privacy Manifest: Our iOS app includes a privacy manifest file that declares the types of data collected and the required reasons for using certain APIs.
• App Tracking Transparency: If our app engages in tracking as defined by Apple, we will request your permission through Apple App Tracking Transparency framework before tracking your activity across other companies' apps and websites.
• Privacy Policy Access: You can access this privacy policy from our App Store listing, within the app settings menu or our website.

Android App (Google Play Store)

• Data Safety Section: Our app listing in the Google Play Store includes a Data Safety section that discloses our data collection, sharing and security practices.
• Privacy Policy Access: You can access this privacy policy from our Google Play Store listing, within the app settings menu or our website.
• Permissions: Our app requests only the permissions necessary for functionality. You can review and manage these permissions in your device settings.

Data Collected Through Mobile Apps

Our mobile apps may collect:

• Device information (model, OS version and device identifiers).
• App usage data (features used, crash reports and performance data).
• Location data (if you enable location services).
• Camera/photo library access (only when you use features that require it).
• Push notification tokens (if you enable notifications).

All data collection through our mobile apps follows the same privacy principles described in this policy and complies with Apple and Google platform requirements.

XV. California-Specific Privacy Rights

California Consumer Privacy Act (CCPA/CPRA) Rights

California residents have specific rights under the CCPA. These include:

• Right to Know: Request disclosure of categories of personal information collected, sources, business purposes, third parties shared with and specific pieces of information.
• Right to Delete: Request deletion of personal information we have collected from you (subject to certain exceptions).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out: Opt out of the sale or sharing of your personal information.
• Right to Limit Sensitive PI: Limit our use and disclosure of your sensitive personal information to purposes necessary to perform services or provide goods reasonably expected.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
• Right Regarding ADMT: Receive notice of automated decision-making technology use (effective January 1 2026).

How to Exercise Your CCPA Rights

• Online: Visit our privacy request portal.
• Email: privacy@2497inc.com or privacy@shelfperks.com.
• Do Not Sell or Share Link: Click the "Do Not Sell or Share My Personal Information" link in our website footer.

Shine the Light Law

California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not currently share personal information with third parties for their direct marketing purposes.

XVI. Opt-Outs and Communication Preferences

Marketing Communications

You can opt out of receiving marketing communications from us by:

• Clicking the "unsubscribe" link in any marketing email.
• Adjusting your communication preferences in your account settings.
• Contacting us at privacy@2497inc.com.
• For SMS messages, replying "STOP" to any message.

Even if you opt out of marketing communications, we will still send you transactional and service-related messages (such as order confirmations, account notifications and important service updates).

Cookie Preferences

You can manage your cookie preferences through:

• Our cookie banner when you first visit our website.
• Your browser settings.
• Third-party opt-out tools such as http://optout.networkadvertising.org.

Global Privacy Control

We recognize and honor Global Privacy Control (GPC) signals from your browser as a valid opt-out of the sale and sharing of personal information.

Push Notifications

You can control push notifications from our mobile apps through your device settings.

XVII. Updates to This Policy

We may update, amend or revise this Privacy Policy from time to time. The "Last Updated" date at the top of this document indicates the most recent revision.

How We Notify You of Changes

Material changes will be communicated via:

• Email notice to the address in your account.
• Prominent notice on our Sites.
• In-app notifications.
• Notice in your account dashboard.

Your Acceptance

Changes, updates and amendments to this Privacy Policy are effective when the revised version is posted on our Services, Apps and Sites. You are advised to review this Privacy Policy periodically for any changes. Your continued use of our Services, Apps or Sites after changes are posted constitutes your acceptance of the updated Privacy Policy.

If you disagree with the changes, you may cancel your account at any time by contacting support@2497inc.com.

XVIII. Contact Information

If you have any questions about this Privacy Policy, please contact us.