Jump to section
This Policy explains how Consumer Recreation Services Ltd (BRN C22187689), 04 Diego Garcia Street, Port Louis, Mauritius (“CRS”, “we”, “us”) handles personal data in connection with the DodoMarket-for-Business platform (“D4B”, the “Service”). It is drafted in line with the Mauritius Data Protection Act 2017 (“DPA”).
1.Who this applies to#
- Clients (Senders) — authorised users of a company account (Administrators, Finance, Senders).
- Recipients — individuals who receive a gift link.
- Visitors to our websites.
Our roles differ depending on the data:
- For Client account data (user profile, login, billing), we act as data controller.
- For Recipient personal data that a Client uploads into the Service, we act on the Client’s documented instructions. The Client is the controller of that data and is responsible for the legal basis on which it is collected and shared. Our role is strictly to deliver the Service the Client has asked us to perform.
2.What we collect#
From Clients and their users: name, email, phone, role, organisation details, logo, brand colours, authentication metadata, billing and payment information, invoicing details, usage and audit logs.
From Recipients (uploaded by Clients or entered by the Recipient during claim): name, email, phone, preferred language, delivery address, delivery date preference, one-time verification code metadata, gift selection, rating and feedback, and, where provided by the Client, date of birth / work anniversary and simple tags.
Automatically from any visitor: IP address, device and browser information, referring page, pages visited, and cookies (see section 8).
We do not intentionally collect special-category data, and Clients must not upload it.
3.Why we use it and our legal bases#
| Purpose | Legal basis |
|---|---|
| Create and operate Client accounts; authenticate users | Performance of a contract |
| Process wallet top-ups, issue invoices, comply with accounting and tax rules | Legal obligation; performance of a contract |
| Send gift invitations, reminders, and claim communications to Recipients | Performance of the Service we provide to the Client; the Client’s stated basis under the DPA |
| Fulfil claimed gifts (create orders, arrange delivery) | Performance of a contract (with the Recipient, once they claim) |
| Operate, secure, and improve the Service; fraud prevention; analytics | Our legitimate interests |
| Respond to legal requests; protect rights | Legal obligation; legitimate interests |
4.How we share#
We share personal data only as needed to deliver the Service and meet legal obligations:
- Within the Client organisation: a Client’s authorised users can see Recipient data that belongs to that Client’s campaigns, subject to role-based permissions.
- With service providers we engage to host, operate, and support the Service — for example, payment processing, email and messaging delivery, accounting, cloud hosting, and analytics. They act on our instructions and under written safeguards.
- With the DodoMarket retail operation (the same legal entity, CRS Ltd) for order creation, delivery, and after-sales service on claimed gifts.
- With authorities where required by law, regulation, court order, or to protect our or others’ rights.
- In a corporate transaction (merger, acquisition, reorganisation), subject to appropriate confidentiality and continuing application of this Policy.
We do not sell personal data.
5.International transfers#
Some of our service providers are located outside Mauritius. Where data is transferred internationally, we rely on reputable providers and put in place contractual safeguards appropriate for the transfer.
6.Retention#
We keep personal data for as long as necessary for the purposes described in this Policy and to comply with our legal, accounting, and tax obligations. When data is no longer needed, we delete or anonymise it.
7.Your rights#
Subject to the DPA, you may ask to:
- access a copy of your personal data;
- correct data that is inaccurate or incomplete;
- erase data where we no longer have a lawful basis to keep it;
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent, where consent is the legal basis.
How to exercise these rights. Recipients should normally contact the Client that sent them the gift, because the Client controls that data. You can also email us at privacy@dodomarket.mu and we will forward or respond as appropriate. We may verify your identity before acting on a request. You also have the right to lodge a complaint with the Data Protection Office of Mauritius (dataprotection.govmu.org).
8.Cookies#
We use a small number of cookies and similar technologies that are strictly necessary to operate the Service (for example, to keep you signed in and to remember campaign drafts), plus limited analytics to understand how the Service is used and to improve it. You can block cookies in your browser settings; strictly necessary cookies cannot be disabled without breaking parts of the Service.
9.Security#
We apply reasonable technical and organisational measures to protect personal data, including access controls, encryption in transit, audit logging, and rate limiting on public endpoints. No system is fully secure; we cannot guarantee absolute security.
10.Children#
The Service is not intended for anyone under 18. Clients must not upload data of minors. If we learn we hold data of a person under 18, we will delete it.
11.Changes#
We may update this Policy from time to time. Material changes will be notified by email to Clients or in-product notice. The Effective date at the top shows when the current version took effect.
12.Contact#
- Privacy and data requests: privacy@dodomarket.mu
- General legal: legal@dodomarket.mu
- Postal: Consumer Recreation Services Ltd, 04 Diego Garcia Street, Port Louis, Mauritius
This Policy is published in English. A French translation may be provided for convenience; in case of inconsistency, the English version prevails.