Last updated: April 2026
Privacy Policy
This policy explains what personal data Shuddha Sattva collects when you use https://shuddhasattva.com, why we collect it, how we use and share it, and the rights you have over your data. Please read it carefully.
Shuddha Sattva (a unit of ABHY Global, Mumbai — hereafter “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy applies to the website https://shuddhasattva.com (“Site”) and any related services — storefront ordering, WhatsApp orders, account creation, customer support — operated by us.
By using the Site or placing an order (online or via WhatsApp), you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Site.
1 Scope & Applicability
- This policy covers personal data you provide directly (e.g. at registration, checkout, on the contact form) and data we generate in the course of serving you (e.g. order history, login activity).
- This policy does not cover third-party websites linked from our Site (e.g. Razorpay’s payment page, courier tracking portals). Their privacy practices are governed by their own policies.
- This policy is drafted to comply with the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (as applicable in the current phase of rollout).
2 Information We Collect
We collect only the data we genuinely need to serve you. The categories are:
- Identity & contact data — name, email address, mobile number (used also for OTP-based verification), delivery address, pincode, GST number (only if you choose to add one for a GST invoice).
- Account credentials — the password you set during registration. We store this only in a one-way hashed form using industry-standard algorithms (bcrypt); we never see or keep the original password.
- Order & transaction data — products ordered, order number, order value, payment method (Online / COD), payment status. Full card or UPI credentials are never seen or stored by us — they are handled entirely by our payment gateway (Razorpay).
- Communication data — messages you send us via the contact form, email, or WhatsApp, and the replies we send you.
- Technical & usage data — IP address (captured at registration and login for security and fraud prevention), browser type, device type, timestamps of visits, pages viewed on the Site. This is collected automatically.
- Consent records — the fact that you accepted this policy and our Terms & Conditions at registration, along with timestamp, to demonstrate valid consent if required by law.
Sensitive Personal Data or Information (“SPDI”) under the IT Rules 2011 that we collect is limited to passwords (stored hashed only) and financial information processed by our payment gateway. We do not collect health, biometric, genetic, sexual orientation, political or religious data.
3 How We Use Your Information
We use personal data only for the purposes listed below:
- To fulfil your orders — process payment, package and dispatch goods, share the delivery address with the courier, send dispatch and delivery notifications via SMS / WhatsApp / email.
- To operate your account — authenticate you at sign-in, allow you to view your order history, manage delivery addresses, and reset your password.
- To communicate with you — respond to your enquiries, send transactional messages (order confirmation, dispatch, delivery, receipt) and service messages (password reset, OTP). You cannot opt out of strictly transactional messages while an order is active, as they are necessary to complete the service you requested.
- To secure the Site — detect and prevent fraud, abuse, account takeover attempts, rate-limit abuse of OTP endpoints, and protect our customers and ourselves.
- To meet legal and regulatory obligations — FSSAI compliance record-keeping, GST invoicing, responding to lawful requests from Indian authorities, and any retention requirement under applicable law.
- To improve our products and service — analyse aggregated, anonymised order and Site-usage patterns (no personal profiling).
4 Legal Basis for Processing
Under the DPDP Act, 2023, every processing activity requires a lawful basis. Ours are:
- Your consent — given when you register, tick the Terms & Privacy checkbox, place an order, or subscribe to any optional communication.
- Performance of a contract — when you place an order we must process your data (address, contact, payment) to deliver the goods and complete the transaction you requested.
- Legitimate uses (equivalent to DPDP § 7) — responding to your queries, notifying you about your own order, complying with legal requirements, and protecting the Site against fraud or misuse.
5 Sharing With Third Parties
We do not sell, rent, or trade your personal data. We share data only with carefully selected service providers who help us run the Site and fulfil your orders, and only to the extent required for their function. All are bound by confidentiality and data-protection obligations.
- Razorpay Software Pvt. Ltd. — payment gateway. Processes your card / UPI / netbanking details. We do not see these credentials; we receive only the payment result (success/failure, reference ID).
- MSG91 (Walkover Web Solutions Pvt. Ltd.) — DLT-registered SMS provider. Receives your mobile number and the transactional OTP / order message text, solely to deliver SMS to you.
- Meta Platforms / WhatsApp Business API — if you opt for WhatsApp ordering or receive WhatsApp order notifications, your mobile number and message content are routed through Meta’s infrastructure.
- Courier and logistics partners — receive your name, delivery address, pincode and phone number to deliver the goods. They act on our instructions for the duration of the delivery.
- Hostinger (hosting provider) and our email service (authenticated SMTP) — we use these to host the Site and to send transactional emails (order confirmation, dispatch, password reset). They process data only as necessary to keep the Site running.
- Legal & regulatory authorities — we will disclose data if legally compelled (court order, summons, statutory investigation) or to protect our rights, the rights of our customers, or public safety.
- Business transfer — in the unlikely event of a merger, acquisition, or sale of all or part of our business, customer data may be transferred to the successor entity as part of that transaction. You will be notified of any such transfer.
6 Cookies & Local Storage
- Strictly necessary cookies — we use a small number of first-party cookies and browser sessionStorage entries to keep you signed in, maintain your shopping cart across pages, protect forms against cross-site request forgery (CSRF), and remember that you have dismissed site-wide notices (such as our launch teaser).
- We do not use advertising cookies, third-party ad trackers, or cross-site tracking pixels.
- You can clear cookies / site data at any time from your browser settings. Doing so will sign you out and empty any guest cart; strictly-necessary cookies will be re-created when you use the Site again.
7 How Long We Keep Your Data
- Account data — retained while your account is active. If you request account deletion (see Your Rights below), your email and contact details are cleared from the account record within 30 days.
- Order and invoice records — retained for the period required by Indian tax and accounting law (typically eight financial years for GST), even after an account is deleted. Such records are retained in minimal form (name on invoice, order value, GST particulars) strictly for statutory compliance.
- OTP codes & short-lived tokens — valid for 90 seconds (login / verification OTPs) and deleted shortly after expiry.
- Server access logs — retained typically for up to 90 days for security and troubleshooting, then rotated out.
- Event logs (e.g. failed logins, OTP rate-limit hits) — retained for fraud prevention and security review, typically up to 180 days.
8 How We Protect Your Data
- The Site runs entirely over HTTPS (TLS); data in transit between your browser and our servers is encrypted.
- Passwords are stored only as a one-way salted hash (bcrypt). We cannot recover your password — if you forget it, the reset flow lets you set a new one.
- Payment card / UPI / netbanking credentials are never received or stored by us. They are collected by Razorpay directly on their PCI-DSS-compliant infrastructure.
- Access to customer data in our admin panel is restricted to authorised staff, protected by login credentials and session controls, and all privileged actions are logged.
- We follow a documented incident-response process. In the event of a personal data breach that is likely to cause significant harm, we will notify the Data Protection Board of India and affected individuals in accordance with the DPDP Act and applicable IT Rules.
- No system is perfectly secure. Please keep your login credentials confidential, use a strong unique password, sign out on shared devices, and notify us immediately at contactus@shuddhasattva.com if you suspect unauthorised use of your account.
9 Your Rights
Subject to applicable Indian law — principally the IT Rules 2011 and, once fully in force, the DPDP Act 2023 — you have the following rights over your personal data:
- Right to access — you may ask us what personal data we hold about you and obtain a summary of it.
- Right to correction — you may ask us to correct inaccurate or incomplete data. Most fields (name, email, phone, delivery address) you can update yourself from your Account page once signed in.
- Right to erasure — you may ask us to delete your account and associated personal data, subject to statutory retention (e.g. GST-mandated retention of order invoices). We will confirm the parts we can delete and the parts we are legally required to keep.
- Right to withdraw consent — where processing is based on your consent (e.g. optional promotional communications), you may withdraw that consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing done before withdrawal.
- Right to grievance redressal — you may raise any privacy-related complaint with our Grievance Officer (see Section 13 below). We commit to acknowledging every grievance within a reasonable timeframe and to closing it within 90 days as required by the DPDP Act.
- Right to nominate (DPDP-specific) — once Phase III of the DPDP Act is in force, you may nominate another person to exercise your rights on your behalf in the event of your death or incapacity. Contact us to record such a nomination.
To exercise any of these rights, email us at contactus@shuddhasattva.com from the email address registered on your account. We may ask for additional information to verify your identity before acting on the request, to protect you from impersonation.
10 Children’s Data
- Our Site and products are directed at adults. We do not knowingly collect personal data from children under 18 years of age.
- By registering or placing an order, you confirm that you are at least 18 and legally capable of entering into a binding agreement (see our Terms & Conditions).
- If you believe a child has provided personal data to us, please contact our Grievance Officer (Section 13) immediately and we will delete the record.
11 Cross-Border Data Transfers
- Our primary data storage and processing infrastructure is located in India.
- Some of our service providers (for example, the WhatsApp Business API operated by Meta) may process your data on servers outside India as part of their global operations. We only use providers who offer reasonable data-protection safeguards.
- Where cross-border transfer is involved, we rely on the provider’s contractual commitments and on the lawful-transfer framework under the DPDP Act, 2023 as it comes into effect.
12 Changes to This Policy
- We may update this Privacy Policy from time to time — for example, to reflect new features, new service providers, or changes in law.
- The “Last updated” date at the top of this page always reflects the most recent revision.
- For material changes (e.g. a new category of data collected or a new third-party recipient), we will take reasonable steps to bring the change to your attention — for example, a notice on the Site or an email to your registered address.
13 Grievance Officer & Contact
In accordance with the Information Technology Act, 2000 and the IT Rules, 2011, and in anticipation of the DPDP Act’s Data Protection Officer requirements, the following contact is designated to receive and resolve privacy-related queries, consent-withdrawal requests, and grievances:
Grievance Officer — Shuddha Sattva (Unit of ABHY Global)
Sarojini Naidu Road, Mulund West,
Mumbai — 400080, Maharashtra, India
📱 WhatsApp / Call: +91-98202 27510
📧 contactus@shuddhasattva.com
🌐 https://shuddhasattva.com
We will acknowledge every grievance within a reasonable timeframe and aim to close it within 90 days. If you remain dissatisfied with how your grievance is handled, once the Data Protection Board of India is fully operational (Phase III, effective 13 May 2027), you may escalate the matter to the Board in accordance with the DPDP Act, 2023.
Questions About Your Data?
We take your privacy seriously and we answer every message ourselves. Reach out via WhatsApp or the contact form — we respond within a few hours.