At Cottonclaas, we respect your privacy and are committed to protecting your personal data in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, and the Consumer Protection (E-Commerce) Rules, 2020. This Privacy Policy explains what data we collect, why we collect it, how we use it, and the rights you can exercise over your information.
1. Scope & Applicability
This Policy applies to all visitors, customers, and account holders who interact with the Cottonclaas website at cottonclaas.com (the “Platform”), our mobile applications, social media properties, and any related services operated by Cottonclaas. By accessing or using the Platform, you consent to the practices described in this Policy.
This Policy does not apply to third-party websites, services, or applications that are not owned or controlled by Cottonclaas, including payment gateways, social media platforms, and shipping carriers. Please review their respective privacy policies before sharing any personal data with them.
2. Personal Data We Collect
We collect the following categories of personal data, either directly from you or automatically through your use of the Platform:
2.1 Information You Provide
- Account data: name, email address, phone number, password (hashed), and profile photo when you create an account.
- Order & shipping data: billing and shipping addresses, GSTIN (optional), order history, and customer notes.
- Payment data: processed exclusively by our PCI-DSS compliant payment partner Razorpay. We do not store full card numbers, CVV, or expiry dates.
- Communications: any messages, reviews, or feedback you send to us.
2.2 Information Collected Automatically
- Device information (browser type, operating system, device identifiers).
- Log data (IP address, access times, pages visited, referring URL).
- Cookies and similar tracking technologies (see our Cookie Notice).
3. Purpose of Processing
We process your personal data for the following purposes, each with a valid legal basis under the DPDP Act:
- To create and manage your account, fulfil orders, and provide customer support (“performance of a contract”).
- To send transactional communications such as order confirmations, shipping updates, and refund notices (“performance of a contract”).
- To personalise product recommendations and improve the Platform (“legitimate use” with notice).
- To detect and prevent fraud, unauthorised transactions, and abuse of the Platform (“legitimate use”).
- To comply with applicable laws and respond to lawful requests from public authorities (“compliance with legal obligations”).
Marketing communications are sent only with your explicit consent, which you may withdraw at any time using the “unsubscribe” link in any marketing email or by contacting us.
5. Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
- Account data: lifetime of the account + 3 years.
- Order and invoice data: 8 years (Income Tax Act, 1961 requirement).
- Customer support records: 3 years from last interaction.
On expiry, data is anonymised, archived, or securely deleted.
6. Your Rights as a Data Principal
Subject to the DPDP Act and other applicable law, you have the right to:
- Access a summary of your personal data and the processing activities.
- Correct inaccurate or incomplete data.
- Erase data, subject to legal retention obligations.
- Withdraw consent at any time where processing is based on consent.
- Nominate another individual to exercise your rights in the event of death or incapacity.
- Lodge a complaint with the Data Protection Board of India.
To exercise any of these rights, write to our Grievance Officer at the address in Section 8. We will respond within 30 days.
7. Security Safeguards
We implement reasonable security practices and procedures commensurate with the nature of personal data, including:
- TLS 1.2+ encryption for all data in transit.
- AES-256 encryption at rest for sensitive data fields.
- Role-based access control and audit logging.
- Quarterly vulnerability scans and annual audits.
Despite our safeguards, no method of transmission over the Internet or electronic storage is 100% secure. We will notify affected users and the Data Protection Board of any breach that is likely to cause harm, in accordance with Rule 6 of the DPDP Rules.
8. Grievance Officer
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDP Act, the Grievance Officer is:
Ms. Ananya Mehra
Grievance Officer, Cottonclaas
14, Mehrauli Design District, New Delhi 110030, India
Email: [email protected]
Phone: +91-11-4567-8900
Response window: 15 days from receipt
9. Children’s Privacy
Our Platform is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact our Grievance Officer and we will delete the data within 30 days.
10. Cross-Border Data Transfer
Personal data is primarily processed and stored in India. Some of our processors (e.g., Cloudflare) may process data in jurisdictions outside India. We rely on Standard Contractual Clauses or equivalent safeguards approved under the DPDP Act for such transfers.
11. Policy Updates
We may update this Policy from time to time. Material changes will be notified via email and a prominent notice on the Platform at least 14 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance.