Privacy Policy
This policy explains how Shahya ("we", "us") handles your personal data when you shop, create an account, or contact us.
Last updated: 10 June 2025
1. Who we are
Shahya operates an online store for artificial jewellery. Our registered correspondence address is listed at the bottom of this page.
2. Information we collect
- Account data: name, email, phone, password (stored hashed), and profile preferences.
- Order data: shipping address, billing details, items purchased, payment references (we do not store full card numbers — payments are processed by Razorpay).
- Communications: messages you send us, support requests, and marketing opt-ins (email and WhatsApp where you consent).
- Technical data: IP address, browser type, device information, and cookies (see our Cookie Policy).
3. How we use your information
- Process and deliver orders, including shipping updates.
- Provide customer support and respond to enquiries.
- Send transactional messages (order confirmation, delivery status).
- Send marketing communications only when you have opted in; you may opt out at any time.
- Prevent fraud, secure our platform, and comply with law.
- Improve our website, products, and services.
4. Legal basis (India)
We process personal data based on your consent, performance of a contract (fulfilling your order), legitimate business interests (e.g. fraud prevention), and legal obligations under applicable Indian law, including the Digital Personal Data Protection Act, 2023 where applicable.
5. Sharing with third parties
We may share data with service providers who help us operate:
- Payment processing (Razorpay)
- Shipping and logistics partners
- Email and messaging (SMTP, WhatsApp Business API)
- Hosting and database infrastructure
We do not sell your personal data. We may disclose information if required by law or to protect our rights and users.
6. Data retention
We keep account data while your account is active. Order and invoice records are retained as required for tax, accounting, and consumer protection (typically up to 8 years). Marketing data is removed when you unsubscribe or request deletion, subject to legal exceptions.
7. Your rights
You may request to:
- Access or correct your personal data
- Withdraw marketing consent
- Delete your account or personal data (see our deletion request pages)
- Lodge a complaint with the relevant data protection authority
To exercise these rights, use our data deletion request or account deletion request forms, or email us directly.
8. Security
We use industry-standard measures including HTTPS, hashed passwords, and access controls. No method of transmission over the internet is 100% secure; we work to protect your data and review our practices regularly.
9. Children
Our services are not directed at children under 18. We do not knowingly collect data from minors.
10. Changes
We may update this policy from time to time. Material changes will be posted on this page with an updated date.
