Privacy policy

Privacy Policy

Last updated: May 31, 2026

In short

We collect only what we need to take your order, deliver it, and stay in touch with you. We do not sell your data. We hold it securely and delete it when we no longer need it. You can ask us at any time what we hold, ask us to correct it, or ask us to delete it. Marketing emails are opt-in only and you can leave the list any time.

This policy explains the detail.

1. Who we are

Vritta is the Data Fiduciary in respect of the personal data you share with us through the site. We process data in line with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the rules made under both.

  • Data Fiduciary: Vritta
  • Operating area: Navi Mumbai, Maharashtra, 400709
  • Email: studio@vrittadesign.in
  • Grievance Officer: Srividya Menon (§5)

Full registered address is provided on request to any Data Principal or authority with a legitimate need.

2. What we collect

You give us directly: your name, billing address, shipping address, email, phone, and anything you write to us in a message.

We collect automatically when you use the site: IP address, device and browser details, pages viewed, and cookies (§6).

From third parties: payment confirmation data from your payment gateway. We do not see or store your card or bank details.

We do not knowingly collect data from anyone under 18.

3. Why we use it

  • To take your order, accept payment, and ship the object.
  • To send order confirmations, dispatch notes, and post-delivery follow-up.
  • To answer your questions and handle grievances.
  • To send marketing emails — only if you opt in. You can leave the list any time.
  • To improve the site, using aggregated data that does not identify you.
  • To meet legal obligations: tax records, dispute resolution, requests from authorities.

4. Legal basis

We process your data on the basis of your consent, given when you place an order, sign up for the waitlist, or write to us. You can withdraw consent at any time. Withdrawal does not affect what we did with your data before you withdrew.

5. Your rights under the DPDP Act

As a Data Principal you have the right to:

  • Access the personal data we hold about you.
  • Correct what is inaccurate or incomplete.
  • Erase your data when it is no longer needed for the purpose we collected it.
  • Withdraw consent at any time.
  • Nominate another person to exercise these rights for you, in the event of your death or incapacity.
  • Lodge a grievance with our Grievance Officer (§5).

To exercise any of these, write to studio@vrittadesign.in with the subject Data Request. We respond within the timelines the law requires.

You can also complain to the Data Protection Board of India if you believe your rights have been violated.

6. Cookies

The site uses cookies set by us and by services we use (Shopify, payment gateways, email providers). Cookies make the site work and help us understand how it is used. You can disable cookies in your browser; some features may stop working if you do.

7. Who we share it with

We do not sell your data. We share it only with the parties needed to run the service:

  • Shopify, our e-commerce platform.
  • Razorpay (or another gateway) for payments.
  • Shiprocket and our courier partners for delivery.
  • Our email service provider for transactional mail and (if you opt in) marketing.
  • Government authorities, when legally required.

We require each party to handle your data securely and only for the purpose we authorise.

8. How long we keep it

Only as long as we need it, plus any period the law requires.

  • Order records: 8 years, per the Income Tax Act.
  • Marketing list: until you withdraw consent.
  • Website analytics: typically up to 26 months.

After that, we delete or anonymise.

9. Security

We use SSL on the site, restricted access to data, and storage on platforms that meet commercially reasonable security standards. No system is fully secure. If a personal data breach occurs, we will notify the Data Protection Board of India and the affected Data Principals as the DPDP Act requires.

10. Cross-border transfers

Some of our service providers (Shopify, Google, email) hold data on servers outside India. We rely on the safeguards those providers offer. Transfers comply with the DPDP Act and the rules made under it.

11. Children

The site is not for anyone under 18. We do not knowingly collect data from children. If you believe a child has shared data with us, write to us and we will delete it.

12. Changes to this Policy

We may update this Policy. The current version is on the site. The date at the top reflects the latest change.

13. Contact and grievance

Grievance Officer: Srividya Menon

Email: studio@vrittadesign.in

Operating area: Navi Mumbai, Maharashtra, 400709

Full registered address provided on written request.