Privacy Policy
Executive Summary
This report synthesises Indian legal requirements for Driptopia's Privacy Policy and benchmarks common clause patterns visible on Indian fashion e-commerce sites, especially around marketing consent, fraud/abuse controls, and business-favourable operational language. It then provides a long, ready-to-publish Privacy Policy template (en-IN) with placeholders for Driptopia's brand identity and addresses, plus a suggested data-flow diagram in Mermaid.
The legal backbone used here is the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 (notified in November 2025, per Government communications), plus the Information Technology Act, 2000 (including the body-corporate reasonable security practices and compensation framework) and the Sensitive Personal Data/Information Rules, 2011, plus the Consumer Protection (E-commerce) Rules, 2020 (disclosure + consumer grievance timelines).
Legal Baseline for an Indian Clothing Brand Website or App
India's current privacy compliance stack for a D2C clothing brand selling online has three practical layers that show up directly in policy drafting:
First, the DPDP Act, 2023 is structured around a simple processing rule: a Data Fiduciary may process personal data only for a lawful purpose and (i) with consent, or (ii) for certain legitimate uses. Consent must be free, specific, informed, unconditional and unambiguous, collected via a clear affirmative action; withdrawal must be as easy as giving consent; and importantly for business-favourable drafting, the Act states that the consequences of withdrawing consent are borne by the Data Principal, with an illustration explicitly allowing an e-commerce provider to stop enabling further ordering if consent is withdrawn (while still permitting processing needed to fulfil already-paid orders).
Second, the DPDP Rules, 2025 add operational detail that Driptopia's Privacy Policy should reflect, especially on security, breach notice, retention triggers, and cross-border transfers. The Rules prescribe reasonable security safeguards (minimum expectations include encryption/obfuscation/masking or tokenisation, access controls, logs/monitoring, backups, and contractual controls over processors), and require retention of certain logs/personal data for at least one year for detection/investigation/remediation unless law requires otherwise. The Rules also mandate breach notification to affected users without delay with specific content, and notification to the Data Protection Board with additional details within 72 hours. They further describe privacy housekeeping around when purposes are deemed no longer served (including user notice 48 hours before scheduled erasure in certain scenarios) and set mechanics for enabling Data Principal rights and publishing grievance response timelines.
Third, the older but still practically referenced IT Act, 2000 + SPDI Rules, 2011 strongly shape how Indian e-commerce Privacy Policies are written, especially for security practices, sensitive personal data, policy publication, and grievance officer obligations. The IT Act reinforces liability/compensation where a body corporate handling sensitive personal data is negligent in implementing and maintaining reasonable security practices. The SPDI Rules require a body corporate to publish a privacy policy and include, at minimum, the types of data collected, purpose of collection/usage, disclosures, and security practices; they also require a grievance officer and contemplate withdrawal of consent (with the business-favourable option not to provide goods/services if data is not provided or consent is withdrawn). The IT Act also contains offences around breach of confidentiality/privacy and disclosure of information in breach of lawful contract, which supports strong confidentiality and access-control drafting.
Separately, the Consumer Protection (E-commerce) Rules, 2020 impose consumer-facing disclosure and complaint-handling requirements that intersect with privacy: e-commerce entities must prominently display the legal name, principal geographic address, website details, and customer care + grievance officer contact details; acknowledge consumer complaints within 48 hours and redress within one month. They also require marketplaces to display information relating to return/refund/exchange and other decision-relevant disclosures, and restrict cancellation charges unless similar charges are borne by the e-commerce entity when it cancels unilaterally.
Industry Clause Patterns (General)
Across Indian fashion e-commerce, privacy and return/refund practices commonly reflect a business-favourable posture while remaining compliant with applicable law. Typical patterns include short return windows, hygiene-based exclusions, credits or wallet refunds instead of bank refunds, verification steps (for example, unboxing evidence), and internal discretion to refuse returns or deny service in suspected abuse scenarios. Privacy language often supports fraud prevention, risk screening, and enforcement, while describing marketing consent and opt-out mechanisms.
Privacy Policy - Driptopia
Last Updated: [DD Month YYYY]
This Privacy Policy (Policy) describes how Driptopia (we, us, our) collects, uses, shares, stores, and protects information when you access our website [WEBSITE URL], our mobile application [APP NAME/URL] (if any), our social media pages, or otherwise interact with us (collectively, the Platform).
This Policy is intended to be read alongside our Terms of Use and our separate Return & Refund Policy. Returns/refunds are governed only by that separate policy; however, as explained below, we may use data and security signals to detect misuse and protect the Platform (including return/refund abuse).
A. Definitions (India-specific)
For the purposes of this Policy:
Personal Data means any data about an individual who is identifiable by or in relation to such data (including in digital form). Sensitive Personal Data or Information (SPDI) has the meaning assigned under the IT Act and SPDI Rules (e.g., passwords and certain financial information). Data Principal means the individual to whom the Personal Data relates. Data Fiduciary means the entity that determines the purpose and means of processing. Data Processor means any person/entity that processes Personal Data on behalf of the Data Fiduciary. Processing means operations performed on Personal Data (collection, storage, use, disclosure, etc.).
B. Scope and your acknowledgement
By using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Platform.
Where required under the DPDP framework, we will provide you a separate notice describing what data is collected and for which purpose, and how you may withdraw consent/exercise rights.
C. What we collect (exhaustive, clothing-brand relevant)
We collect data in the following categories (not all apply to every user):
C1. Identity and contact data: Name, phone number, email address, billing and shipping address, city, state, PIN code.
C2. Account and authentication data: Login identifiers, password/OTP status, device/session authentication signals, account settings, saved items, wishlists, and preferences.
C3. Order, delivery, and commerce data: Products viewed, cart contents, order history, order value, discount codes used, returns/exchanges history, delivery attempts, RTO/refusal events, support tickets, and any information you submit for size/fit assistance.
C4. Payment and transaction data: Payment mode, payment status, transaction reference IDs, UPI/VPA or masked card metadata where provided by payment partners, and fraud/chargeback indicators. We generally do not store full card details; payment is processed by authorised payment gateways/banking partners.
C5. Device, network, and usage data: IP address, browser type, device type, operating system, timestamps, referral URLs, approximate location derived from IP, pages visited, clickstream, and interaction patterns.
C6. Cookies and tracking data: Cookie identifiers, session identifiers, analytics events, and advertising/remarketing signals (where enabled). Blocking cookies may reduce functionality.
C7. Customer support and communications: Emails, chat transcripts, WhatsApp messages, call recordings (if used), attachments you send (such as unboxing videos/photos), and complaint records.
C8. Returns/refunds abuse-prevention and risk signals: Return patterns, repeated COD refusal/undelivered behaviour, device/linkage signals, claims history, and internal risk scoring. These are used to protect the Platform, prevent fraud, and reduce abusive return/refund behaviour.
C9. Optional verification data (only when needed): If we reasonably suspect fraud/abuse (including return/refund abuse) or need to comply with legal obligations, we may request additional verification such as address confirmation, alternate phone number, or proof-of-delivery clarifications. We do not require government ID for normal shopping, but may request it in narrowly-defined scenarios (e.g., high-risk orders/chargebacks) subject to applicable law.
D. Why we process data (purposes)
We process Personal Data for the following purposes: order fulfilment and service delivery; account management; customer support and dispute handling; quality control and product improvement; security, fraud prevention, and abuse detection; marketing and personalisation (subject to opt-out/withdrawal); legal compliance; and business continuity.
E. Lawful basis for processing (DPDP-aligned)
Under the DPDP Act, processing must be for a lawful purpose and is typically based on: your consent, or certain legitimate uses permitted under the DPDP Act, plus processing needed to comply with law.
Withdrawal consequences (business-favourable, DPDP-aligned): If you withdraw consent for a purpose that is necessary to provide Platform functionality (e.g., account login, delivery communication), we may be unable to provide that functionality. The DPDP Act recognises that the consequences of withdrawal are borne by the Data Principal, and an e-commerce provider may stop enabling future ordering if consent is withdrawn (while still processing already- paid orders).
F. Marketing communications (opt-in/out mechanics)
Transactional messages: We will send essential transactional communications (order confirmation, shipping, delivery attempts, OTPs, invoices, refund/exchange updates) as part of providing the service.
Promotional messages: Where required, we will obtain clear consent for promotional communications. You may opt-out at any time by using the unsubscribe link in emails; changing preferences in your account (if available); or emailing us at [PRIVACY EMAIL] with the subject Marketing Opt-Out. We maintain consent records to demonstrate compliance.
G. Cookies, analytics, and tracking
We use cookies and similar technologies for essential platform functions (login, cart, checkout), performance and analytics, and marketing/advertising (where enabled and permitted). Your browser/device settings may allow you to control cookies; disabling some cookies may break core features.
H. Sharing and disclosure (processors and third parties)
We share Personal Data only on a need-to-know basis with: payment and fraud-risk partners; logistics and fulfilment partners; customer support tools; IT and security providers; marketing partners where enabled and lawful; and professional advisors and authorities where required under law. Legal requests: We may disclose information when required for compliance with law or lawful requests; SPDI Rules specifically contemplate disclosure to government agencies under specified conditions.
I. Fraud, return/refund abuse, and denial of service (commercial safeguards)
To protect our customers and the business, we may use Personal Data and Platform signals to detect and prevent payment fraud, chargebacks, identity misuse, bots and automated abuse, and return/refund abuse. Controls we reserve include placing orders on hold pending verification; restricting certain payment modes; and refusing service, cancelling orders, or rejecting return/exchange claims where we reasonably suspect misuse or policy breach.
J. Data retention (business-favourable but DPDP-aware)
We retain Personal Data only as long as necessary for the purposes described in this Policy, including legal compliance, dispute resolution, and fraud prevention.
Indicative retention: order/invoice/accounting records typically retained for 5-7 years; customer support records retained for the duration of the dispute and a reasonable period thereafter; security logs retained for at least one year; marketing preferences retained until you withdraw consent/opt-out (with minimal records retained to honour opt-out). Where DPDP requires erasure once the specified purpose is no longer served and where retention is not required by law, we will erase or anonymise data and may notify users ahead of erasure in defined cases.
K. Security measures
We maintain reasonable security safeguards to protect Personal Data, including encryption/obfuscation/masking/tokenisation, access controls, monitoring/logging, secure backups and recovery, and vendor contracts requiring security safeguards for processors.
L. Personal data breach notification
If we become aware of a Personal Data breach, we will notify affected users and the Data Protection Board as required by DPDP Rules, including key breach details and recommended safety steps, and Board notification within mandated timelines.
M. Cross-border transfers
We may use vendors/cloud services that process data outside India. Cross-border transfers are permitted under the DPDP framework subject to Government restrictions. Where applicable, we will implement contractual and technical safeguards and transfer only as permitted.
N. Your rights (DPDP-aligned, with practical limitations)
Subject to applicable law, you may have the right to access information about your Personal Data, correction/completion/ updating, erasure (unless retention is necessary), grievance redressal, and nomination (where applicable). We may require reasonable verification before acting on rights requests.
O. Grievance officer and contact details
Grievance Officer: [NAME] | Designation: [DESIGNATION] | Email: [GRIEVANCE EMAIL] | Address: [REGISTERED OFFICE ADDRESS, CITY, STATE, PIN, INDIA] | Working hours: [MON-SAT, 10:00-18:00 IST]
For consumer grievances, e-commerce rules require acknowledgement within 48 hours and resolution within one month.
P. Children
Our Platform is intended for persons aged 18+. If we learn that we have collected a child's data without appropriate consent, we will take steps to delete it.
Q. Third-party links
Our Platform may link to third-party websites and services. Their privacy practices are governed by their own policies; we are not responsible for them.
R. Changes to this Policy
We may update this Policy to reflect changes in law, technology, or business practices. The updated version will be posted on the Platform with a revised Last Updated date.
S. Limitation of liability (privacy-specific)
To the maximum extent permitted by law, we disclaim liability for misuse of Personal Data caused by factors outside our reasonable control (e.g., user credential leakage, telecom compromise, third- party platform defects), and indirect or consequential losses.
Data Flow Diagram
flowchart LR A[User: visits site/app] --> B[Collection: forms, checkout, support] A --> C[Auto-collection: cookies, device, logs] B --> D[Processing: order mgmt, account, support] C --> D D --> E[Sharing: payment gateway & fraud checks] D --> F[Sharing: logistics/warehouse/reverse pickup] D --> G[Sharing: analytics/marketing tools (if enabled)] D --> H[Storage: databases, backups, consent logs] H --> I[Retention rules: 1y security logs; 5-7y tax/order records] I --> J[Erasure/Anonymisation: when purpose ends + law allows] D --> K[Controls: fraud/return abuse monitoring & deny/hold] K --> D
Primary Sources and Links
India legal sources: DPDP Act consent standards and Data Principal rights; DPDP cross-border transfer restriction power and DPDP Rules on security safeguards, breach notification timelines/content, erasure triggers, and transfer rules; Government communication that DPDP Rules, 2025 were notified in November 2025; IT Act basis for compensation for failure to protect data and breach/disclosure offences; SPDI Rules requirements to publish a privacy policy, define data types/purposes/disclosures/security, and appoint a grievance officer; Consumer Protection (E-commerce) Rules: mandatory disclosures on platform + grievance timelines + return/ refund information duties and cancellation-charge restrictions.
Official brand pages used for benchmarking: Bonkers Corner; Bewakoof; The Souled Store; Burger Bae.