Privacy Policy
Last updated: July 2025
DRPHAUS ("we," "us," or "our"), operated by Badolla Enterprises (GSTIN: 29BROPJ5794E1Z5), is committed to protecting your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you visit our website drphaus.com or make a purchase.
Seller Details (as required under Consumer Protection Act, 2019):
Business Name: DRPHAUS by Badolla Enterprises
GSTIN: 29BROPJ5794E1Z5
Registered Address: A-1904, Brigade Panorama, Mysore Main Road, Bengaluru - 560074, Karnataka, India
Email: hello@drphaus.com
Phone: +91-XXXXXXXXXX
1. Information We Collect
We collect the following categories of personal data. We only collect data that is necessary for the purposes described in this policy, in accordance with the DPDP Act's principle of data minimisation:
a) Information You Provide Directly
- Identity Information: Full name, shipping address, billing address, and phone number when you place an order.
- Contact Information: Email address when you sign up for our newsletter or create an account.
- Payment Information: Payment details are collected and processed by our third-party payment processors (Razorpay, Cashfree). We do not store full credit/debit card numbers or banking details on our servers.
- Account Information: Order history, wishlist items, loyalty points balance, and referral activity.
- Communications: Records of correspondence when you contact our support team, including emails, WhatsApp messages, and chat transcripts.
b) Information Collected Automatically
- Device & Browser Information: IP address, browser type and version, operating system, device type, screen resolution.
- Usage Data: Pages visited, time spent on pages, referral sources, click patterns, and navigation behaviour.
- Cookies & Tracking: We use essential cookies (cart functionality, session management) and analytics cookies (Google Analytics) to understand site performance. See our Cookie Policy section below for details.
2. Purpose of Data Collection (Why We Collect Your Data)
We use your personal data only for the following legitimate purposes, as permitted under the DPDP Act, 2023:
- Order Processing & Fulfilment: To process and deliver your purchases, including payment processing, shipping, delivery updates, and returns.
- Customer Support: To respond to your inquiries, resolve issues, and provide after-sales service.
- Marketing (with Consent): To send you newsletters, new collection alerts, and promotional offers — only if you have explicitly consented.
- Website Improvement: To analyse usage patterns and improve our website, products, and customer experience.
- Legal Compliance: To comply with Indian tax laws (GST), consumer protection regulations, and fraud prevention obligations.
- Loyalty & Referral Programs: To manage your loyalty points, referral credits, and reward redemptions.
3. Lawful Basis for Processing (DPDP Act 2023)
Under the DPDP Act, 2023, we process your personal data on the following lawful bases:
- Consent: For marketing communications, newsletter subscriptions, and non-essential cookies. You have the right to withdraw consent at any time.
- Contractual Necessity: To fulfil your orders and provide the services you have requested.
- Legal Obligation: To comply with tax laws (GST), consumer protection laws, and other applicable Indian regulations.
4. Data Retention (How Long We Store Your Data)
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, as required under the DPDP Act:
- Order Information: Retained for 8 years from the date of the order to comply with Indian tax and accounting regulations (Income Tax Act, GST laws).
- Account Information: Retained until you request deletion or after 3 years of account inactivity.
- Newsletter/Consent Data: Retained until you unsubscribe or withdraw consent. Unsubscribe records are retained permanently to honour your opt-out preference.
- Communication Records: Retained for 2 years after the last interaction.
- Analytics Data: Retained for 26 months as per Google Analytics data retention policy.
Once the retention period expires, your personal data will be securely deleted or anonymised.
5. Data Subject Rights (DPDP Act 2023)
Under the Digital Personal Data Protection Act, 2023, you have the following rights regarding your personal data. You can exercise these rights by contacting our Grievance Officer:
a) Right to Access
You have the right to know what personal data we hold about you, the purpose of processing, and with whom it has been shared.
b) Right to Correction
You have the right to request correction of inaccurate or incomplete personal data we hold about you.
c) Right to Erasure (Right to be Forgotten)
You have the right to request deletion of your personal data, subject to certain exceptions (e.g., legal obligations, pending transactions).
d) Right to Grievance Redressal
You have the right to have any grievance regarding your personal data addressed by our Grievance Officer within a reasonable timeframe.
e) Right to Withdraw Consent
Where we process your data based on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
f) Right to Nominate
Under the DPDP Act, you have the right to nominate a person who will exercise your data rights in the event of your death or incapacity.
To exercise any of these rights, contact our Grievance Officer at:
Email: grievance@drphaus.com
Response Time: We will respond to your request within 15 business days as required under the DPDP Act.
6. Grievance Officer (DPDP Act 2023)
In compliance with Section 5(9) of the DPDP Act, 2023, we have appointed a Grievance Officer to address any concerns or complaints regarding the processing of your personal data:
Grievance Officer: Yash Badolla
Designation: Proprietor, Badolla Enterprises
Email: grievance@drphaus.com
Phone: +91-XXXXXXXXXX
Address: A-1904, Brigade Panorama, Mysore Main Road, Bengaluru - 560074, Karnataka, India
Response Time: All grievances will be acknowledged within 24 hours and resolved within 15 business days.
Escalation: If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India (DPBI) as established under the DPDP Act, 2023.
7. Data Sharing and Disclosure
We do not sell your personal information to third parties. We may share your data only with:
- Service Providers: Shipping carriers (Delhivery, India Post), payment processors (Razorpay, Cashfree), and fulfilment partners who need the data to perform their contracted services. These parties are contractually bound to process data only on our instructions and in compliance with the DPDP Act.
- Legal Requirements: When required by law, court order, or government regulation under Indian law.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to you.
We do not transfer your personal data outside India except as necessary for payment processing or where you have provided explicit consent.
8. Data Security Measures
We implement reasonable security practices and procedures as required under the DPDP Act, 2023, and the IT (Reasonable Security Practices) Rules, 2011:
- SSL/TLS encryption (HTTPS) for all data transmissions
- Encrypted storage of sensitive data
- Regular security audits and vulnerability assessments
- Access controls restricting data access to authorised personnel only
- Secure payment processing via PCI-DSS compliant payment gateways
- Firewall and intrusion detection systems on our servers
9. Data Breach Notification Procedure
In compliance with the DPDP Act, 2023, we have established a data breach response and notification procedure:
- Detection & Assessment: Upon discovering a data breach, we will immediately assess the nature, scope, and potential impact.
- Containment: We will take immediate steps to contain the breach and prevent further unauthorised access.
- Notification to Data Protection Board: We will notify the Data Protection Board of India (DPBI) within 72 hours of becoming aware of a breach that is likely to cause harm.
- Notification to Affected Data Principals: We will notify affected individuals promptly, including: (a) description of the breach, (b) nature of data compromised, (c) measures taken, (d) recommended actions for affected individuals, and (e) contact details of our Grievance Officer.
- Remediation: We will take corrective actions to prevent recurrence and strengthen our security posture.
10. Cookie Policy
Our website uses cookies and similar tracking technologies. You can manage your preferences through our cookie consent banner.
Types of Cookies We Use:
- Essential/Necessary Cookies: Required for the website to function (cart management, session persistence, security). These do not require consent.
- Analytics Cookies: Google Analytics cookies that help us understand how visitors use our site. These are set only with your consent.
- Functional Cookies: Remember your preferences (size selections, wishlist items) for a better experience.
You can withdraw or modify your cookie consent at any time by clearing your browser cookies and refreshing the page.
11. Consent for Marketing Communications
We will only send you marketing communications (newsletters, promotional emails, WhatsApp broadcasts) if you have given us your explicit, freely given, specific, informed, and unambiguous consent by checking the consent checkbox on our newsletter sign-up form. You can withdraw your consent at any time by:
- Clicking the "Unsubscribe" link in any marketing email
- Contacting our Grievance Officer at grievance@drphaus.com
- Replying "STOP" to any WhatsApp message
12. Legal Compliance (IT Act, 2000 & DPDP Act, 2023)
DRPHAUS complies with the following Indian laws and regulations:
- Digital Personal Data Protection Act, 2023 (DPDP Act): Full compliance with data processing principles, consent requirements, data subject rights, and breach notification obligations.
- Information Technology Act, 2000 (IT Act): Compliance with Section 43A (compensation for failure to protect data) and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021: Compliance as an intermediary, including the grievance redressal mechanism and takedown procedures under Rule 3 and Rule 4.
- Consumer Protection Act, 2019: Compliance with e-commerce rules regarding seller disclosure, return/refund policies, and pricing transparency.
- Legal Metrology Act, 2009: Compliance with packaging and labelling requirements, including MRP display, net quantity, and date of manufacture.
- Goods and Services Tax (GST) Laws: All transactions processed in Indian Rupees (₹) with 5% GST (HSN Code 61091000) with applicable CGST/SGST/IGST split.
13. International Transfers
Your information may be transferred to and processed in countries other than India only where necessary for payment processing. We ensure appropriate safeguards are in place for such transfers in accordance with the DPDP Act. For data stored within India, your data is hosted on servers located in Mumbai, India.
14. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. Under the DPDP Act, processing of data of children below 18 years requires verifiable parental consent. If you believe a child has provided us with personal data, please contact our Grievance Officer immediately.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Posting the updated policy on this page with an updated "Last updated" date
- Sending an email notification (where we have your email address)
- Displaying a notice on our website for 30 days
We encourage you to review this policy periodically.
16. Contact & Grievance Redressal
If you have questions about this Privacy Policy, wish to exercise your data subject rights, or have a grievance regarding your personal data:
Grievance Officer: Yash Badolla
Email: grievance@drphaus.com
Alternate Email: privacy@drphaus.com
Phone: +91-XXXXXXXXXX
Address: A-1904, Brigade Panorama, Mysore Main Road, Bengaluru - 560074, Karnataka, India
IT Act Grievance Officer for Intermediary Compliance: Same as above. Complaints under the IT Act, 2000 and IT Rules, 2021 may be sent to grievance@drphaus.com. We will acknowledge receipt within 24 hours and resolve within 15 days.