Privacy Policy
Your privacy is important to us. Learn how we collect, use, and protect your information.
Last Updated: January 21, 2026
Effective Date: January 21, 2026
DPDPA 2023 Compliance
This Privacy Policy is compliant with India's Digital Personal Data Protection Act, 2023 (DPDPA) and Consumer Protection (E-Commerce) Rules, 2020. We are committed to protecting your personal data and respecting your privacy rights under Indian law.
Introduction
Welcome to Junooni, a creator merchandise marketplace platform operating in India. We are committed to protecting your privacy and ensuring the security of your personal data in accordance with India's Digital Personal Data Protection Act, 2023 (DPDPA) and all applicable Indian laws.
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you use our website, mobile applications, and services. Please read this policy carefully to understand our practices regarding your personal data and how we will treat it.
1. What Personal Data We Collect
Under DPDPA 2023, "personal data" means any data about an individual who is identifiable by or in relation to such data. We collect the following categories of personal data:
A. Information You Provide to Us
We collect personal data that you voluntarily provide in the following contexts:
Account Registration
- Full name
- Email address
- Phone number (mobile)
- Password (encrypted)
- Date of birth (to verify age 18+)
Order & Delivery Information
- Shipping address (name, street, city, state, PIN code)
- Billing address
- Order details and preferences
- Product customizations (designs, text, images you upload)
Payment Information
- Payment method details (processed securely by Razorpay)
- Transaction history
- Billing information
Note: We do NOT store full credit/debit card numbers. Payment processing is handled by our PCI-DSS compliant payment processor, Razorpay.
Communications
- Customer service inquiries and correspondence
- Product reviews and ratings
- Survey responses
- Feedback and complaints
Marketing Preferences (Optional)
- Newsletter subscription preferences
- Communication channel preferences (email, SMS, WhatsApp)
- Product and creator interests
B. Information Collected Automatically
When you visit our website or use our services, we automatically collect certain technical information:
- Device Information: Device type, operating system, browser type and version, device identifiers
- Usage Data: Pages visited, time spent on pages, navigation paths, features used
- Location Data: IP address, approximate geographic location (city/state level)
- Cookies & Tracking: Cookie identifiers, session data (see Cookie Policy section)
- Analytics Data: Aggregated website performance and user behavior metrics
Data Minimization Principle
In compliance with DPDPA 2023, we only collect personal data that is necessary for the specific purposes outlined in this policy. We do not collect excessive or irrelevant information.
2. Legal Basis for Processing Your Data
Under DPDPA 2023, we can only process your personal data based on one of the following legal grounds:
1. Your Consent
For most processing activities, we rely on your explicit, informed, and freely given consent. This includes:
- Marketing communications (newsletters, promotional offers)
- Non-essential cookies and analytics
- Sharing data with third-party partners (beyond essential service providers)
You can withdraw your consent at any time (see Section 9: Consent Management).
2. Legitimate Uses (Without Consent)
We may process your data without explicit consent for certain legitimate purposes under DPDPA 2023:
- Order Fulfillment: Processing orders and delivering products you purchased
- Legal Compliance: Complying with tax, accounting, and regulatory obligations
- Fraud Prevention: Preventing fraud, unauthorized transactions, and security threats
- Contractual Necessity: Performing our contract with you (Terms of Service)
- Voluntary Data Sharing: When you voluntarily provide data and do not indicate non-consent
3. How We Use Your Personal Data (Purposes)
We use your personal data only for the specific purposes for which it was collected, as disclosed at the time of collection. These purposes include:
A. Order Processing & Fulfillment
To process your orders, coordinate with our fulfillment partner (Qikink), arrange shipping with logistics providers, handle returns/refunds, and provide customer support related to your purchases.
Legal Basis: Contractual necessity
B. Account Management & Authentication
To create and manage your account, verify your identity, enable secure login, maintain order history, and provide personalized account features.
Legal Basis: Contractual necessity
C. Transaction Processing & Payment
To process payments securely through Razorpay, maintain transaction records, detect fraudulent transactions, and comply with financial regulations.
Legal Basis: Contractual necessity, Legal compliance
D. Communication & Customer Service
To send order confirmations, shipping notifications, delivery updates, respond to inquiries, provide technical support, and communicate important service changes.
Legal Basis: Contractual necessity
E. Marketing & Promotional Communications (WITH CONSENT)
To send newsletters, promotional offers, personalized product recommendations, new creator announcements, and special deals. You must opt-in to receive marketing communications.
Legal Basis: Explicit consent (can be withdrawn anytime)
F. Platform Improvement & Analytics
To analyze website usage patterns, understand user preferences, improve our services, develop new features, optimize user experience, and fix technical issues.
Legal Basis: Consent (for analytics cookies)
G. Security & Fraud Prevention
To detect and prevent fraud, unauthorized access, security threats, spam, and abuse of our platform. To maintain security logs and conduct security audits.
Legal Basis: Legitimate use (security)
H. Legal Compliance & Regulatory Requirements
To comply with tax regulations (GST), maintain financial records, respond to legal requests, enforce our Terms of Service, and fulfill regulatory obligations under Indian law.
Legal Basis: Legal compliance
Purpose Limitation Principle
We will ONLY use your personal data for the specific purposes disclosed in this policy. We will NOT use your data for any other purpose without obtaining your fresh consent.
4. How We Share Your Personal Data (Data Processors)
We share your personal data with trusted third-party service providers ("Data Processors" under DPDPA 2023) who help us operate our business. All data processors are contractually obligated to protect your data and use it only for the specific purposes we authorize.
Creator Partners (Limited)
For creator-specific merchandise, we may share minimal order information (order ID, product, status) with the relevant creator. We do NOT share your personal contact details or payment information with creators.
Legal Authorities
We may disclose your information if required by law, court order, government investigation, or to protect our legal rights, prevent fraud, or ensure public safety.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you via email and website notice before such transfer.
What We DO NOT Do
- We do NOT sell your personal data to third parties
- We do NOT rent or trade your information for marketing purposes
- We do NOT share your data for purposes other than those disclosed in this policy
5. Data Security Measures
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, accidental loss, destruction, or damage, as required by DPDPA 2023:
Technical Measures
- SSL/TLS encryption for data transmission
- Encrypted storage of sensitive data
- Secure password hashing (bcrypt)
- Firewall protection
- Regular security updates and patches
- Intrusion detection systems
Organizational Measures
- Access controls and authentication
- Employee data protection training
- Confidentiality agreements
- Regular security audits
- Incident response procedures
- Data minimization practices
Payment Security
All payment transactions are processed through Razorpay, a PCI-DSS Level 1 certified payment gateway. We do NOT store your complete credit/debit card numbers on our servers. Only the last 4 digits are stored for order reference purposes.
Security Logging & Monitoring
In compliance with DPDPA 2023, we maintain security logs to detect and prevent unauthorized access to personal data. These logs are retained for a minimum of one (1) year.
Important Disclaimer: While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account password and for any activities under your account.
6. Data Retention & Deletion
Under DPDPA 2023, we must delete your personal data once the purpose for which it was collected has been fulfilled, unless retention is required by law. Here are our retention periods:
Account Information
Retention: Until account deletion + 30 days for backup removal
Deletion Trigger: When you delete your account or request data deletion
Order & Transaction Data
Retention: 7 years from transaction date
Legal Basis: Required for tax compliance (GST, Income Tax Act), accounting records, and dispute resolution
Marketing Communications Data
Retention: Until unsubscribe + 30 days
Deletion Trigger: When you withdraw marketing consent or unsubscribe
Customer Service Communications
Retention: 3 years from last interaction
Purpose: Quality assurance, dispute resolution, service improvement
Security Logs
Retention: Minimum 1 year (as required by DPDPA Rules)
Purpose: Security monitoring, breach detection, compliance verification
Website Analytics Data
Retention: 26 months (anonymized after 14 months)
Purpose: Website improvement, user experience optimization
Cookie Data
Retention: Varies by cookie type (see Cookie Policy)
Typical Range: Session cookies (deleted on browser close) to 2 years (persistent cookies)
Automated Deletion Workflows
We have implemented automated systems to delete personal data when retention periods expire:
- Automated account data deletion 30 days after account closure
- Automated marketing list cleanup after unsubscribe
- Scheduled purging of expired cookies and session data
- 48-hour advance notice before automated deletion (as required by DPDPA)
7. Your Rights Under DPDPA 2023
As a "Data Principal" under India's Digital Personal Data Protection Act, 2023, you have the following rights:
Right to Access
Request a summary of your personal data we have processed, details about how we use it, and a list of all data processors who have access to your data.
Right to Correction
Request correction or completion of inaccurate or incomplete personal data. You can also update most information directly in your account settings.
Right to Erasure (Deletion)
Request deletion of your personal data when it is no longer necessary for the purpose collected, or when you withdraw consent (subject to legal retention requirements).
Right to Data Portability
Request a copy of your personal data in a structured, commonly used, and machine-readable format (such as CSV or JSON) to transfer to another service provider.
Right to Withdraw Consent
Withdraw your consent for any processing activities based on consent (e.g., marketing, analytics cookies). Withdrawal does not affect past processing but stops future processing.
Right to Nominate
Nominate another individual (during your lifetime) to exercise your rights in the event of death or incapacity. Contact us to set up a nominee.
Right to Grievance Redressal
File complaints with our Grievance Officer or with the Data Protection Board of India if you believe your rights have been violated.
How to Exercise Your Rights
To exercise any of the above rights, please contact us:
- Email: support@junooni.com
- Subject Line: Include "DPDPA Rights Request" along with the specific right (e.g., "Right to Access")
- Information Needed: Your full name, registered email, order ID (if applicable), and specific request details
Response Timeline
We will respond to your request within a reasonable timeframe as required by DPDPA 2023. In most cases, we aim to respond within 30 days of receiving your complete request. Complex requests may require additional time, and we will notify you of any extension.
9. Consent Management
Under DPDPA 2023, your consent must be free, specific, informed, unconditional, and unambiguous. Here's how we obtain and manage your consent:
How We Obtain Consent
- Clear Affirmative Action: You must actively check boxes or click buttons - no pre-checked boxes
- Granular Consent: Separate consent options for different purposes (e.g., separate checkboxes for marketing emails vs SMS)
- Informed Notice: We provide clear information about what data we collect and why before asking for consent
- Easy to Understand: Consent requests use simple, plain language (no legal jargon)
- No Bundling: Consent for one purpose is not bundled with consent for unrelated purposes
Types of Consent We Seek
1. Account Creation: Consent to create an account and process your data for service delivery
2. Marketing Communications: Separate consent for email newsletters, SMS, and WhatsApp promotions
3. Analytics Cookies: Consent for non-essential cookies that track website usage
4. Third-Party Data Sharing: Consent for sharing data with partners beyond essential service providers
How to Withdraw Consent
You can withdraw your consent at any time, easily and free of charge:
- Marketing Emails: Click the "Unsubscribe" link in any marketing email
- Account Settings: Manage communication preferences in your account dashboard
- Cookies: Adjust cookie preferences through our cookie banner or browser settings
- Email Request: Send a withdrawal request to support@junooni.com
Note: Withdrawing consent does not affect the lawfulness of processing before withdrawal and does not affect processing based on other legal grounds (contractual necessity, legal compliance).
Consequences of Withdrawing Consent
If you withdraw consent for essential services (e.g., order processing, account management), we may not be able to provide you with our services. However, you can always withdraw consent for non-essential activities like marketing communications without affecting your ability to use the platform.
11. Children's Privacy & Age Verification
AGE REQUIREMENT: 18 Years and Above
Our services are intended ONLY for individuals who are 18 years of age or older. Under DPDPA 2023, individuals under 18 are considered "children" and require verifiable parental consent for data processing.
WE DO NOT KNOWINGLY COLLECT PERSONAL DATA FROM ANYONE UNDER 18 YEARS OF AGE.
Age Verification
During account registration, you must confirm that you are at least 18 years old. By creating an account, you represent and warrant that you meet this age requirement.
If You Are a Parent or Guardian
If you believe your child under 18 has provided us with personal data without your knowledge:
- Contact us immediately at support@junooni.com
- Provide proof of parental authority
- We will verify and delete the account and all associated data within 48 hours
DPDPA 2023 Compliance for Children's Data
If we become aware that we have collected personal data from anyone under 18 without verifiable parental consent, we will:
- Immediately cease processing the data
- Delete all personal data from our systems
- Notify the Data Protection Board of India if required
- Take steps to prevent future collection
12. Data Breach Notification Protocol
Under DPDPA 2023, we have implemented a comprehensive data breach response protocol to protect your personal data and notify you promptly in case of any breach.
72-Hour Notification Requirement
If we detect a data breach that poses a risk to your rights, we will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by DPDPA Rules.
What Constitutes a Data Breach
- Unauthorized access to personal data
- Accidental loss or destruction of personal data
- Unlawful disclosure or sharing of personal data
- Alteration or modification of personal data without authorization
How We Will Notify You
If a breach affects your personal data, we will notify you promptly through:
- Email to your registered email address
- Prominent notice on our website homepage
- In-app notification (if applicable)
- SMS notification (for high-risk breaches)
Information We Will Provide
Our breach notification will include:
- Description of the breach and types of data affected
- Estimated number of affected users
- Potential consequences and risks
- Actions we have taken to address the breach
- Steps you should take to protect yourself
- Contact information for questions and concerns
Our Breach Response Procedures
- Detection & Containment: Identify and contain the breach immediately
- Assessment: Evaluate the scope, severity, and affected data
- Notification: Notify DPB within 72 hours and affected users promptly
- Remediation: Fix vulnerabilities and strengthen security measures
- Documentation: Maintain detailed records of the breach and response
- Review: Conduct a post-incident review to prevent future breaches
13. Grievance Redressal Mechanism
In compliance with Consumer Protection (E-Commerce) Rules 2020 and DPDPA 2023, we have established a comprehensive grievance redressal mechanism to address your concerns and complaints.
Grievance Officer Details
Name: Meenal Aggarwal
Designation: Grievance Officer - Data Privacy & Consumer Protection
Email: grievance@junooni.com
Phone: +91 8694062222
Address: Junooni, Saharanpur, Uttar Pradesh, India
Working Hours: Monday-Friday, 10:00 AM - 6:00 PM IST
How to File a Complaint
- Send an email to grievance@junooni.com
- Include "Privacy Complaint" or "Consumer Complaint" in the subject line
- Provide your full name, registered email, order ID (if applicable)
- Describe your complaint in detail with supporting documents/screenshots
- State the resolution you are seeking
Response Timeline
Acknowledgment: Within 48 hours of receiving your complaint
Resolution: Within 30 days (1 month) of acknowledgment
Complex Cases: May require additional time; we will inform you of any extension
Complaint Tracking
Upon filing a complaint, you will receive a unique complaint ID. You can track the status of your complaint by emailing our Grievance Officer with this ID.
Escalation to Data Protection Board of India
If you are not satisfied with our response or resolution, you have the right to file a complaint with the Data Protection Board of India (DPB).
Data Protection Board of India
Website: [DPB website will be announced by government]
Contact: [DPB contact details will be published upon establishment]
Note: The Data Protection Board of India was established on November 13, 2025. Contact details and complaint procedures will be available on their official website.
14. International Data Transfers
Your personal data is primarily stored and processed in India. However, some of our service providers (such as cloud hosting or email services) may process data outside India.
Countries Where Data May Be Transferred
- Primary Location: India (all core data)
- Cloud Services: May use servers in USA, Singapore (with appropriate safeguards)
- Email Services: May process through servers globally
Safeguards for International Transfers
When transferring data outside India, we ensure:
- Data Processing Agreements with all international processors
- Compliance with DPDPA 2023 requirements for cross-border transfers
- Encryption during transfer and storage
- Equivalent level of data protection as in India
15. Third-Party Websites and Links
Our website may contain links to third-party websites, social media platforms, or services that are not operated or controlled by Junooni. This includes:
- Creator social media profiles (Instagram, YouTube, Twitter, etc.)
- Payment gateway interfaces (Razorpay)
- Third-party product or service recommendations
- External blog posts or articles
Important: We are not responsible for the privacy practices or content of these third-party websites. When you click on external links, you leave our website and are subject to the privacy policies and terms of those sites. We strongly encourage you to review their privacy policies before providing any personal information.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. Any changes will be posted on this page with an updated "Last Updated" date.
How We Notify You of Changes
- Minor Changes: Posted on this page with new "Last Updated" date
- Material Changes: Email notification to registered users + prominent website banner
- Changes Requiring New Consent: Explicit consent request before applying changes
Your Rights Regarding Changes
If you do not agree with any changes to this Privacy Policy, you have the right to:
- Request deletion of your account and personal data
- Withdraw consent for specific processing activities
- Stop using our services
Your continued use of our services after policy changes indicates acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. The "Last Updated" date at the top of this page indicates when the policy was last revised.
17. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy, your personal data, or our privacy practices, please contact us:
General Privacy Inquiries
Grievance Officer
Data Subject Rights Requests
For requests to access, correct, delete, or port your data, please email:
support@junooni.com with subject line: "DPDPA Rights Request - [Your Request Type]"
We aim to respond to all legitimate requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India.
Legal Compliance Statement
This Privacy Policy is compliant with:
- ✓ Digital Personal Data Protection Act, 2023 (DPDPA)
- ✓ Consumer Protection (E-Commerce) Rules, 2020
- ✓ Information Technology Act, 2000
- ✓ Information Technology (Reasonable Security Practices) Rules, 2011
Governing Law: This Privacy Policy is governed by the laws of India.
Jurisdiction: Courts of Saharanpur, Uttar Pradesh, India shall have exclusive jurisdiction.
By using Junooni's services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described herein.