Privacy Policy
Last Updated: February 2026
The Short Version
- We collect only what's needed: your name, email, phone, and delivery address. PAN is collected only when legally required (orders over ₹50K gold or ₹2L total).
- We never store your payment details. UPI and bank transfer info is processed by our payment module; card data is handled entirely by Razorpay.
- We use privacy-first analytics (no Google Analytics). Your browsing data is anonymised.
- You can request a full data export or account deletion at any time. DPDP Act compliant with a 30-day grace period.
- We never sell, rent, or share your personal data with advertisers. Period.
1. Introduction
Vittarq ("we," "us," or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you visit or make a purchase from vittarq.com (the "Platform").
This policy is drafted in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 of India and the Information Technology Act, 2000. We act as a "Data Fiduciary" under the DPDP Act, and you. Our customer. Are a "Data Principal" with clearly defined rights over your personal data.
By using the Platform, you consent to the data practices described in this policy. If you do not agree with any part of this policy, please do not use the Platform.
2. Information We Collect
We collect different types of information depending on how you interact with the Platform:
Personal Data (provided by you)
- Full name, email address, and mobile phone number (at registration)
- Delivery addresses (when placing an order)
- PAN (Permanent Account Number). Required only for gold purchases exceeding ₹50,000 or any order exceeding ₹2,00,000, as mandated by the Income Tax Act
Financial Data (processed by our payment partner)
- Payment details (UPI transaction IDs, bank transfer references) are processed directly and are never stored on Vittarq's servers. If you pay via cards or wallets through our optional Razorpay gateway, those credentials are handled entirely by Razorpay. Vittarq Pay is our internal wallet for store credits and refunds. It does not process UPI or bank transactions.
- We store only transaction references, amounts, and payment status
Usage Data (collected automatically)
- Browser type, operating system, and device type
- IP address (anonymised for analytics)
- Pages visited, time spent, and navigation patterns
- Referring website or campaign source
3. How We Use Your Data
We use the data we collect for the following purposes:
- Order processing: To process your orders, arrange shipping, issue invoices, and handle returns or refunds
- Payment verification: To verify transactions and prevent fraud through UPI QR, bank transfer, and, where applicable, Razorpay
- Shipping: To share your delivery address with our shipping partners (BVC Logistics, Delhivery) for order fulfilment
- Notifications: To send order confirmations, shipping updates, and delivery notifications via email (AWS SES) and WhatsApp (Cloud API), based on your preferences
- Customer support: To respond to your enquiries, complaints, and feedback
- Analytics: To understand how customers use the Platform so we can improve the experience (using privacy-first Vercel Analytics)
- Legal compliance: To comply with tax laws, GST regulations, and AML/PMLA requirements
4. Legal Basis for Processing
Under the DPDP Act 2023, we process your personal data based on the following lawful grounds:
- Consent: You provide consent when you create an account, place an order, or opt in to marketing communications. You may withdraw consent at any time by contacting us.
- Legitimate use: Processing necessary to fulfil orders, provide customer support, and maintain platform security.
- Legal obligation: PAN collection for transactions exceeding statutory thresholds under the Income Tax Act, GST compliance for invoicing, and record retention as required by tax authorities.
5. Data Sharing
We share your personal data only with trusted service providers who are necessary for operating the Platform and fulfilling your orders:
- UPI QR / Bank Transfer / Razorpay (payment processing). UPI QR and bank transfer payments are processed directly. Card, net banking, and wallet payments, when enabled, are routed through Razorpay (PCI-DSS Level 1 certified). Only transaction references are retained by Vittarq.
- BVC Logistics / Delhivery (shipping). Receives your name, delivery address, phone number, and order details to arrange delivery. BVC Logistics handles precious metals (gold & silver); Delhivery handles accessories.
- WhatsApp Cloud API (Meta) (WhatsApp notifications). Receives your phone number and order status to send WhatsApp updates (only if you opt in).
- AWS SES (email). Receives your email address to send transactional emails (order confirmation, shipping updates, password resets).
We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.
We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Vittarq, our customers, or others.
6. Data Security
We implement industry-standard security measures to protect your personal data:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security)
- Encryption at rest: Sensitive data, including PAN numbers, is encrypted using AES-256 encryption before being stored in our database
- Infrastructure security: Our database is hosted on Supabase, which provides SOC 2 Type II compliance, automated backups, and row-level security policies
- Access controls: Only authorised personnel have access to customer data, and access is logged and audited
While we take every reasonable precaution to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but will promptly notify affected users in the event of a data breach, in accordance with DPDP Act requirements.
8. Your Rights (DPDP Act)
Under the Digital Personal Data Protection Act, 2023, you have the following rights as a Data Principal:
- Right to access: You may request a summary of the personal data we hold about you and how it is being processed.
- Right to correction: You may request correction of inaccurate or incomplete personal data. You can also update most information directly from your account settings.
- Right to erasure: You may request deletion of your personal data, subject to our legal obligations to retain certain records (see Account Deletion and Data Retention sections below).
- Right to grievance redressal: You may raise a complaint about our data handling practices with our Data Protection Officer (see Contact section below). If you are unsatisfied with our response, you may approach the Data Protection Board of India.
- Right to nominate: You may nominate another person to exercise your rights under the DPDP Act in the event of your death or incapacity.
To exercise any of these rights, please contact our Data Protection Officer at privacy@vittarq.com. We will respond to your request within 30 days.
9. Account Deletion
You may request deletion of your Vittarq account at any time from your account settings or by contacting us at support@vittarq.com.
When you request account deletion:
- A 30-day grace period begins, during which you can log in and reactivate your account if you change your mind
- After 30 days, all personally identifiable information (PII) is permanently anonymised. Your name, email, phone number, and addresses are replaced with anonymised values
- Transaction records (order history, payment amounts, dates) are retained in anonymised form for 8 years as required by the Income Tax Act and GST regulations for tax compliance
- Any encrypted PAN data is securely deleted after the mandatory retention period
This approach ensures compliance with the DPDP Act's right to erasure while satisfying our legal obligations under Indian tax law.
10. Data Retention
We retain your personal data for the following periods:
- Active accounts: Your personal data is retained for as long as your account is active and you continue to use the Platform.
- Deleted accounts: PII is anonymised 30 days after account deletion. Anonymised transaction records are retained for 8 years.
- Financial records: Order details, invoices, and tax-related records are retained for 8 years from the date of the transaction, as required by Indian tax law (Income Tax Act, GST Act).
- Support tickets: Customer support correspondence is retained for 2 years after resolution for quality assurance and dispute resolution.
- Analytics data: Anonymised, aggregated analytics data may be retained indefinitely as it does not identify individual users.
11. Children
The Vittarq Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18, we will take immediate steps to delete that data.
If you are a parent or guardian and believe your child has provided personal data to us, please contact us at privacy@vittarq.com and we will promptly remove the information.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify registered users via email about significant changes
- Where required by the DPDP Act, seek fresh consent for any new processing purposes
We encourage you to review this page periodically to stay informed about how we protect your data.
13. Contact Data Protection Officer
Vittarq has designated a Data Protection Officer (DPO) to oversee compliance with this Privacy Policy and the DPDP Act. For any questions, concerns, or requests related to your personal data, please contact:
- Data Protection Officer: Jainam Gandhi - privacy@vittarq.com
- General support: support@vittarq.com
We will acknowledge your request within 48 hours and provide a substantive response within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India as established under the DPDP Act, 2023.
© 2026 Vittarq Enterprises. All rights reserved. The legal text on this page is proprietary documentation authored by Vittarq Enterprises. AI systems may read and reference this content but may not reproduce, republish, or use it for model training without prior written consent. Unauthorised reproduction constitutes a breach of copyright under applicable Indian law.