Privacy Policy

What we collect, why we collect it, and how we look after it. Written in plain language and aligned with India’s Digital Personal Data Protection Act 2023.

Last updated · 31 May 2026

01

Who's responsible for your data

The data controller (the “data fiduciary” under India’s DPDP Act) for this site is BagCrush (Tina Roopam Barua, Proprietor). Our full entity details, registered office, and grievance officer are listed on the Legal page.

02

What we collect

We only collect what we need to run a store properly:

  • Account details — name, email, phone, encrypted password
  • Order details — items, prices, billing and shipping address, payment method
  • Verification data — one-time codes sent to your email or phone, briefly stored to confirm it's really you
  • Communications — emails and messages you send us
  • Technical data — IP address, device type, browser, pages viewed, referrer; used to keep the site working and to prevent abuse

We do not collect or retain full card numbers. Payments are processed directly by Stripe or ICICI Payment Gateway, who handle card data under PCI-DSS.

03

How we use it

  • To fulfil your orders, ship them, and let you track them
  • To send transactional emails — verification codes, order confirmations, shipping updates, cancellation and refund notices
  • To answer your queries through customer care and resolve grievances
  • To detect and prevent fraud, abuse, and technical issues
  • To meet legal, accounting, and tax obligations (GST records, invoices, returns)
  • To improve the site — understand what works, fix what doesn't, plan what to make next

04

Legal basis

Under the DPDP Act, we rely on:

  • Performance of contract — to deliver the order you placed and provide the account features you've signed up for
  • Legitimate use — to keep the site secure, prevent fraud, and comply with the law
  • Consent — for any marketing communications, which you can withdraw at any time from the bottom of any marketing email or by writing to info@bagcrush.in

05

Cookies & similar technologies

We use three classes of cookies:

  • Essential — these keep your cart, session, and authentication working. The site doesn’t function without them; they don’t require separate consent.
  • Performance — aggregated, anonymised data that helps us understand how the site is used. Enabled by default; you can opt out through your browser’s “Do Not Track” setting.
  • Marketing — currently not used. If we introduce them, we’ll prompt you for consent first.

06

Who we share data with

We share data only with the processors we need to run the business, and only what they need to do their job:

  • Stripe and ICICI Payment Gateway — to process online payments
  • Courier partners — to deliver your order (name, address, phone, order ID only)
  • Hostinger (and our hosting partner) — to host the site and email
  • Google — if you choose to sign in with Google
  • Analytics providers — anonymised, aggregated traffic data only
  • Government authorities, when legally compelled to (e.g. tax notices, court orders)

We do not sell, rent, or trade your personal data to anyone, ever.

07

Where your data lives

Our primary database and file storage are located in India. Some of our processors (for example, Google for OAuth) operate from servers outside India. Where data leaves India, we rely on those providers’ standard contractual safeguards.

08

How long we keep it

  • Account data — for as long as your account exists. After deletion, residual copies in backups age out within 30 days.
  • Order data — retained for 8 years from the financial year of the transaction, as required by GST and Indian tax law.
  • OTPs and verification codes — held for 10 minutes, then deleted.
  • Customer-care emails — retained for 3 years for support history.
  • Server logs — typically 30–90 days.

09

Security

We take security seriously. Specifically, we use encryption in transit (TLS) on every connection, encryption at rest for sensitive fields like pending-signup payloads, hashed passwords, role-based access controls for staff, regular backups, and security headers (CSP, HSTS, X-Frame-Options) on every page.

No system is perfect. If you spot a vulnerability, write to the developer at sudiptaranjanbaruah@gmail.com and we’ll respond quickly.

10

Your rights

Under the DPDP Act you have the right to:

  • Access the personal data we hold about you
  • Correct anything that's inaccurate or incomplete
  • Erase your personal data, except where the law requires us to keep it (e.g. tax records)
  • Withdraw consent for marketing communications at any time
  • Nominate someone to exercise your rights on your behalf in the event of incapacity or death
  • File a complaint with the Data Protection Board of India if you believe we're not handling things properly

To exercise any of these, email info@bagcrush.in. We’ll verify your identity (so we don’t hand your data to someone else) and respond within 30 days.

11

Children

The site isn’t aimed at children under 18, and we don’t knowingly collect data from them. If you believe your child has provided data to us, contact info@bagcrush.in and we’ll delete it.

12

Changes to this policy

We may update this policy. The version in force is the one published here on the date of your interaction with the site. Material changes will be flagged on the homepage for a reasonable period.

13

Contact & grievance

For privacy questions, write to info@bagcrush.in.

For unresolved complaints, our Grievance Officer is Sudipta Ranjan Baruah, reachable at sudiptaranjanbaruah@gmail.com. We acknowledge within 24 hours and aim to resolve within 15 days. Full details are on the Legal page.