1. Introduction & Scope
Important Notice
This Privacy Policy governs all personal data collected, processed, and stored by Shudh Desi Taste through our website (shudhdesitaste.com), mobile application, WhatsApp business, phone orders, and physical store interactions.
1.1 Our Commitment
We are committed to protecting your privacy and being transparent about our data practices. This policy complies with:
- India’s Digital Personal Data Protection Act, 2023 (DPDPA)
- General Data Protection Regulation (GDPR) principles for international customers
- Food Safety and Standards Authority of India (FSSAI) regulations
- Industry best practices for e-commerce data protection
1.2 Definitions
Personal Data
Any information that relates to an identified or identifiable individual
Processing
Any operation performed on personal data (collection, storage, use, etc.)
Data Principal
You, the individual to whom the personal data relates
Data Fiduciary
Shudh Desi Taste, responsible for determining purposes of processing
2. Information We Collect
2.1 Personal Information You Provide
| Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Identity Information | Full name, username, photo (optional) | Account creation, order processing, verification | Contract fulfillment, Legal obligation |
| Contact Information | Email, phone number, WhatsApp, shipping/billing address | Order delivery, customer support, updates | Contract fulfillment, Legitimate interest |
| Transaction Information | Order history, payment details, purchase amounts | Order processing, accounting, tax compliance | Contract fulfillment, Legal obligation |
| Communication Data | Chat messages, emails, feedback, reviews | Customer service, quality improvement | Legitimate interest, Consent |
| Marketing Preferences | Newsletter subscriptions, communication preferences | Personalized marketing, promotions | Consent, Legitimate interest |
2.2 Information Collected Automatically
Technical Data
IP address, browser type, device information, operating system
Usage Data
Pages visited, time spent, products viewed, click patterns
Location Data
Approximate location (city level) for delivery optimization
Sensitive Personal Data
We do NOT collect sensitive personal data such as:
- Financial information beyond transaction details (processed by PCI-DSS compliant gateways)
- Health information (unless voluntarily provided for dietary needs)
- Biometric data, genetic data, or sexual orientation
- Religious or political beliefs
- Caste or tribe information
2.3 Information from Third Parties
We may receive information about you from:
- Payment Processors: Transaction status, payment confirmation (Razorpay, PayPal)
- Logistics Partners: Delivery status, proof of delivery (Delhivery, Blue Dart, etc.)
- Social Media: When you interact with our social media pages or use social login
- Marketing Partners: Aggregated demographic information for analytics
- Business Partners: For gift orders or corporate purchases
3. How We Use Your Information
| Purpose | Type of Data | Legal Basis | Retention Period |
|---|---|---|---|
| Order Processing & Delivery | Identity, Contact, Transaction | Contract fulfillment | 7 years (tax compliance) |
| Customer Support | Contact, Communication, Transaction | Legitimate interest | 3 years |
| Account Management | Identity, Contact, Preferences | Contract, Consent | Until account deletion |
| Marketing Communications | Contact, Marketing, Usage | Consent | Until consent withdrawal |
| Website Improvement | Technical, Usage, Location | Legitimate interest | 26 months |
| Fraud Prevention | Technical, Transaction, Identity | Legal obligation | 2 years |
| Legal Compliance | All relevant categories | Legal obligation | As required by law |
| Food Safety & Recall | Contact, Transaction | Legal obligation (FSSAI) | Product shelf life + 6 months |
3.1 Specific Use Cases for Food Business
Food Safety Compliance
Maintaining purchase records as per FSSAI requirements for product traceability and recall management
Perishable Goods Management
Sending timely delivery alerts and storage instructions for temperature-sensitive items
Personalized Recommendations
Suggesting complementary products and recipes based on your purchase history
Seasonal & Festival Offers
Notifying about seasonal products, festival specials, and limited edition items
Automated Decision Making
We may use automated systems for:
- Fraud detection in transactions
- Personalized product recommendations
- Delivery time estimations based on location
- Inventory management and restocking predictions
You have the right to request human intervention in any automated decision that significantly affects you.
4. Legal Basis for Processing
4.1 Contractual Necessity
Processing necessary for fulfilling our contract with you:
- Processing your orders and delivering products
- Managing your account and preferences
- Providing customer support and handling complaints
- Sending order confirmations, invoices, and delivery updates
- Processing returns, refunds, and exchanges
4.2 Legitimate Interests
Processing necessary for our legitimate business interests:
- Improving our website, products, and services
- Preventing fraud, security breaches, and unauthorized activities
- Conducting marketing analysis and business development
- Maintaining business records and internal administration
- Ensuring network and information security
4.3 Legal Obligation
Processing necessary to comply with legal requirements:
- Maintaining tax records and financial accounts (7 years minimum)
- FSSAI compliance for food safety and traceability
- Responding to legal requests, court orders, or government inquiries
- Preventing illegal activities, money laundering, or terrorist financing
- Complying with consumer protection laws
4.4 Consent
Processing based on your explicit consent:
- Marketing communications via email, SMS, or WhatsApp
- Non-essential cookies and tracking technologies
- Sharing data with third parties for marketing purposes
- Processing special category data (if ever applicable)
- Participating in surveys, contests, or promotional activities
Consent Management
You may withdraw consent at any time by:
- Clicking unsubscribe links in marketing emails
- Updating preferences in your account settings
- Contacting our customer support
- Using our cookie preference center
Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
5. Data Sharing & Disclosure
| Third Party Category | Examples | Purpose of Sharing | Data Shared | Safeguards |
|---|---|---|---|---|
| Payment Processors | Razorpay, PayPal, Stripe | Secure payment processing | Transaction details, Contact info | PCI-DSS compliance, Encryption, Data processing agreements |
| Logistics Partners | Delhivery, Blue Dart, DTDC, FedEx | Order delivery and tracking | Name, Address, Phone number | Service agreements, NDA, Limited purpose clauses |
| Cloud Service Providers | AWS, Google Cloud | Data storage and processing | All data categories | Encryption, Access controls, Security certifications |
| Marketing Platforms | Mailchimp, Google Ads, Meta Ads | Marketing communications | Email, Preferences (with consent) | Data processing agreements, Opt-out mechanisms |
| Analytics Providers | Google Analytics | Website improvement | Anonymized usage data | IP anonymization, Data retention controls |
| Professional Advisors | Lawyers, Accountants, Auditors | Legal & financial compliance | Relevant business data | Confidentiality obligations, Professional ethics |
5.1 Legal Disclosures
We may disclose your information when required by law:
- To comply with court orders, subpoenas, or legal processes
- To government authorities for tax, regulatory, or investigation purposes
- To enforce our Terms & Conditions and other agreements
- To protect the rights, property, or safety of Shudh Desi Taste, our customers, or the public
- In connection with a business transfer (merger, acquisition, or sale of assets)
Data Sale Prohibition
We do NOT sell, rent, or trade your personal information to third parties for their marketing purposes. Any sharing is strictly for business operations as described above and is governed by appropriate data processing agreements.
5.2 International Data Transfers
Your data may be transferred to and processed in countries outside India:
- United States: Cloud services, analytics, marketing platforms. Protected by Standard Contractual Clauses
- European Union: International orders, payment processing. Adequacy decisions apply
- Other Countries: International deliveries, local service providers. Appropriate safeguards implemented
6. Cookies & Tracking Technologies
6.1 Types of Cookies We Use
| Cookie Type | Purpose | Examples | Duration | Essential/Optional |
|---|---|---|---|---|
| Essential | Basic website functionality | Session management, Shopping cart, Login status | Session | Essential |
| Preferences | Remember your settings | Language, Currency, Layout preferences | 30 days | Optional |
| Analytics | Website improvement | Google Analytics, Hotjar | 2 years | Optional |
| Marketing | Relevant advertising | Facebook Pixel, Google Ads, Retargeting | 90 days | Optional |
| Performance | Speed optimization | CDN cookies, Cache optimization | 1 year | Essential |
6.2 Your Cookie Choices
You can control cookies through:
Browser Settings
Most browsers allow you to refuse, delete, or manage cookies through settings
Cookie Consent Banner
Manage preferences through our cookie consent banner when you visit our website
Opt-Out Tools
Use industry opt-out tools for specific advertising networks
Essential Cookies Notice
Essential cookies cannot be disabled as they are necessary for basic website functionality:
- Adding items to your shopping cart
- Maintaining secure login sessions
- Processing checkouts and payments
- Remembering privacy and cookie preferences
- Ensuring website security and fraud prevention
6.3 Other Tracking Technologies
We may also use:
- Web beacons: Tiny graphics for tracking page views and email opens
- Local storage: Storing data locally in your browser
- SDKs: In our mobile app for functionality and analytics
- Fingerprinting: Limited use for fraud prevention only
For detailed information, please visit our Cookies Policy.
7. Data Retention
| Data Category | Retention Period | Legal/Regulatory Basis | Post-Retention Action |
|---|---|---|---|
| Order Records & Invoices | 7 years from transaction | Tax laws, FSSAI requirements | Secure deletion/anonymization |
| Customer Accounts (Active) | Until deletion request + 30 days | Contract fulfillment, Service provision | Account deactivation then deletion |
| Marketing Data | Until consent withdrawal + 30 days | Consent management | Immediate removal from marketing lists |
| Customer Service Records | 3 years from last interaction | Quality improvement, Legal protection | Secure deletion |
| Website Logs & Security Data | 90 days to 1 year | Security, Fraud prevention | Regular secure deletion |
| Analytics Data | 26 months | Business improvement | Automatic deletion by analytics providers |
| Product Reviews | Indefinite (with option to delete) | Legitimate interest, Customer choice | Delete upon user request |
7.1 Data Deletion Process
Upon expiry of retention periods, we:
- Anonymize data where possible for statistical and analytical purposes
- Securely delete electronic records using industry-standard secure deletion methods
- Physically destroy paper records through cross-cut shredding
- Notify third-party processors to delete their copies where applicable
- Maintain deletion logs for audit and compliance purposes
Legal Holds & Extended Retention
In certain circumstances, we may be required to retain data longer due to:
- Ongoing legal proceedings or disputes
- Government investigations or regulatory audits
- Active fraud investigations or security incidents
- Compliance with specific sectoral regulations
- FSSAI-mandated retention for food safety incidents
8. Data Security
8.1 Technical Security Measures
Encryption
SSL/TLS encryption for data in transit, AES-256 for data at rest
Access Controls
Role-based access, Multi-factor authentication, Regular access reviews
Network Security
Firewalls, Intrusion detection/prevention, DDoS protection
Secure Development
Regular security testing, Code reviews, Vulnerability assessments
8.2 Organizational Security Measures
- Employee Training: Regular privacy and security awareness training for all staff
- Data Protection Officer: Designated DPO overseeing compliance with privacy laws
- Incident Response: Documented procedures for data breach response and notification
- Vendor Management: Due diligence and regular audits of third-party processors
- Business Continuity: Regular backups, Disaster recovery planning, Redundancy
- Physical Security: Secure premises, Access controls, Surveillance for physical records
Security Certifications & Compliance
- PCI-DSS compliant payment processing through certified partners
- Regular security audits and penetration testing by independent firms
- ISO 27001 aligned information security management practices
- GDPR compliance for international customer data processing
- FSSAI mandated food safety and hygiene protocols
- Regular vulnerability assessments and patch management
8.3 Data Breach Notification Protocol
In the event of a data breach affecting your personal information, we will:
- Notify you within 72 hours of becoming aware of the breach
- Provide details of the breach, including nature and extent
- Outline steps we’re taking to address the breach and mitigate harm
- Suggest protective measures you can take
- Report to relevant authorities as required by law (DPB under DPDPA)
- Maintain transparent communication throughout the resolution process
Your Role in Security
You also play a crucial role in protecting your information:
- Use strong, unique passwords for your account
- Enable two-factor authentication if available
- Keep your login credentials confidential
- Log out after using shared or public devices
- Regularly update your contact information for security alerts
- Be cautious of phishing attempts and suspicious communications
- Keep your devices and browsers updated with security patches
9. Your Privacy Rights
| Right | Description | How to Exercise | Response Time |
|---|---|---|---|
| Right to Access & Confirmation | Obtain confirmation of processing and copy of your data | Submit Data Access Request Form | 15 days |
| Right to Correction | Correct inaccurate or incomplete data | Update account or submit Correction Request | 7 days |
| Right to Erasure | Request deletion of your data (subject to exceptions) | Submit Deletion Request Form | 15 days |
| Right to Grievance Redressal | File complaints regarding data processing | Contact DPO or use grievance portal | 30 days |
| Right to Nominate | Nominate another person to exercise rights on your behalf | Submit Nomination Form with authorization | 7 days |
| Right to Withdraw Consent | Withdraw previously given consent | Use unsubscribe links or consent management | Immediate |
9.1 How to Exercise Your Rights
To exercise any of these rights:
- Submit a written request to our Data Protection Officer via email or postal mail
- Include sufficient information to verify your identity (we may ask for additional verification)
- Specify the right(s) you wish to exercise and any relevant details
- We will acknowledge receipt within 7 days and respond substantively within 15 days
- No fee unless requests are manifestly unfounded, excessive, or repetitive
9.2 Verification Process
For security and to prevent unauthorized access, we may need to verify your identity before processing requests. This may involve:
- Asking security questions based on your account information
- Requesting identification documents (with sensitive information redacted)
- Verifying through your registered email or phone number via OTP
- Checking recent order history or transaction details
- For sensitive requests, additional verification may be required
Quick Actions You Can Take
- Update Account: Log in to your account to update personal information
- Unsubscribe: Click the unsubscribe link in any marketing email
- Cookie Preferences: Use our cookie banner to manage tracking settings
- Close Account: Request account deletion through customer support
- Download Data: Request data portability for your information
9.3 Limitations & Exceptions
Your rights may be limited in certain circumstances:
- When necessary to comply with legal obligations
- For prevention, detection, investigation, or prosecution of offences
- For enforcement of legal rights or claims
- When processing is necessary for public interest
- For research, statistical, or archival purposes (with appropriate safeguards)
- When data has been anonymized for statistical purposes
10. Children’s Privacy
Age Restrictions
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18.
10.1 Our Policy Regarding Children
- Our website and services are intended for adults (18 years and older)
- Children may use our services only with parental consent and supervision
- Accounts can only be created by individuals 18 years or older
- We do not market directly to children
- We do not collect age information unless necessary for age-restricted products
10.2 Parental Controls & Responsibilities
If you are a parent or guardian and believe your child has provided us with personal information:
- Contact us immediately using the contact details in Section 12
- Provide proof of your relationship to the child (birth certificate, guardianship papers)
- We will promptly investigate and delete such information if verified
- We may require additional verification to protect the child’s privacy
- We will confirm deletion and provide details of actions taken
Gift Orders for Children
For gift orders intended for children:
- Orders must be placed by adults (18+)
- Delivery and contact information should be for the purchasing adult
- Gift messages should avoid collecting the child’s personal information
- Special dietary or allergy-related products should consider child safety
- Age-appropriate products should be selected by the purchasing adult
11. Policy Updates & Changes
11.1 Update Notification Process
| Change Type | Notification Method | Timeline | Your Options |
|---|---|---|---|
| Major Changes (New data uses, Sharing changes) | Email + Website banner + SMS for critical changes | 30 days before effective date | Accept, Reject, or Delete Account |
| Moderate Changes (Clarifications, Process updates) | Website banner + Updated policy date | 15 days before effective date | Continue using services implies acceptance |
| Minor Changes (Typos, Formatting, Grammar) | Updated policy date only | Immediate upon publication | Automatic acceptance |
11.2 Your Acceptance of Changes
By continuing to use our services after policy updates, you accept the revised policy. If you disagree with material changes:
- You may discontinue using our services
- You may request deletion of your data as per your rights
- You may contact us with concerns before the effective date
- You may opt out of specific new processing activities where possible
Update History
- Version 2.2 (December 27, 2025): Comprehensive update with enhanced DPDPA compliance, added data retention schedule, expanded rights explanation
- Version 2.1 (March 27, 2025): Added international transfer details, enhanced security measures description
- Version 2.0 (January 15, 2025): Major update for DPDPA 2023 compliance, added Data Principal rights
- Version 1.2 (October 5, 2024): Enhanced cookie policy details, added data breach notification protocol
- Version 1.1 (June 20, 2024): FSSAI compliance updates, added food safety data processing details
- Version 1.0 (March 15, 2023): Initial privacy policy at business launch
11.3 How to Stay Informed
To stay informed about policy changes:
- Check the “Last Updated” date at the top of this policy
- Subscribe to policy update notifications in your account preferences
- Regularly review this policy when making significant transactions
- Follow our website announcements and banners
12. Contact Information
Data Protection Officer
Email: dpo@shudhdesitaste.com
Phone: +91-7011993433 (Ext. 2 for DPO)
Hours: Mon-Sat, 10 AM – 6 PM IST
General Privacy Inquiries
Email: privacy@shudhdesitaste.com
Phone: +91-7011993433
WhatsApp: Same number for messages
Registered Office
Shudh Desi Taste
38, Block-F, Uttam Nagar
Delhi – 110059, India
12.1 Business Hours & Response Times
| Contact Type | Business Hours | Initial Response | Resolution Time |
|---|---|---|---|
| General Inquiries | Mon-Sat, 9 AM – 7 PM IST | 24 hours | 3-5 business days |
| Privacy Rights Requests | Mon-Fri, 10 AM – 6 PM IST | 7 days (acknowledgment) | 15-30 days |
| Data Breach Reports | 24/7 Emergency Line | Immediate | 72 hours for notification |
| Grievance Redressal | Mon-Sat, 10 AM – 5 PM IST | 48 hours | 30 days |
Business Registration & Compliance
- FSSAI License No.: 13325998000807
- GST Registration No.: 07ASUPY8592K1ZA
- MSME Registration: Government of India Recognized
- Business Started: 2023
- DPDPA Compliance: Since January 2025
12.2 How to Contact Us
For fastest response:
- Email: Preferred for privacy matters (creates audit trail)
- Registered Post: For formal legal notices or documents
- Phone: For urgent matters requiring immediate attention
- Website Contact Form: For general inquiries
- In-Person: By appointment only at registered office
13. Grievance Redressal Mechanism
13.1 Complaint Submission Process
Step 1: Internal Resolution
Contact DPO with detailed complaint including evidence, timeline, and desired resolution
Step 2: Acknowledgment
We acknowledge receipt within 48 hours with complaint reference number
Step 3: Investigation
Thorough investigation conducted within 15 business days
Step 4: Resolution
Final response with findings and resolution within 30 days total
13.2 Escalation to Authorities
If unsatisfied with our resolution, you may escalate to:
| Jurisdiction | Authority | Contact Information | Time Limit for Escalation |
|---|---|---|---|
| India | Data Protection Board of India (Under DPDPA) | As designated by Government (to be established) | 30 days from our final response |
| European Union | Respective National Data Protection Authority | EDPB Members List | 1 year from awareness |
| United Kingdom | Information Commissioner’s Office (ICO) | ico.org.uk | 3 months from last communication |
| Other Countries | Relevant Privacy/Consumer Protection Authority | Check local government websites | Varies by jurisdiction |
Important Notes on Grievance Redressal
- Maintain records of all communications and reference numbers
- Provide complete and accurate information in complaints
- Cooperate with the investigation process
- Respect timelines for responses and escalations
- False or malicious complaints may lead to legal action
13.3 Alternative Dispute Resolution
For certain types of disputes, we may suggest:
- Mediation: Through neutral third-party mediators
- Arbitration: Binding arbitration as per Indian Arbitration Act
- Consumer Forums: Appropriate consumer dispute resolution forums
- Ombudsman: Sector-specific ombudsman schemes where applicable
14. Related Policies & Documents
Comprehensive Policy Framework
This Privacy Policy should be read in conjunction with our other policies:
14.1 Additional Legal Documents
- Website Terms of Use – Rules for website access and usage
- Disclaimer – Limitations of liability and warranties
- FSSAI Compliance Statement – Food safety standards adherence
- Quality Policy – Our commitment to product quality
- Contact Us – All contact methods and locations
Policy Integration
These policies work together to provide comprehensive protection:
- Privacy Policy covers data protection and privacy rights
- Terms & Conditions cover contractual relationships
- Shipping Policy covers delivery and logistics
- Return Policy covers post-purchase rights
- Cookies Policy covers online tracking and preferences
In case of conflict between policies, the most specific provision or the one providing greater protection to you will prevail.
