Privacy Policy

1. Introduction

This Privacy Policy describes how Mug Factory ("Company", "we", "us", "our"), a registered business operating from Bangalore, Karnataka, India, collects, uses, stores, shares, and protects your personal data when you visit our website (mugfactory.in) , create an account, place an order, or otherwise interact with our services (collectively, the "Services").

This Privacy Policy is published in compliance with, and is intended to be read in accordance with: (a) the Information Technology Act, 2000; (b) the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; (c) the Digital Personal Data Protection Act, 2023 ("DPDP Act"); and (d) the Consumer Protection (E-Commerce) Rules, 2020, along with any other applicable Indian laws and regulations.

By accessing or using the Website or Services, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by its terms. If you do not agree with this Privacy Policy, you should immediately discontinue use of the Website and Services.

This Privacy Policy forms an integral part of and should be read together with our Terms and Conditions and any other policies made available on the Website from time to time.

2. Information We Collect

We collect the following categories of information in connection with your use of the Website and Services:

3. How We Use Your Information

We use your personal data only for lawful purposes and in a manner that is reasonably expected in the context of providing our Services. Specifically, we use your information for the following purposes:

• Order Fulfillment: To process and fulfil your orders, including custom printing of your designs, packaging, dispatch, delivery coordination with logistics partners, and handling of returns or replacements.
• Payment Processing: To facilitate payments, verify transactions, and process refunds through Razorpay.
• Customer Communication: To communicate with you regarding order confirmations, shipment and delivery updates, service notifications, and to respond to your queries, support requests, and complaints via email, phone, or messaging platforms (including WhatsApp, where applicable).
• Product Printing: To use the images, text, and design files you upload exclusively for the purpose of producing and fulfilling your specific order. We do not use your designs for marketing, advertising, display in our portfolio, training data, or for resale to other customers.
• Legal Compliance: To maintain records and comply with our legal obligations under applicable laws, including the Income Tax Act, 1961, the Central Goods and Services Tax Act, 2017, rules made thereunder, and other regulatory requirements, as well as to respond to lawful requests from government or regulatory authorities and to enforce our legal rights and Terms.
• Website Improvement and Analytics: To analyse anonymised or aggregated usage patterns in order to improve the functionality, performance, and user experience of the Website, including troubleshooting, testing, and enhancing features.
• Security and Fraud Prevention: To monitor, detect, and prevent fraudulent transactions, abuse of our Services, and unauthorised access to accounts or systems, and to maintain the integrity and security of our technical infrastructure.

4. Legal Basis for Processing

Under the Digital Personal Data Protection Act, 2023, we process your personal data on one or more of the following lawful bases:

• Consent: Where you voluntarily provide your personal data and consent to its processing, for example when you create an account, place an order, upload design files, or submit a contact form.
• Performance of a Contract: Where processing is necessary to perform our contract with you, including processing your order, arranging delivery, providing customer support, and handling returns or warranties.
• Legal Obligation: Where processing is required to comply with legal obligations under applicable Indian laws, including record-keeping for taxation, accounting, and regulatory compliance, and to respond to lawful directions or orders from authorities.
• Legitimate Interests: Where processing is necessary for our legitimate business interests, such as ensuring the security of our systems, preventing fraud, improving our Services, or defending legal claims, provided that such interests do not override your fundamental rights and freedoms as a data principal.

5. Data Sharing & Third Parties

We do not sell your personal data. We share your personal data only with trusted third-party service providers, and strictly on a need-to-know basis, for the limited purposes described below.

Each of the above service providers processes your personal data only in accordance with our instructions and applicable law, and is contractually bound to implement appropriate technical and organisational measures to protect your data.

We do not:

• Sell or rent your personal data to any third party;
• Share your personal data with advertising networks or data brokers for targeted marketing;
• Use your uploaded designs or content for any purpose other than fulfilling your specific order; or
• Disclose your personal data to any third party not listed above, unless required to do so by applicable law, court order, or with your explicit consent.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required under applicable law. Specific retention periods are as follows:

• Uploaded Designs: Design files and related assets are retained until order fulfilment is complete, plus an additional 90 (ninety) days to handle returns, reprints, or replacements. After this period, such assets are permanently deleted from our active storage systems.
• Order & Payment Records: Order details, invoices, and transaction records are retained for 7 (seven) years from the date of the transaction, or such other period as may be mandated under the Income Tax Act, 1961, the Central Goods and Services Tax Act, 2017, and other applicable laws. Thereafter, records are either anonymised or securely deleted.
• Account Data: Account-related data (such as profile details and login identifiers) are retained for as long as your account remains active. Upon your request for account deletion, we will delete or anonymise such data within 30 (thirty) days, except where retention is required by law.
• Contact Form Submissions: Queries and submissions received through contact forms are retained for up to 2 (two) years from the date of submission and are then deleted.
• Analytics Data: Analytics information is stored in anonymised or aggregated form. Because such data does not identify you personally, it may be retained for an extended period for statistical and analytical purposes.
• Chat / Support Data: Customer support records, including chat transcripts and relevant notes, are retained for up to 1 (one) year from the date of the last interaction, after which they are deleted or anonymised.

7. Your Rights Under DPDP Act 2023

As a data principal under the Digital Personal Data Protection Act, 2023, you are entitled to exercise the following rights in relation to your personal data processed by us:

• Right to Access: You may request confirmation as to whether we are processing your personal data and obtain a summary of such data and the processing activities undertaken.
• Right to Correction: You may request correction of inaccurate or misleading personal data relating to you and completion of any incomplete data.
• Right to Erasure: You may request deletion of your personal data, subject to our obligation to retain certain data for statutory or regulatory purposes (for example, tax and accounting records).
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw such consent at any time. The process for withdrawal of consent shall be as easy as the process for giving consent. Withdrawal will not affect the lawfulness of processing based on consent prior to its withdrawal.
• Right to Grievance Redressal: You have the right to lodge a complaint regarding our processing of your personal data with our Grievance Officer and to receive a response within the timelines prescribed by law.
• Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity, in accordance with the DPDP Act and applicable rules.

How to exercise your rights: To exercise any of the above rights, please send an email to legal@mugfactory.in with the subject line "Data Rights Request", and include your full name, registered email address, and a clear description of your request. We may verify your identity before acting on the request. We will respond to your request within 30 (thirty) days, or such other period as may be prescribed under applicable law.

8. Data Security

We implement reasonable security practices and procedures, as required under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These measures include, without limitation:

• Encryption of data in transit between your browser and our Website using Transport Layer Security (TLS) 1.2 or higher.
• Reliance on Razorpay to process payment information in accordance with PCI-DSS Level 1 and other applicable security standards.
• Use of access controls, authentication mechanisms, and role-based access restrictions to limit access to personal data to authorised personnel only.
• Storage of data on cloud infrastructure (Supabase on AWS) with encryption at rest (e.g., AES-256) and standard cloud security safeguards.
• Periodic internal reviews, monitoring, and security assessments to identify and address vulnerabilities in our systems and processes.

While we take commercially reasonable and legally mandated measures to protect your personal data, no method of electronic transmission or storage is completely secure. Accordingly, we cannot guarantee absolute security. In the event that we become aware of any security incident or data breach affecting your personal data, we will take prompt steps to mitigate the impact and, where required, notify you and the relevant authorities in accordance with applicable law.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in significant harm to you, we shall comply with our obligations under the DPDP Act and any applicable directions issued by the Data Protection Board of India.

• We will notify the Data Protection Board of India of the occurrence of such breach within seventy-two (72) hours of becoming aware of it, or within such other timeline as may be prescribed.
• We will notify affected data principals (users) via email within three (3) business days of becoming aware of the breach, providing at least the following information, to the extent available:
  • The nature and categories of personal data affected;
  • Likely consequences and risks arising from the breach;
  • Measures taken or proposed to be taken by us to address and mitigate the breach; and
  • Recommended steps that you may take to reduce the potential adverse impact.

10. Cookies Policy

We use cookies and similar technologies on the Website for limited and specific purposes, as described below:

• Essential Cookies: Session cookies and similar technologies that are strictly necessary for the operation of the Website, including to maintain your login session, remember items in your cart, and preserve your design configuration in the editor. These cookies are essential and cannot be disabled without affecting the core functionality of the Website.
• Analytics Cookies: Cookies used to collect anonymised or aggregated information about how visitors use the Website (such as pages visited and time spent). This data helps us improve performance and user experience. These cookies do not identify you directly and can be managed through your browser settings.
• Third-Party Cookies (Zoho SalesIQ): Our customer support chat widget, provided by Zoho SalesIQ, may place cookies or similar technologies on your browser in order to enable chat functionality and maintain the chat session across pages.

We do not use advertising cookies, cross-site tracking cookies, or cookies from advertising networks to profile you or deliver targeted ads. You can manage or delete cookies through your browser settings. Disabling essential cookies may impact the stability and functionality of certain parts of the Website.

11. Children's Privacy

Our Services are not directed to individuals under the age of 18 years. We do not knowingly collect personal data from children.

If we become aware that we have collected personal data from a child under 18 years of age without valid parental or guardian consent (where required by law), we will take steps to delete such data from our systems at the earliest reasonably practicable time.

If you believe that a child has provided us with personal data, please contact us at legal@mugfactory.in so that we can take appropriate action.

12. International Data Transfers

Our Website and Services are primarily intended for customers located within India. However, certain service providers involved in hosting, storage, or processing of your data (such as Supabase and its underlying cloud infrastructure) may operate servers or facilities outside India.

Where your personal data is transferred outside India, we ensure that such transfers are undertaken in compliance with applicable provisions of the DPDP Act and any notifications or rules issued thereunder, including requirements relating to data protection standards in the destination jurisdiction.

We do not knowingly transfer personal data to any country or territory that is specifically restricted by the Central Government of India for the purposes of data transfer. If such restrictions are introduced in the future, we will update our practices and this Policy accordingly.

13. Grievance Officer

In accordance with Rule 5(9) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Consumer Protection (E-Commerce) Rules, 2020, we have designated the following Grievance Officer:

If you are dissatisfied with the response or resolution provided by us, you may escalate the matter to the Data Protection Board of India (for data-related grievances under the DPDP Act) or to the appropriate Consumer Disputes Redressal Commission (for consumer-related grievances) in accordance with applicable law.

14. Changes to This Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our business practices, technology, or applicable legal requirements.

• The "Last Updated" date at the top of this Privacy Policy will be revised to indicate the effective date of the latest version.
• Where changes are material and adversely impact your rights, we will make reasonable efforts to notify registered users through email or prominent notifications on the Website.
• We will make the updated Privacy Policy available on the Website. Your continued use of the Website or Services after the effective date of any changes will constitute your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your personal data.

15. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, you may contact us using the details below: