1. Scope
This privacy policy applies to information we collect when you browse our store, place an order, register for an account, contact our support team, or otherwise interact with Naman Electronics. It is written to align with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
2. Information we collect
We only collect what we need to operate the store and fulfil your orders. Specifically:
- Account information: name, email, phone number, password (stored as a one-way bcrypt hash; we never see your plaintext password).
- Order information: shipping and billing addresses, items, prices, taxes, GSTIN if you ask for a GST invoice, and communications you send to our support team.
- Payment information: we never see your card, UPI ID, or net-banking credentials. Razorpay handles all payment data inside their PCI DSS-scoped iframe and shares only a payment reference and status with us.
- Device and log data: IP address, user agent, pages viewed, timestamps — used for fraud prevention and abuse mitigation.
- Cookies: see our Cookie Policy for the full list and your controls.
3. Why we use it
- To create your account, authenticate you, and keep your session secure.
- To process orders, payments, shipping, returns, refunds, and GST invoicing.
- To respond to your questions and complaints.
- To detect, investigate, and prevent fraud, abuse, and security incidents.
- To meet our legal, tax, and accounting obligations.
- To send you transactional notifications (order confirmation, shipping, delivery, refund). You cannot opt out of these because they are required to operate your order; you can opt out of marketing emails at any time from your account settings.
5. How long we keep it
We retain your account information for as long as your account is active. We retain order records, invoices, and tax-related information for at least 8 years to meet our obligations under the Companies Act and the GST Act. After that, we either delete or anonymise the data.
6. Your rights as a Data Principal
Under the DPDP Act, you have the right to:
- Ask for a summary of the personal information we hold about you.
- Ask us to correct or update incorrect information.
- Ask us to erase your personal information (subject to retention required by law — for example, tax records).
- Withdraw consent you previously gave for marketing communications.
- Nominate another individual to exercise these rights on your behalf.
- File a grievance with our Grievance Officer, whose details are on the Contact page.
To exercise any of these rights, write to grievance@naman-ent.example from the email address registered on your account. We will acknowledge your request within 48 hours and respond within 30 days.
7. How we protect your information
- TLS 1.3 in transit, AES-256 at rest.
- Passwords stored as bcrypt hashes; we cannot recover them.
- Payment data never touches our servers — Razorpay's PCI DSS-compliant iframe handles all card and UPI input.
- Strict access controls and audit logging on administrative actions.
- Rate limiting and bot mitigation on sensitive endpoints (login, OTP, checkout).
No system is impenetrable. If we ever discover a breach affecting your information, we will notify you and the Data Protection Board of India in accordance with the DPDP Act.
8. Children
Naman Electronics is not intended for users under 18. We do not knowingly collect information from minors. If you believe a minor has provided us with information, write to our Grievance Officer and we will delete it.
9. Cross-border transfers
Some of our processors (for example Cloudinary and Resend) operate servers outside India. When we transfer your information to them, we do so under contractual safeguards that require protection equivalent to that of the DPDP Act. We will not transfer personal information to a country that the Government of India has notified as restricted.
10. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the current version. Material changes will be communicated to registered users by email at least seven days before they take effect.
11. Contact us
For questions, requests, or grievances, write to our Grievance Officer, [TODO: Grievance Officer Name], at grievance@naman-ent.example. You can also reach customer support at support@naman-ent.example.