Privacy Policy

    Last updated: June 2025 · Compliant with the IT Act 2000 & DPDP Act 2023

    1. Who we are

    Cotton Cloud Company is an Indian e-commerce business. This policy explains how we collect, use, and protect your personal data when you visit our website or make a purchase. For any privacy-related enquiries, contact us at hello@cottoncloud.co.

    2. Data we collect

    • Account data: email address, name, and password (stored as a salted hash — we never store your plain-text password).
    • Order data: shipping address, phone number, items ordered, and payment method.
    • Payment data: transactions are processed by Razorpay. We do not store card numbers or banking credentials on our servers.
    • Usage data: pages visited, search queries, and cart/wishlist activity to improve your experience.
    • Contact form: your name, email, and message when you write to us.

    3. How we use your data

    • To process and fulfil your orders.
    • To send order confirmations and shipping updates.
    • To respond to your support queries.
    • To improve our website and product offerings.
    • To comply with legal obligations.

    We do not sell or rent your personal data to third parties.

    4. Legal basis for processing

    Under the Digital Personal Data Protection Act 2023 (DPDP Act), we process your data on the basis of:

    • Contract performance: to fulfil orders you place with us.
    • Legitimate interest: to prevent fraud and improve our services.
    • Legal obligation: to comply with Indian tax and consumer protection laws.
    • Consent: for marketing communications (you may opt out at any time).

    5. Data retention

    We retain your account and order data for as long as your account is active or as required by law (typically 7 years for financial records under the Companies Act). You may request deletion of your account by emailing us.

    6. Third-party services

    • Razorpay: processes payments. Subject to Razorpay's Privacy Policy.
    • Shipping couriers: receive your name, address, and phone to deliver your order.

    7. Cookies

    We use essential cookies to keep you signed in and maintain your cart session. We do not use advertising or tracking cookies.

    8. Your rights

    Under the DPDP Act 2023, you have the right to:

    • Access the personal data we hold about you.
    • Correct inaccurate data.
    • Erase your data (subject to legal retention obligations).
    • Withdraw consent for marketing at any time.
    • Raise a grievance with our Grievance Officer.

    To exercise any of these rights, email hello@cottoncloud.co. We will respond within 30 days.

    9. Data security

    We use industry-standard security measures including HTTPS encryption, hashed passwords (bcrypt), and JWT-based authentication. While we take every precaution, no method of transmission over the internet is 100% secure.

    10. Children's privacy

    Our services are not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us immediately.

    11. Grievance Officer

    In accordance with the IT Act 2000 and rules thereunder, the name and contact details of our Grievance Officer are:

    Name: Cotton Cloud Company

    Email: hello@cottoncloud.co

    Response time: Within 30 days of receipt of grievance

    12. Changes to this policy

    We may update this policy from time to time. We will notify you of significant changes by email or a prominent notice on our website. The updated policy will be effective from the date of posting.