
Privacy Policy

Privacy Policy – candylove.in

 

Candylove.in cares about your privacy and handles your personal information carefully, transparently, and in line with Indian law and international best practices. This policy explains what data is collected, why it is collected, how it is used and shared, and what choices and rights you have.​

 

Introduction

 

This Privacy Policy describes how [CANDYLOVE LEGAL NAME] (“Company”, “we”, “us”, “our”) collects, uses, discloses, and protects personal information when you use the website www.candylove.in (the “Site”) and related services. By accessing or using the Site, placing an order, creating an account, or interacting with us, you agree to the practices described in this Policy.

We aim to comply with applicable Indian laws, including the Information Technology Act, 2000 and related rules, and the Digital Personal Data Protection Act, 2023 (“DPDP Act”), as well as core principles of the EU General Data Protection Regulation (“GDPR”) where relevant to users in the EU/EEA. Please review this Policy with your legal advisor before publication to ensure full compliance with your specific obligations.​

 

Scope

 

This Policy applies to:

  • Users who browse the Site without creating an account

  • Users who create an account or checkout as guests

  • Customers who place orders on the Site

  • Individuals who subscribe to our newsletter or marketing communications

  • Individuals who contact us through email, forms, chat, or social media channels​

This Policy does not apply to third-party websites, apps, or services that we do not control, even if linked from our Site.​

 

Information Collected

 

Personal Identification Data

We may collect the following personal information:

  • Name and title

  • Billing address and shipping address

  • Email address

  • Mobile number or phone number

  • Account username and password (hashed or otherwise protected)​

Transactional and Order Data

When you make a purchase or interact with your orders, we may collect:

  • Order details (products purchased, quantities, prices, discounts)

  • Order history and preferences

  • Payment method type and payment status (e.g., success, failure, refund)

  • Partial payment identifiers or tokens shared by payment gateways (but not full card details)​

Technical and Usage Data

When you visit or use the Site, we may automatically collect:

  • IP address and approximate location

  • Device identifiers, browser type, and operating system

  • Referring URLs, pages visited, time and date of visit, and session duration

  • Clickstream data, log files, and interactions with features on the Site​

Marketing and Communication Data

If you opt in or interact with marketing, we may collect:

  • Email address and mobile number for newsletters, offers, or alerts

  • Your marketing preferences (e.g., email, SMS, WhatsApp)

  • Records of marketing communications sent and your interactions with them (opens, clicks, unsubscribes)​

Sensitive and Special Category Data (Limited)

In limited situations, and only when you voluntarily provide it, we may collect:

  • Gift messages or personal notes that may reveal personal opinions or relationships

  • Any other information you choose to share in free-text fields that may be considered sensitive under applicable law​

We request that you avoid sharing unnecessary sensitive personal data on the Site.

 

How Information Is Collected

 

We collect information in the following ways:

  • Directly from you when you:

    • Create an account or update your profile

    • Place an order or request a refund

    • Subscribe to newsletters or marketing communications

    • Fill in forms, submit reviews, participate in surveys or contests

    • Contact customer support or interact via email, chat, or social media messages​

  • Automatically when you use the Site via:

    • Cookies, pixels, tags, and similar technologies

    • Server logs and analytics tools that record usage information​

  • From third parties, such as:

    • Payment gateways providing confirmation of payment status

    • Shipping partners providing delivery and tracking information

    • Marketing platforms and social networks when you connect or interact with our accounts​

 

Purpose and Legal Basis for Processing

 

For Indian users, we process personal data in line with the DPDP Act principles of consent, purpose limitation, and data minimization. For EU/EEA users, processing is based on GDPR legal bases such as contractual necessity, consent, legitimate interests, and legal obligations.​

Key purposes, data types, and legal bases (including GDPR where applicable):

  • Order processing and delivery

    • Data: Name, billing/shipping address, contact details, order details, payment identifiers, delivery information

    • Legal bases:

      • Contractual necessity (to process and deliver your order) – especially for EU/EEA users

      • Legal obligation (tax, accounting, and regulatory requirements)

      • Legitimate interests (efficient order management and customer service)​

  • Account creation and management

    • Data: Name, email, mobile number, login credentials, order history, preferences

    • Legal bases:

      • Contractual necessity (manage your account and purchases)

      • Legitimate interests (improving services, personalizing your experience)​

  • Customer support and communication

    • Data: Contact details, order information, communication logs, support tickets

    • Legal bases:

      • Contractual necessity (responding to queries related to your orders)

      • Legitimate interests (resolving issues, improving customer experience)​

  • Marketing and promotions (email, SMS, WhatsApp, social ads)

    • Data: Name, email, mobile number, marketing preferences, order history, browsing behavior

    • Legal bases:

      • Consent (where required by law, including GDPR for electronic marketing)

      • Legitimate interests (sending relevant offers to existing customers, subject to opt-out)​

  • Personalization and analytics

    • Data: Technical usage data, cookies, order history, browsing patterns

    • Legal bases:

      • Legitimate interests (understanding usage, improving Site performance and features)

      • Consent (for non-essential cookies and tracking under GDPR)​

  • Fraud prevention and security

    • Data: Device information, IP address, transaction data, behavioral patterns

    • Legal bases:

      • Legitimate interests (protecting our Site, users, and business from fraud or misuse)

      • Legal obligation (cooperating with law enforcement or regulatory authorities)​

  • Legal compliance and enforcement

    • Data: Any relevant personal data necessary for compliance, dispute handling, or enforcement

    • Legal bases:

      • Legal obligation (responding to lawful requests and statutory requirements)

      • Legitimate interests (defending our rights and interests)​

Where consent is used as a legal basis, you may withdraw it at any time, without affecting prior lawful processing.​

 

Cookies & Tracking

 

We use cookies and similar technologies to operate the Site, understand usage, and improve your experience.​

Types of Cookies

  • Strictly necessary cookies

    • Required for the Site to function (e.g., shopping cart, checkout, login).

    • Cannot usually be switched off in our systems.​

  • Preference cookies

    • Remember your choices such as language, location, or saved addresses.​

  • Statistics/analytics cookies

    • Help us understand how visitors use the Site, which pages are popular, and how users move around the Site (e.g., Google Analytics).​

  • Marketing cookies

    • Used to deliver relevant ads and measure campaign performance (e.g., remarketing pixels from social networks or ad networks).​

Managing Cookies

  • Browser settings: You can block or delete cookies using your browser settings. This may impact certain Site features or functionality.​

  • Cookie tools: Where required, especially for EU/EEA visitors, we may display a cookie banner or consent manager allowing you to accept or reject non-essential cookies.​

 

Third-Party Sharing and Integrations

 

We do not sell your personal data. We may share personal data with trusted third parties for the purposes described above:​

  • Payment gateways and processors

    • Examples: Razorpay, PayPal, Stripe, [OTHER PAYMENT PROVIDERS USED]

    • Purpose: Processing payments, fraud prevention, refunds.​

  • Shipping and logistics partners

    • Examples: Delhivery, Blue Dart, FedEx, [OTHER COURIERS]

    • Purpose: Order shipping, delivery updates, and returns handling.​

  • Analytics and performance tools

    • Examples: Google Analytics, [OTHER ANALYTICS TOOLS]

    • Purpose: Understanding Site usage, improving user experience and performance.​

  • Email, SMS, and marketing platforms

    • Examples: Mailchimp, Sendinblue/Brevo, [OTHER PROVIDERS]

    • Purpose: Sending newsletters, transactional emails, offers, and surveys.​

  • Customer support and communication tools

    • Examples: Helpdesk or chat tools like Zendesk, Freshdesk, WhatsApp Business

    • Purpose: Managing support tickets, chats, and communications.​

  • Social media and login integrations

    • Examples: Facebook/Meta, Google, Instagram, [OTHER SOCIAL PLATFORMS]

    • Purpose: Social logins, social sharing, marketing and retargeting campaigns.​

  • Professional advisors and legal authorities

    • Examples: Auditors, accountants, legal counsel, regulators, data protection authorities

    • Purpose: Legal compliance, enforcement of rights, handling disputes or investigations.​

Each third party processes your data as an independent controller or processor subject to their own privacy policies.​

 

International Transfers

 

Your personal data may be transferred to and processed in countries other than your country of residence, including locations where servers, cloud providers, or service providers are based.​

For EU/EEA users, where data is transferred outside the EU/EEA, we aim to ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses or equivalent safeguards approved under GDPR

  • Transfers to countries recognized as providing an adequate level of data protection​

 

Data Retention

 

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law.​

Typical retention periods (subject to change based on legal requirements):

  • Order and transaction data: normally kept for 7–10 years to comply with tax and accounting laws.

  • Account data: retained while your account is active and for up to 3 years after inactivity or account closure, unless longer retention is required for legal claims.

  • Marketing data (e.g., email subscription details): retained until you unsubscribe or withdraw consent, and for a reasonable period thereafter to record your opt-out preference.

  • Technical logs and analytics data: kept for up to 24 months, or longer in anonymized or aggregated form.​

If data is needed to comply with legal obligations or to defend against legal claims, we may retain it for longer as permitted by law.​

 

Data Security

 

We use reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or alteration. These may include:​

  • TLS/HTTPS encryption on the Site for data in transit

  • Restricted access to personal data based on need-to-know principles

  • Encryption and pseudonymization where appropriate

  • Secure password practices and authentication controls

  • Regular backups and security monitoring

  • Incident detection and response processes​

Where required by applicable law, if a data breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify the relevant authority and affected individuals without undue delay.​

 

Minors

 

Our Site is intended for use by individuals who can enter into a legally binding contract under applicable law (generally adults 18+ in India). We do not knowingly collect personal data from children in violation of applicable laws and will delete such data if discovered or notified.​

If you are a parent or guardian and believe your child has provided personal data, please contact us using the details below to request deletion or appropriate handling.​

 

User Rights and Choices

 

Your rights may vary depending on your jurisdiction, but generally include:​

  • Right to access

    • You can request confirmation whether we process your personal data and obtain a copy of such data.

  • Right to correction/rectification

    • You can request that inaccurate or incomplete personal data be corrected.

  • Right to deletion/erasure

    • You can request that we delete your personal data, subject to legal or contractual obligations (for example, retention of order data for tax compliance).​

  • Right to restriction (GDPR/EU)

    • You may request limited processing of your data in specific circumstances.

  • Right to data portability (GDPR/EU)

    • You can request a structured, commonly used, and machine-readable copy of certain data you provided.

  • Right to object (GDPR/EU)

    • You may object to processing based on legitimate interests, including profiling, and to direct marketing at any time.​

  • Right to withdraw consent

    • Where processing is based on consent, you may withdraw it at any time without affecting past lawful processing.​

How to Exercise Your Rights

  1. Submit a request

    • Email: [info@candylove.in]

    • For India, you may also contact our Grievance Officer (details below).​

  2. Provide necessary information

    • Describe the right you wish to exercise and the data concerned.

    • Provide information to verify your identity (e.g., order ID, registered email or phone).​

  3. Response timelines

    • We will acknowledge and respond to your request within a reasonable time and in accordance with applicable law (for example, within 30 days where required).​

Please note:

  • We may retain certain data even after account closure or a deletion request if required for legal compliance (e.g., tax records) or legitimate business purposes such as handling disputes.​

  • Account closure generally means your profile is deactivated and personal data not required for legal purposes is deleted or anonymized, while order history may continue to be stored for legal and audit reasons.​

 

Marketing Communications & Opt-Out

We may send you marketing communications about new products, offers, and updates if:

  • You have opted in to receive such communications; or

  • You are an existing customer and laws allow limited marketing based on legitimate interests, subject to your opt-out rights.​

You can opt out by:

  • Clicking the “unsubscribe” link in marketing emails

  • Replying “STOP” or using other instructions in SMS/WhatsApp messages (where available)

  • Changing your preferences in your account settings (if available)

  • Contacting us at [PRIVACY CONTACT EMAIL] with your opt-out request​

Even after opting out of marketing, you may continue to receive transactional messages related to orders, shipping, account changes, or service communications.​

 

Payment Information

We use third-party payment gateways (such as Razorpay, PayPal, Stripe, [OTHERS]) to process payments. Your card details and other sensitive payment information are collected and processed directly by these providers, not stored in full on our servers.​

We may receive and store:

  • Limited payment information such as last four digits of card, payment method type, payment token, and transaction status. This is used for order confirmation, fraud prevention, and refunds.​

You should review the privacy policies of the payment providers for details on how they handle your payment data.​

 

Links to Other Sites

Our Site may contain links to third-party websites, apps, or services. We are not responsible for the privacy practices of such third parties, and their policies may differ from ours.​

You are encouraged to read the privacy policies of every website you visit.​

 

Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technology. The “Effective date” at the top indicates when the Policy was last updated.​

Where required by law, we will notify you of material changes (for example, via email, notices on the Site, or other appropriate means).​

 

Contact & Grievance Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

  • Company name: [CANDYLOVE]

  • Registered address: [1424/11, Gala: H-103, 1st floor, Shree Sambhav Complex, Rahnal, Thane, Bhivandi- 421302]

  • Email: [info@candylove.in]

  • Phone: [+91 7400057919]​

In accordance with Indian law, you may also contact our designated Grievance Officer:

  • Name: [Hitesh Patel]

  • Title: [GRIEVANCE OFFICER]

  • Email: [info@candylove.in]

  • Phone: [+91 7400057919]

 

 

Governing Law and Dispute Resolution

 

This Privacy Policy is governed by and construed in accordance with the laws of India, without regard to conflict of law principles.​

In case of any concerns or disputes, you are encouraged to first contact us or the Grievance Officer so that we can attempt to resolve the issue amicably. If a dispute cannot be resolved, it shall be subject to the exclusive jurisdiction of the courts located in [Mumbai/Maharashtra], subject to applicable law.
