This Privacy Policy explains how we collect, use, share, and protect personal data when you use Phulkario, an online marketplace connecting boutiques/tailors ("Vendors") with customers ("Customers"). By using the Platform you consent to the practices described here.
1. Who is responsible for your data
The Company is the Data Fiduciary for personal data processed through the Platform. Where Vendors process Customer data to fulfil orders (e.g., shipping address, measurements), the Vendor is an independent recipient/processor responsible for its own handling of that data.
2. Personal data we collect
2.1 Information you provide
Account & profile
Name, email address, phone number, password (stored hashed), date of birth, gender, profile photo (avatar).
Addresses
Recipient name and phone; house/flat number, building/society, landmark, street, city, state, PIN code, country; address type (home/work/other); and approximate geo-coordinates (latitude/longitude) from map/geocoding when you select a location.
Measurements and custom-stitching data (sensitive)
Body measurements (e.g., chest, waist, hips, shoulder, neck, length, sleeve, and preset-specific fields), units (inches/cm), notes, and the gender associated with a measurement preset.
Reference/inspiration photos and special instructions you upload for custom orders.
Orders
Order contents, shipping address snapshot, measurement snapshot for custom items, and communications related to the order.
Reviews, chat, and support
Review titles, comments, and images; chat messages and attachments (images/videos) with Vendors; support-ticket messages, categories, and attachments.
Vendor (business) data — for users onboarding as Vendors
Owner name; business address; GST number, PAN, Aadhaar number; bank account details (account holder, number, IFSC, bank name) and/or UPI ID; and uploaded KYC documents (GST certificate, PAN card, Aadhaar front/back). Payout identifiers are created with our payment partner.
Newsletter
Email address, if you subscribe to marketing updates.
2.2 Information collected automatically
Authentication tokens stored locally on your device (browser
localStorage), used to keep you signed in.Device push tokens (Firebase Cloud Messaging) when you enable notifications, along with the platform type (web/mobile).
Basic technical and usage information necessary to operate and secure the service (e.g., request metadata, error logs).
2.3 Cookies and local storage
The storefront primarily uses browser local storage (not advertising cookies) for essential functions such as keeping you logged in (boutique_token) and remembering UI preferences (e.g., whether the newsletter prompt was shown). Third-party services used at checkout or for maps/notifications may set their own cookies or identifiers under their policies.
2.4 Children
The Platform is not intended for individuals under 18, and we do not knowingly collect their data.
3. How we use your data
We process personal data to:
create and manage your account and authenticate you (OTP/password);
list, process, and fulfil orders, including custom stitching using your measurements;
enable delivery (sharing address with the Vendor and/or logistics partner);
process payments and issue GST-compliant invoices/receipts, and make Vendor payouts;
power chat, reviews, support tickets, and notifications (in-app, SSE, and push);
verify Vendor identity/KYC and prevent fraud;
comply with tax, accounting, and other legal obligations;
improve, secure, and troubleshoot the Platform; and
send service messages and, with your consent where required, marketing/newsletter communications.
Legal bases include performance of a contract with you, your consent (e.g., marketing, push notifications, certain measurement data), our legitimate interests in operating and securing the Platform, and compliance with legal obligations.
4. How we share your data
We share personal data only as needed:
With Vendors — to fulfil your orders and services (e.g., name, contact, shipping address, order details, and measurements for custom items).
With service providers / processors:
Razorpay / RazorpayX — payment processing and Vendor payouts (we do not store full card details).
Shiprocket (or other logistics partners) — shipping, tracking, and delivery.
Firebase Cloud Messaging — push notifications.
Cloudinary (or equivalent) — image/file hosting.
Mapping/geocoding providers — address selection and coordinates.
For legal reasons — to comply with law, court orders, or lawful requests, and to protect rights, safety, and prevent fraud.
Business transfers — in connection with a merger, acquisition, or asset sale, subject to this Policy.
We do not sell your personal data.
5. Payment data
Online payments are handled by our PCI-DSS-compliant gateway. We receive and store transaction references (e.g., gateway order/payment IDs, status) but not your full card number, CVV, or banking credentials. Vendor bank/UPI details are collected for payouts and are handled with restricted access.
6. Data retention
We retain personal data for as long as your account is active and as needed to provide the service.
Order, payment, invoice, and tax records are retained for the periods required under tax and accounting law (typically several years) even after account deletion.
KYC and payout records are retained as required by law and our payment partners.
Marketing data is retained until you unsubscribe.
7. Account deletion and anonymisation
When you delete your account from the profile section:
your profile is deactivated and anonymised — your name is replaced (e.g., "Deleted User") and your email and phone are removed;
your avatar, push tokens, cart, wishlist, and saved addresses are deleted; and
orders, payments, invoices, and existing reviews are retained (reviews appear under an anonymised name) for legal, accounting, and record-keeping purposes.
After deletion you can no longer sign in, and a previously used email/phone may become available for a new account. To request deletion you can also contact support@phulkario.com.
8. Your rights
Subject to applicable law (including the DPDP Act, 2023), you may have the right to:
access and obtain a copy of your personal data;
correct or update inaccurate data (you can edit much of this in your profile);
request erasure/withdrawal of consent (account deletion as above);
opt out of marketing communications at any time;
To exercise these rights, contact us at support@phulkario.com. We may need to verify your identity before acting on a request.
9. Security
We implement reasonable technical and organisational measures to protect personal data, including hashed passwords, access controls, encrypted transport (HTTPS), and use of compliant third-party processors. No method of transmission or storage is fully secure; we cannot guarantee absolute security. Please keep your credentials and OTPs confidential.
10. Notifications and marketing
Service notifications (order updates, payments, messages) are part of using the Platform.
Push notifications require your device permission and can be disabled in your device/browser settings.
Marketing/newsletter emails are sent only where permitted; you can unsubscribe at any time.
11. Data location and transfers
Personal data is processed in India and may be processed by service providers in other locations consistent with applicable law. Where data is transferred outside India, we take steps required by law to protect it.
12. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date reflects the current version; material changes will be notified through the Platform or by other reasonable means.
13. Contact
For privacy questions or to exercise your rights:
Contact: support@phulkario.com
We aim to acknowledge requests within 48 hours and resolve them within the timelines prescribed by applicable law.