1.  OVERVIEW

Cherizo (“Cherizo”, “we”, “us”, “our”) operates an online store that sells handmade, personalized and creative gift products. This Privacy Policy explains how we collect, use, disclose, store and protect the personal data of visitors to our website (https://cherizo.com/) and customers who purchase products from us (collectively, “you”, “your” or “user”).

This Privacy Policy applies to all users who access or use our website, place orders, subscribe to newsletters, contact our support team, or otherwise interact with Cherizo offline or online. By using our website or providing personal data to us, you consent to the collection, processing and transfer of your personal data in accordance with this Privacy Policy and applicable law. We process personal data in compliance with applicable Indian law, including the Information Technology Act, 2000 and its Reasonable Security Practices Rules (2011), and the other applicable laws as amended from time to time (collectively referred to as “Data Protection Laws”).

Note: This Privacy Policy forms an integral part of the Terms & Conditions and other policies, disclaimers etc. available on the website of Cherizo and shall be read in conjunction.

Please read this Privacy Policy carefully before proceeding. If you do not agree with the provisions of this Privacy Policy, then please do not access the Website.

Note: Our Privacy Policy is subject to change at any time without notice. To make sure you are aware of any changes, please review this policy periodically.

2.  INFORMATION WE COLLECT

We collect Personal Data and Non-Personal Data as described below:

2.1  Personal Data

We may collect the following categories of personal data when you interact with Cherizo:

·  Identity & contact: full name, delivery address, billing address, email address, phone number.

·  Account & authentication: username, password (hashed), account preferences.

·  Order & payment: order details, billing information, invoice data, payment transaction identifiers (we do not store your card details; see Section 6).

·  Customer support: messages, correspondence, return requests, photos or videos you provide when reporting a defect.

·  Marketing preferences: subscription preferences and consent records.

·  KYC/verification data where required for onboarding or regulatory purposes (e.g., PAN/GST for business accounts).

2.2  Non-Personal Data

We automatically collect non-identifying information about your device and usage, including:

·  IP address, browser type and version, device identifiers, operating system, referring URL, pages visited, and timestamps.

·  Cookies and similar technologies (see Section 5).

·  Aggregated and anonymised analytics used to improve the website.

2.3  Data From Third Parties

We integrate with third parties such as Zoho Commerce (our store host), payment gateways (Razorpay, Paytm and other authorised partners), logistics partners, analytics providers and marketing platforms. Where permitted, we receive and store data that they share about transactions, payment confirmations, tracking updates, tokenized payment references, and analytics. We also use public information or data provided by third-party identity verification services where necessary.

Note: Zoho provides the e-commerce platform used by Cherizo; we receive platform-level information and transaction records from Zoho. (Zoho’s services may involve cross-border processing; see Section 11.)

3.  PURPOSES OF DATA COLLECTION & USE

We collect and process personal data for the following purposes:

·  Order fulfilment & delivery: to process orders, prepare invoices, arrange shipment, deliver products, process returns and refunds, and manage cancellations.

·  Payments & billing: to validate and settle payments via PCI-DSS compliant gateways, reconcile transactions, and handle refunds/chargebacks.

·  Customer service & support: to respond to queries, investigate complaints, handle product issues and provide after-sales support.

·  Legal compliance & fraud prevention: to comply with laws (tax, customs, consumer protection), prevent and detect fraud, and resolve disputes.

·  Product & service improvement: to analyse site usage, personalise user experience, conduct quality control, and improve our offerings.

·  Marketing & promotions: to send marketing communications, offers and newsletters (only with your consent, where required).

·  Security & IT administration: monitoring, threat detection, and ensuring the security and integrity of our systems.

We will only use your personal data for the purposes described above and will not process your data for materially different purposes without your consent or as permitted by law.

4.  LEGAL BASIS FOR PROCESSING (DPDP & GENERAL PRINCIPLES)

Under the DPDP Act framework and general data protection principles, we rely on one or more lawful bases to process your personal data, including:

·  Consent: we obtain your explicit consent where required (e.g., for marketing, certain profiling or optional cookies).

·  Performance of contract: processing necessary to enter into or perform our contract with you (order fulfilment, shipping, payments).

·  Legitimate interests: where processing is necessary for Cherizo’s legitimate business interests (fraud prevention, improving services, direct communications) provided your rights are not overridden.

·  Legal obligations: to comply with statutory or regulatory obligations (tax, customs, consumer law, court orders).

You can withdraw consent where the processing is consent-based (see Section 9). Withdrawal will not affect processing already completed while consent was valid.

(We monitor legislative developments and will continue to update this Policy to reflect DPDP Act obligations and any implementing rules.)

5.  COOKIES & TRACKING TECHNOLOGIES

We use cookies, web beacons, pixels and similar technologies to operate and improve our site.

Cookie categories

·  Essential cookies: required for the website to function (cart, login, security).

·  Performance cookies: collect anonymous analytics to improve site speed and usability (e.g., Google Analytics).

·  Functional cookies: remember preferences and personalize your experience.

·  Advertising/targeting cookies: used for ad targeting, retargeting and measuring campaign performance (e.g., Facebook Pixel).

Managing cookies

Most browsers allow you to block or delete cookies via browser settings. You can also manage cookie preferences through any cookie banner or control centre we present on the site. Disabling certain cookies may affect functionality (for example, the shopping cart or saved preferences).

For details on third-party cookies and opt-outs, please refer to the privacy settings of the relevant third-party provider (e.g., Google, Facebook).

6.  PAYMENT INFORMATION & SECURITY

Payment processing

All online payments on Cherizo are processed through PCI-DSS compliant third-party payment gateways such as Razorpay, Paytm or other approved payment gateways. Cherizo does not store your card number or CVV code on its servers. Where you choose to save card details for convenience, the payment gateway stores a secure token representing your card; Cherizo uses that token to initiate future payments via the gateway.

Encryption & secure transmission

We use industry standard encryption (HTTPS/SSL) to protect data transmitted between your browser and our servers. Payment and sensitive data transmitted to payment gateways are encrypted and processed over secure channels.

PCI & tokenization

We rely on the tokenization and security controls of certified payment processors. Please note that full cardholder data storage, if any, is controlled by our payment gateway partner and is subject to their PCI compliance controls. For more information about the payment gateways’ practices, please review the gateway provider’s privacy and security documentation.

7.  DATA RETENTION

We retains your Personal Data for as long as necessary to provide the access to and use of the Website, or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing our agreements. As these needs can vary for different data types and purposes, actual retention periods can vary significantly.

After expiration of the retention period, your Personal Information will be deleted. If we are unable to completely delete the Personal Information from our systems, we will ensure that there are appropriate measures in place to secure the information and protect it from further use.

8.  SHARING & DISCLOSURE OF INFORMATION

We may share personal data in limited circumstances and only to the extent necessary:

·  Service providers & processors: payment gateways (Razorpay, Paytm or other approved payment gateways), Zoho Commerce (hosting / store platform), logistics and courier partners, customer service providers, analytics and marketing platforms, IT & security providers. We require these parties to use data only as directed and to maintain appropriate security measures.

·  Legal compliance & safety: to comply with lawful requests by courts, government agencies, law enforcement, or to respond to subpoenas or other legal process; or to protect the rights, property or safety of Cherizo, our users or others.

·  Business transfers: in the case of corporate transaction (sale, merger, reorganization), personal data may be transferred or assigned as part of that transaction—subject to applicable confidentiality and data protection obligations.

·  Aggregated / anonymised data: we may share non-identifying aggregated analytics for business or research purposes.

Cherizo does not sell or rent personal data to third parties for their own direct marketing. We will not share personal data with third parties for unrelated commercial purposes without your consent.

9.  YOUR RIGHTS & HOW TO EXERCISE THEM (DPDP-ALIGNED)

Subject to applicable law, you have the following rights with respect to your personal data processed by Cherizo:

·  Right to confirm & access: obtain confirmation whether we are processing your personal data and request access to the data.

·  Right to correction: request correction of inaccurate personal data.

·  Right to withdraw consent: where processing is based on consent, withdraw your consent at any time (withdrawal does not affect processing already completed).

·  Right to erasure / deletion: request deletion of personal data, subject to legal or contractual retention obligations (for example, tax records).

·  Right to data portability (where applicable): request transfer of your personal data in a commonly used, machine-readable format where technically feasible.

·  Right to object / restrict processing: object to certain processing (e.g., direct marketing) or request restriction of processing during dispute resolution.

·  Right to lodge a complaint: seek redress with our Grievance Officer (details under Section 17) or with the relevant data protection authority as permitted under law.

How to exercise your rights

To exercise any of the above rights, please contact our Grievance Officer (Komal Gupta) at s.gupta98@outlook.com or call +91 7483093192. We will acknowledge receipt of your request within 48 hours and endeavour to respond within a reasonable timeframe (typically within 30 days), subject to verification requirements and legal exceptions.

We may require proof of identity and additional information to process your request.

10.  DATA SECURITY MEASURES

We implement organisational, technical and administrative measures aimed at protecting personal data against unauthorised access, disclosure, alteration or destruction. These include, but are not limited to:

·  Use of encryption for data in transit (HTTPS/SSL) and where appropriate at rest.

·  Access controls, unique user credentials and role-based permissions.

·  Regular security reviews and vulnerability assessments; periodic audits.

·  Limiting employee access to personal data on a need-to-know basis and training staff on data protection.

·  Contracts and data processing agreements with third-party processors requiring appropriate security measures.

We follow the Reasonable Security Practices and Procedures set out under the Information Technology Rules (2011) and align our procedures to industry best practices. However, no method of transmission or storage is 100% secure; if we detect a security incident, we will follow the breach notification procedures set out in Section 15.

11.  INTERNATIONAL DATA TRANSFERS

Some service providers and cloud platforms we use (including Zoho, payment processors, analytics and hosting providers) may process or store data outside India. Where cross-border transfers occur, we will ensure appropriate safeguards are in place and that such transfers comply with applicable law (for example, contractual protections, vendor assurances, or other lawful transfer mechanisms). We will take reasonable steps to ensure your data receives comparable protection irrespective of where it is processed.

12.  MARKETING & COMMUNICATION PREFERENCES

We may contact you with order updates, transactional messages and service-related communications without additional consent. For promotional emails, SMS or calls, we will seek your consent where required. You can opt out of marketing communications at any time by:

·  clicking the “unsubscribe” link in an email, or

·  replying STOP to SMS messages if provided, or

·  contacting our Grievance Officer at s.gupta98@outlook.com.

Even after you opt out, we may send you non-marketing communications (e.g., order confirmations, legal notices).

13.  THIRD-PARTY LINKS & INTEGRATIONS

Our website contains links, widgets or embedded content from third parties (payment gateways, social media, external tracking, shipping partners). These third parties operate under their own privacy policies and terms; Cherizo is not responsible for their practices. Please review the privacy policies of any third-party site you visit.

14.  CHILDREN’S PRIVACY

Our services are not directed at children under 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data of a person under 18 without parental/guardian consent, we will take steps to delete such information as soon as practicable. If you believe a child has provided us personal data without consent, please contact our Grievance Officer.

15.  DATA BREACH NOTIFICATION

In the event of a data breach that compromises personal data, Cherizo will: (a) promptly investigate and take remediation measures; (b) notify affected users; and (c) inform relevant regulators as required by applicable law (including provisions of the DPDP Act and other statutes). We will provide affected users with information about the nature of the breach, the likely consequences, and the corrective steps being taken.

(We will coordinate with law enforcement and our service providers as appropriate in the course of remediation.)

16.  POLICY UPDATES & REVISIONS

We may update this Privacy Policy from time to time to reflect legal, regulatory or business changes. We will post the revised Privacy Policy on our website with a new “Last updated” date. Where changes are material, we will take reasonable steps to notify you (for example, by email to account holders). Your continued use of the website after publication of revised terms constitutes acceptance of the updated Policy.

17.  GRIEVANCE OFFICER & CONTACT INFORMATION

If you have questions, concerns or requests relating to this Privacy Policy or your personal data, please contact:

Grievance Officer: Komal Gupta
Email: s.gupta98@outlook.com
Phone: +91 7483093192
Registered Office: Cherizo, WeWork Embassy TechVillage, Block L, Devarabisanahalli, Outer Ring Rd, Bellandur, Bengaluru – 560103, India

We will acknowledge receipt of any grievance within 48 hours and endeavour to resolve it within 15 business days.

18.  GOVERNING LAW & JURISDICTION

This Privacy Policy is governed by the laws of India. Any disputes arising out of or relating to this Policy shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka, India.