Privacy Policy

1. Scope & Applicability

This Privacy Policy applies to all users of the Website, including visitors, registered customers, and anyone who interacts with TheBookX through associated channels such as WhatsApp, email, or telephone. It is published in compliance with:

• The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "IT Rules")
• The Digital Personal Data Protection Act, 2023 ("DPDP Act") to the extent applicable
• Rule 3 of the Consumer Protection (E-Commerce) Rules, 2020

By accessing or using the Website, you confirm that you have read, understood, and consented to the collection and use of your information in accordance with this Privacy Policy.

2. Information We Collect

We collect only the information that is reasonably necessary to deliver our services. The categories of information collected are described below.

2.1 Information You Provide Directly

• Identity information: full name, gender (where voluntarily provided)
• Contact information: mobile number, email address (where applicable), shipping and billing address, pincode, city, district, and state
• Order information: products selected, order history, gift-wrap preferences, delivery instructions
• Communication content: messages, queries, or feedback sent via WhatsApp, email, contact forms, or telephone

2.2 Information Collected Automatically

• Device & technical data: IP address, browser type and version, operating system, device identifiers, screen resolution, time zone
• Usage data: pages visited, products viewed, time spent on pages, click paths, referring URL, search queries on the Website
• Cookies and similar technologies: as described in Section 9

2.3 Payment Information

When you make a payment, you provide payment credentials (UPI ID, card number, etc.) directly to our third-party payment processors. We do not collect, view, or store any card numbers, CVV, UPI PINs, net banking passwords, or any other sensitive payment credentials on our servers. We receive only a transaction confirmation, the masked last four digits of the payment instrument (where applicable), and the transaction reference number.

2.4 Information We Do NOT Collect

We do not knowingly collect or process: biometric data, government identity documents (Aadhaar, PAN, passport, etc.), genetic data, health records, religious or political beliefs, sexual orientation, or any other category of "sensitive personal data" beyond what is minimally necessary for transaction processing.

3. How We Collect Information

Information is collected through the following channels:

• Forms you complete when placing an order, signing up, or communicating with us
• Automated technologies such as cookies, server logs, and analytics tools when you visit the Website
• Communications via WhatsApp, email, or telephone with our customer support team
• Third-party logistics partners who confirm delivery status (e.g. India Post, Delhivery)
• Payment processors who confirm transaction success or failure

4. Purpose of Collection

Your information is used strictly for the following purposes:

• Order fulfillment: processing, packing, shipping, tracking, and delivering products you have purchased
• Communication: sending order confirmations, shipping updates, delivery notifications, and responding to your queries
• Customer support: handling returns, refunds, replacements, and grievance redressal
• Payment processing: facilitating secure transactions via authorised payment gateways
• Fraud prevention: detecting, investigating, and preventing fraudulent transactions, abuse, or violations of our Terms
• Service improvement: analysing aggregated and anonymised usage patterns to improve the Website, product recommendations, and overall user experience
• Legal compliance: complying with applicable laws, tax regulations, court orders, or lawful requests from government authorities
• Marketing (with consent): sending promotional offers, new arrival notifications, and seasonal discounts where you have opted in. You may opt out at any time.

5. Legal Basis for Processing

We process your personal information on one or more of the following legal grounds:

• Performance of a contract: processing necessary to fulfil your Order and provide customer support
• Consent: where you have given explicit consent, such as for marketing communications or cookies
• Legitimate interests: for fraud prevention, security, and improving our services, balanced against your rights
• Legal obligation: compliance with applicable laws, including taxation and consumer protection regulations

6. Sharing & Disclosure

We share your personal information only when strictly necessary, with the following categories of recipients:

6.1 Service Providers

• Logistics & courier partners (India Post, Delhivery, etc.), to facilitate delivery of your order. Shared data is limited to name, delivery address, contact number, and order details.
• Payment gateways (Razorpay, PhonePe, Cashfree, or equivalent), to process payments securely. These processors are PCI-DSS certified and handle payment credentials independently.
• Cloud & hosting providers, for secure storage of order data and website infrastructure. All hosting providers are bound by data protection agreements.
• Communication tools (WhatsApp Business, SMS providers), for order updates and customer support, limited to phone numbers and order references.
• Analytics services (Google Analytics, Meta Pixel, or equivalent), to understand aggregated usage trends. Data is anonymised wherever possible.

6.2 Legal & Regulatory Disclosures

We may disclose your information when required to do so by law, regulation, court order, or other legitimate request from public authorities, including for the purpose of meeting national security or law enforcement requirements.

6.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal information may be transferred to the successor entity, subject to the same protections set out in this Policy. You will be notified of any such change in ownership or control of your personal data.

6.4 With Your Consent

We may share your information with other third parties when you have provided explicit consent to do so.

7. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Upon expiry of the applicable retention period, your data will be securely deleted or anonymised in a manner that no longer permits identification.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit: all data exchanged between your browser and our servers is encrypted using TLS/HTTPS
• Access controls: strict role-based access restrictions for administrative systems
• Secure infrastructure: hosting on reputable cloud providers with industry-standard security certifications
• Regular security reviews: ongoing assessment of systems and processes to identify and mitigate vulnerabilities
• Tokenised payments: all payment credentials are handled exclusively by PCI-DSS compliant payment gateways

While we adopt reasonable security practices, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we continuously work to maintain the integrity and confidentiality of your information.

In the event of a data breach affecting your personal information, we will notify you and the relevant authorities in accordance with applicable law.

9. Cookies & Tracking Technologies

A cookie is a small text file placed on your device when you visit a website. We use cookies and similar technologies to recognise you, remember your preferences, and analyse Website usage.

9.1 Types of Cookies We Use

• Essential cookies: required for basic Website functionality such as your shopping cart, login session, and checkout. These cannot be disabled.
• Preference cookies: remember your settings such as preferred language, recently viewed books, and wishlist items.
• Analytics cookies: help us understand how visitors interact with the Website (page views, click paths) so we can improve the experience. These are anonymised wherever possible.
• Marketing cookies: placed by advertising partners (where applicable) to display relevant offers. These require your consent and can be withdrawn at any time.

9.2 Managing Cookies

You can control or delete cookies through your browser settings. Most browsers allow you to refuse all cookies or accept only certain types. Please note that disabling essential cookies may affect the functionality of the Website.

10. Third-Party Services & Links

The Website may contain links to third-party websites, services, or social media platforms (e.g. WhatsApp). This Privacy Policy applies only to TheBookX. We are not responsible for the privacy practices, content, or policies of any third-party site or service. We encourage you to review the privacy policies of any third party you interact with through our Website.

Our use of information received from Google APIs (if applicable) will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

11. Your Rights & Choices

Subject to applicable law, you have the following rights with respect to your personal information:

• Right to access: obtain confirmation of whether we process your personal data and request a copy of the data we hold about you
• Right to correction: request that inaccurate or incomplete information be corrected or updated
• Right to erasure: request deletion of your personal data, subject to our legal retention obligations
• Right to withdraw consent: withdraw any consent you have previously provided, including for marketing communications
• Right to grievance redressal: file a complaint with our designated Grievance Officer (see Section 14)
• Right to data portability: where technically feasible, request a copy of your data in a structured, machine-readable format

To exercise any of these rights, please contact us using the details provided in Section 16. We will respond to verified requests within 30 days. We may need to verify your identity before processing your request to protect your information.

12. Children's Privacy

The Website is not directed at children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a child without verifiable parental consent, we will take steps to delete such information promptly.

If you believe that a child has provided us with personal information without parental consent, please contact us immediately at the email listed in Section 16.

13. International Users

The Website is hosted and operated in India. If you access the Website from outside India, please be aware that your information may be transferred to, stored, and processed in India, where data protection laws may differ from those in your jurisdiction. By using the Website, you consent to such transfer.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The revised version will be effective immediately upon being posted on the Website with an updated "Effective Date" at the top. For material changes, we will provide a more prominent notice (such as an email or in-app notification) where appropriate.

Your continued use of the Website after the posting of changes constitutes acceptance of the revised Privacy Policy. We encourage you to review this Policy periodically.