Privacy Policy
We take your privacy seriously. This policy explains every detail of what personal data we collect, why we collect it, how we protect it, and your rights over it.
Table of Contents
Introduction
This Privacy Policy describes how Krishnendu Kar, trading as Vilarci (hereinafter "Vilarci", "we", "us", or "our"), collects, uses, processes, shares, stores, and protects your personal data when you use our website at https://vilarci.in/, our mobile applications, and any associated services (collectively, the "Platform").
This Policy is published in compliance with the Digital Personal Data Protection (DPDP) Act, 2023, the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other applicable Indian laws relating to privacy and data protection.
We do not offer any product or service on this Platform outside India. Your personal data will primarily be stored and processed in India, subject to the exceptions described in the International Transfers section.
Scope & Applicability
This Privacy Policy applies to:
- All users who access or browse the Platform, whether or not they are registered.
- Buyers, guests, and any person who places an order or inquires about our products or services.
- Any person who contacts us via our support channels, including email, WhatsApp, or the contact form on the Platform.
- Third-party sellers and merchants listed on the Platform, to the extent their data is processed by us.
This Policy does not apply to:
- Third-party websites linked from our Platform. Those sites operate under their own privacy policies, which you should read independently.
- Data processed by third-party sellers on their own systems, even if you found them through Vilarci.
Key Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information that identifies or can be used to identify an individual directly or indirectly — e.g., name, mobile number, email, address, or device ID. |
| Sensitive Personal Data (SPD) | Financial information (card/bank details), authentication credentials, biometric data, and any other data classified as sensitive under Rule 3 of the IT (SPDI) Rules, 2011. |
| Data Fiduciary | Vilarci — the entity that determines the purpose and means of processing personal data. |
| Data Principal | You — the individual whose personal data is being processed. |
| Data Processor | Third-party entities that process personal data on our behalf (e.g., Supabase, Cloudflare, payment gateways). |
| Processing | Any operation performed on personal data, including collection, recording, organisation, storage, retrieval, use, sharing, or deletion. |
| Consent | Freely given, specific, informed, and unambiguous indication of your agreement to the processing of your personal data. |
| OTP | One-Time Password — a time-limited, single-use code sent to your registered WhatsApp number or email address for identity verification. |
| Cookie | A small text file stored on your device by your browser at the request of a website, used to remember information about you across sessions. |
Information We Collect
We collect information in three ways: information you give us directly, information generated by your use of the Platform, and information received from third parties. A complete breakdown is below:
| Category | What We Collect | When Collected |
|---|---|---|
| Identity Data | Full name, date of birth, gender | Registration, profile update |
| Contact Data | Mobile number, email address, postal / delivery address | Registration, checkout, contact form |
| Authentication Data | OTP hash (not the OTP itself), session tokens, login timestamps | Account creation, sign-in |
| Transaction Data | Order ID, products ordered, quantities, amounts, payment status, invoice details | Every purchase or transaction |
| Financial Data | Masked card/UPI/bank reference numbers (full card numbers are not stored by us) | Checkout via payment gateway |
| Device & Technical Data | IP address, browser type & version, operating system, device identifiers, screen resolution, time zone | Every Platform visit (automatic) |
| Usage & Behaviour Data | Pages viewed, clicks, scroll depth, session duration, search queries on Platform, add-to-cart events | Continuous during session |
| Location Data | Approximate location derived from IP address; precise GPS location (only if you grant permission) | Platform visit; location-based features |
| Communications Data | Content of messages sent to us via support channels, chat logs, complaint records | Customer support interactions |
| Marketing Preferences | Opt-in / opt-out status for promotional emails, SMS, and WhatsApp messages | Registration, settings update |
Authentication via OTP
Vilarci uses One-Time Password (OTP) verification to secure your account creation and login. We offer two OTP channels:
- WhatsApp OTP: When you register or log in using your mobile number, a time-limited OTP is sent to your registered WhatsApp number via Meta's WhatsApp Business API. This OTP is typically valid for 10 minutes and can only be used once. Your WhatsApp number is used solely for authentication and, if you opt in, for transactional notifications (order confirmations, shipping updates).
- Email OTP: When you register or log in using your email address, a time-limited OTP is dispatched to your registered email address. This OTP is valid for 10 minutes and is single-use. Your email is used for authentication, transactional updates, and, with your consent, promotional communications.
Regarding security of the OTP process:
- OTPs are cryptographically hashed before storage. The raw OTP is never logged or stored by us.
- Failed OTP attempts are rate-limited to prevent brute-force attacks. Repeated failures may temporarily lock your account.
- Session tokens generated upon successful OTP verification are stored securely using Supabase Auth and are invalidated on logout or expiry.
- We never ask for your OTP via call, email, or any channel other than the automated delivery described above.
Cookies & Tracking
We use cookies, web beacons, local storage, and similar technologies to operate and improve the Platform. Cookies are small text files stored on your device. You can control cookies through your browser settings, but disabling certain cookies may affect the functionality of the Platform.
Infrastructure & Servers
Vilarci is built on industry-standard infrastructure. Understanding these services helps you know where your data travels and how it is protected:
| Service | Role | Data Involved |
|---|---|---|
| Cloudflare | Content Delivery Network (CDN), DDoS protection, WAF (Web Application Firewall), bot management, TLS/SSL termination, DNS, and edge caching. All traffic to vilarci.in passes through Cloudflare's global edge network. | IP addresses, HTTP headers, request metadata. Cloudflare processes this as a data processor under our instruction. Cloudflare's privacy policy applies: cloudflare.com/privacypolicy |
| Supabase | Backend database (PostgreSQL), authentication system (user sessions, OTP management), file storage, and serverless functions (Edge Functions). All application data is stored in Supabase. | Account data, order data, session tokens, OTP hashes, product data. Supabase acts as a data processor. Supabase's privacy policy applies: supabase.com/privacy |
| Meta WhatsApp Business API | Delivery of WhatsApp OTP messages for account verification and transactional notifications (order confirmations, shipping updates). | Your WhatsApp-registered mobile number and the OTP message content. Meta's data policy applies for messages delivered through WhatsApp. |
| Email Service Provider | Delivery of email OTPs, transactional emails (order confirmations, invoices), and (with consent) marketing emails. | Your email address and email content. The ESP processes this as our data processor. |
| Payment Gateway | Secure processing of payment transactions. We use PCI-DSS compliant third-party gateways. We do not store full card details on our servers. | Payment reference IDs, transaction status. Full card data is handled exclusively by the payment gateway. |
| Logistics Partners | Courier and delivery companies used to ship your orders. | Your name, delivery address, and mobile number (for delivery coordination). |
Purpose of Use
We process your personal data strictly for defined, lawful purposes. We do not use your data for purposes incompatible with those listed below:
- Account Creation & Authentication: To register your account, verify your identity via OTP (WhatsApp/email), manage sessions, and enable secure login.
- Order Processing & Fulfilment: To process your orders, coordinate delivery with logistics partners, send order confirmations, invoices, and shipping updates.
- Payment Processing: To facilitate secure payment transactions through our third-party payment gateway partners.
- Customer Support: To respond to your queries, complaints, and requests, and to resolve disputes efficiently.
- Platform Improvement: To analyse usage patterns (in aggregated, anonymised form) to improve features, performance, and user experience.
- Personalisation: To tailor product recommendations, display relevant content, and remember your preferences.
- Security & Fraud Prevention: To detect, investigate, and prevent fraudulent transactions, unauthorised access, and other illegal activities.
- Legal Compliance: To comply with applicable laws, court orders, and requests from government or law enforcement authorities.
- Marketing & Promotions (with consent): To send you promotional offers, newsletters, and updates via email, SMS, or WhatsApp — only if you have opted in. You may opt out at any time.
- Transactional Communications: To send non-promotional messages directly related to your account or orders (e.g., OTPs, shipping updates, refund status). These are not subject to opt-out as they are essential to service delivery.
Legal Basis for Processing
Under the Digital Personal Data Protection (DPDP) Act, 2023 and applicable Indian law, we rely on the following lawful bases for processing your personal data:
| Legal Basis | When We Rely on It |
|---|---|
| Consent | Marketing communications, optional analytics, personalisation features, and collection of sensitive personal data such as payment instrument details. You may withdraw consent at any time. |
| Contractual Necessity | Processing necessary to perform our contract with you — account creation, order processing, payment, and delivery of products or services you've purchased. |
| Legitimate Interests | Fraud prevention, security monitoring, improving the Platform, and internal analytics — where such interests are not overridden by your rights and freedoms. |
| Legal Obligation | Complying with court orders, regulatory requirements, tax obligations, and requests from authorised government or law enforcement agencies. |
| Vital Interests | In rare circumstances, to protect the vital interests of a person (e.g., safety-related emergencies). |
Data Sharing
We do not sell your personal data to third parties for monetary consideration. We share your data only in the following limited circumstances:
- Sellers & Merchants: When you place an order with a third-party seller on the Platform, we share your name, contact number, and delivery address with them solely to fulfil your order.
- Logistics & Courier Partners: We share your name, contact number, and delivery address with our delivery partners to arrange shipment and delivery of your orders.
- Payment Service Providers: Transaction details are shared with our payment gateway partners to process payments securely. These providers are PCI-DSS compliant.
- Group Entities & Affiliates: We may share your data within our group entities and affiliates to provide you access to their services or products, subject to the same data protection standards. You may opt out of cross-entity marketing.
- Technology Service Providers: We share data with our infrastructure and technology partners (Cloudflare, Supabase, email providers, SMS gateways) as data processors strictly for operating the Platform.
- Legal & Regulatory Authorities: We may disclose your data to government agencies, law enforcement, or other authorities when required by law, court order, subpoena, or in good faith belief that such disclosure is necessary to comply with legal obligations or protect rights, property, or safety.
- Business Transfers: In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the successor entity, subject to the same privacy protections as set out in this Policy.
Third-Party Processors
A data processor is a third party that processes personal data on our behalf and only under our written instructions. All our data processors are contractually required to maintain appropriate security standards and are prohibited from using your data for their own purposes.
| Processor | Purpose | Privacy Policy |
|---|---|---|
| Cloudflare, Inc. | CDN, security, DDoS protection, edge caching | cloudflare.com/privacypolicy |
| Supabase, Inc. | Database, authentication, file storage, serverless functions | supabase.com/privacy |
| Meta Platforms (WhatsApp) | WhatsApp OTP delivery and transactional notifications | WhatsApp Privacy Policy |
| Payment Gateway Partner(s) | Secure payment processing (PCI-DSS compliant) | Refer to the specific gateway displayed at checkout |
| Email Service Provider | Email OTP delivery, transactional & marketing emails | Available on request |
| Logistics Partners | Order shipping and last-mile delivery | Refer to respective courier's policy |
When you interact directly with any third-party website or service (e.g., by clicking a link), their own privacy policies govern your data. We are not responsible for the data practices of third parties that independently collect data from you.
Security Measures
We take the security of your personal data seriously and employ multi-layered technical and organisational measures to protect it against unauthorised access, disclosure, alteration, and destruction:
- TLS/HTTPS Encryption: All data transmitted between your browser and the Platform is encrypted using Transport Layer Security (TLS 1.2 or higher), enforced at Cloudflare's edge. We do not serve any content over unencrypted HTTP.
- Data Encryption at Rest: Personal data stored in Supabase is encrypted at rest using AES-256 encryption at the database and storage layer.
- Cloudflare WAF & DDoS Protection: Our traffic is protected by Cloudflare's enterprise-grade Web Application Firewall, which filters malicious requests, blocks known threat actors, and mitigates distributed denial-of-service (DDoS) attacks in real-time.
- Row-Level Security (RLS): Supabase Row-Level Security policies are enforced at the database layer, ensuring that each user can only access data that belongs to them. No cross-user data leakage is architecturally possible under normal operation.
- OTP Rate Limiting & Expiry: OTPs expire within 10 minutes and are rate-limited. Failed attempts trigger temporary lockouts to prevent brute-force attacks.
- Secure Session Management: Session tokens are cryptographically signed JWTs with short expiry times. Sessions are invalidated upon logout or expiry. Supabase Auth manages token refresh securely.
- Access Controls: Internal access to personal data is restricted on a need-to-know basis. All administrative access is logged and audited.
- No Storage of Sensitive Payment Data: We do not store credit/debit card numbers, CVV codes, or bank account details on our servers. All payment data is handled by PCI-DSS compliant third-party gateways.
- Vulnerability Management: We conduct periodic reviews of our security posture and apply security patches promptly.
Data Retention
We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention schedule applies:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & Profile Data | Duration of account + 3 years after closure | Contractual, legal obligation |
| Order & Transaction Data | 7 years from date of transaction | Taxation, legal & audit requirements |
| Payment Reference Data | 7 years from transaction | Financial regulations |
| OTP Logs (hashed) | 90 days | Security audit trail |
| Session Tokens | Until logout or token expiry (max 7 days inactive) | Functional necessity |
| Customer Support Records | 3 years from last interaction | Legal, dispute resolution |
| Marketing Consent Records | Until withdrawal + 1 year | Proof of consent |
| Analytics Data (aggregated) | Up to 3 years (anonymised) | Legitimate interest |
| Server / Access Logs | 90 days (Cloudflare logs) / 30 days (Supabase) | Security monitoring |
Upon expiry of the applicable retention period, your data is securely deleted or anonymised so it can no longer identify you. Anonymised data may be retained indefinitely for analytical and research purposes.
You may request deletion of your account and personal data at any time. However, we may retain certain data for the periods specified above where required by law or for legitimate business purposes, including pending grievances, unresolved claims, or ongoing disputes.
International Data Transfers
Your personal data is primarily stored and processed in India. However, certain infrastructure and third-party service providers operate from or have servers in other countries. Specifically:
- Cloudflare: As a global CDN, Cloudflare routes traffic through its nearest edge node, which may be outside India. However, Cloudflare does not store personal data on edge nodes beyond the transaction duration. Their Privacy Shield / SCCs and data centre commitments apply.
- Supabase: Your data is stored in the AWS region selected during our setup. We have selected the ap-south-1 (Mumbai, India) region to keep data in India. Supabase's US-based engineering and support teams may have access to infrastructure metadata under contractual obligations.
- Meta WhatsApp: When OTPs are delivered via WhatsApp Business API, message routing may pass through Meta's global infrastructure, including servers in the United States and Europe.
Where data is transferred internationally, we ensure that appropriate safeguards are in place — including Standard Contractual Clauses (SCCs), data processing agreements, and compliance with the receiving country's data protection standards — in accordance with the DPDP Act, 2023 provisions on cross-border data transfers.
Your Rights
Under the Digital Personal Data Protection Act, 2023 and other applicable Indian laws, you have the following rights regarding your personal data. To exercise any of these rights, contact our Grievance Officer at the details in Section 20.
Right to Access
Request a copy of the personal data we hold about you, along with information about how it is used and shared.
Right to Correction
Request correction of inaccurate, incomplete, or outdated personal data we hold about you. Update most data directly via your account settings.
Right to Erasure
Request deletion of your personal data ("right to be forgotten"), subject to our legal retention obligations.
Right to Withdraw Consent
Withdraw any consent you have previously given at any time. Withdrawal does not affect the lawfulness of prior processing.
Right to Data Portability
Request a copy of your personal data in a structured, commonly used, machine-readable format for transfer to another service.
Right to Grievance Redressal
Lodge a complaint with our Grievance Officer or approach the Data Protection Board of India if your request is not resolved satisfactorily.
Right to Information
Know what personal data we collect, how it is used, who it is shared with, and the retention period — all covered in this Privacy Policy.
Right to Nominate
Under the DPDP Act, 2023, you may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.
Children's Privacy
The Platform is not directed at individuals under the age of 18 years. We do not knowingly collect personal data from children without verified parental or guardian consent.
- In compliance with the Digital Personal Data Protection Act, 2023, where a user is identified as a child (below 18 years), we require verifiable parental or guardian consent before processing their personal data.
- We do not engage in tracking or behavioural monitoring of children, nor do we send targeted advertising to users identified as minors.
- If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact our Grievance Officer immediately. We will take steps to promptly delete such data.
- If a minor uses the Platform under the supervision of a parent or guardian, the parent or guardian consents to these Terms on the minor's behalf and accepts responsibility for the minor's use of the Platform.
Opt-Out & Consent Management
We respect your communication preferences. Here is how you can manage your consent and opt-out of various types of data processing:
| Communication Type | How to Opt-Out |
|---|---|
| Marketing Emails | Click the "Unsubscribe" link in any marketing email, or update preferences in your account settings. |
| WhatsApp Promotional Messages | Reply "STOP" to any WhatsApp message from us, or write to our Grievance Officer with subject "WhatsApp Opt-Out". |
| SMS Promotions | Reply "STOP" to any promotional SMS, or register on the DND (Do Not Disturb) list via TRAI's DND portal. |
| Personalised Recommendations | Disable this in your account settings under Privacy Preferences. |
| Analytics Cookies | Manage via your browser's cookie settings or use browser tracking protection features. |
| All Consent (Global Withdrawal) | Write to our Grievance Officer with subject "Withdrawal of Consent for Processing Personal Data". Note: withdrawal does not affect prior lawful processing and may restrict access to certain services. |
Do Not Sell My Personal Data
This commitment applies to all categories of personal data, including contact information, browsing behaviour, purchase history, and device identifiers. Our data sharing (described in Section 10) is limited to what is necessary to operate our Platform and deliver our services to you.
We do not participate in third-party data broker networks, and we do not share your data with advertising networks for the purpose of targeting you with third-party advertisements.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, technology, legal requirements, or business operations.
- The "Effective Date" at the top of this page indicates when the Policy was last revised.
- For material changes (changes that significantly affect your rights or how we use your data), we will notify you via a prominent banner on the Platform and/or by email to your registered address at least 14 days before the change takes effect.
- For minor changes (typographical corrections, clarifications that do not alter the substance of the Policy), the updated Policy will be posted on this page without individual notification.
- Your continued use of the Platform after any change takes effect constitutes your acceptance of the revised Policy.
- If you do not agree to the revised Policy, you must stop using the Platform and may request account deletion.
We encourage you to review this Privacy Policy periodically. You can bookmark this page at vilarci.in/privacy_policy.html for easy reference.
Grievance Officer
In accordance with the Information Technology Act, 2000, the IT (Intermediaries Guidelines) Rules, 2011, and the Digital Personal Data Protection Act, 2023, Vilarci has appointed a Grievance Officer to address privacy-related concerns.
If you have any concerns about how your personal data is being used, wish to exercise your data rights, or want to report a privacy violation, please contact our Grievance Officer. We will acknowledge your complaint within 48 hours and resolve it within 30 days.
Grievance Officer — Vilarci
Available Monday to Friday, 9:00 AM – 6:00 PM IST. Privacy requests are prioritised.
— Data Access Request: "Access My Personal Data"
— Correction Request: "Correct My Personal Data"
— Deletion Request: "Delete My Account and Personal Data"
— Consent Withdrawal: "Withdrawal of Consent for Processing Personal Data"
— Privacy Complaint: "Privacy Policy Complaint"