Vilarci Vilarci
Effective: 9 May 2025
Privacy & Data Protection

Privacy Policy

We take your privacy seriously. This policy explains every detail of what personal data we collect, why we collect it, how we protect it, and your rights over it.

Effective Date 9 May 2025
Platform Owner Krishnendu Kar (Vilarci)
Governed By Indian DPDP Act, 2023 & IT Act, 2000
Contact vilarci.in
Infrastructure & Integrations Used on This Platform Cloudflare CDN & Security Supabase (Database & Auth) Email OTP Verification India-primary Data Storage
01

Introduction

This Privacy Policy describes how Krishnendu Kar, trading as Vilarci (hereinafter "Vilarci", "we", "us", or "our"), collects, uses, processes, shares, stores, and protects your personal data when you use our website at https://vilarci.in/, our mobile applications, and any associated services (collectively, the "Platform").

This Policy is published in compliance with the Digital Personal Data Protection (DPDP) Act, 2023, the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other applicable Indian laws relating to privacy and data protection.

Please read this policy carefully. By visiting, registering on, or using the Platform in any manner, you acknowledge that you have read, understood, and unconditionally agree to be bound by the terms of this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.

We do not offer any product or service on this Platform outside India. Your personal data will primarily be stored and processed in India, subject to the exceptions described in the International Transfers section.


02

Scope & Applicability

This Privacy Policy applies to:

This Policy does not apply to:


03

Key Definitions

Term Meaning
Personal Data Any information that identifies or can be used to identify an individual directly or indirectly — e.g., name, mobile number, email, address, or device ID.
Sensitive Personal Data (SPD) Financial information (card/bank details), authentication credentials, biometric data, and any other data classified as sensitive under Rule 3 of the IT (SPDI) Rules, 2011.
Data Fiduciary Vilarci — the entity that determines the purpose and means of processing personal data.
Data Principal You — the individual whose personal data is being processed.
Data Processor Third-party entities that process personal data on our behalf (e.g., Supabase, Cloudflare, payment gateways).
Processing Any operation performed on personal data, including collection, recording, organisation, storage, retrieval, use, sharing, or deletion.
Consent Freely given, specific, informed, and unambiguous indication of your agreement to the processing of your personal data.
OTP One-Time Password — a time-limited, single-use code sent to your registered WhatsApp number or email address for identity verification.
Cookie A small text file stored on your device by your browser at the request of a website, used to remember information about you across sessions.

04

Information We Collect

We collect information in three ways: information you give us directly, information generated by your use of the Platform, and information received from third parties. A complete breakdown is below:

Category What We Collect When Collected
Identity Data Full name, date of birth, gender Registration, profile update
Contact Data Mobile number, email address, postal / delivery address Registration, checkout, contact form
Authentication Data OTP hash (not the OTP itself), session tokens, login timestamps Account creation, sign-in
Transaction Data Order ID, products ordered, quantities, amounts, payment status, invoice details Every purchase or transaction
Financial Data Masked card/UPI/bank reference numbers (full card numbers are not stored by us) Checkout via payment gateway
Device & Technical Data IP address, browser type & version, operating system, device identifiers, screen resolution, time zone Every Platform visit (automatic)
Usage & Behaviour Data Pages viewed, clicks, scroll depth, session duration, search queries on Platform, add-to-cart events Continuous during session
Location Data Approximate location derived from IP address; precise GPS location (only if you grant permission) Platform visit; location-based features
Communications Data Content of messages sent to us via support channels, chat logs, complaint records Customer support interactions
Marketing Preferences Opt-in / opt-out status for promotional emails, SMS, and WhatsApp messages Registration, settings update
What We Never Collect: We do not collect your full card numbers, CVV codes, net-banking passwords, or OTPs from third-party services. If anyone claims to be from Vilarci and asks for such details, it is a fraudulent attempt — please report it immediately.

05

Authentication via OTP

Vilarci uses One-Time Password (OTP) verification to secure your account creation and login. We offer two OTP channels:

Regarding security of the OTP process:

Never share your OTP with anyone — including individuals claiming to be Vilarci representatives. Vilarci will never call or message you asking for an OTP.

06

Cookies & Tracking

We use cookies, web beacons, local storage, and similar technologies to operate and improve the Platform. Cookies are small text files stored on your device. You can control cookies through your browser settings, but disabling certain cookies may affect the functionality of the Platform.

Managing Cookies: You can configure your browser to refuse all cookies, or to alert you when cookies are being set. However, note that disabling strictly necessary cookies will prevent login and core shopping functions from working. To opt out of analytics cookies, please contact us or use your browser's built-in tracking protection settings.

07

Infrastructure & Servers

Vilarci is built on industry-standard infrastructure. Understanding these services helps you know where your data travels and how it is protected:

Service Role Data Involved
Cloudflare Content Delivery Network (CDN), DDoS protection, WAF (Web Application Firewall), bot management, TLS/SSL termination, DNS, and edge caching. All traffic to vilarci.in passes through Cloudflare's global edge network. IP addresses, HTTP headers, request metadata. Cloudflare processes this as a data processor under our instruction. Cloudflare's privacy policy applies: cloudflare.com/privacypolicy
Supabase Backend database (PostgreSQL), authentication system (user sessions, OTP management), file storage, and serverless functions (Edge Functions). All application data is stored in Supabase. Account data, order data, session tokens, OTP hashes, product data. Supabase acts as a data processor. Supabase's privacy policy applies: supabase.com/privacy
Meta WhatsApp Business API Delivery of WhatsApp OTP messages for account verification and transactional notifications (order confirmations, shipping updates). Your WhatsApp-registered mobile number and the OTP message content. Meta's data policy applies for messages delivered through WhatsApp.
Email Service Provider Delivery of email OTPs, transactional emails (order confirmations, invoices), and (with consent) marketing emails. Your email address and email content. The ESP processes this as our data processor.
Payment Gateway Secure processing of payment transactions. We use PCI-DSS compliant third-party gateways. We do not store full card details on our servers. Payment reference IDs, transaction status. Full card data is handled exclusively by the payment gateway.
Logistics Partners Courier and delivery companies used to ship your orders. Your name, delivery address, and mobile number (for delivery coordination).
All our third-party infrastructure partners are bound by data processing agreements that require them to process your data only on our instructions, maintain adequate security measures, and not use your data for their own purposes beyond what is necessary to provide the service.

08

Purpose of Use

We process your personal data strictly for defined, lawful purposes. We do not use your data for purposes incompatible with those listed below:



10

Data Sharing

We do not sell your personal data to third parties for monetary consideration. We share your data only in the following limited circumstances:

We will never share your data with advertisers for targeted advertising purposes without your explicit prior consent. We do not participate in data broker networks.

11

Third-Party Processors

A data processor is a third party that processes personal data on our behalf and only under our written instructions. All our data processors are contractually required to maintain appropriate security standards and are prohibited from using your data for their own purposes.

Processor Purpose Privacy Policy
Cloudflare, Inc. CDN, security, DDoS protection, edge caching cloudflare.com/privacypolicy
Supabase, Inc. Database, authentication, file storage, serverless functions supabase.com/privacy
Meta Platforms (WhatsApp) WhatsApp OTP delivery and transactional notifications WhatsApp Privacy Policy
Payment Gateway Partner(s) Secure payment processing (PCI-DSS compliant) Refer to the specific gateway displayed at checkout
Email Service Provider Email OTP delivery, transactional & marketing emails Available on request
Logistics Partners Order shipping and last-mile delivery Refer to respective courier's policy

When you interact directly with any third-party website or service (e.g., by clicking a link), their own privacy policies govern your data. We are not responsible for the data practices of third parties that independently collect data from you.


12

Security Measures

We take the security of your personal data seriously and employ multi-layered technical and organisational measures to protect it against unauthorised access, disclosure, alteration, and destruction:

Despite our best efforts, no method of data transmission over the internet or electronic storage is 100% secure. You accept the inherent risks of using internet-based services and are responsible for maintaining the security of your account credentials.

13

Data Retention

We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention schedule applies:

Data Category Retention Period Basis
Account & Profile Data Duration of account + 3 years after closure Contractual, legal obligation
Order & Transaction Data 7 years from date of transaction Taxation, legal & audit requirements
Payment Reference Data 7 years from transaction Financial regulations
OTP Logs (hashed) 90 days Security audit trail
Session Tokens Until logout or token expiry (max 7 days inactive) Functional necessity
Customer Support Records 3 years from last interaction Legal, dispute resolution
Marketing Consent Records Until withdrawal + 1 year Proof of consent
Analytics Data (aggregated) Up to 3 years (anonymised) Legitimate interest
Server / Access Logs 90 days (Cloudflare logs) / 30 days (Supabase) Security monitoring

Upon expiry of the applicable retention period, your data is securely deleted or anonymised so it can no longer identify you. Anonymised data may be retained indefinitely for analytical and research purposes.

You may request deletion of your account and personal data at any time. However, we may retain certain data for the periods specified above where required by law or for legitimate business purposes, including pending grievances, unresolved claims, or ongoing disputes.


14

International Data Transfers

Your personal data is primarily stored and processed in India. However, certain infrastructure and third-party service providers operate from or have servers in other countries. Specifically:

Where data is transferred internationally, we ensure that appropriate safeguards are in place — including Standard Contractual Clauses (SCCs), data processing agreements, and compliance with the receiving country's data protection standards — in accordance with the DPDP Act, 2023 provisions on cross-border data transfers.


15

Your Rights

Under the Digital Personal Data Protection Act, 2023 and other applicable Indian laws, you have the following rights regarding your personal data. To exercise any of these rights, contact our Grievance Officer at the details in Section 20.

Right to Access

Request a copy of the personal data we hold about you, along with information about how it is used and shared.

Right to Correction

Request correction of inaccurate, incomplete, or outdated personal data we hold about you. Update most data directly via your account settings.

Right to Erasure

Request deletion of your personal data ("right to be forgotten"), subject to our legal retention obligations.

Right to Withdraw Consent

Withdraw any consent you have previously given at any time. Withdrawal does not affect the lawfulness of prior processing.

Right to Data Portability

Request a copy of your personal data in a structured, commonly used, machine-readable format for transfer to another service.

Right to Grievance Redressal

Lodge a complaint with our Grievance Officer or approach the Data Protection Board of India if your request is not resolved satisfactorily.

Right to Information

Know what personal data we collect, how it is used, who it is shared with, and the retention period — all covered in this Privacy Policy.

Right to Nominate

Under the DPDP Act, 2023, you may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.

How to Exercise Your Rights: Send a written request to our Grievance Officer (details in Section 20). We will respond within 30 days. Some rights may be limited where legal obligations require us to retain or process certain data.

16

Children's Privacy

The Platform is not directed at individuals under the age of 18 years. We do not knowingly collect personal data from children without verified parental or guardian consent.


17

Opt-Out & Consent Management

We respect your communication preferences. Here is how you can manage your consent and opt-out of various types of data processing:

Communication Type How to Opt-Out
Marketing Emails Click the "Unsubscribe" link in any marketing email, or update preferences in your account settings.
WhatsApp Promotional Messages Reply "STOP" to any WhatsApp message from us, or write to our Grievance Officer with subject "WhatsApp Opt-Out".
SMS Promotions Reply "STOP" to any promotional SMS, or register on the DND (Do Not Disturb) list via TRAI's DND portal.
Personalised Recommendations Disable this in your account settings under Privacy Preferences.
Analytics Cookies Manage via your browser's cookie settings or use browser tracking protection features.
All Consent (Global Withdrawal) Write to our Grievance Officer with subject "Withdrawal of Consent for Processing Personal Data". Note: withdrawal does not affect prior lawful processing and may restrict access to certain services.
Transactional communications (OTPs, order confirmations, shipping updates, account security alerts) are not subject to marketing opt-out as they are essential to service delivery and your account security. These will continue regardless of your marketing preferences.

18

Do Not Sell My Personal Data

Vilarci does not sell your personal data. We do not sell, rent, trade, or otherwise transfer your personal information to third parties for their own commercial or marketing purposes, in exchange for monetary consideration or any other form of value.

This commitment applies to all categories of personal data, including contact information, browsing behaviour, purchase history, and device identifiers. Our data sharing (described in Section 10) is limited to what is necessary to operate our Platform and deliver our services to you.

We do not participate in third-party data broker networks, and we do not share your data with advertising networks for the purpose of targeting you with third-party advertisements.


19

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, technology, legal requirements, or business operations.

We encourage you to review this Privacy Policy periodically. You can bookmark this page at vilarci.in/privacy_policy.html for easy reference.


20

Grievance Officer

In accordance with the Information Technology Act, 2000, the IT (Intermediaries Guidelines) Rules, 2011, and the Digital Personal Data Protection Act, 2023, Vilarci has appointed a Grievance Officer to address privacy-related concerns.

If you have any concerns about how your personal data is being used, wish to exercise your data rights, or want to report a privacy violation, please contact our Grievance Officer. We will acknowledge your complaint within 48 hours and resolve it within 30 days.

Grievance Officer — Vilarci

Available Monday to Friday, 9:00 AM – 6:00 PM IST. Privacy requests are prioritised.

Name Krishnendu Kar
Designation Founder & Grievance Officer
Platform Vilarci
Registered Address Tamluk, Purba Medinipur — 721627, West Bengal, India
Website vilarci.in
Support Hours Monday – Friday, 9:00 – 18:00 IST
Email Subject Lines to Use:
— Data Access Request: "Access My Personal Data"
— Correction Request: "Correct My Personal Data"
— Deletion Request: "Delete My Account and Personal Data"
— Consent Withdrawal: "Withdrawal of Consent for Processing Personal Data"
— Privacy Complaint: "Privacy Policy Complaint"
Data Protection Board of India: If you are not satisfied with the resolution provided by our Grievance Officer, you may escalate your complaint to the Data Protection Board of India, as constituted under the Digital Personal Data Protection Act, 2023. Details of the Board will be published on the Ministry of Electronics and Information Technology (MeitY) website once operational.
Security Alert: Vilarci will never contact you requesting your OTP, card PIN, net-banking password, or any other sensitive credential via phone call, SMS, email, or WhatsApp. If you receive any such communication claiming to be from Vilarci, it is fraudulent. Please report it immediately to your nearest law enforcement agency and notify us.