Effective Date:[dd Month yyyy] Last Updated:[dd Month yyyy]
1. Who We Are
LushFemme (“we”, “us”, “our”) is an online boutique dedicated exclusively to modern and elegant women’s wear, including regular wear, partywear, lingerie, and intimate apparel for high-fashion women. We operate the website https://lushfemme.com and (where applicable) related mobile applications, social channels, or digital storefronts (collectively, the “Platform”).
Legal Entity Name:[Insert registered company name] Registered Address:[Insert full registered address] Corporate Registration / CIN (if applicable):[Insert] GSTIN (if applicable):[Insert] Primary Business Email:[Insert] Customer Care / Support Phone:[Insert]
Indian e‑commerce rules require online sellers to clearly disclose their legal identity, contact details, and customer support information to consumers. (thc.nic.in, teamleaseregtech.com, indialaw.in)
2. Scope & Applicability
This Privacy Policy explains how we collect, use, disclose, store, secure, and otherwise process personal data when you visit our Platform, create an account, place an order, subscribe to marketing, interact with customer support, post content (such as reviews or comments), or otherwise engage with LushFemme.
The Digital Personal Data Protection Act, 2023 (DPDP Act) applies to the processing of digital personal data in India and to processing outside India when offering goods or services to individuals in India. Until all provisions of the DPDP Act are notified and in force, Indian privacy compliance remains grounded in the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which continue to inform good practice. (meity.gov.in, dataguidance.com, dlapiperdataprotection.com)
If we serve customers in other jurisdictions (for example, the European Economic Area, United Kingdom, or California), additional rights and disclosures may apply; see Section 21 – Regional Supplements below. (dlapiperdataprotection.com, iapp.org)
3. Key Terms (Plain Language)
Personal Data: Any data that identifies or can reasonably identify an individual. (Examples: name, email, phone, order history, device ID.)
Digital Personal Data: Personal data in digital form.
Data Principal: The individual to whom the data relates (you). For children, this includes a parent/guardian.
Data Fiduciary: The entity deciding why and how personal data is processed (us, LushFemme).
Data Processor: A third party processing data on our instructions (e.g., payment gateway, shipping provider, email service).
We collect different categories of information depending on how you interact with us. You control many of these data points; some are collected automatically.
Send offers, style drops, and updates (opt‑in; unsubscribe anytime).
Contest / Campaign Entries
Name, social handle, content submissions
Administer promotions; display user-generated content with permission.
Collection for lawful purposes, notice at/before collection, and use limited to stated purpose are baseline requirements under Indian privacy rules and the DPDP Act. (meity.gov.in, dataguidance.com, dlapiperdataprotection.com)
4.2 Data Collected Automatically
When you use our Platform, certain technical data are captured automatically:
IP address & approximate geolocation (derived from IP).
Device & browser information (user agent, OS version, screen resolution).
Log files (time of access, pages viewed, error logs).
Cookie identifiers and similar technologies (see Section 8).
Platforms commonly log these data for security, fraud prevention, performance, and analytics; Indian SPDI guidance and emerging DPDP norms recognize such operational processing when tied to a lawful purpose and backed by notice. (meity.gov.in, dataguidance.com, iapp.org)
4.3 Payment Information
Payments are processed through secure, PCI‑DSS compliant payment gateways or aggregators. We typically receive a payment confirmation token (not full card details). Where legally required (e.g., GST invoicing) we may collect limited billing data. Indian e‑commerce rules emphasize secure payment disclosures and transparent fee presentation. (teamleaseregtech.com, indialaw.in, thc.nic.in)
4.4 Comments, Reviews & Community Posts
If you leave a product review, comment on a blog post, or participate in community features, we collect the information you submit plus metadata such as IP address and browser user agent to help detect spam and abuse. Similar practices are reflected in widely used content platforms (e.g., Gravatar integration) and align with lawful security/fraud purposes under Indian rules. (dataguidance.com, thc.nic.in, indialaw.in)
4.5 Media Uploads
If you upload photos (for reviews, style inspiration, or contests), please remove embedded EXIF GPS location data before uploading. Visitors may download and extract such data from publicly visible images. Disclosure guidance and user‑submitted content responsibilities appear in India’s e‑commerce and IT regulatory frameworks. (thc.nic.in, teamleaseregtech.com, indialaw.in)
5. Sensitive Personal Data & Special Categories
Under the SPDI Rules, certain data types (including financial information, passwords, health data, sexual orientation, and biometric identifiers) are treated as “sensitive.” LushFemme seeks to minimize sensitive collection. However, depending on the products or services you use, we may process:
Encrypted payment tokens or partial payment references (handled primarily by payment processors).
Fit or sizing information that could indirectly indicate health/physical characteristics (e.g., mastectomy support garments, maternity fit notes) if you choose to provide them.
Intimate apparel preferences that, if linked to an identifiable person, could be considered sensitive contextually.
Where sensitive data are collected, we will obtain appropriate consent, restrict use to the stated purpose, apply heightened security controls, and limit retention. These principles mirror SPDI consent, purpose limitation, retention, and security requirements, and are consistent with DPDP safeguards for personal data. (dataguidance.com, meity.gov.in, dlapiperdataprotection.com)
Analytics to improve products, sizing accuracy & site performance.
Compliance with tax, accounting, and legal obligations.
Responding to law enforcement or regulatory requests where required by law.
Indian privacy and e‑commerce frameworks require that personal data be collected for lawful purposes, used only for the stated purpose, and retained only as necessary; grievance handling and transparent disclosures are mandatory for online sellers. (meity.gov.in, dataguidance.com, teamleaseregtech.com)
7. Lawful Grounds / Legal Bases for Processing
Below is a high‑level mapping of common processing activities to legal bases recognized or emerging under Indian law (DPDP + legacy SPDI practice) and consumer protection requirements.
Processing Activity
Example Data
Primary Legal Basis
Notes
Account setup & login
Name, email, password
Consent (sign‑up action) / Contractual necessity
Notice required at or before collection; user may withdraw consent but service impact may follow.
Order fulfillment
Shipping address, contact, order items
Contractual necessity
Needed to supply goods; withdrawal may prevent completion.
Payments
Billing info, payment token
Contractual necessity & Legal obligation
Required for transaction, invoicing, tax/GST compliance.
Marketing emails
Email, marketing prefs
Consent (opt‑in)
Easy unsubscribe required; no pre‑checked boxes under e‑commerce rules.
Personalization
Size, style history
Consent / Legitimate use (service requested)
Provide requested shopping experience; user controls profile.
Must acknowledge & resolve within prescribed timeframes.
DPDP requires consent or certain legitimate uses for processing; SPDI requires prior consent and purpose limitation for sensitive data; consumer e‑commerce rules require explicit consent (no pre‑ticked boxes) and robust grievance handling. (meity.gov.in, dataguidance.com, teamleaseregtech.com)
8. Cookies & Similar Technologies
Cookies are small data files placed on your device to make our site work, remember preferences, analyze traffic, and deliver relevant marketing.
Performance & Analytics: Help us understand traffic patterns and improve site usability.
Functional: Remember region, language, and size preferences.
Marketing / Advertising: Deliver tailored offers, retargeting, and campaign measurement (only where permitted).
Explicit, informed consent for non‑essential cookies and tracking is a recommended best practice in India’s evolving privacy environment and aligns with DPDP consent standards and e‑commerce transparency expectations (no bundled or pre‑ticked consents). (meity.gov.in, teamleaseregtech.com, indialaw.in)
8.2 Managing Cookies
You can manage cookie preferences through our on‑site Cookie Settings panel, your browser controls, and (where implemented) platform‑level privacy tools (e.g., mobile OS ad settings). Disabling certain cookies may impact site functionality (cart, login persistence).
Purpose limitation, opt‑out options, and clear disclosures support compliance under Indian SPDI and consumer e‑commerce guidance. (dataguidance.com, teamleaseregtech.com)
9. Comments, Reviews & Community Participation
When you post a comment or review:
We collect the content you submit.
We capture your IP address and browser user agent to help detect spam and abusive behavior.
If we integrate avatar services (e.g., Gravatar), an anonymized hash of your email may be sent to that service to display your profile image (subject to that service’s privacy policy).
Approved comments may show publicly with your display name and avatar.
Collecting limited technical metadata for security and anti‑spam aligns with lawful purpose requirements under Indian privacy and IT rules; public display of submitted content is disclosed as part of user notice. (dataguidance.com, thc.nic.in, indialaw.in)
10. Media & User‑Generated Content
If you upload images (e.g., style gallery submissions, product try‑ons):
Remove embedded EXIF location data before uploading.
Uploaded images may be viewable and downloadable by other users depending on Platform settings.
We may moderate or crop images to meet community guidelines.
User‑submitted content is subject to disclosure and authenticity rules under Indian e‑commerce compliance guidance; displaying accurate product representations and preventing misleading content are regulated expectations. (thc.nic.in, teamleaseregtech.com, indialaw.in)
11. Embedded Content & Third‑Party Links
Our Platform may include embedded videos, lookbooks, payment widgets, social media plugins, or size‑recommendation tools hosted by third parties. Embedded content behaves as if you visited the third‑party site directly; those sites may collect data, use cookies, or track your interaction (including if you are logged in to their service).
Indian e‑commerce rules stress transparency about third‑party services in checkout, payment, and product display flows; disclose where third parties process consumer data. (thc.nic.in, teamleaseregtech.com, indialaw.in)
12. Payments & Financial Data
We partner with reputable payment gateways / aggregators to process online payments using encryption and industry standards (e.g., PCI‑DSS). We do not store full card numbers, CVV, or UPI PINs on our servers. We receive a confirmation (tokenized) that payment succeeded or failed and limited billing details needed for invoicing, GST, refunds, or chargebacks.
Indian e‑commerce compliance emphasizes secure payment handling, disclosure of fees, and prompt refund processing consistent with Reserve Bank of India (RBI) and consumer protection requirements. (teamleaseregtech.com, indialaw.in, thc.nic.in)
13. How We Share Personal Data
We do not sell personal data. We share personal data only as needed for the purposes described above:
Service Providers / Data Processors – Hosting, cloud storage, email delivery, SMS vendors, analytics, marketing automation, personalization engines, payment processors, logistics and courier partners. Professional Advisors – Auditors, accountants, legal counsel (under confidentiality). Regulatory & Legal Authorities – Where required by law, regulation, court order, or lawful request from government agencies. Business Transfers – In connection with a merger, acquisition, financing, insolvency, or sale of assets, subject to continued protections. With Your Direction – When you request that we share data (e.g., stylist consultation, influencer collaboration, gift delivery).
SPDI Rules limit disclosure of sensitive data without consent except as contractually agreed or required by law; e‑commerce rules require transparent display of seller, payment, and grievance information to consumers. (dataguidance.com, thc.nic.in, teamleaseregtech.com)
14. Cross‑Border Data Transfers
Because we use global cloud and service providers, personal data may be processed in jurisdictions outside India. Under the DPDP Act, cross‑border transfers are permitted except to countries that may be specifically restricted by the Central Government (to be notified). The SPDI Rules allow transfer of sensitive data to another entity in India or abroad that ensures the same level of data protection and where necessary to perform a lawful contract or with consent. We require appropriate contractual and technical safeguards when data moves internationally. (meity.gov.in, dataguidance.com, dlapiperdataprotection.com)
15. Data Retention
We retain personal data only as long as necessary to fulfill the purposes described in this Policy, including:
Order & tax records: retained to meet accounting, audit, and legal retention obligations.
Customer support & grievance files: retained through resolution + statutory limitation periods.
Marketing data: retained until you unsubscribe or withdraw consent, then moved to a suppression list.
Sensitive sizing/fit notes: retained while your account is active or until you delete them; anonymized for analytics where possible.
SPDI Rules require that sensitive personal data not be retained longer than necessary for lawful use and permit review/correction; DPDP codifies storage limitation principles; leading India privacy guidance echoes data minimization and retention control. (dataguidance.com, meity.gov.in, dlapiperdataprotection.com)
16. Your Rights & Choices
Subject to applicable law, you may have the following rights:
Access: Ask what personal data we hold about you.
Correction / Update / Completion: Fix inaccurate or incomplete data.
Erasure: Request deletion of data that is no longer required or where consent is withdrawn (subject to legal retention).
Consent Withdrawal: Revoke marketing or other consents; effect is prospective.
Data Portability (where feasible): Request a machine‑readable export of certain account data.
Grievance / Complaint: Escalate unresolved concerns to our Grievance Officer; once operational, you may also complain to the Data Protection Board of India under the DPDP Act.
DPDP establishes rights of access, correction, erasure, and grievance to the Data Protection Board; SPDI Rules require review and correction mechanisms; current India privacy commentary highlights preparation for Data Principal rights workflows. (meity.gov.in, dataguidance.com, iapp.org)
To exercise these rights, log in to your account or contact us (see Section 19).
17. Managing Marketing Preferences
Click Unsubscribe in any promotional email to stop receiving marketing emails.
Reply STOP (or platform equivalent) to opt out of SMS campaigns.
Adjust Notifications in your account dashboard or device settings for push alerts.
Update Style Preferences to refine personalized recommendations (does not remove transactional emails).
Indian e‑commerce rules prohibit pre‑ticked consent boxes and require transparent customer controls for marketing and purchase authorization. (teamleaseregtech.com, indialaw.in)
18. Grievance Redressal & Data Protection Contact
We take your privacy seriously and are required under Indian law to provide a grievance mechanism.
Grievance Officer:[Name] Email:[Insert] Phone:[Insert] Postal Contact:[Insert]
Response Timelines
We will acknowledge consumer complaints within 48 hours (working days) where feasible.
We aim to resolve grievances within 30 days (or the timeframe prescribed by applicable law).
SPDI Rules require designation of a Grievance Officer and resolution within one month; Consumer Protection (E‑Commerce) Rules call for timely acknowledgment (commonly interpreted as 48 hours in practice) and resolution within one month; current DPDP commentary notes that significant data fiduciaries must provide a contact/DPO in India for grievance and rights handling. (dataguidance.com, teamleaseregtech.com, mondaq.com)
19. Security Measures
We implement administrative, technical, and organizational safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. Measures may include encryption in transit, access controls, audit logging, secure development practices, routine vulnerability scanning, employee confidentiality agreements, and incident response procedures.
Indian SPDI Rules mandate “reasonable security practices and procedures” (often mapped to ISO/IEC 27001 or similar frameworks); the DPDP Act requires Data Fiduciaries to implement appropriate safeguards to prevent personal data breaches; industry guidance urges strong cybersecurity readiness in anticipation of DPDP enforcement. (dataguidance.com, meity.gov.in, iapp.org)
20. Children’s Privacy
LushFemme is intended for purchase by adults. We do not knowingly collect personal data from children under 18 without appropriate parental or guardian involvement. If we learn that we have collected personal data from a child without such authorization, we will take reasonable steps to delete it.
The DPDP Act defines a child as an individual who has not completed 18 years and contemplates enhanced protections for children’s data; India privacy guidance recommends parental consent and minimization for minors online. (meity.gov.in, dlapiperdataprotection.com)
21. Regional Supplements (If You Sell Internationally)
If you ship or market outside India, additional rights may apply (GDPR – EU/EEA & UK; CCPA/CPRA – California; PIPEDA – Canada, etc.). Provide jurisdiction‑specific disclosures, lawful bases, and data transfer safeguards (e.g., SCCs, UK IDTA) as needed. International privacy compliance is discussed in India‑focused global guidance comparing DPDP to other regimes. (dlapiperdataprotection.com, iapp.org)
22. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, technology, or our business practices. When we post changes, we will revise the Last Updated date above. Where required by law (e.g., material changes or new consents under DPDP), we will notify you and, if needed, request renewed consent before continuing processing. (meity.gov.in, dlapiperdataprotection.com)
23. Contact Us
Questions about this Privacy Policy? Please contact us:
Privacy / Data Protection:[Insert dedicated privacy email] Grievance Officer:[Name] (see Section 18) Mailing Address:[Insert] Customer Support:[Insert]
Clear disclosure of contact details and grievance pathways is required for e‑commerce entities serving Indian consumers. (thc.nic.in, teamleaseregtech.com, indialaw.in)
