MadsKraft

Privacy Policy

Last updated · 01 April 2026

This policy explains how MadsKraft (operated by MadsKraft Prints Pvt. Ltd.) collects, uses, stores, transfers and protects your personal data. We comply with India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 read with the IT (Reasonable Security Practices) Rules, 2011, and the Consumer Protection (E-Commerce) Rules, 2020.

1. Who we are

MadsKraft Prints Pvt. Ltd. (CIN: U18101MH2026PTC123456, GSTIN: 27AABCM1234R1ZK) operates the MadsKraft brand and the website at madskraft.in. Our registered office is at 12-B, Sea Breeze Apartments, Linking Road, Bandra West, Mumbai 400050, Maharashtra, India. For the purposes of the DPDP Act, we are the Data Fiduciary and you are the Data Principal.

2. What we collect

We collect only the data we need to fulfil your order and run our store:

  • Identity & contact: name, email, phone number, billing and shipping addresses.
  • Order data: products purchased, sizes, quantities, order value, payment status, returns / refund history.
  • Custom-poster uploads: images you upload to our custom builder, used solely to print your order.
  • Account data: email and a hashed password if you sign up; OAuth tokens if you sign in via Google.
  • Device & usage data: IP address, browser type, page views, basic analytics — collected via first-party cookies and anonymised analytics.

We do not knowingly collect biometric data, financial-account credentials, health information, or any other sensitive personal data outside what's required for payment, which is handled directly by Razorpay.

3. Why we process your data — purposes & lawful basis

Under DPDP Act §4 and §7, we process your data for these specific purposes:

  • To create and manage your account (consent / legitimate use).
  • To accept, process, ship and refund your orders (performance of contract).
  • To send transactional messages — order confirmations, dispatch alerts, delivery updates (legitimate use under §7).
  • To comply with tax, accounting and consumer-protection laws (legal obligation).
  • To send marketing emails or SMS — only if you have given explicit consent and only until you opt out (see section 7 of this policy, below).
  • To detect and prevent fraud, abuse and security incidents (legitimate use).

4. Who we share your data with

We share the minimum data required with these processors, all bound by contractual confidentiality and security obligations:

  • Razorpay Software Pvt. Ltd. — for payment processing (no card details stored on our servers).
  • Delhivery, Shiprocket, Blue Dart — for shipping and tracking your order.
  • Cloudinary — for hosting and serving product images and any custom-poster uploads.
  • Google (NextAuth) — only if you choose to sign in with Google.
  • Vercel — for hosting infrastructure and edge caching.

We do not sell your personal data. We do not share it for third-party advertising or profiling.

5. Data storage and transfer

Your data is primarily stored on servers located in India and the European Union (Vercel and Neon Postgres regions in ap-south-1 Mumbai and EU-Frankfurt as backup). Custom-poster uploads are stored on Cloudinary (encrypted at rest, AWS Mumbai region).

Where personal data is transferred outside India — for example, to AWS or Vercel infrastructure abroad — such transfers are conducted in accordance with DPDP Act §16, only to countries not specifically restricted by the Central Government, and under contractual safeguards equivalent to those required under Indian law.

We retain your data only as long as necessary for the purposes set out in this policy or as required by tax / consumer-protection law (typically eight years for invoices, two years for marketing consent records). After that, your data is securely deleted or irreversibly anonymised.

6. Cookies and analytics

We use first-party cookies for cart persistence (madskraft-cart), authentication session (authjs.session-token), and recent searches. We use anonymised analytics that do not identify individuals. You can clear cookies any time via your browser settings; doing so will sign you out and reset your cart.

7. Marketing & opt-out

You will only receive marketing emails or SMS (new drops, sales, drops you might like) if you explicitly opted in — usually by ticking the subscription box at checkout or via the footer newsletter form. You can opt out at any time by:

Opting out of marketing does not affect transactional messages such as order confirmations and delivery updates — these are required to fulfil your contract with us.

8. Your rights as a Data Principal

Under §11–§14 of the DPDP Act, you have the following rights regarding your personal data. We will respond to any verified request within 30 days of receipt:

  • Right to information: a summary of the personal data we hold about you and how we process it.
  • Right to correction and erasure: request correction of inaccurate data or deletion of data that is no longer needed.
  • Right to grievance redressal: escalate any complaint to our Grievance Officer (see section 10 of this policy).
  • Right to nominate: nominate another individual to exercise these rights on your behalf in case of death or incapacity.
  • Right to withdraw consent: withdraw consent for any processing based on consent, with effect for the future.

To exercise any of these rights, email [email protected] from the address registered with your account, with the subject line stating the right you wish to exercise.

9. Security

We use industry-standard safeguards: TLS 1.3 in transit, encryption at rest, hashed passwords (bcrypt), least-privilege database access, and role-based admin access controls. Payments route through Razorpay's PCI-DSS Level 1 gateway — your card details never touch our servers.

In the event of a personal-data breach that is likely to result in harm, we will notify the Data Protection Board of India and affected Data Principals as required by DPDP Act §8(6).

10. Grievance Officer

In line with DPDP Act §10 and IT Rules 2011 §5(9), we have appointed a Grievance Officer to address your privacy and data-protection concerns:

  • Name: Aanya Mehta
  • Designation: Grievance & Data Protection Officer
  • Email: [email protected]
  • Postal address: 12-B, Sea Breeze Apartments, Linking Road, Bandra West, Mumbai 400050, Maharashtra, India
  • Response timeline: we acknowledge complaints within 48 hours and resolve them within 30 days.

If you are unsatisfied with the resolution, you may escalate to the Data Protection Board of India once it is operational, or to the appropriate adjudicating officer under §27 of the DPDP Act.

11. Children's data

We do not knowingly collect data from individuals under 18 years of age. If you are under 18, please use our website only with the consent and supervision of a parent or guardian. If we become aware that we have collected data from a minor without verifiable parental consent, we will delete it promptly in line with DPDP Act §9.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email to your registered address at least 14 days before taking effect, and the "Last updated" date at the top of this page will be revised.

13. Contact us

For privacy questions: [email protected]. For general support: [email protected]. For any grievance: contact our Grievance Officer (see §10 above).