Adalwin Commerce LLP (operating the Dropkyd brand) is the data fiduciary for personal data collected through dropkyd.com. This policy explains what we collect, why, who sees it, and what you control. We've written it to be readable — there's a long-form version on request.
We comply with India's Digital Personal Data Protection Act, 2023 (DPDP). For data subjects in the EU/UK, the GDPR sections of our long-form policy also apply.
1. What we collect
- You give us: email or phone (for sign-in), name, shipping address, payment info (handled by Razorpay — we never see card numbers), and any review or message you post.
- We observe: pages visited, drop you bought from, source of click (Instagram link, etc.), hashed IP, user agent.
- From partners: Razorpay (payment status), Delhivery (shipment status), Brevo (email delivery receipts).
2. What we share with creators
Creators see limited buyer data on their dashboard: first name, last initial, city, and source post. They do not see email addresses, phone numbers, or full names. Dropkyd holds the buyer relationship.
3. Why we use it
- Sign-in (one-time codes; no passwords).
- Process orders, manufacture, ship, refund.
- Talk to you about your orders (receipts, shipping updates).
- Improve the product — what's selling, what isn't.
- Fraud detection.
- Marketing — only if you opted in. Opt-out is one click in any email.
4. Who we share with
- Razorpay — payments and refunds.
- Brevo — transactional email + SMS delivery.
- Delhivery — shipping label and tracking.
- Production partners in Tirupur, Bengaluru, Delhi — name and shipping address, nothing else.
- Vercel — our hosting provider.
- Neon — our database provider (data resides in Mumbai region).
- Google Analytics — anonymised usage analytics (pages visited, device type) to improve the product.
We don't sell personal data, ever. We don't share it with advertisers, brokers, or model trainers. If a partner above changes, we'll update this list.
5. How long we keep it
- Order & invoice data — 8 years (CGST Act § 36 retention requirement).
- Sign-in OTPs — 24 hours after consumption, then deleted.
- Session tokens — 30 days, then expire automatically.
- Marketing preferences — until you change them.
6. Your rights
- Access — request a copy of everything we have on you.
- Correct — fix anything wrong.
- Erase — delete your account. We anonymise rather than hard-delete order records (we need them for tax) but everything that can be erased, will be.
- Export — JSON dump on request.
- Object — to any specific processing.
Email privacy@dropkyd.com with the subject "DPDP request". We respond within 7 days.
7. Security
- TLS everywhere.
- PAN, bank details, and IFSC are encrypted at rest (AES-256).
- Bank account numbers are masked in every UI — even our own admin.
- Session tokens are signed (HS256, 32-byte secret rotated annually).
- Razorpay handles card vault; we never receive PANs.
8. Cookies
We use strictly-necessary cookies for sign-in (dropkyd_sess) and cart state (dropkyd_cart). With your consent, we also use Google Analytics (see §4), which sets first-party analytics cookies to measure how the site is used — these load only after you choose “Accept all” in our cookie banner, and never if you choose “Necessary only”. We do not use advertising, ad-retargeting, or cross-site tracking cookies. If you block the strictly-necessary cookies, parts of the site won't work.
9. Children
Dropkyd isn't intended for users under 18. If we discover an account belongs to a minor, we'll close it and delete the data.
10. Grievance officer
Under the DPDP Act 2023, you can reach our Grievance Officer at grievance@dropkyd.com ·Adalwin Commerce LLP, Pune. We respond within 30 days.
Pune, Maharashtra 411013
India