Privacy Policy
Last updated: 13 May 2026
This Privacy Policy explains how Vishal Mobile (“we”, “us”, “our”) — operating from Shop No 5, Surbhi Complex, Paligaon Road, Sachin, Surat, Gujarat — 394230 (GSTIN: 24BEVPS9584M1Z5) — collects, uses, discloses and safeguards your personal information when you use vishalmobile.store or our mobile experiences. We comply with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology Act, 2000.
1. Information we collect
1.1 You give us directly
- Account data: name, email, phone, password (stored as an argon2 hash — we never see your plain password).
- Shipping & billing: delivery address, pincode, GSTIN (if you ask for a tax invoice).
- Order & payment: the items you buy, payment method (Razorpay or Cash on Delivery). Card / UPI / bank details are processed directly by Razorpay; we never store them on our servers.
- Customer support: the messages, tickets and call notes you share with our team.
- Marketing preferences: consent for cookies, email, SMS and WhatsApp marketing — captured via the cookie banner and your account settings.
1.2 We capture automatically
- Device / browser: IP address, user-agent, screen size, referring URL.
- Usage: pages viewed, products viewed, items added to cart, time spent — used to improve the catalog and recommend relevant products.
- Cookies and similar: see our Cookie Policy.
2. How we use your data
We process your personal data for the following purposes:
- To fulfil your orders: process payment, ship the order, generate GST invoices, handle returns and refunds.
- To run your account: sign-in, password reset, security audits, fraud prevention.
- To communicate: order status updates by email, WhatsApp and SMS; reply to your support tickets.
- Marketing (only with your consent): product recommendations, abandoned-cart reminders, loyalty/referral benefits, seasonal offers. You can opt out at any time.
- Analytics & improvement: aggregated, mostly anonymous usage data to make the site faster and more useful.
- Legal: comply with statutory obligations such as GST, income tax, consumer-protection rules and lawful requests from authorities.
3. Legal basis (DPDP)
Under the DPDP Act, we process your data under one or more of: your consent; contract performance (your order); our legitimate business interests (such as fraud prevention); and legal compliance. Wherever consent is the basis, you may withdraw it any time without affecting prior processing.
4. Sharing your data
We share data only with the following categories of recipients:
- Payment processors: Razorpay (Razorpay Software Private Limited) to collect online payments. They are PCI-DSS Level 1 certified.
- Courier & logistics partners: Shiprocket and the carrier they assign (Delhivery, DTDC, BlueDart, India Post, etc.) to deliver your order.
- Communication providers: our SMTP host, Twilio for SMS, AiSensy / Gupshup for WhatsApp Business messages.
- Cloud infrastructure: our VPS hosting provider (India) and Cloudflare R2 (object storage) for product images.
- Authorised franchisees: name + delivery details of customers in their store catchment area, only when needed for a specific order.
- Legal & statutory: tax authorities, courts, law-enforcement bodies — only when compelled by law.
We never sell your personal data, and we never share it for third-party marketing.
5. International transfers
Your personal data is stored on servers located in India. Some of our service providers (e.g. Cloudflare, certain SMTP providers) may store edge cache / metadata outside India. Wherever this happens we ensure they meet the standard of protection required under the DPDP Act.
6. Data retention
- Account & profile: until you ask us to delete it.
- Orders, invoices & financial records: 8 years (statutory under GST + Income Tax Act).
- Order tracking + support tickets: 3 years.
- Marketing analytics: rolling 24-month window, anonymised thereafter.
7. Your rights under DPDP
You have the right to:
- Access the personal data we hold about you — available as a JSON download from your account.
- Correct inaccurate or out-of-date data — edit it from your profile page.
- Erase your account and personal data — request deletion from your account settings or by writing to us.
- Withdraw consent to marketing or analytics cookies — toggle in the cookie banner or unsubscribe link.
- Nominate an individual to exercise your rights in case of death or incapacity (DPDP §14).
- Grievance redressal: if any of the above isn't resolved to your satisfaction, you may complain to the Data Protection Board of India once it is operational.
8. How we secure your data
- HTTPS / TLS on every connection.
- Passwords hashed with argon2id, never stored in plain text.
- JWT-based access tokens with a 15-minute lifetime + short-lived refresh tokens.
- Optional Two-Factor Authentication on admin accounts.
- Webhook signatures verified with HMAC + idempotency keys to prevent replay attacks.
- Daily encrypted database backups with 14-day retention.
- Continuous error monitoring via Sentry to detect anomalies fast.
9. Children
Our services are not directed at children under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has shared their data with us, please contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page and, where required, notify you via email or an in-app banner.
11. Grievance Officer
In accordance with the Information Technology Act, 2000 and Rule 5(9) of the IT (Reasonable Security Practices) Rules, 2011 and the DPDP Act 2023, the contact details of our Grievance Officer are:
Name: Grievance Officer, Vishal Mobile
Address: Shop No 5, Surbhi Complex, Paligaon Road, Sachin, Surat, Gujarat — 394230
Email: support@vishalmobile.store
We acknowledge complaints within 24 hours and resolve them within 15 days.