Privacy Policy

BEAUTY GARAGE LIMITED

This Privacy Policy ("Policy") governs how Beauty Garage Limited ("Beauty Garage", "we", "us", "our") collects, uses, shares, and protects Personal Data when you interact with us through beautygarage.com, our mobile applications, customer support channels, and any other channel that links to this Policy.

It has been prepared in compliance with the following legislation: the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), effective 13 November 2025; the Information Technology Act, 2000; the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; and the Consumer Protection (E-Commerce) Rules, 2020.

Who We Are
Beauty Garage Limited (CIN: U20237MH2021PLC354428) is incorporated under the Companies Act, 2013. Our registered office is at Ground Floor, 17, MIDC Industrial Area, Road No. 9, Behind Tunga Paradise Hotel, Andheri (E), Mumbai – 400093, Maharashtra, India.

We manufacture and market professional hair care products. This website, beautygarage.com, is our direct-to-consumer (D2C) platform intended solely for individual consumers. Beauty Garage Limited is the Data Fiduciary for all Personal Data described in this Policy.

Personal Data We Collect
Data you provide directly
Identity and contact: name, email address, mobile number, date of birth.
Address: delivery address, billing address, and pincode.
Transaction and payment: order history, payment method type, and masked card or UPI identifiers. We do not store full card numbers or CVV.
Account data: username, login history, and saved preferences.
Communications: emails, chat messages, support tickets, product reviews, and survey responses.

Data collected automatically
Device and technical: IP address, device type, browser version, operating system, and app version.

Usage and behavioural: pages visited, products viewed, search queries, cart activity, and session duration.

Location: approximate location derived from your IP address. Precise GPS location is collected only if you grant permission in-app.

Data received from third parties
Updated delivery status from logistics and courier partners.

Payment confirmation and fraud-risk signals from payment gateways.

Basic profile data from social login providers (e.g., Google, Meta) if you choose to sign in that way, consistent with your settings on that platform.

Legal Basis for Processing
We process your Personal Data on one or more of the following grounds under the DPDP Act, 2023, the DPDP Rules, 2025, and other applicable Indian law:

Consent: marketing communications (email, SMS, WhatsApp, push notifications); non-essential cookies; and any other processing for which you have given explicit, specific, and informed consent as required under the DPDP Rules, 2025. You may withdraw consent at any time without affecting prior processing.

Performance of contract: processing your orders, managing your account, arranging delivery, and handling returns and refunds.

Legal obligation: retaining GST and financial records and responding to court orders, regulatory audits, and law enforcement requests.

Legitimate use: fraud prevention, network and platform security, and internal analytics to improve products and services, where our interests do not override your fundamental rights as a Data Principal.

The DPDP Rules, 2025 require that consent notices be provided in plain language, independently from other terms, and be available in English or any Eighth Schedule language upon request.

How We Use Your Personal Data
We use your Personal Data only for the following purposes, consistent with the purpose-limitation principle under the DPDP Act:

Order fulfilment: processing purchases, payments, delivery, tracking, returns, refunds, and issuing GST invoices.

Account management: creating and maintaining your account, authenticating your identity, and saving your preferences.

Customer support: responding to queries, resolving complaints, and processing product warranty claims.

Personalisation: tailoring product recommendations, offers, and content based on your browsing and purchase history, where you have consented to such profiling.

Marketing and communications: sending promotional messages where you have consented or are otherwise permitted by law. You may withdraw consent or opt out at any time.

Platform improvement: analysing usage data in aggregated or pseudonymised form to fix bugs, improve features, and develop new products.

Safety and fraud prevention: detecting and preventing fraudulent transactions, account takeover, and abuse.

Legal and regulatory compliance: meeting our obligations under the GST Act, Companies Act, consumer protection rules, and other applicable legislation.

Cookies and Tracking Technologies
We use cookies, pixel tags, and similar technologies on our website and app. Our full Cookie Policy is available at beautygarage.com/pages/cookie-policy. We use four categories of cookies:

Strictly necessary: login sessions, cart functionality, fraud prevention, and security. The site cannot function without these and they cannot be disabled.

Functional: saving your language, region, and accessibility preferences. You can disable these via your browser settings.

Performance and analytics: understanding how the site is used, A/B testing, and performance monitoring. You can opt out via our cookie consent banner.

Marketing and advertising: interest-based advertising on our site and on third-party platforms such as Google and Meta. You can opt out via the cookie consent banner or the relevant ad platform’s settings.

Under the DPDP Rules, 2025, consent for non-essential cookies must be obtained through a clear, standalone notice before processing begins. Our consent banner is designed to meet this requirement.

Sharing and Disclosure
We do not sell your Personal Data. We share it only where necessary and only with the following categories of recipient, each subject to appropriate contractual safeguards including Data Processing Agreements where required under the DPDP Rules, 2025:

Logistics partners (e.g., Shiprocket, Delhivery, Blue Dart): for delivery, returns, and address verification.

Payment gateways (e.g., Razorpay, PayU, Gokwik): for payment processing and fraud prevention. All payment processors are PCI-DSS compliant.

Technology and cloud providers (e.g., Shopify, AWS): for platform hosting and infrastructure.

Marketing and analytics platforms (e.g., WebEngage, Google Analytics, Meta Pixel): for campaign measurement and push notifications, using pseudonymised identifiers. You may opt out at any time.

Auditors and legal advisors: for statutory audit and legal advice, under professional confidentiality obligations.

Law enforcement and regulators: to comply with court orders, regulatory directions, and other lawful requests, only to the extent legally required.

Group companies and affiliates: for shared services and consolidated reporting, under an intra-group data sharing agreement.

We require all third-party service providers to implement appropriate security measures and to process your Personal Data only on our documented instructions.

Data Security
We implement the following technical and organisational measures in accordance with Rule 6 of the DPDP Rules, 2025 and the IT (Reasonable Security Practices) Rules, 2011:

Encryption of data in transit (TLS/SSL) and, where applicable, at rest through encryption, obfuscation, or masking.

Role-based access controls with access logs and regular reviews, limiting data access to authorised personnel only.

Data backups to ensure continuity of processing in the event of loss of data or access.

Regular security assessments, vulnerability scanning, and penetration testing.

Employee training on data protection and information security.

Incident response procedures, including breach notification to the Data Protection Board of India and affected Data Principals within 72 hours of becoming aware of a breach, as required under the DPDP Rules, 2025.

We will never ask for your full card number, CVV, OTP, PIN, or password over phone, email, or chat. Please report any such request immediately to help@beautygarage.com.

Data Retention
We retain Personal Data for as long as necessary for the purposes described in this Policy, or as required by law, whichever is longer. In all cases, data is retained for a minimum of one year as required under Rule 8 and the Third Schedule of the DPDP Rules, 2025. When data is no longer required, we delete it or render it permanently non-identifiable, and direct our Data Processors to do the same.

Customer account and order data: 5 years from last transaction (Consumer Protection Act; GST Act).

GST invoices and financial records: 8 years from end of relevant financial year (GST Act, 2017; Companies Act, 2013).

Payment transaction logs: 5 years (RBI Payment Aggregator Guidelines).

Marketing consent records: Duration of consent plus 3 years (DPDP Act, 2023; DPDP Rules, 2025).

Customer support records: 3 years from ticket closure (Grievance redressal best practice).

Security and access logs: 1 year minimum (IT (Reasonable Security Practices) Rules, 2011; DPDP Rules, 2025).

Job applicant data (unsuccessful): 6 months from rejection (Data minimisation – DPDP Act, 2023).

Your Rights as a Data Principal
Under the DPDP Act, 2023 and the DPDP Rules, 2025, you have the following rights:

Right to access (Section 11): request a summary of the Personal Data we hold about you and the purposes for which it is processed.

Right to correction and erasure (Section 12): request correction of inaccurate, incomplete, or outdated Personal Data, and request deletion of your Personal Data subject to our legal retention obligations. Erasure requests will be addressed within 90 days as required under Rule 14.

Right to withdraw consent (Section 7): withdraw consent for marketing and other consent-based processing at any time, without affecting prior lawful processing.

Right to opt out of marketing: unsubscribe from promotional communications at any time using the opt-out link in any message or by contacting us. Transactional and service messages will continue.

Right to grievance redressal (Section 13): lodge a complaint with our Grievance Officer about how we handle your Personal Data.

Right to nominate (Section 14): nominate another individual to exercise your data rights in the event of your death or incapacity.

Right to approach the Data Protection Board of India: if you are not satisfied with our response, you may escalate to the Data Protection Board once it is fully constituted under the DPDP Act, 2023.

To exercise any of these rights, please email grievance@beautygarage.com with the subject line “Data Rights Request”, including your registered name, email address or phone number, and order ID if applicable. We will acknowledge your request within 48 hours and respond within 30 days. We may ask you to verify your identity before acting on your request.

Grievance Officer
In accordance with the DPDP Act, 2023, the DPDP Rules, 2025, and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer:

Name: Diksha Sharma
Designation: Legal Advisor, Beauty Garage Limited
Email: legal@beautygarage.com

Postal Address
Beauty Garage Limited, Ground Floor, 17, MIDC Industrial Area, Road No. 9, Behind Tunga Paradise Hotel, Andheri (E), Mumbai – 400093, Maharashtra, India

Working Hours
Monday to Friday, 10:30 AM – 7:00 PM IST (excluding public holidays)

Acknowledgement
Within 48 hours of receipt

Resolution Target
Within 15 business days; complex matters within 30 business days
If you are not satisfied with our response, you may escalate to the Data Protection Board of India (once fully constituted under the DPDP Act, 2023), or approach the appropriate consumer forum or court of competent jurisdiction.

Third-Party Links
Our platform may contain links to third-party websites, social media platforms, and payment gateways. This Policy does not govern those sites. We encourage you to read their privacy policies before interacting with them.

Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will post the updated version at beautygarage.com/pages/privacy-policy with a revised effective date and notify you via email or a prominent notice on the platform. Where required under the DPDP Rules, 2025, we will seek fresh, specific consent before processing Personal Data under any new or changed purpose.

Governing Law and Jurisdiction
This Policy is governed by the laws of India. Any dispute arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra.

Data Rights and Grievances
legal@beautygarage.com

Phone+91 9987217646 | Monday to Sunday, 10:30 AM – 7:00 PM IST

Registered Office
Beauty Garage Limited, Ground Floor, 17, MIDC Industrial Area, Road No. 9, Behind Tunga Paradise Hotel, Andheri (E), Mumbai – 400093, Maharashtra, India

Website
beautygarage.com/pages/privacy-policy

— End of Privacy Policy —

Legal Department, Beauty Garage Limited 22 June 2026