Dropkyd Studios Pvt Ltd is the data fiduciary for personal data collected through dropkyd.com. This policy explains what we collect, why, who sees it, and what you control. We've written it to be readable — there's a long-form version on request.
We comply with India's Digital Personal Data Protection Act, 2023 (DPDP). For data subjects in the EU/UK, the GDPR sections of our long-form policy also apply.
1. What we collect
- You give us: email or phone (for sign-in), name, shipping address, payment info (handled by Razorpay — we never see card numbers), and any review or message you post.
- We observe: pages visited, the drop you bought from, the source of the click (Instagram link, etc.), hashed IP, user agent.
- From partners: Razorpay (payment status), Delhivery (shipment status), Brevo (email delivery receipts).
2. What we share with creators
Creators see limited buyer data on their dashboard: first name, last initial, city, and source post. They do not see email addresses, phone numbers, or full names. Dropkyd holds the buyer relationship.
3. Why we use it
- Sign-in (one-time codes; no passwords).
- Process orders, manufacture, ship, refund.
- Talk to you about your orders (receipts, shipping updates).
- Improve the product — what's selling, what isn't.
- Fraud detection.
- Marketing — only if you opted in. Opt-out is one click in any email.
4. Who we share with
- Razorpay — payments and refunds.
- Brevo — transactional email + SMS delivery.
- Delhivery / Shiprocket — shipping label and tracking.
- Production partners in Tirupur, Bengaluru, Delhi — name and shipping address, nothing else.
- Vercel — our hosting provider.
- Neon — our database provider (data resides in Mumbai region).
We don't sell personal data, ever. We don't share it with advertisers, brokers, or model trainers. If a partner above changes, we'll update this list.
5. How long we keep it
- Order & invoice data — 8 years (CGST Act § 36 retention requirement).
- Sign-in OTPs — 24 hours after consumption, then deleted.
- Session tokens — 30 days, then expire automatically.
- Marketing preferences — until you change them.
6. Your rights
- Access — request a copy of everything we have on you.
- Correct — fix anything wrong.
- Erase — delete your account. We anonymise rather than hard-delete order records (we need them for tax) but everything that can be erased, will be.
- Export — JSON dump on request.
- Object — to any specific processing.
Email privacy@dropkyd.com with the subject "DPDP request". We respond within 7 days.
7. Security
- TLS everywhere.
- PAN, bank details, and IFSC are encrypted at rest (AES-256).
- Bank account numbers are masked in every UI — even our own admin.
- Session tokens are signed (HS256, 32-byte secret rotated annually).
- Razorpay handles the card vault; we never receive card numbers (PANs).
8. Cookies
We use strictly-necessary cookies for sign-in (dropkyd_sess) and cart state (dropkyd_cart). No third-party tracking, no advertising cookies. If you block them, parts of the site won't work.
9. Children
Dropkyd isn't intended for users under 18. If we discover an account belongs to a minor, we'll close it and delete the data.
10. Grievance officer
Under the DPDP Act, 2023, Sameer Kapoor is our Grievance Officer. grievance@dropkyd.com · Dropkyd Studios Pvt Ltd, Bengaluru. Responses within 30 days.
Bengaluru, Karnataka 560066
India