Privacy Policy

Last Updated: March 12, 2026

1. Data Controller

The data controller for personal data collected through PersonaCart (personacart.com) is:

ByteSigma Technologies Private Limited
Registered Office: Pune, Maharashtra, India
Email: [email protected]

For data protection enquiries, including requests from EU residents and complaints under the India Digital Personal Data Protection Act 2023, please contact our Grievance Officer / Data Protection Contact at [email protected].

2. Information We Collect

Account Data

  • Name and email address
  • Password (stored as a bcrypt hash, cost factor 12 — your plaintext password is never stored)
  • Profile information you choose to provide

Transaction Data

  • Purchase history and subscription details
  • Billing address (where required by payment processor)
  • Payment instrument details — card data is handled exclusively by our payment processors (Stripe for international transactions, Razorpay and PayU for India); we do not store raw card numbers

Usage and Technical Data

  • Pages visited, features used, and session duration
  • Device type, operating system, and browser type
  • IP address — immediately anonymized via SHA-256 hash upon receipt; raw IP addresses are never stored
  • Referral source

Communications

  • Support tickets and messages you send us
  • Email correspondence

3. Legal Basis for Processing (GDPR — Art. 6)

Where the EU General Data Protection Regulation (GDPR) applies, we rely on the following legal bases:

  • Account data — performance of a contract with you (Art. 6(1)(b))
  • Transaction and financial data — performance of a contract and compliance with legal obligations, including Indian accounting and tax law (Art. 6(1)(b) and Art. 6(1)(c))
  • Analytics and platform improvement — our legitimate interests in maintaining and improving a secure, functional service (Art. 6(1)(f))
  • Marketing communications — your consent, which you may withdraw at any time (Art. 6(1)(a))

For Indian residents, all processing of digital personal data is on a consent basis as required under the Digital Personal Data Protection Act 2023 (DPDP Act), except where processing is necessary to perform a contract or comply with a legal obligation.

4. How We Use Your Information

  • To create and manage your account
  • To process transactions and deliver services
  • To send transactional emails via AWS SES (receipts, password resets, notifications)
  • To provide customer support
  • To detect, prevent, and investigate fraud and security incidents
  • To analyse platform usage and improve our services
  • To comply with applicable legal obligations
  • To send marketing communications where you have consented

5. Data Retention

  • Account data: retained for the duration of your account plus 3 years after account closure
  • Transaction and financial records: retained for 7 years in accordance with Indian accounting and tax law
  • Log and technical data: retained for 90 days
  • Backup data: purged within 30 days of the underlying data being deleted

6. Information Sharing

We do not sell your personal data. We may share data with:

  • Payment processors: Stripe (United States), Razorpay (India), PayU (India) — each under their own privacy and security standards
  • Infrastructure providers: cloud hosting and AWS SES for email delivery
  • Professional advisors: lawyers and accountants bound by confidentiality obligations
  • Law enforcement or regulators: where required by applicable law or a valid legal order

Creator stores on PersonaCart operate as independent data controllers for their buyers' personal data. PersonaCart is not responsible for the data practices of individual creator stores.

7. Cross-Border Data Transfers

PersonaCart is operated from India. When you use our platform, your data may be transferred to and processed in the United States (for example, by Stripe and our cloud infrastructure providers). Such transfers are carried out under appropriate safeguards, including Standard Contractual Clauses (SCCs) where required under GDPR. By using PersonaCart you acknowledge these transfers.

8. IP Address Anonymization

All IP addresses are anonymized using a SHA-256 cryptographic hash immediately upon receipt at our servers. Raw IP addresses are never written to persistent storage. The hash cannot be reversed to recover the original IP address.

9. Cookies

Essential Cookies (always active)

  • Authentication session cookie: keeps you logged in during your session
  • CSRF token cookie: protects against cross-site request forgery attacks

Functional Cookies

  • Preference cookies: remember your language, theme, and display settings

Analytics Cookies (optional — consent required)

  • Used to understand how visitors use the platform, which features are popular, and where errors occur. These cookies are only set with your explicit consent via our cookie banner.

You can manage or withdraw cookie consent at any time through the cookie settings accessible in the site footer.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: request correction of inaccurate or incomplete data
  • Erasure: request deletion of your personal data (subject to legal retention obligations)
  • Restriction: request that we limit processing of your data in certain circumstances
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests or for direct marketing
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

11. India DPDP Act 2023 — Rights of Data Principals

If you are an Indian resident, the Digital Personal Data Protection Act 2023 applies to our processing of your personal data. In addition to the rights listed above, you have the right to:

  • Nominate: nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity
  • Grievance redressal: raise a complaint with our Grievance Officer at [email protected]
  • Complaint to the Data Protection Board of India: if your grievance is not resolved to your satisfaction, you may file a complaint with the Data Protection Board of India once it is constituted and operational

Grievance Officer: [email protected] — ByteSigma Technologies Private Limited, Pune, Maharashtra, India

12. EU Residents — Supervisory Authority

If you are located in the European Union and believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the data protection supervisory authority in your EU member state of habitual residence, place of work, or where the alleged infringement occurred.

13. Children

PersonaCart is not directed at children. You must be at least 18 years of age to create an account or use our services. We do not knowingly collect personal data from persons under 18. If we become aware that we have collected data from a person under 18, we will delete it promptly.

14. Security

We implement industry-standard technical and organisational measures to protect your data, including bcrypt password hashing (cost factor 12), SHA-256 IP anonymization, full audit logging, and complete tenant data isolation. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice on our platform. The "Last Updated" date at the top of this page reflects the most recent revision.

16. Contact

For any questions or concerns about this Privacy Policy or our data practices, contact us at:
[email protected]
ByteSigma Technologies Private Limited, Pune, Maharashtra, India