Legal

Privacy Policy

What we collect, why we collect it, where it lives, and what you can do about it. Written plainly so you can decide whether to use the site.

Last updated: June 9, 2026

1

Scope & Applicable Law

This Privacy Policy describes how Maheshwari Plastics (“we”, “us”) collects, uses, stores, discloses, and protects your personal data when you visit maheshwariplastics.in (the “Site”), create an account, place an order, or otherwise interact with us.

It is published in compliance with:

  • The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).
  • The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
  • The Digital Personal Data Protection Act, 2023 (“DPDPA”), as and when its provisions are operationalised.
  • The Consumer Protection (E-Commerce) Rules, 2020.

2

Who We Are

The Data Fiduciary for the purposes of the DPDPA is:

Maheshwari Plastics

GSTIN: 29GOOPM9978F1ZR · PAN: GOOPM9978F

Vignesh Nilaya, Opp Raktheshwari Katte, Urlandy Bypass, Puttur, Karnataka 574201, India

Email: grievance@maheshwariplastics.in

3

What We Collect

We collect the following categories of personal data:

  • Account information — name, email address, and a one-way bcrypt hash of your password (we never store the password itself). If you sign in with Google, we additionally store your Google account identifier.
  • Contact information — phone or WhatsApp number you provide so that the cargo service can call you on goods arrival.
  • Order information — items ordered, pickup town, preferred cargo service, buyer state (for GST place-of-supply), order timestamps, status transitions, and refund history.
  • Payment metadata — Razorpay payment reference (e.g., pay_XXXXXXXXXXXX) and amounts. We do not store card numbers, CVVs, UPI VPAs, or net-banking credentials.
  • Customer correspondence — queries you raise on orders, return requests, photographs you attach, and email exchanges.
  • Reviews and ratings — content you submit publicly against products you have purchased.
  • Usage & device data — IP address, browser user-agent, request paths, and timing, collected automatically by our application logs and rate-limiter for security, abuse-prevention, and analytics.
  • Authentication tokens — short-lived hashed tokens we send to your email for sign-up verification, password reset, and email-change confirmation.

4

Legal Basis for Processing

We process your personal data on the following lawful grounds:

  • Performance of contract — to accept and fulfil your orders, raise tax invoices, dispatch goods, coordinate cargo pickup, process refunds, and provide customer support.
  • Compliance with legal obligation — to retain order and tax records under the CGST Act, 2017 and the Income Tax Act, 1961; to respond to lawful requests from authorities; and to comply with the Consumer Protection (E-Commerce) Rules, 2020.
  • Legitimate interest — to operate, secure, and improve the Site (e.g., abuse detection, rate-limiting, debugging).
  • Consent — where required by law, such as for any future optional features (newsletters, analytics cookies); consent can be withdrawn at any time.

5

How We Use Your Data

  • To create and authenticate your account.
  • To process orders end-to-end: payment confirmation, stock allocation, tax invoice, dispatch, and pickup coordination.
  • To send transactional emails — sign-up verification, password reset, order confirmation, dispatch / pickup-ready, delivery, and refund notifications.
  • To handle returns, refunds, replacements, and any disputes you raise.
  • To investigate suspected fraud, abuse, account take-overs, or any breach of our Terms & Conditions.
  • To produce internal aggregate analytics (no profiling for advertising) — counts of orders, popular SKUs, regional split.
  • To comply with statutory obligations (GST returns, audit, judicial summons, etc.).

6

Sharing With Third Parties

We do not sell, rent, lease, or trade your personal data. Sharing is strictly limited to the third parties below, each engaged for a specific operational purpose:

  • Razorpay Software Private Limited — to accept online payments. Subject to Razorpay's own privacy policy at razorpay.com/privacy.
  • Cargo services (VRL Logistics, Adishakthi) — we hand them your name and phone number when booking a consignment so they can call you on goods arrival. We do not share email or order line-items with them.
  • Resend — our transactional email infrastructure, used to deliver verification, order, refund, and grievance emails to your inbox.
  • Google LLC — only if you choose to sign in via Google OAuth, in which case Google handles your authentication.
  • Cloud infrastructure — our application runs on Amazon Web Services in the Mumbai region (ap-south-1); data at rest is encrypted under AWS-managed keys.
  • Law-enforcement and judicial authorities — only when compelled by lawful written process (subpoena, summons, court order) under Indian law.

7

Data Location

All personal data is stored on infrastructure located in India (AWS Mumbai region, ap-south-1). We do not currently transfer your personal data outside India, except to the extent third-party processors named above (Razorpay, Google, Resend) operate global control planes governed by their own privacy commitments.

8

Data Retention

We retain personal data only as long as we have a legitimate reason to keep it:

  • Account data — for as long as your account is active. On account closure we retain a minimum identifier set linked to orders for the legal periods below.
  • Order records, tax invoices, payment references — up to 8 years after the financial year of the transaction, as required under Section 36 of the CGST Act, 2017 and Section 44AA of the Income Tax Act, 1961.
  • Authentication tokens — single-use tokens expire within minutes to hours; we store only a SHA-256 hash and the use timestamp, never the raw value.
  • Server logs — typically 30 days, longer if investigating an active security incident.
  • Customer correspondence (queries, returns) — for the life of the order plus 3 years for dispute resolution.

9

Cookies & Tracking

We use only essential cookies — specifically the HttpOnly session cookie that keeps you signed in. We do not run advertising trackers, third-party analytics scripts, or behavioural-profiling pixels.

You can clear or block our cookies in your browser settings, but signing in will not work without the session cookie.

10

Your Rights

Under the SPDI Rules and the DPDPA, you have the following rights with respect to your personal data:

  • Right to access — request a summary of personal data we hold about you.
  • Right to correction — request correction of any inaccurate or incomplete data. Most account fields (name, email) can also be edited directly from your Account page.
  • Right to erasure — request deletion of your account and associated personal data, subject to the statutory retention obligations above.
  • Right to grievance redressal — escalate to our Grievance Officer at any time without first contacting Customer Care.
  • Right to withdraw consent — withdraw any consent previously given for non-essential processing. This may limit your ability to use parts of the Site.
  • Right to nominate (DPDPA) — nominate another individual to exercise your rights in the event of death or incapacity. Contact us in writing to record a nominee.

To exercise any of these rights, contact our Grievance Officer at grievance@maheshwariplastics.in with your registered email address and the specific request. We will respond within the timelines in Section 14 below.

11

Security Measures

We implement reasonable security practices as required under Rule 8 of the SPDI Rules:

  • Encryption in transit — all connections are forced over HTTPS (TLS 1.2+).
  • Encryption at rest — the database is encrypted using AWS-managed keys (AES-256).
  • Password hashing — passwords are stored as bcrypt hashes; we never log or transmit plain-text passwords.
  • Session security — sign-in cookies are HttpOnly, SameSite-protected, and bound to a short-lived signed JWT.
  • Authentication tokens — verification and reset tokens are stored as SHA-256 hashes so a database compromise cannot resurrect live links.
  • Rate limiting — sensitive endpoints (sign-in, sign-up, password reset, payment verification) are rate-limited per IP and per account to deter brute force and abuse.
  • Payment isolation — payment instruments are handled entirely by Razorpay; we receive only a reference and an outcome.
  • File upload validation — uploaded media (review photos, return-claim photos) is server-validated for content type and size.
  • Access control — admin actions are gated by role-based authorisation and recorded in an immutable audit log.

No system is absolutely secure. While we implement industry-standard safeguards proportionate to the sensitivity of the data we hold, we cannot guarantee invulnerability and you use the Site at your own risk.

12

Children's Privacy

The Site is intended for users aged 18 years and above. We do not knowingly collect personal data from children. If we learn that we have inadvertently collected personal data from a person under 18, we will delete that data promptly. If you believe a child has provided us their personal data, please contact the Grievance Officer.

13

Breach Notification

In the event of a personal data breach affecting your account, we will notify both the relevant authority (CERT-In under the Information Technology Act and, where applicable, the Data Protection Board under the DPDPA) and the affected users as soon as reasonably practicable — generally within 72 hours of confirming the breach. The notification will describe what was affected, what we are doing to contain it, and what steps you can take to protect yourself.

14

Grievance Officer

As required under Rule 5(9) of the SPDI Rules, 2011 and Rule 3(11) of the Information Technology (Intermediary Guidelines) Rules, 2021, our Grievance Officer is responsible for receiving and addressing privacy and data-related grievances.

Name: Kiran Kumar Murugan

Designation: Grievance Officer, Maheshwari Plastics

Email: grievance@maheshwariplastics.in

Phone: +91 80502 80771 · Mon – Sat, 9 AM – 6 PM IST

Response SLA: Acknowledged within 48 hours; substantive resolution within 30 days as mandated by law

15

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or the third parties we engage. The “Last updated” date at the top of this page will be revised accordingly. For material changes, we will notify registered users by email. Your continued use of the Site after the change takes effect constitutes acceptance.