1. Who We Are (Data Fiduciary)
Amstaz is operated by Priyabrata Chowdhury, sole proprietor, Durgapur, West Bengal, India. Under the DPDP Act 2023, Amstaz is the Data Fiduciary — the entity responsible for decisions about the purpose and means of processing your personal data.
Privacy contact: priyabrata.amstaz@gmail.com | +91 6294152501
2. What Personal Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Identity | Full name, gender | Account creation and personalisation |
| Contact | Email address, phone number | Order confirmation, communication, support |
| Delivery | Full delivery address, PIN code, state | Shipping your orders accurately |
| Transaction | Products ordered, amounts paid, Order IDs, UPI payment confirmation | Processing and fulfilling orders, accounting |
| Account | Encrypted password, AMS points balance | Secure account management |
| Technical | Cart data stored in browser (localStorage) | Maintaining your shopping cart between sessions |
We do not collect: government ID numbers, biometric data, financial account details, health records, or any sensitive personal data as defined under the DPDP Act 2023.
3. Legal Basis for Processing
We process your personal data on the following lawful bases under the DPDP Act 2023:
- Consent — you explicitly agree at account creation by checking the Terms & Conditions box
- Contractual necessity — processing required to fulfil your orders
- Legitimate interest — fraud prevention, platform security, service improvement
- Legal obligation — GST records, compliance with Consumer Protection Act 2019
4. How We Use Your Data
- Creating and managing your Amstaz account
- Processing, confirming, and fulfilling your orders
- Verifying UPI payments and updating order status
- Sending order confirmations, shipping updates, and important notices via email or WhatsApp
- Managing your AMS rewards points balance
- Sending promotional updates — only with your consent, opt-out available anytime
- Maintaining GST records as required by Indian tax law
- Detecting and preventing fraud
5. Data Sharing
We share your data only in these strictly limited situations:
- Sellers / Brands — your name, phone, and delivery address are shared with the seller or brand you purchase from, solely to ship your order
- Logistics partners — your name, phone, and address are shared with delivery companies to fulfil your order
- Technology partners — Supabase (secure database, Singapore), EmailJS (email notifications). Both are contractually bound to protect your data and are used solely for platform operations
- Legal requirements — if required by a court order, Indian government authority, or applicable law
We never sell, rent, or share your data with advertisers or data brokers. We do not run advertisements on Amstaz.
6. Data Storage & Security
Your personal data is stored on Supabase servers (AWS, Singapore region). Supabase is SOC 2 Type 2 certified.
Security measures we have in place:
- Row-Level Security (RLS) — you can only read your own data
- Passwords are hashed using bcrypt — we never store plain-text passwords
- All data is transmitted over HTTPS/TLS 1.2+
- Access controls limiting who can view your data
No digital system is 100% immune to breaches. If you suspect unauthorized access to your account, contact us immediately at priyabrata.amstaz@gmail.com.
7. Data Retention
- Account data: retained while your account is active, and deleted within 30 days of an account deletion request (except where legally required to retain)
- Order and transaction data: retained for 7 years as required by Indian GST law and accounting standards
- Promotional communications: you may unsubscribe at any time
8. Your Rights Under DPDP Act 2023
As a Data Principal, you have these rights:
- Right to access — request a summary of all personal data we hold about you
- Right to correction — request correction of inaccurate data
- Right to erasure — request deletion of your data (subject to legal retention obligations)
- Right to grievance redressal — raise a complaint with our Grievance Officer (see below)
- Right to nominate — nominate someone to exercise your rights in the event of death or incapacity
- Right to withdraw consent — you may withdraw consent at any time by deleting your account; this may limit your ability to use the platform
To exercise any right, email priyabrata.amstaz@gmail.com. We will respond within 30 days.
9. Cookies & Local Storage
Amstaz uses browser localStorage only to save your shopping cart between visits. We do not use tracking cookies, advertising cookies, or third-party analytics that track you across websites. No cookie consent banner is required as we do not set tracking cookies.
10. Children's Privacy
Amstaz is strictly for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If we discover a minor has registered, we will immediately delete their account and data. To report such a case, email priyabrata.amstaz@gmail.com.
11. Third-Party Links
Our website may link to external sites (brand websites, social media). We are not responsible for their privacy practices. Please review their policies before sharing any data with them.
12. Changes to This Policy
We may update this Privacy Policy as our platform or applicable law changes. We will notify you by email or on-site notice. Continued use of Amstaz after notification means acceptance of the updated policy.
13. Grievance Officer
As required by the Consumer Protection (E-Commerce) Rules 2020 and the DPDP Act 2023:
- Name: Priyabrata Chowdhury
- Role: Owner & Grievance Officer, Amstaz
- Email: priyabrata.amstaz@gmail.com
- Phone: +91 6294152501
- Address: Durgapur, West Bengal, India
- Response time: Within 48 hours of receipt
- Resolution time: Within 30 days of receipt
If unresolved within 30 days, you may approach the Data Protection Board of India (once constituted under DPDP Act 2023) or the National Consumer Helpline at 1800-11-4000.
14. Contact
For any privacy questions: priyabrata.amstaz@gmail.com | +91 6294152501