Privacy Policy
How BambooPaper.in collects, uses and protects your personal data under the Digital Personal Data Protection Act, 2023 and the IT Act, 2000.
Last updated:
1. Who we are
BambooPaper.in ("we", "us", "our") is operated by Agochar Tech LLP, a Limited Liability Partnership registered in India with its principal place of business in Rajkot, Gujarat. We are the Data Fiduciary for personal data collected on this website, as defined in §2(i) of the Digital Personal Data Protection Act, 2023 ("DPDP Act").
This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have as a Data Principal under the DPDP Act, the Information Technology Act, 2000 (and Rules thereunder), and the Consumer Protection Act, 2019.
2. Personal data we collect
2.1 Data you provide directly
- Name, email, mobile number, billing address, shipping address (collected at checkout, account signup, or wholesale inquiry).
- Company name and GSTIN (for B2B wholesale orders that need input tax credit).
- Account credentials (email + hashed password) if you create an account.
- Messages you send via the contact form, WhatsApp, or email.
2.2 Data collected automatically
- Device type, browser, operating system, screen resolution.
- Pages viewed, time on page, referral source (Google Analytics 4, with IP anonymisation enabled).
- Aggregated session recordings and heatmaps (Microsoft Clarity). Keystrokes inside password fields are masked at source.
- IP address and approximate location, used for fraud prevention and to display correct shipping rates.
2.3 Payment data
We never store your card number, CVV, UPI PIN or net-banking credentials. Payments are processed by Razorpay Software Private Limited, a PCI-DSS Level 1 compliant Payment Aggregator licensed by the Reserve Bank of India. We receive only the transaction ID, transaction amount, payment status, and the last 4 digits of the card / UPI VPA mask for invoice matching.
3. Purposes for which we use your data
Each item below is a specified, lawful purpose as required by DPDP § 5. We will not use your data for any other purpose without obtaining fresh consent.
- Order fulfilment — process payments, generate invoices, hand the package to Shiprocket, send tracking updates.
- Statutory invoicing — issue GST-compliant tax invoices, as required by §31 of the Central Goods and Services Tax Act, 2017.
- Customer support — respond to inquiries, handle returns and refunds.
- Account management — let you log in, view past orders, manage subscriptions.
- Marketing communications — newsletter and promotional emails, sent only after explicit opt-in (DPDP § 6: free, specific and informed consent). Every email includes a one-tap unsubscribe link.
- Transactional SMS / WhatsApp — order confirmation, dispatch alerts, delivery and refund notifications, sent under DLT registration as per TRAI's TCCCPR-2018 framework.
- Fraud prevention & legal compliance — detect suspicious orders, comply with court / law-enforcement requests (DPDP §17).
- Service improvement — analyse aggregate, de-identified usage patterns to improve the site.
4. Cookies and similar technologies
See our full Cookie Policy for the complete cookie inventory, the consent model, and your opt-out controls. In brief: strictly-necessary cookies (cart, login, CSRF) are always on; analytics and marketing cookies load only after you accept on the cookie banner.
5. Who we share your data with
We share only the minimum data required, only with the following Data Processors, and only for the purposes listed in §3:
- Razorpay — payment processing, subscription mandate management, fraud screening.
- Shiprocket — courier label generation, AWB allocation, RTO/forward tracking.
- ZeptoMail (a Zoho Corporation product) — transactional email delivery (order confirmation, dispatch, OTP, refund notifications).
- Zoho Campaigns — marketing email distribution, used only if you opt into the newsletter.
- Hosting infrastructure — our application and database run on a privately-managed VPS hosted in an Indian data centre. Cloudflare, Inc. sits in front as CDN and Web Application Firewall (some edge processing in transit).
- Analytics — Google Analytics 4 (Google LLC) and Microsoft Clarity (Microsoft Corporation), loaded only on consent.
- Government authorities — when legally required (CGST/SGST registers, GST returns, income-tax assessment, court orders, valid law-enforcement requests under §91 of the Code of Criminal Procedure or §17 DPDP Act).
We do not sell your data, ever. We do not run third-party advertising on this site.
6. International data transfers
Our primary infrastructure and your order records are stored in India. Some Data Processors (Cloudflare, Google, Microsoft, Zoho) operate edge nodes outside India and may process certain data abroad for the limited purposes described in §5. Such transfers are made in compliance with DPDP §16, which permits cross-border transfer except to countries the Central Government has specifically notified.
7. How long we keep your data
- Order & invoice records: 8 years — mandatory retention under §36 of the CGST Act, 2017 and §44AA of the Income-tax Act, 1961.
- Account profile: until you delete your account, or 3 years of complete inactivity, whichever comes first.
- Subscription records (active & cancelled): 8 years after final cycle, alongside invoice records.
- Marketing contact list: until you unsubscribe.
- Analytics (GA4): 14 months (Google default).
- Session recordings (Clarity): 12 months rolling.
- Customer support tickets: 3 years for service-quality auditing.
8. Your rights as a Data Principal (DPDP Act, 2023)
Under §11–§14 of the DPDP Act you have the following rights, exercisable free of charge:
- Right to access (§11) — request a summary of personal data we hold and the processing activities applied to it.
- Right to correction (§12) — ask us to correct inaccurate or misleading personal data.
- Right to completion / updating (§12) — ask us to complete incomplete personal data.
- Right to erasure (§12) — ask us to delete personal data, subject to the legal retention obligations in §7 above (e.g., tax records must be kept for 8 years).
- Right of grievance redressal (§13) — raise grievances with the Grievance Officer named in §11 below.
- Right to nominate (§14) — nominate another individual to exercise these rights on your behalf in the event of death or incapacity. Email us to file a nomination.
- Right to withdraw consent (§6(4-6)) — withdraw consent for any purpose at any time, with the same ease as it was given. Withdrawal does not affect lawful processing already carried out.
- Right to complain to the Data Protection Board of India — if our response is unsatisfactory, escalate at meity.gov.in (DPDP §27 onwards).
To exercise any of these rights, email hello@bamboopaper.in with the words "DPDP request" in the subject line. We will respond within 30 days, and almost always sooner.
9. How we protect your data
- TLS 1.2+ encryption on all data in transit, end-to-end.
- Passwords stored as salted Argon2 hashes — we cannot read your password.
- Payment credentials handled exclusively by Razorpay; we never see card numbers or CVV.
- Database access restricted by IAM + IP allowlist + audit log.
- Daily encrypted Postgres backups, off-site, with quarterly restore drills.
- Application secrets rotated on a quarterly schedule.
- Reasonable security practices and procedures as defined in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
10. Personal Data Breach notification
Under §8(6) of the DPDP Act, if a personal data breach occurs we will notify the Data Protection Board of India and each affected Data Principal without undue delay, in the manner the Board prescribes.
11. Grievance Officer
In compliance with Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and §10(2)(c) of the DPDP Act, our designated Grievance Officer is:
Customer Grievance Officer — BambooPaper.in
Agochar Tech LLP
Rajkot, Gujarat – 360005, India
Email: hello@bamboopaper.in
Phone: +91 86986 76976 (Mon–Sat, 10:00 – 19:00 IST)
The Grievance Officer will acknowledge any complaint within 48 hours and resolve it within 15 days of receipt, in keeping with Rule 3(2)(a) of the IT Intermediary Rules, 2021.
12. Children's data
The Site is not directed at children under 18. We do not knowingly collect personal data of children, and where we discover such data we delete it promptly. Processing of children's personal data under §9 of the DPDP Act is not part of our operations.
13. Changes to this policy
We update this policy when laws or our practices change. The "Last updated" date at the top of this page reflects the most recent revision. Material changes are emailed to all account holders at least 14 days before they take effect, with a clear summary of what changed.
14. Governing law and jurisdiction
This policy is governed by the laws of India. Disputes arising under it are subject to the exclusive jurisdiction of the courts at Rajkot, Gujarat.