Privacy Policy

This Privacy Policy explains how Valley Fragrances ("we", "us", "our") collects, uses, stores, shares, and protects information about you when you visit valleyfragrances.com (the "Site") or place an order with us. We are committed to handling your data responsibly and in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the rules made under it.

By using the Site or placing an order, you confirm that you have read, understood, and agreed to this Policy. If you do not agree with any part of it, please do not use the Site.

1. Who We Are (Data Fiduciary)

Valley Fragrances is the Data Fiduciary for any personal data you share with us. Our registered place of business is:

Valley Fragrances
Peer Bagh, Hyderpora
Srinagar, 190014
Jammu and Kashmir, India
Email: hello@valleyfragrances.com
Phone: +91 91499 98180

2. Information We Collect

We collect only the data we need to operate the Site, fulfil orders, and meet our legal obligations.

a) Information you give us directly (when you place an order, contact us, sign up for marketing, or use chat):

• Full name
• Shipping and billing address
• Phone number
• Email address
• Order details (products purchased, quantities, price, applied coupons)
• Communications you send us (chat messages, emails, return requests, unboxing videos submitted as part of an authenticity claim)

b) Payment information (handled directly by our payment partner — see Section 4):

• UPI ID, card number, card expiry, CVV, net-banking credentials, or wallet identifiers — entered on Cashfree Payments' checkout interface, not on our servers.
• Cashfree returns to us only a transaction reference, payment method label (e.g., "UPI", "Visa Credit Card"), the last 4 digits of a card, status (success / failed), and amount.

c) Information collected automatically when you visit the Site:

• IP address and approximate location (city / region) inferred from it
• Device type, browser, operating system, screen size
• Pages visited, time spent, referring URL, search terms used on the Site
• Cookies and similar technologies (see Section 7)

We do not knowingly collect data from anyone under 18. The Site is not directed at children. If you believe a minor has provided us data, please contact us and we will delete it.

3. How We Use Your Information (Purpose)

We process your data only for these specific purposes:

• Order fulfilment: processing your order, verifying payment, packing and shipping the product, sending you tracking links and delivery updates.
• Customer support: answering your questions, handling authenticity / damage claims, processing refunds.
• Fraud prevention & security: detecting unusual activity, blocking fraudulent orders, protecting against chargebacks and abuse.
• Legal & tax compliance: issuing invoices, maintaining records under the GST and Income Tax laws, responding to lawful requests from authorities.
• Service improvement: aggregated analytics to understand which products and pages perform well, fix bugs, and improve the Site.
• Marketing (optional, with consent): sending you order-related communications you've opted into, like restock alerts or seasonal offers. You can unsubscribe at any time.

We will not use your data for any new purpose without informing you and, where required, obtaining your consent.

4. Payment Information & Cashfree Payments

All online payments on the Site are processed by Cashfree Payments India Private Limited ("Cashfree"), a payment aggregator authorised by the Reserve Bank of India and certified to PCI DSS Level 1 — the highest standard for handling card data.

• When you pay, Cashfree's secure checkout opens within our Site (or, on some devices, redirects briefly to Cashfree's domain). Your full card number, CVV, UPI PIN, and net-banking password are entered on Cashfree's systems and are never seen, transmitted, or stored by Valley Fragrances.
• Cashfree's own privacy policy governs how Cashfree handles your data. You can read it at cashfree.com/privacy-policy.
• We receive only a sanitised payment confirmation (transaction ID, amount, method, last 4 digits of card if applicable, status) so we can match the payment to your order.
• If you choose Cash on Delivery, no card or bank data is collected — only your address and phone number for delivery.

5. When We Share Your Information

We do not sell, rent, or trade your personal data. We share it only with the third parties below, and only to the extent necessary for them to perform their function for us:

Each of these processors is bound, either by contract or by their own published terms, to use your data only for the agreed purpose and to keep it secure.

6. Cross-Border Data Transfer

Some of our service providers (e.g., Cloudflare, Google Analytics, Tawk.to, Trustpilot) operate servers outside India. When data is transferred outside India, it is done in compliance with the DPDP Act and the IT Rules, and only to jurisdictions where reasonable security safeguards apply. The Government of India may, at its discretion, restrict transfer to certain countries — we will adjust our processors accordingly if such a restriction applies.

7. Cookies & Similar Technologies

We use cookies and similar technologies to make the Site work and to understand how it is used:

• Strictly necessary cookies — for cart contents, checkout state, fraud protection. The Site will not function correctly without these.
• Analytics cookies — Google Analytics 4 uses cookies to count visits and understand which pages are popular, in an aggregated, pseudonymised way.
• Third-party cookies — set by Cashfree Payments (during checkout), Tawk.to (during a chat session), and Trustpilot (on the order-confirmation page) to operate their respective services.

You can disable cookies in your browser, but parts of the Site (especially checkout) may stop working.

8. Data Retention

We keep personal data only for as long as we have a clear reason to keep it:

• Order & invoice records — retained for at least 8 years, as required by Indian tax and accounting law (GST & Income Tax).
• Payment confirmations — retained alongside the corresponding order record.
• Customer support communications — retained for up to 3 years from the last interaction, for dispute resolution and recurring queries.
• Marketing preferences — retained until you unsubscribe, after which we keep only a minimal record (your email on a suppression list) so we don't accidentally email you again.
• Analytics data — retained in pseudonymised form per Google Analytics' default 14-month window.

After the relevant retention period, we delete or anonymise the data unless we are legally required to keep it longer.

9. Data Security

We follow reasonable, industry-standard security practices:

• All traffic to the Site is encrypted in transit using HTTPS (TLS 1.2 or higher) with HSTS preloading.
• Access to our admin systems and order database is restricted, role-based, and logged.
• Payment data is handled exclusively by PCI-DSS Level 1 certified Cashfree Payments; we hold no card data on our systems.
• We use Cloudflare for DDoS mitigation and a strict Content Security Policy to limit cross-site script risks.
• Passwords (where applicable) are hashed with industry-standard algorithms; we never store them in plain text.

No system is 100% secure. If a data breach occurs that affects you, we will notify you and the Data Protection Board of India in line with the DPDP Act.

10. Your Rights (Data Principal)

Under the DPDP Act, you have the following rights with respect to data we hold about you:

• Right to access: ask for a summary of the personal data we hold about you and how it is being processed.
• Right to correction: ask us to correct inaccurate or incomplete data.
• Right to erasure: ask us to delete data we no longer need (subject to our legal retention obligations under tax law).
• Right to withdraw consent: withdraw any consent you previously gave us (e.g., for marketing). Withdrawal will not affect processing carried out before the withdrawal.
• Right to grievance redressal: contact our Grievance Officer (Section 11) if you are unsatisfied with how we handle your data.
• Right to nominate: nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.

To exercise any of these rights, email us at hello@valleyfragrances.com with the subject line "DPDP Request". We will respond within 30 days. We may need to verify your identity (e.g., confirm details of a recent order) before acting on your request.

11. Grievance Officer

In line with the Information Technology Act, 2000 and the DPDP Act, we have appointed a Grievance Officer to address your data and privacy concerns:

Grievance Officer — Valley Fragrances
Email: hello@valleyfragrances.com
Phone: +91 91499 98180
Postal address: Peer Bagh, Hyderpora, Srinagar, 190014, Jammu and Kashmir, India
Hours: Monday–Saturday, 10:00 AM – 7:00 PM IST

We will acknowledge your complaint within 48 hours and resolve it within 30 days of receipt. If you are not satisfied with the outcome, you may escalate the matter to the Data Protection Board of India.

12. Third-Party Links

The Site may contain links to third-party websites (e.g., Instagram, brand websites, Trustpilot). We are not responsible for the privacy practices or content of those sites. Please review their privacy policies before sharing data with them.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, our practices, or our service providers. The "Last Updated" date at the top of this page will always show the most recent revision. If the changes are material, we will notify you by email (where we have your address) or by a prominent notice on the Site before the change takes effect.

14. Contact Us

For any privacy-related question, request, or complaint, please contact us at hello@valleyfragrances.com. For everything else — orders, returns, product questions — the same email address works, and we typically reply within a few hours on business days.