1. Introduction
Welcome to The Decent Aurelle ("we," "our," "us," or the "Platform"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, share, and protect your data when you access or use our e-commerce platform at thedecentaurelle.com (the "Website").
By registering, browsing, or making purchases on our Website, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of our services immediately.
Who We Are: The Decent Aurelle is an online fashion retailer specializing in women's ethnic wear, including kurtis, jewellery, accessories, and essentials. Our registered office is located in Ayodhya, Uttar Pradesh, India.
2. Information We Collect
We collect and process the following categories of personal information:
2.1 Information You Provide to Us
- Account Registration: When you create an account, we collect your name, email address, password (hashed using bcrypt), and phone number.
- Profile Information: You may optionally upload a profile picture (stored securely on Cloudinary) and provide additional details such as your address and pincode.
- Order and Delivery Information: During checkout, we collect your full name, delivery address (including street, city, state, pincode), and a valid 10-digit Indian mobile number for order fulfillment and delivery notifications.
- Payment Details: We collect payment method preferences (Cash on Delivery, UPI, or Razorpay). Note: We do not store your credit/debit card details; payments are processed securely through third-party payment gateways (Razorpay).
- Product Reviews: If you leave a review, we collect your rating (1-5 stars), comment, and associate it with your user account. Reviews are visible publicly with your name.
- Wishlist Data: We store the product IDs of items you add to your wishlist for personalized recommendations and easy access.
- Support Communications: Any messages, emails, or inquiries you send to our customer support team are retained for service improvement and dispute resolution.
2.2 Information Collected Automatically
- Device and Browser Information: Standard web server logs capture device type, operating system, browser type and version for compatibility purposes.
- IP Address and Location: Your IP address is logged temporarily for security purposes (rate limiting and fraud prevention). If you grant location permissions, we use geolocation services (OpenStreetMap Nominatim API) to detect your city, state, and pincode to pre-fill delivery addresses and check pincode serviceability.
- Cookies and Session Data: We use HTTP-only cookies to maintain your login session (JWT tokens with 5-hour expiry). These cookies are essential for authentication and cannot be accessed via JavaScript (XSS protection).
- Shopping Cart Data: Cart contents are stored in your browser's local storage and synchronized with our servers when you place an order.
- Rate Limiting Data: To prevent abuse, we log IP addresses and request counts for authentication attempts (max 20 per 15 minutes), coupon applications (max 30 per 15 minutes), and order placements (max 60 per 15 minutes).
- Error Logs: Server errors and failed requests are logged (without personal data) for debugging and service reliability purposes.
2.3 Third-Party Data
- Payment Gateway Data: Razorpay may collect additional information during payment processing, subject to their privacy policy.
- Cloud Storage Metadata: Images uploaded to Cloudinary (product images, profile pictures) are processed with metadata such as upload time and file dimensions.
3. How We Use Your Information
We use your personal data for the following purposes:
3.1 Order Fulfillment
- Process and confirm your orders
- Calculate delivery charges based on tiered pricing and your pincode
- Validate and apply discount coupons (server-side validation to prevent fraud)
- Manage inventory and stock levels (including size/color variants)
- Generate and send order invoices (PDF format)
- Track order status (Pending → Confirmed → Shipped → Delivered)
- Handle cancellations, returns, and refunds
3.2 Account Management
- Create, maintain, and authenticate your user account
- Enable profile updates (name, phone, address, pincode, profile picture)
- Facilitate password changes and account recovery
- Manage wishlist and shopping cart functionality
- Enforce account status (active/deactivated) for policy violations
3.3 Communication
- Send order confirmations, shipping updates, and delivery notifications
- Provide customer support and respond to inquiries
- Send promotional emails, discount offers, and new arrival alerts (you may opt out at any time)
- Notify you of policy changes or service updates
3.4 Security and Fraud Prevention
- Detect and prevent fraudulent transactions, unauthorized access, and security breaches
- Implement rate limiting on sensitive endpoints (login, coupon application, order placement)
- Monitor for suspicious activity such as excessive failed login attempts or rapid coupon enumeration
- Validate stock availability in real-time to prevent overselling
3.5 Analytics and Improvement
- Generate sales reports, revenue analytics, and dashboard statistics (visible to admin users)
- Identify low-stock items and popular products based on order data
- Optimize website performance and user interface
- Monitor server errors and technical issues for service improvement
3.6 Legal Compliance
- Comply with applicable laws, regulations, and court orders
- Respond to lawful requests from government authorities
- Enforce our Terms of Service and investigate violations
- Resolve disputes, chargebacks, and customer complaints
4. Data Sharing and Third-Party Disclosures
We do not sell, rent, or trade your personal information to third parties for marketing purposes. However, we share data with the following trusted partners:
4.1 Service Providers
- Cloudinary: Cloud-based image hosting for product images, category banners, profile pictures, and PDF invoices. Data is stored on secure servers with encryption at rest.
- MongoDB Atlas: Database hosting service that stores user accounts, orders, products, coupons, and reviews. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Razorpay: Payment gateway for processing online transactions (UPI, credit/debit cards, net banking). Razorpay complies with PCI-DSS standards. We never store card details.
- OpenStreetMap Nominatim API: Used for reverse geocoding (converting GPS coordinates to human-readable addresses). No personally identifiable information is shared beyond latitude/longitude.
4.2 Logistics Partners
- We share your name, delivery address, phone number, and order details with courier/shipping companies to fulfill deliveries. Partners include Delhivery, Blue Dart, India Post, and local courier services.
- Delivery partners are required to maintain confidentiality and use data solely for shipment purposes.
4.3 Legal Authorities
- We may disclose personal information to law enforcement, regulatory bodies, or courts if required by law (e.g., subpoenas, court orders, tax investigations).
- We cooperate with authorities to prevent fraud, illegal activities, or threats to public safety.
4.4 Business Transfers
- In the event of a merger, acquisition, sale of assets, or bankruptcy, your data may be transferred to the acquiring entity. You will be notified via email or website notice.
4.5 Aggregated Data
- We may share anonymized, aggregated analytics (e.g., "70% of users prefer Cash on Delivery") with business partners or investors. Such data cannot be used to identify individuals.
5. Cookies and Tracking Technologies
We use the following types of cookies and tracking mechanisms:
5.1 Essential Cookies
- Authentication Token (token): HTTP-only, secure cookie containing a JWT (JSON Web Token) valid for 5 hours. This cookie is essential for maintaining your logged-in session and cannot be disabled.
- Cookie settings: httpOnly: true (prevents XSS attacks), secure: true (HTTPS only in production), sameSite: 'none' (cross-origin support).
5.2 Local Storage
- Cart Data (dz_cart): Stores your shopping cart items locally (product ID, name, price, quantity, size, color) to persist across sessions even if you close the browser.
- User Data (dz_user): Cached copy of your profile (name, email, role) for instant UI rendering on page load. Cleared upon logout.
- Redirect Path (redirectAfterLogin): Remembers the page you were on before login to redirect you back after authentication.
5.3 Managing Cookies
You can disable cookies in your browser settings (Chrome → Settings → Privacy → Cookies; Firefox → Options → Privacy → Cookies). However, disabling cookies will prevent you from:
- Logging into your account
- Adding items to your cart
- Completing purchases
We do not use third-party advertising cookies or trackers (e.g., Google Analytics, Facebook Pixel) at this time.
6. Data Security Measures
We implement robust security practices to protect your data:
6.1 Encryption
- HTTPS (TLS 1.2+): All data transmitted between your browser and our servers is encrypted using industry-standard SSL/TLS protocols.
- Password Hashing: Passwords are hashed using bcrypt (salt rounds: 10) before storage. We never store plaintext passwords.
- API Response Encryption: Sensitive data in API responses is encrypted using AES-256-CBC encryption with a 32-byte secret key and unique initialization vectors (IV) per request.
6.2 Access Controls
- Role-Based Permissions: Access to admin features (user management, order updates, reports) is restricted to users with "admin" or "subadmin" roles.
- Subadmin Restrictions: Subadmins cannot access sensitive features like user account creation/deletion or store settings modifications.
- Account Deactivation: Admins can deactivate user accounts to prevent access in case of policy violations or suspicious activity.
6.3 Rate Limiting and Abuse Prevention
- Login/Registration: Maximum 20 attempts per 15 minutes per IP address (prevents brute-force attacks)
- Coupon Application: Maximum 30 attempts per 15 minutes per IP address (prevents coupon enumeration)
- Order Placement: Maximum 60 orders per 15 minutes per IP address (prevents order flooding)
6.4 Server Security
- Helmet.js: Security headers (Content-Security-Policy, X-Frame-Options, etc.) prevent common web vulnerabilities.
- CORS Policy: Cross-Origin Resource Sharing is restricted to whitelisted domains (localhost:3000, localhost:3001, thedecentaurelle.com) to prevent unauthorized API access.
- Environment Variables: Sensitive keys (JWT secret, encryption keys, database credentials, Cloudinary API keys) are stored in environment variables, never in source code.
6.5 Limitations
Despite our best efforts, no system is 100% secure. We cannot guarantee absolute protection against unauthorized access, hacking, data breaches, or hardware failures. You are responsible for keeping your password confidential and logging out from shared devices.
7. Data Retention and Deletion
7.1 Retention Periods
- Account Data: Retained as long as your account is active or for 3 years from the last login, whichever is longer.
- Order History: Retained for 7 years from order date for tax, accounting, and legal compliance purposes.
- Payment Records: Transaction IDs and Razorpay order IDs are retained for 7 years as per financial record-keeping laws.
- Product Reviews: Retained indefinitely unless you request deletion or the reviewed product is permanently removed.
- Wishlist Data: Cleared automatically upon account deletion or when you remove all items.
- Server Logs: Error logs and rate limiting records (IP addresses, request timestamps) are retained for 90 days for security monitoring and troubleshooting.
7.2 Account Deletion
You may request permanent deletion of your account by emailing support@thedecentaurelle.com with the subject "Account Deletion Request." Upon verification, we will:
- Delete your profile information (name, email, phone, address)
- Remove your profile picture from Cloudinary
- Clear your wishlist and saved addresses
- Anonymize your product reviews (replace name with "Deleted User")
- Retain order records for legal compliance but mark them as "User Deleted"
Note: Deletion requests are processed within 30 days. Some data may remain in backup systems for up to 90 days.
8. Your Rights and Choices
Under Indian data protection laws and international standards, you have the following rights:
8.1 Right to Access
You can view and download your personal data (profile, order history, wishlist) by logging into your account. For a comprehensive data export, contact us at support@thedecentaurelle.com.
8.2 Right to Correction
Update incorrect or incomplete information directly in your profile settings (Account → Profile → Edit). For changes to email or phone number, verification may be required.
8.3 Right to Deletion
Request account deletion as described in Section 7.2. Note that some data (order records) must be retained for legal compliance.
8.4 Right to Object
Opt out of promotional emails by clicking the "Unsubscribe" link in any marketing email or by updating your communication preferences in account settings.
8.5 Right to Portability
Request a machine-readable copy (JSON/CSV format) of your data by emailing support@thedecentaurelle.com.
8.6 Right to Withdraw Consent
You may withdraw consent for non-essential data processing (e.g., promotional emails, location tracking) at any time. Essential processing (order fulfillment) cannot be withdrawn while using the service.
9. Children's Privacy
The Decent Aurelle is not intended for users under the age of 18. We do not knowingly collect personal information from minors. If you believe a child has provided us with data, contact us immediately at support@thedecentaurelle.com and we will delete it.
Parents/guardians may create accounts on behalf of minors (e.g., for family purchases) but assume full responsibility for such use.
10. Third-Party Links and Services
Our Website may contain links to external websites (e.g., social media, payment gateways, delivery tracking portals). We are not responsible for the privacy practices of these third parties. Please review their privacy policies before providing any information.
Examples of external services:
11. International Data Transfers
Your data is primarily stored on servers located in India (Mumbai region for MongoDB Atlas and Cloudinary Asia Pacific). By using our services, you consent to the transfer and processing of data in these jurisdictions.
If you access our Website from outside India, your data may transit through international networks. We ensure all transfers comply with applicable data protection laws and use encryption during transmission.
12. Updates to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or business operations. Updates will be posted on this page with a revised "Effective Date" at the top.
Material changes (e.g., significant alterations to data sharing practices) will be communicated via:
- Email notification to registered users
- Prominent notice on the homepage/login screen
- In-app notification upon next login
Continued use of the Website after changes constitutes acceptance of the revised policy. If you disagree with updates, you must discontinue use and request account deletion.
Version History: You may request previous versions of this policy by emailing support@thedecentaurelle.com.
13. Data Breach Notification
In the unlikely event of a data breach affecting your personal information, we will:
- Notify affected users via email within 72 hours of discovering the breach
- Provide details about the nature of the breach, data impacted, and remedial actions taken
- Report the incident to relevant authorities as required by law
- Offer guidance on protective measures (e.g., password reset, account monitoring)
14. Grievance Redressal
If you have concerns about how your data is handled, please contact our Grievance Officer:
We will acknowledge your complaint within 48 hours and aim to resolve it within 30 days.
15. Contact Information
For general privacy inquiries, data access requests, or questions about this policy, contact us:
Business Hours: Monday to Saturday, 10:00 AM - 7:00 PM IST (Indian Standard Time)
Summary of Key Points
- ✅ We collect only data necessary for order fulfillment, account management, and service improvement
- ✅ Passwords are hashed (bcrypt), API responses are encrypted (AES-256-CBC), and all traffic uses HTTPS
- ✅ We do not sell your data to advertisers or third parties
- ✅ You can access, correct, or delete your data at any time
- ✅ Rate limiting prevents brute-force attacks and abuse
- ✅ HTTP-only cookies protect against XSS attacks
- ✅ Order records are retained for 7 years for legal compliance
- ✅ You can opt out of promotional emails at any time
This Privacy Policy was last updated on March 5, 2026. By using The Decent Aurelle, you acknowledge that you have read and understood this policy.