Privacy Policy
Last updated: 19 May 2026
Your privacy matters to us. This policy is written in plain language so you can clearly understand how we handle your data. If you have any questions, contact us anytime.
1. Introduction
Paperbag ("we", "us", "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect, why we collect it, how it is used, and your rights over your data.
This policy applies to all users of our website (paperbag.in) and related services. By using Paperbag, you consent to the practices described in this policy.
2. Information We Collect
We collect the following categories of personal data:
Account Information
• Name, email address, and password (stored as a bcrypt hash — never in plain text)
• Mobile number (optional, used for order updates)
• Google profile information if you sign in via Google OAuth (name, email, profile picture)
Order Information
• Shipping address, city, PIN code
• Order history and product preferences
• Payment reference IDs (we do not store card or bank details — payments are handled by Razorpay)
Usage Data
• Browser type, IP address, device type
• Pages visited, time spent on site, referral source
• Cookies and session tokens (see Section 7)
Communications
• Messages sent via the Contact form
• Product reviews and testimonials you submit
3. How We Use Your Information
We use the data we collect to:
• Process and fulfil your orders
• Send order confirmation, shipping updates, and invoices via email
• Provide account access and authentication (including OTP verification)
• Personalise your shopping experience and wishlist
• Process subscription billing and manage plan benefits
• Respond to support queries and contact form submissions
• Send promotional emails (only with your explicit consent — you can unsubscribe anytime)
• Improve our website performance and user experience
• Comply with legal obligations and prevent fraudulent activity
5. Data Security
We implement industry-standard security measures to protect your data:
• Passwords are hashed using bcrypt (salt rounds: 12) and never stored in plain text
• OTP codes are hashed before storage and expire automatically after 10 minutes via MongoDB TTL indexes
• Authentication uses signed JWT tokens with expiry
• All data in transit is encrypted using HTTPS/TLS
• Rate limiting is applied to sensitive endpoints (OTP, login) to prevent brute-force attacks
• Failed OTP attempts are tracked and accounts are locked after 5 consecutive failures
While we take every precaution, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide services.
Specific retention periods:
• Account data: Retained until you request deletion
• OTP records: Automatically deleted after 10 minutes (MongoDB TTL)
• Order history: Retained for 7 years for tax and legal compliance
• Contact form messages: Retained for 2 years
• Analytics/usage logs: Retained for 12 months
You may request deletion of your account and associated data at any time by contacting us at privacy@paperbag.in.
8. Your Rights
Under applicable data protection laws (including India's Digital Personal Data Protection Act, 2023), you have the right to:
• Access — Request a copy of the personal data we hold about you
• Rectification — Correct inaccurate or incomplete data via your profile settings
• Erasure — Request deletion of your account and personal data
• Restriction — Request that we limit processing of your data in certain circumstances
• Data Portability — Request your data in a structured, machine-readable format
• Withdraw Consent — Opt out of marketing emails at any time via the unsubscribe link
To exercise any of these rights, contact us at privacy@paperbag.in. We will respond within 30 days.
9. Children's Privacy
Paperbag is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with their personal data, please contact us immediately and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. When we make material changes, we will notify you via email or a prominent notice on our website at least 14 days before the changes take effect.
Your continued use of Paperbag after the effective date constitutes acceptance of the updated policy.
11. Contact Us
For privacy-related queries, data access requests, or concerns:
Email: privacy@paperbag.in
Phone: +91-8291569470
Address: Borivali West, Mumbai 400092, Maharashtra, India
We aim to respond to all privacy enquiries within 5 business days.