This Privacy Policy explains how Lakhdata Riyan ("we", "us", "our") collects, uses, shares, and protects the personal data you give us when you visit lakhdatariyan.com, place an order, or contact us in any way.
This policy is governed by India's Digital Personal Data Protection Act 2023 (DPDP Act), the Information Technology Act 2000, and applicable consumer protection laws. If anything here is unclear, write to us. We will explain in plain language.
Who we are
Lakhdata Riyan is an Indian online jewelry house operating at lakhdatariyan.com. We are a registered business in India, certified by IGI and SGL for our diamond pieces, and we hallmark our metal pieces through BIS-licensed centres.
For the purposes of the DPDP Act 2023, Lakhdata Riyan is the "Data Fiduciary" - the organisation that decides what data is collected and how it is used. You, the customer or website visitor, are the "Data Principal" whose data we hold and protect.
Registered office: Surat, Gujarat, India
Email for privacy matters: privacy@lakhdatariyan.com
Data we collect
We collect only what is genuinely needed to serve you. Here is the complete list - nothing hidden.
| Category | What it includes |
|---|---|
| Identity & contact | Name, email, mobile, billing/shipping address, gender (optional) |
| Account data | Password (encrypted), login history, saved addresses, wishlist, cart contents |
| Order data | Items purchased, prices, dates, invoice numbers, IGI/SGL cert numbers |
| Payment metadata | Transaction ID, method (UPI/card type/net banking), success status. We never store your card numbers, CVV or UPI PIN. |
| Communication | Emails, WhatsApp messages, support tickets, call recordings (if any) |
| Technical data | IP address, browser, device type, OS, pages visited, session duration |
| Marketing preferences | Newsletter subscription, WhatsApp opt-in, referral code usage |
What we do not collect
- We do not collect Aadhaar, PAN, or any government ID unless legally mandated for high-value transactions
- We do not collect bank account numbers or credit card details - those go directly to Razorpay
- We do not collect biometric data, racial or religious information, or sexual orientation
- We do not track you across other websites using third-party cookies for advertising
How we use your data
Every piece of data we collect has a specific, defined purpose. We do not collect data "just in case."
- To process your order: deliver the right piece to the right address, send hallmark and certificate details, generate invoices
- To support you: answer questions, process returns, honour the lifetime buy-back guarantee, send shipping updates
- To improve the site: understand which products are popular, fix bugs, optimise page speed
- To send updates you opted into: newsletter, new launches, referral program updates - only if you said yes
- To prevent fraud: verify suspicious orders, comply with anti-money-laundering requirements for high-value jewelry
- To meet legal duties: tax compliance (GST), HUID traceability, regulatory audits
Legal basis & consent
Under the DPDP Act 2023, we process your personal data only when we have a valid legal basis. For us, that means one of four things:
- Your consent: for marketing emails, WhatsApp messages, optional account features. You can withdraw consent any time.
- Performance of contract: to fulfil orders you placed, process payments, deliver to your address - this needs no separate consent
- Legal obligation: to meet tax, GST, and regulatory record-keeping requirements
- Legitimate interest: for fraud prevention, security, and basic site analytics in a non-intrusive way
You can withdraw consent at any time by emailing privacy@lakhdatariyan.com or by adjusting preferences in your account settings. Withdrawing consent will not affect orders already placed, but may stop future marketing communications.
When we share your data
We do not sell your data. Ever. Period. The only entities we share data with are service providers we need to operate:
| Who | What & why |
|---|---|
| Razorpay (payments) | Your card/UPI details go directly from your browser to Razorpay's PCI-DSS certified servers. We see only the transaction status. |
| Shipping partners | Your name, phone, and delivery address shared with insured couriers (BlueDart, Delhivery, India Post, FedEx). They use it only to deliver. |
| IGI & SGL labs | Anonymised diamond/jewelry data sent for certification. Your personal data is never shared. |
| Email service | Your email address and name shared with our transactional email provider to send order confirmations and shipping updates. |
| Hosting (Rebootns) | Our hosting provider stores the database. They are bound by data protection contracts and do not access your data. |
| Legal authorities | Only when legally compelled by a valid court order, tax notice, or law enforcement request - and only the specific data requested. |
All third parties listed above are contractually required to use your data only for the stated purpose, keep it confidential, and delete it after the job is done.
Cookies & tracking
We use a small number of cookies - all functional, none for cross-site advertising:
- Session cookie: keeps you logged in and keeps items in your cart - deleted when you close the browser
- Preference cookie: remembers your wishlist if you are not logged in - kept for 30 days
- Analytics cookie: anonymised page visit data to improve the site (we use Google Analytics with IP anonymisation)
- Security cookie: CSRF protection token, prevents fraudulent form submissions
You can disable cookies in your browser settings. The site will still work, but your cart and wishlist will reset on each visit. We do not use cookies for third-party advertising or behavioural retargeting.
Payments & Razorpay
All payments on lakhdatariyan.com are processed by Razorpay, India's PCI-DSS Level 1 certified payment gateway. This is the same standard banks use.
What this means for you:
When you enter your card number, UPI ID, or net banking details, that data goes directly from your browser to Razorpay's encrypted servers. Our website never sees, stores, or has access to your full payment information.
We receive only: transaction ID, payment method type (e.g. "UPI" or "Visa"), success/failure status, and the amount paid.
Razorpay has its own privacy policy governing how it handles your payment data. You can read it at razorpay.com/privacy.
How we protect your data
We treat your data with the same care we treat a piece of jewelry waiting to be packed.
- HTTPS everywhere: the entire site uses TLS 1.3 encryption. Look for the padlock in your browser bar.
- Encrypted database: all sensitive data is encrypted at rest. Passwords are hashed with industry-standard bcrypt.
- Access control: only authorised employees have access to customer data, on a need-to-know basis. Every access is logged.
- Regular security audits: we run vulnerability scans monthly and patch within 48 hours of any critical issue.
- Backup & recovery: automated daily backups, encrypted and stored in a separate location.
- Breach notification: in the unlikely event of a data breach, we will notify affected customers and the Data Protection Board within 72 hours, as required by the DPDP Act.
How long we keep data
We keep your data only as long as we have a legitimate reason to. Here is exactly how long:
| Data type | Retention period |
|---|---|
| Order & invoice records | 8 years (legal requirement under GST law) |
| Customer account data | Until you delete the account, then 90 days |
| Marketing consent records | 3 years from last interaction, then deleted |
| Support emails & chats | 2 years from resolution |
| Analytics data (anonymised) | 26 months |
| Server logs & security data | 90 days, then deleted |
Your rights under the DPDP Act
India's Digital Personal Data Protection Act 2023 gives you specific rights over your data. We honour all of them.
- Right to access: request a complete copy of all data we hold about you
- Right to correction: ask us to correct any data that is wrong or outdated
- Right to deletion ("Right to be Forgotten"): ask us to delete your data, subject to legal retention requirements
- Right to withdraw consent: stop us from using your data for purposes that need consent (like marketing)
- Right to grievance redressal: escalate complaints to the Data Protection Board of India if we fail to address them
- Right to nominate: nominate a person to exercise these rights on your behalf in case of death or incapacity
How to exercise these rights:
Email privacy@lakhdatariyan.com with your request. We will respond within 7 business days and complete the action within 30 days, as required by law.
Children's data
Lakhdata Riyan is intended for adult buyers. We do not knowingly collect personal data from anyone under 18 years of age.
If you are under 18, please do not create an account or place an order without parental consent. If we discover that we have collected data from a minor without proper consent, we will delete it immediately.
Parents and guardians who believe their child has provided data to us can contact privacy@lakhdatariyan.com for immediate deletion.
Policy updates
We may update this Privacy Policy from time to time - to reflect changes in law, our practices, or our services. When we do:
- We will update the "Last updated" date at the top of this page
- For material changes (anything that affects your rights), we will notify you by email at least 30 days before the change takes effect
- For minor changes (typos, clarifications), we will just update the page
- We keep a public changelog of all past versions - email us if you would like to see it
By continuing to use the site after we publish updates, you accept the revised policy. If you disagree, you can delete your account at any time.
Contact & grievance
Under the DPDP Act 2023 and IT Rules 2011, we have appointed a Grievance Officer who handles all data protection complaints and questions.
If you have any question about this policy, want to exercise your rights, or believe we have mishandled your data:
- First step: email us at privacy@lakhdatariyan.com - we respond within 7 business days
- Escalation: if our response is unsatisfactory, you can escalate to the Data Protection Board of India at meity.gov.in
We commit to addressing every privacy complaint with the same care we take with the jewelry we sell. Your trust is the foundation of this brand.