Privacy Policy

Last updated: 25 June 2026. This Privacy Policy describes how Florish collects, uses and protects your personal information when you visit florish.dcrayons.app or purchase from us. By using the Site or placing an order you consent to the practices below.

1. Information we collect

We collect only what we need to run the Site, deliver your orders and improve your experience.

• Account details: name, email, phone number, password (always stored hashed).
• Order & shipping data: billing & delivery addresses, items purchased, GST details if you provide them.
• Payment information: handled entirely by our payment gateway partners (Razorpay, PhonePe, etc.). We do not store full card numbers or UPI PINs on our servers.
• Communications: emails, WhatsApp / SMS messages, reviews and customer-support tickets you send us.
• Device & usage: IP address, browser type, pages viewed, referring URL and approximate location — via cookies and standard server logs.

2. How we use your information

• To fulfil orders — process payment, prepare packaging, ship through courier partners and notify you of delivery status.
• To run your account and let you view past orders, reviews and addresses.
• To respond to your enquiries by email, phone, WhatsApp or chat.
• To send transactional messages (order confirmations, dispatch updates, delivery alerts).
• With your consent, to send marketing emails or SMS about new launches, offers and beauty tips. You can opt out anytime.
• To prevent fraud, abuse and unauthorised access — including IP-level rate limiting and order pattern analysis.
• To improve the Site — understand which products, pages and categories you engage with through anonymised analytics.
• To comply with Indian tax, accounting and consumer-protection regulations.

3. How we share your information

We never sell your personal data. We share specific information only with the partners below and only for the purpose stated.

• Payment gateways — Razorpay, PhonePe, Cashfree (to process your payment).
• Courier partners — Delhivery, Blue Dart, Ekart, India Post (to deliver your order — we share only name, address and phone).
• Analytics & advertising — Google Analytics, Meta Pixel (anonymised behavioural data, no order details).
• Email / SMS providers — for transactional and marketing communication.
• Authorities — if compelled by law, court order or to prevent ongoing fraud or harm.

4. Cookies and tracking

We use cookies to keep you signed in, remember your cart, measure traffic and personalise content. Essential cookies are required for the Site to work; analytics and marketing cookies are optional and you can refuse them through your browser settings. See our Cookie Policy for the full list.

5. Data retention

We keep your information only as long as needed:

• Order, invoice and accounting data — retained for at least 8 years under the Income-Tax Act and GST Act.
• Account profile — kept until you ask us to delete it (or for two years of inactivity, whichever comes first).
• Marketing consent — until you withdraw it.
• Server logs — rotated after 90 days.

6. Your rights

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or outdated information from your account dashboard.
• Request deletion of your account and personal data (subject to retention obligations above).
• Withdraw consent to marketing communication at any time (unsubscribe link in every email, STOP keyword in SMS).
• Export your data in a machine-readable format.
• Lodge a complaint with the Data Protection Authority once it is constituted under the Digital Personal Data Protection Act 2023.

To exercise any of these rights, write to us through the Contact page. We respond within 7 working days.

7. Security

We protect your data through industry-standard measures: TLS 1.2+ on every page, bcrypt password hashing, encrypted backups, role-based admin access, and regular security audits. No system is 100% secure — if you suspect unauthorised access to your account, please reset your password immediately and notify us.

8. Children

The Site is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us information, contact us and we will delete it promptly.

9. Third-party links

The Site may contain links to external sites (Instagram, YouTube, news articles). We are not responsible for the privacy practices of those sites — please read their policies.

10. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated by email if you have an account with us.

11. Contact

Questions, requests or concerns about your privacy? Reach the Florish team through the Contact page or use the email address listed there. We aim to respond within one business day.