Free shipping on orders above ₹2,000

KARANÉ
Home
Account

Your Data, Your Rights

Privacy Policy

Effective Date: 1 January 2025  |  Last Updated: 11 February 2026

1. Introduction

Karané (“we,” “us,” or “our”) is committed to protecting the privacy of every individual who visits or transacts on karane.in (the “Website”). This Privacy Policy describes the categories of personal data we collect, the purposes for which we process it, the safeguards we employ, and the rights available to you under the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (collectively, “Applicable Law”).

By accessing or using the Website, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and processing of your personal data as described herein. If you do not agree with any part of this policy, please discontinue use of the Website immediately.

2. Data Controller

The data controller responsible for your personal data is Karané, a sole proprietorship operating from Assam, India. For any data-related inquiries, you may contact us at support@karane.in.

3. Information We Collect

3.1 Information You Provide Directly

  • Full name, email address, and mobile phone number (during account creation or guest checkout).
  • Shipping and billing addresses, including city, state, PIN code, and landmark.
  • Order details, including product selections, sizes, colours, quantities, and payment preferences.
  • Product review content, star ratings, and photographs voluntarily submitted.
  • Messages submitted through the Contact Us form or customer-support channels.
  • Newsletter subscription preferences.

3.2 Information Collected Automatically

  • Device identifiers, browser type and version, operating system, and screen resolution.
  • IP address and approximate geographic location derived therefrom.
  • Browsing behaviour on the Website: pages visited, products viewed, search queries, and click patterns for personalised recommendations.
  • Session cookies and authentication tokens necessary to maintain your logged-in state.

3.3 Information from Third-Party Services

  • Google account profile information (name, email, avatar) if you choose to sign in via Google Identity Services.
  • Firebase phone-authentication tokens when you verify your mobile number via SMS OTP.

4. Purpose of Processing

We process your personal data strictly for the following legitimate purposes:

  • Order Fulfilment — to process, ship, and deliver your orders; generate invoices and shipping labels; and handle returns or exchanges.
  • Identity Verification — to verify your email via OTP (Brevo SMTP) and your mobile number via SMS OTP (Firebase) during checkout and account actions.
  • Customer Support — to respond to inquiries, process return/exchange requests, and issue store credits.
  • Personalisation — to recommend products based on your browsing and purchase history, and to display relevant content.
  • Communication — to send transactional emails (order confirmations, shipping updates, invoice attachments) and, with your explicit consent, promotional newsletters.
  • Fraud Prevention & Security — to detect and prevent fraudulent transactions, maintain Website integrity, and comply with legal obligations.
  • Analytics & Improvement — to analyse aggregate usage patterns and improve the Website’s performance, features, and user experience.

5. Payment Data

All online payments are processed exclusively by Razorpay Software Private Limited, a PCI-DSS Level 1 certified payment gateway. We never receive, store, or have access to your credit/debit card numbers, CVV, UPI PIN, or net-banking credentials. Payment data is transmitted directly from your browser to Razorpay over TLS-encrypted channels. For Cash on Delivery orders, no payment information is collected online.

6. Data Sharing & Third-Party Processors

We share your personal data only with trusted third-party service providers, strictly to the extent necessary to operate our business. We do not sell, rent, lease, or trade your personal data to any third party for marketing or advertising purposes.

  • Razorpay — payment processing (PCI-DSS Level 1 compliant).
  • Delhivery — order fulfilment, shipment creation, delivery tracking, and reverse logistics.
  • Brevo (formerly Sendinblue) — transactional and promotional email delivery, newsletter management, and email-OTP dispatch.
  • Firebase (Google) — phone-number verification via SMS OTP.
  • Cloudinary — product and review image hosting, optimisation, and CDN delivery.
  • Google Identity Services — optional Google Sign-In authentication.
  • Vercel Inc. — Website hosting, serverless function execution, and edge-network delivery.
  • Railway — backend database and cache infrastructure hosting.

Each processor is bound by contractual obligations to process data only for specified purposes and to implement appropriate technical and organisational security measures.

7. Cookies, Local Storage & Tracking

We use the following client-side storage mechanisms:

  • karane_session — a secure, HTTP-only session cookie with a 30-day expiry, used to authenticate your session.
  • karane_user_email — a client-readable cookie storing your email address for display purposes only.
  • localStorage — used to persist your cart, wishlist, browsing preferences, and interaction history entirely on your device. This data is not transmitted to our servers.

We do not use third-party advertising cookies or cross-site trackers. You may clear cookies and localStorage at any time through your browser settings, though doing so may require you to log in again and will reset your cart and wishlist.

8. Data Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • TLS/SSL encryption for all data in transit between your browser and our servers.
  • Encrypted database connections to our hosted PostgreSQL instance.
  • Secure HTTP-only session cookies to prevent client-side script access.
  • Server-side HMAC-SHA256 signature verification for all payment callbacks.
  • Access controls limiting backend and database access to authorised personnel only.

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you promptly in the event of any data breach as required by Applicable Law.

9. Data Retention

  • Account Data — retained for as long as your account remains active. You may request deletion at any time.
  • Order Records — retained for eight (8) years from the date of transaction to comply with the Income Tax Act, 1961 and the GST Act, 2017.
  • Store Credits — retained until expiry (6 months from issuance) or until redeemed, whichever is earlier.
  • Newsletter Subscriptions — retained until you unsubscribe via the link provided in each email.
  • Client-Side Data — cart, wishlist, and interaction history are stored on your device and controlled solely by you.

10. Your Rights

Under Applicable Law, you have the following rights with respect to your personal data:

  • Right of Access — request confirmation of whether we process your data and obtain a copy thereof.
  • Right of Correction — request correction or completion of inaccurate or incomplete personal data.
  • Right of Erasure — request deletion of your account and all associated personal data, subject to statutory retention requirements.
  • Right to Withdraw Consent — withdraw consent for data processing at any time, without affecting the lawfulness of processing based on consent prior to withdrawal.
  • Right to Grievance Redressal — lodge a grievance with our Grievance Officer or with the Data Protection Board of India.
  • Right to Opt Out — opt out of promotional communications at any time by clicking “Unsubscribe” in any email or by contacting us directly.

To exercise any of these rights, please write to support@karane.in. We will respond to verifiable requests within thirty (30) days.

11. Children’s Privacy

The Website is not intended for individuals under the age of eighteen (18) years. We do not knowingly collect or solicit personal data from minors. If you believe that a minor has provided us with personal data, please contact us immediately and we will take prompt steps to delete such information.

12. Cross-Border Data Transfers

Certain third-party processors (e.g., Vercel, Firebase, Cloudinary) may process data on servers located outside India. In such cases, data is transferred in compliance with Applicable Law, and we ensure that the receiving entity maintains a standard of data protection substantially equivalent to that provided under Indian law.

13. Amendments

We reserve the right to amend this Privacy Policy at any time. Material changes will be indicated by an updated “Last Updated” date at the top of this page. We encourage you to review this policy periodically. Continued use of the Website following any amendments shall constitute your acceptance of the revised policy.

14. Grievance Officer

In accordance with the Information Technology Act, 2000 and the rules made thereunder, the Grievance Officer for the purposes of this Privacy Policy is:

  • Name: Ranjan Sharma
  • Email: support@karane.in
  • Response Time: Within 30 days of receipt of a grievance in writing.

15. Contact

For questions, concerns, or requests relating to this Privacy Policy or our data-handling practices, please contact us at: