Privacy Policy

Saffron Food Company | Saffron Masala Chai | saffrontea.in

Effective date: [01/06/2026]

1. About this Policy

Saffron Food Company, a sole proprietorship of Faizahmad Mubarak Mullani with its operating address at [Pune, Maharashtra, India], owns and operates the website saffrontea.in and the WhatsApp Business channel associated with the brand Saffron Masala Chai. For the purposes of the Digital Personal Data Protection Act, 2023 (DPDP Act), Saffron Food Company is the Data Fiduciary in respect of personal data collected through these channels.

This policy describes what personal data we collect, the purposes for which we collect it, how we use it, who we share it with, how long we retain it, and the rights available to you as a Data Principal. It applies to every visitor to the website, every person who messages us on WhatsApp, and every customer who places an order.

2. Personal Data We Collect

We collect only the data we need to take, fulfil, and account for an order. Specifically:

  • Identity and contact data: name, mobile number, delivery address, and email address if you provide one.
  • Transaction data: order details, GST invoice records, and the UPI transaction reference number generated by your bank for each payment. We do not collect or store your UPI ID, bank account number, debit or credit card details, or any payment credentials. All payments are made directly through your chosen UPI application.
  • Communication data: messages, queries, and complaints that you send us on WhatsApp or by email.
  • Website usage data: server logs containing IP address, browser type, device type, pages viewed, time spent, and referral source, collected through standard website analytics.

We do not collect Sensitive Personal Data or Information as defined under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including financial credentials, passwords, biometric information, health data, or information about religious or political beliefs.

3. Purposes for Which We Use Your Data

  • To process, fulfil, and deliver the order you have placed.
  • To issue a tax invoice as required under the Central Goods and Services Tax Act, 2017.
  • To respond to your queries, complaints, and after-sale requests.
  • To maintain records required under tax, food safety, and consumer protection laws.
  • To send you transactional updates about your specific order.
  • To improve the website and the product, using only aggregated, non-identifying information.
  • To send you marketing communication, only where you have provided explicit, opt-in consent.

4. Legal Basis for Processing

Under the DPDP Act, 2023, our processing of your personal data is grounded in the following bases:

  • Performance of contract: to fulfil the order you have placed with us.
  • Compliance with legal obligation: to meet our duties under tax law, the Food Safety and Standards Act, 2006, and the Consumer Protection (E-Commerce) Rules, 2020.
  • Consent: for any marketing communication. You may withdraw this consent at any time without it affecting our ability to fulfil orders you have already placed.

5. Sharing of Personal Data

We share only the minimum necessary personal data, and only with the following categories of recipients:

  • Our courier partner Borzo, for last-mile delivery in Pune. They receive your name, delivery address, and contact number.
  • Our bank and UPI service providers, for processing transactions. They receive only what is required for the payment to settle.
  • Our chartered accountant and tax consultant, for GST and income tax filings.
  • Government authorities or courts, where we are required to disclose data under applicable law, a court order, or a valid government request.

We do not sell, rent, or trade your personal data to any third party for marketing or any other purpose. This is a binding commitment, not a marketing line.

6. Retention

  • Order, invoice, and transaction records: retained for eight years from the end of the relevant financial year, as required under Section 36 of the CGST Act, 2017.
  • WhatsApp messages and customer support records: retained for two years from your last interaction, for service continuity and dispute resolution.
  • Website analytics data: retained for thirteen months.
  • Marketing consent records: retained for as long as you remain subscribed, plus one year after withdrawal, to evidence that the prior communication was consented to.

After the applicable retention period, data is permanently deleted or irreversibly anonymised.

7. Your Rights as a Data Principal

Under Sections 11 to 14 of the DPDP Act, 2023, you have the right to:

    • Obtain a summary of the personal data we hold about you and the processing activities undertaken.
    • Request correction of inaccurate or outdated data, and completion of incomplete data.
    • Request erasure of your data, subject to our legal retention obligations described in Section 6.
    • Withdraw consent at any time for any processing that is based on consent.
    • Nominate another person to exercise these rights on your behalf in the event of your death or incapacity.
    • Raise a grievance with our Grievance Officer (Section 12), and thereafter, if unresolved, with the Data Protection Board of India.

To exercise any of these rights, write to the Grievance Officer at the address in Section 12. We will respond within thirty days.

8. Security

We follow reasonable security practices and procedures consistent with Section 43A of the Information Technology Act, 2000 and Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These include HTTPS encryption on the website, restricted access to order data on a need-to-know basis, secure storage of physical and digital records, and periodic review of access logs.No system is fully secure. In the event of a personal data breach that is likely to result in significant harm to a Data Principal, we will notify you and the Data Protection Board of India within the timelines prescribed under the DPDP Act, 2023.

9. Cookies

The website uses essential cookies necessary for core functionality and analytics cookies that help us understand usage patterns in aggregate. You can disable non-essential cookies through your browser settings. Disabling essential cookies may affect site functionality.

10. Children

The website and our products are not directed at persons below the age of eighteen. We do not knowingly collect personal data from minors. If we become aware that we have done so, we will delete the data promptly.

11. Changes to this Policy

We may update this policy from time to time to reflect changes in law, technology, or business practice. Material changes will be communicated by posting the revised policy on this page with an updated effective date. Continued use of the website or the WhatsApp ordering channel after such an update constitutes acceptance of the revised policy.

12. Grievance Officer

In accordance with Section 10 of the DPDP Act, 2023 and Rule 5(9) of the Information Technology (Reasonable Security Practices) Rules, 2011, we have appointed the following Grievance Officer:

  • Name: Faizahmad Mubarak Mullani
  • Designation: Grievance Officer, Saffron Food Company
  • Email: [teasaffronservices@gmail.com]
  • Postal address: [Pune, Maharashtra, India]
  • Response time: within thirty days of receipt of a complaint.

13. Governing Law and Jurisdiction

This policy is governed by, and shall be construed in accordance with, the laws of India. Any dispute arising out of or in connection with this policy shall be subject to the exclusive jurisdiction of the competent courts at Pune, Maharashtra.

CONSUMER CARE
Contact:
+91 7263032270
E-mail
teasaffronservices@gmail.com