SOISU Furniture LLP (“SOISU,” “we,” “us”) is the Data Fiduciary for all personal data collected through decor.soisu.com. This Policy explains how we handle your data in compliance with the Digital Personal Data Protection Act 2023 (DPDP Act), the Information Technology Act 2000, and allied rules.
1 · What we collect
- Identity & contact data — name, email address, phone number, and (optionally) a profile photo when you create an account.
- Order & transaction data — shipping address, items ordered, order history, and invoice details.
- Payment metadata — Razorpay transaction ID, payment method type, and last 4 digits of card. We never see or store your full card number, CVV, or UPI PIN — that is handled exclusively by Razorpay (PCI-DSS Level 1).
- Device & usage data — IP address, browser type, pages visited, items added to cart, session duration, and referral source. Collected via Google Analytics 4 and Plausible Analytics.
- Communications data — WhatsApp and email messages you send us, including pre-purchase consultations and support requests.
- Cookies — strictly necessary cookies (cart state, session, locale preference) and analytics cookies. We do not use advertising or tracking cookies from third-party ad networks.
2 · Legal basis for processing
Under the DPDP Act 2023, we process your personal data on the following lawful bases:
- Consent — when you create an account, place an order, or opt in to marketing communications.
- Contractual necessity — to fulfil your order, process payment, and arrange delivery.
- Legal obligation — GST invoicing, tax filings, and compliance with court orders or government requisitions.
- Legitimate interests — fraud prevention, website security, and improving our products and services.
3 · How we use your data
- To process and fulfil your orders and send order-related communications.
- To send transactional messages via WhatsApp and email — order confirmation, QC photo, dispatch notification, delivery update, and (where applicable) return/replacement updates.
- To send editorial communications — Journal articles, festive drop announcements, Studio program invitations — only if you have opted in. You can opt out at any time via the unsubscribe link in our emails or by messaging us on WhatsApp.
- To improve the Website, our products, and our customer experience.
- To detect and prevent fraud, abuse, and illegal activity.
- To comply with our legal obligations under Indian law.
4 · Who we share your data with
We share only the minimum data each partner requires to perform their function. We do not sell, rent, or trade your personal data.
- Razorpay Software Private Limited — payment processing (name, email, phone, transaction amount).
- Blue Dart / DTDC / Delhivery — logistics partners (name, shipping address, phone, order details).
- Sanity.io — content management for editorial content. No customer personal data is stored in Sanity.
- AiSensy / WhatsApp Business API — transactional and (with consent) marketing WhatsApp messages.
- Google Analytics 4 — anonymised aggregate analytics. IP addresses are anonymised before storage.
- Netlify — website hosting and edge delivery (processes request logs, no long-term storage of personal data).
- Law enforcement / government authorities — only when legally required to do so.
5 · Data retention
- Account data — retained while your account is active and for up to 3 years after your last interaction.
- Order and invoice data — retained for 8 years to comply with GST and taxation requirements under Indian law.
- Marketing consent records — retained until you withdraw consent.
- Analytics data — retained in aggregated, anonymised form; no personally identifiable analytics data beyond 26 months.
6 · Your rights under the DPDP Act 2023
As a Data Principal under India's Digital Personal Data Protection Act 2023, you have the following rights:
- Right to access — to obtain a summary of the personal data we hold about you and how we process it.
- Right to correction — to correct inaccurate or incomplete personal data.
- Right to erasure — to request deletion of your personal data, except where we are required to retain it by law.
- Right to withdraw consent — to withdraw consent for any processing based on consent. Withdrawal does not affect the lawfulness of prior processing.
- Right to grievance redressal — to have grievances addressed by our Data Protection Officer within the timelines below.
- Right of nomination — to nominate another person to exercise your rights on your behalf in the event of your death or incapacity.
To exercise any of these rights, write to decor@soisu.com with the subject line “DPDP Request”. We will respond within 30 days.
7 · Children's privacy
SOISU Home Decor is not intended for children under 18. We do not knowingly collect personal data from anyone under 18 years of age. If you believe we have inadvertently collected data from a minor, please contact us immediately at decor@soisu.com and we will delete it promptly.
8 · Security
We implement appropriate technical and organisational measures to protect your personal data:
- TLS 1.3 encryption in transit for all Website traffic (Netlify).
- Payment data handled exclusively by Razorpay (PCI-DSS Level 1).
- Passwords are bcrypt-hashed; we never see your password in plain text.
- Access to personal data is restricted to personnel on a need-to-know basis.
No security system is impenetrable. In the event of a data breach that is likely to result in high risk to your rights and freedoms, we will notify you and the relevant authorities as required by applicable law.
9 · Data localisation
We primarily store and process your data in India. Where data is processed outside India (e.g., via Google Analytics servers), we ensure that appropriate safeguards are in place as required by the DPDP Act 2023 and applicable cross-border transfer rules.
10 · Cookies
We use the following cookies:
- Strictly necessary — cart contents, session identifier, locale preference. These cannot be disabled without affecting core Website functionality.
- Analytics — Google Analytics 4 (anonymised) and Plausible Analytics (privacy-first, no personal data). You can opt out of GA4 via browser settings or a GA opt-out extension.
We do not serve advertising cookies or track you across third-party websites.
11 · Grievance Officer and Data Protection Officer
In accordance with the Information Technology Act 2000 (as amended), the IT (Intermediary Guidelines) Rules 2021, and the DPDP Act 2023, our Grievance Officer and Data Protection Officer is:
Rohan (Partner, SOISU Furniture LLP)
decor@soisu.com
4th Floor, Orbit Plaza, New Prabhadevi Road, Prabhadevi, Mumbai 400025, Maharashtra, India.
Response time: Acknowledgement within 48 hours; resolution within 30 days.
12 · Changes to this Policy
We may update this Policy to reflect changes in our practices or applicable law. We will post the revised Policy on this page with an updated “last revised” date. For material changes, we will notify you by email or via a notice on the Website.
13 · Contact
For any privacy-related question, write to decor@soisu.com or WhatsApp +91 79779 59379 .