This Privacy Policy describes how Nitya Tattva Consumer Foods LLP (“Nitya Tattva”, “we”, “us”, “our”) — operating the website https://nityatattva.in (the “Site”) — processes personal data of users (“you”) in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 (and the SPDI Rules, 2011), and the Consumer Protection (E-Commerce) Rules, 2020.
1. Who we are (Data Fiduciary)
| Data Fiduciary | Nitya Tattva Consumer Foods LLP |
|---|---|
| Registered Office | Pukhraj Residency, Near Mohan Bagh, Alkapuri, Ratlam, 457001, Madhya Pradesh, India |
| GSTIN | __FILL_IN_GSTIN__ |
| FSSAI Licence | __FILL_IN_FSSAI_LICENCE__ |
| Privacy Contact | privacy@nityatattva.in |
2. Personal data we collect
2.1 You give us directly
- Account data: name, email address, phone number, password (stored as a hashed token by our auth provider — we never see your plaintext password).
- Order & delivery data: billing & shipping address, recipient name and phone, GST number if requested for a tax invoice, order history, item preferences.
- Payment data: processed end-to-end by Razorpay. We store only the payment status, the Razorpay payment / order identifiers, the last 4 digits and brand of the card (if displayed back by Razorpay), and the amount. We do not store full card numbers, CVV, UPI PIN, or net-banking credentials.
- Communications: messages you send through the Contact form, customer support emails / WhatsApp, and reviews you post.
2.2 We collect automatically
- Device & usage data: IP address, user-agent, browser type, pages visited, timestamps, referring URL, session cookies.
- Analytics: if you consent via the cookie banner, anonymised analytics via Google Analytics 4 (page views, conversion events). You can opt out at any time from the cookie banner or your browser settings.
3. Purposes & lawful basis
| Purpose | Lawful basis |
|---|---|
| Account creation, login, password recovery | Contract performance |
| Order processing, payment, dispatch, returns | Contract performance |
| Tax invoice issuance under the CGST Act, 2017 | Legal obligation |
| Fraud prevention, abuse detection, security | Legitimate use under DPDP §7 |
| Customer support replies | Contract performance |
| Marketing emails / SMS (only if you opt in) | Consent |
| Analytics & advertising cookies | Consent |
4. How long we keep your data
- Order & tax records: 8 financial years (CGST Act, 2017 §36).
- Account data: until you delete your account; we then retain the minimum required for tax compliance.
- Marketing consent records: until you withdraw consent + 1 year.
- Web analytics (anonymised): 14 months.
5. Who we share data with
We share the minimum necessary personal data with these Data Processors. Each is bound by a written contract that requires equivalent protection.
| Data Processor | Region / notes |
|---|---|
| Supabase (database, auth, file storage) | EU/Singapore region |
| Razorpay (payment processing) | India — PCI-DSS Level 1 |
| Vercel / Netlify (hosting, CDN) | Multi-region |
| Shipping partner (when an order ships) | India — name, phone, address only |
| Google Analytics (anonymised, with consent) | EU/US |
| Meta (Instagram Graph API — no customer data) | For our own social posts only |
We do not sell your personal data. We do not rent or trade mailing lists. We do not use your personal data for automated decision-making that produces legal effects.
6. International transfers
Some of our processors store data outside India. Such transfers are made only to jurisdictions not restricted by the Central Government under DPDP §16 and under contractual safeguards. We will update this list if the notified jurisdictions change.
7. Your rights as a Data Principal
- Right to access & summary: request a summary of personal data we process about you.
- Right to correction & erasure: ask us to correct inaccurate data or erase data that is no longer required.
- Right to grievance redressal: contact our Grievance Officer; we respond per the timelines below.
- Right to nominate: nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
- Right to withdraw consent: at any time, with effect from the time of withdrawal. Withdrawal does not affect lawful processing already done.
Exercise any right by writing to privacy@nityatattva.in with proof of identity. We will acknowledge within 48 working hours and respond within 30 days.
8. Security
- TLS 1.2+ for all traffic (HSTS preload).
- Row-level security on every database table; per-user isolation at the storage layer.
- Payments tokenised at Razorpay — card data never reaches our servers.
- Service-role credentials are stored as encrypted secrets, never in client bundles.
- Access logs reviewed for anomalous activity.
In the event of a personal-data breach, we notify the Data Protection Board of India and affected users without undue delay, per DPDP §8(6).
9. Children
Our Site is intended for users aged 18 or above. We do not knowingly collect personal data from children. Where we learn we have done so, we will erase it. Parents/guardians may contact our Grievance Officer.
10. Cookies
We use strictly-necessary cookies (session, cart, CSRF) without consent because the Site cannot function without them. Analytics and marketing cookies load only after you click “Accept” on the cookie banner. You can change your preference at any time by clearing site cookies in your browser.
11. Grievance Officer
| Name | __FILL_IN_OFFICER_NAME__ |
|---|---|
| Designation | Grievance Officer |
| Email | grievance@nityatattva.in |
| Phone | +91 93801 89014 |
| Hours | Mon–Sat, 10:00–18:00 IST |
| Response SLA | 48 working hours for acknowledgement, 30 days for resolution |
12. Changes to this Policy
We may amend this Policy. The current version always lives at this URL with an updated “Last updated” date. Material changes will be notified by email to account-holders at least 7 days in advance.
