Privacy Policy

Last Updated: January 2025

Compliance and Data Protection

At StepCraft, we are committed to ensuring full compliance with all applicable laws and regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and India's Information Technology Act, 2000 with its amendments. We prioritize the protection of your data and privacy, implementing industry-standard security measures to safeguard your personal information against unauthorized access, disclosure, alteration, and destruction.

Our data protection framework is regularly audited by independent third parties to ensure ongoing compliance with evolving global standards. We maintain comprehensive documentation of our data processing activities and have appointed a dedicated Data Protection Officer to oversee compliance matters. All employees undergo mandatory privacy training annually, with additional training for staff handling sensitive personal data.

We participate in the EU-US Privacy Shield Framework for international data transfers and adhere to the APEC Cross-Border Privacy Rules system. Our compliance program includes regular Privacy Impact Assessments, especially when implementing new technologies or processing methods that may impact data subject rights.

Data Collection and Usage

We collect, store, and process personal information strictly in accordance with legal requirements and ethical standards. Our data-handling practices are regularly reviewed to maintain compliance with evolving regulations and industry best practices. The types of data we collect include:

  • Identity Data: Full name, username, marital status, title, date of birth, gender, and images (for custom fittings).
  • Contact Data: Billing/delivery addresses, email addresses, and telephone numbers.
  • Financial Data: Bank account and payment card details (processed securely through PCI-DSS compliant providers).
  • Transaction Data: Details about payments and purchases.
  • Technical Data: IP address, login data, browser type/version, time zone, operating system.
  • Profile Data: Username/password, purchase history, preferences, feedback.
  • Usage Data: Information about how you use our website/products.
  • Marketing Data: Preferences for receiving marketing communications.

We use this data to process orders, provide customer support, improve our products/services, prevent fraud, personalize your experience, and (with consent) send marketing communications. Data minimization principles guide our collection practices, ensuring we only gather what's necessary for specified purposes.

Data Sharing and International Transfers

We may share personal data with:

  • Service providers (payment processors, delivery companies, IT support)
  • Professional advisers (lawyers, bankers, auditors)
  • Government bodies that require reporting
  • Third parties during business transfers

All third parties must demonstrate GDPR/equivalent compliance and sign strict data processing agreements. We never sell personal data. International transfers use EU-approved Standard Contractual Clauses or other valid mechanisms.

Specific third parties include:

  • Razorpay (payment processing)
  • FedEx/DHL (delivery services)
  • Google Analytics (website analytics)
  • Zoho CRM (customer management)

Data Retention

We retain personal data only as long as necessary for the purposes collected, including legal, accounting, or reporting requirements. Typical retention periods:

  • Customer account data: 7 years after last activity
  • Transaction records: 10 years for tax compliance
  • Marketing consents: 2 years after last interaction
  • Website analytics: 26 months

After retention periods expire, data is securely deleted or anonymized for statistical purposes. Backup systems may retain data for additional limited periods as part of disaster recovery protocols.

Security Measures

We implement robust technical and organizational measures to protect personal data:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security patching and vulnerability scanning
  • Role-based access controls and multi-factor authentication
  • Secure development lifecycle for all applications
  • 24/7 monitoring for suspicious activities
  • Regular penetration testing by certified ethical hackers
  • Physical security controls at data centers
  • Comprehensive incident response plan

Despite these measures, no system is 100% secure. We commit to notifying relevant authorities and affected individuals within 72 hours of becoming aware of any data breach that may put individuals' rights and freedoms at risk.

User Rights and Choices

As part of our commitment to compliance, we respect your rights under applicable data protection laws:

  • Access: Request copies of your personal data
  • Rectification: Correct incomplete/inaccurate data
  • Erasure: Request deletion under certain circumstances
  • Restriction: Limit processing of your data
  • Portability: Receive your data in machine-readable format
  • Objection: Object to certain processing activities
  • Withdraw Consent: Where processing is consent-based
  • Lodge Complaints: With relevant supervisory authority

To exercise these rights or for any privacy-related inquiries, please contact our Data Protection Officer at . We respond to all legitimate requests within 30 days, providing information free of charge unless requests are manifestly unfounded or excessive.

You may opt out of marketing communications at any time using the unsubscribe link in emails or by contacting us. Even if you opt out, we may still send you non-marketing communications related to transactions or service announcements.

Cookies and Tracking Technologies

Our website uses cookies and similar technologies to:

  • Enable basic site functionality
  • Analyze website traffic and usage patterns
  • Personalize content and advertisements
  • Integrate social media features

We categorize cookies as:

  • Essential: Necessary for core functionality (always active)
  • Performance: Help improve user experience
  • Functional: Enable additional features
  • Targeting: Used for advertising purposes

You can manage cookie preferences via our Cookie Settings tool or browser settings. Disabling cookies may impact website functionality. We honor Global Privacy Control (GPC) signals and Do Not Track browser settings where technically feasible.

Policy Updates

We may update this policy periodically to reflect changes in our practices or legal requirements. The "Last Updated" date at the top indicates when revisions were made. Material changes will be communicated through prominent notices on our website or direct notifications when appropriate.

We encourage you to review this policy regularly to stay informed about how we protect your information. Continued use of our services after updates constitutes acceptance of the revised policy.

This policy does not create contractual rights or form part of any agreement with customers. We reserve the right to make non-material changes without notification.

StepCraft

Handcrafted footwear blending traditional Indian craftsmanship with contemporary comfort since 2015.

Contact Us

Survey No 102/2, Road, Dehri, Umargam, Gujarat 396171, India

+91 845 772 0196

stepcraft@gmail.com

© 2025 StepCraft. All rights reserved.
