Privacy Policy

This Privacy Policy ("Policy") was updated at 1st November, 2025 ("Effective Date").

This Policy is issued by SHOEGSM PRIVATE LIMITED, operating the e-commerce platform https://shoegsm.shop ("Shoegsm" or "Company"). It governs the processing of Personal Data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA) and other applicable Indian laws. By using the Platform, you agree to this Policy.

• Data Principal: The individual to whom Personal Data relates (i.e., you, the User).
• Data Fiduciary: Shoegsm, which determines the purpose and means of processing data.
• Personal Data: Any data about an individual who is identifiable by or in relation to such data.
• Sensitive Personal Data: Financial details (like card/bank details), passwords, biometric data, etc.
• Processing: Any operation performed on Personal Data, including collection, storage, and use.
• Consent: A free, specific, informed, and unambiguous agreement to process your data.

This Policy applies to all individuals interacting with the Shoegsm Platform as customers, users, resellers, or collaborators, and covers data collected online and offline.

Shoegsm collects data from various sources (voluntarily provided, automatically collected, or from third parties) to facilitate its e-commerce operations. This includes:

CategoryDescriptionCollection ScenarioIdentity & Contact DataName, username, email, phone number, shipping address.Account registration, ordering, customer support.Payment & Transaction DataMasked card/UPI details, payment ID, purchase history, order details.Placing an order, processing payment.Device & Usage DataIP address, browser type, device model, session duration, clickstream, cookies.Browsing the website or using the application.Behavioural DataItems viewed, wishlist activity, purchase likelihood, preference tags.Personalized recommendations and platform analytics.Account CredentialsHashed passwords, OTP logs, login attempts.Account login and security.Creator/Business DataBusiness name, contact person, social handles, portfolio links.Reseller application, collaboration discussions.User-Generated ContentReviews, testimonials, public comments.Submitting content on product pages.

We do not knowingly collect Personal Data from individuals under 18 without verifiable parental consent.

We process your Personal Data based on one or more lawful grounds:

Purpose of ProcessingPrimary Legal Basis (DPDPA)Order Fulfilment & DeliveryPerformance of a ContractAccount Management & SecurityConsent; Legitimate UseCustomer Service & Grievance RedressalPerformance of a Contract; Legitimate UsePersonalization & Product RecommendationsConsent; Legitimate Use (via analytics)Marketing & Promotional CampaignsExplicit ConsentFraud Prevention & Abuse DetectionLegitimate Use; Legal ObligationCompliance (Tax, Audit, Law Enforcement)Legal ObligationPlatform Improvement & AnalyticsConsent (cookies); Legitimate Use

All data is accessed internally on a strict "need-to-know" basis. We do not use Personal Data for any purpose other than those stated without prior notice and consent.

Consent is obtained through clear, affirmative action (e.g., ticking a box). You have the right to withdraw your consent at any time without adverse consequences for non-essential services. To withdraw consent for marketing, use the opt-out link in emails or contact the Grievance Officer.

We share your Personal Data only with trusted Third Parties necessary to run our business, and only under strict contractual agreements ensuring confidentiality and security.

Recipients include:

• Payment Processors: Razorpay, Paytm, Stripe (for secure transactions).
• Logistics Providers: Delhivery, Shiprocket, etc. (for order delivery).
• Cloud & Infrastructure: AWS, Hostinger (for data storage and operation).
• Marketing & Analytics: Google Ads, Meta (for campaigns and usage analysis).
• Communication Providers: Twilio, Sendinblue (for transactional messages).
• Legal/Regulatory Authorities: Government bodies (for compliance, law enforcement, tax).

Cross-Border Transfers: We process data on servers both within and outside India (e.g., USA, Canada). Any transfer outside India is done in compliance with Section 16 of the DPDPA and requires adequate data protection safeguards. We do not sell your Personal Data for commercial gain.

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal obligations (e.g., tax records retained for 8 years). Upon expiration, data is securely deleted or anonymized. You have the right to request deletion of your data, subject to legal retention mandates.

Category of DataTypical Retention PeriodIdentity & Contact Data3 years from last activity or transactionOrder and Transaction Data8 years (for tax and audit compliance)Marketing PreferencesUntil consent withdrawal or 2 years of inactivity

Shoegsm implements robust security measures, including SSL/TLS encryption, password hashing, access controls (MFA), and regular vulnerability assessments (VAPT), to protect your data.

In the event of a Personal Data Breach, Shoegsm will follow its response framework (Annexure A) and notify the Data Protection Board of India (or CERT-In) and the affected Data Principals within 48 hours where there is a high risk of harm.

As a Data Principal, you have the following rights:

RightHow to ExerciseRight to AccessRequest details on the data processed, purpose, and recipients.Right to CorrectionRequest correction of inaccurate or incomplete data.Right to ErasureRequest deletion of data where retention is no longer necessary.Right to Withdraw ConsentWithdraw previously given consent for specific processing.Right to Grievance RedressalFile a complaint regarding data handling or rights fulfilment.Right to NominateAppoint a nominee to act on your behalf in case of death/incapacity.

All privacy-related complaints and requests will be addressed in a time-bound manner.

Grievance Officer

Email: grievances@shoegsm.shop

Address: Two Horizon Centre, DLF Phase 5, Sector 43, Gurugram, Haryana 122002

Resolution Timeline: Acknowledgement within 48 hours, resolution decision within 10 working days total.

If you are dissatisfied with the resolution, you may escalate the matter to the Data Protection Board of India.

The Company may update this Policy periodically. Material changes will be communicated via prominent notices on the Platform or email.

Is there anything specific you would like me to elaborate on or another section you need to be included in this concise version?