PRIVACY POLICY

Effective Date: March 4, 2026   |   Last Updated: March 4, 2026

IMPORTANT: This Privacy Policy must be read in conjunction with REVVOGUE's Terms & Conditions of Website Use and Sale ("T&C"). In the event of any conflict between this Policy and the T&C, the T&C shall prevail. Defined terms used but not defined herein have the meanings ascribed to them in the T&C.

1. Purpose, Scope and Subordination

  1. This Privacy Policy ("Policy") describes how REVVOGUE collects, receives, processes, stores, uses, discloses, and protects the Personal Data and Sensitive Personal Data of Users and Customers who access the Website or transact with REVVOGUE.
  2. This Policy has been prepared in compliance with the following applicable laws and regulations:
    • The Information Technology Act, 2000 ("IT Act"), particularly Sections 43A and 72A;
    • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), particularly Rules 3 through 8;
    • The Digital Personal Data Protection Act, 2023 ("DPDPA") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), to the extent in force; and
    • The Consumer Protection (E-Commerce) Rules, 2020, to the extent they impose data-related disclosure obligations.
  3. This Policy forms an integral part of, and is expressly subordinated to, the T&C. In the event of any inconsistency or conflict between this Policy and the T&C, the T&C shall prevail to the extent of such inconsistency or conflict.
  4. By accessing the Website or placing an Order, you acknowledge that you have read and understood this Policy and consent to the collection, processing, and use of your Personal Data as described herein.
Legal Reference: SPDI Rules, Rule 4 requires mandatory publication of a Privacy Policy. DPDPA, Section 5 requires a notice to be given to the Data Principal before or at the time of seeking consent. This document serves both functions.

2. Identity and Contact Details of the Data Fiduciary

  1. For the purposes of the DPDPA and the IT Act, REVVOGUE is the Data Fiduciary — the entity that determines the purpose and means of processing your Personal Data.
Data Fiduciary: REVVOGUE Clothing, carrying on business as REVVOGUE (Sole Proprietorship)
Principal Place of Business: [Complete Postal Address, City, PIN Code, Maharashtra, India]
Email: revvogue.business@gmail.com
Phone (WhatsApp only): +91 7710857053 / +91 8169357858
Website: https://www.revvogue.in
  1. REVVOGUE has designated a Grievance Officer / Data Protection Contact to handle privacy-related requests and complaints. Contact details are set out in Clause 17 of this Policy.
Legal Reference: DPDPA, Section 8(1)(i) — Data Fiduciary must publish contact details of Data Protection Officer (or equivalent) for exercising Data Principal rights. IT Act, Section 43A — body corporate handling SPDI must have a designated contact.

3. Definitions

"Consent" means a free, specific, informed, unconditional, and unambiguous indication of the Data Principal's agreement to the processing of their Personal Data for a specified purpose, expressed through a clear affirmative act, as required under Section 6 of the DPDPA.

"Data Fiduciary" means REVVOGUE, which determines the purpose and means of processing of Personal Data.

"Data Principal" means the individual to whom the Personal Data relates — in this context, the User or Customer.

"Data Protection Board" means the Data Protection Board of India established under Section 18 of the DPDPA.

"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined in Section 2(t) of the DPDPA and Rule 2 of the SPDI Rules.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

"Sensitive Personal Data or Information" ("SPDI") has the meaning assigned under Rule 3 of the SPDI Rules and includes passwords, financial information (bank account, card, payment instrument details), physical or mental health condition, sexual orientation, medical records, and biometric information.

4. Personal Data We Collect — Categories and Details

  1. REVVOGUE collects only such Personal Data as is necessary for the purposes described in this Policy (the principle of data minimisation). The categories of Personal Data collected are set out in the table below:
Category Data Collected Purpose
Identity Data Full name Order processing, invoicing, account management
Contact Data Email address, mobile number Order confirmations, delivery updates, support communications, marketing (if consented)
Address Data Delivery address (door/flat no., street, city, state, PIN code) Order fulfilment, shipping, delivery coordination
Order and Transaction Data Products ordered, sizes, designs, Order ID, Order history, invoice details Order processing, fulfilment, customer support, legal and accounting records
Payment Data (via Razorpay) Transaction ID, payment status, payment method type (card/UPI/netbanking — not card numbers or UPI PIN) Payment verification and reconciliation. Razorpay processes and stores all sensitive payment instrument data.
Technical and Usage Data IP address, browser type, device type, pages visited, time spent, referring URL Website security, fraud prevention, analytics, improving user experience
Communications Data Messages, emails, support queries, complaint details submitted to REVVOGUE Customer support, grievance redressal, legal compliance
Cookies and Tracking Data Cookie identifiers, session data, preference data Website functionality, analytics, marketing (if consented). See Clause 12.
  1. REVVOGUE does not collect or process any of the following categories of Personal Data and requests you not to provide such information: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data for uniquely identifying a natural person; or data concerning sexual life or sexual orientation, except to the limited extent voluntarily disclosed by you in a support communication.
Legal Reference: SPDI Rules, Rule 5(2) — collection only for lawful purpose connected with a function or activity of the body corporate. DPDPA, Section 4(1)(b) — only for a specified, explicit, and legitimate purpose. DPDPA, Section 8(3) — accuracy obligation for Personal Data.

5. Sensitive Personal Data or Information (SPDI)

  1. Under Rule 3 of the SPDI Rules, financial information constitutes Sensitive Personal Data or Information. REVVOGUE does not directly collect, store, or process payment card numbers, CVV codes, UPI PINs, net banking credentials, or any other sensitive payment instrument data.
  2. All payment-related SPDI is collected and processed exclusively by Razorpay Payment Solutions Private Limited, which operates as an independent payment gateway under its own PCI-DSS compliant infrastructure and privacy policy. REVVOGUE receives only a transaction ID, payment status, and payment method type (e.g., card, UPI, net banking) from Razorpay.
  3. By completing a payment transaction through the Website, you provide your express consent to Razorpay's collection and processing of your payment SPDI in accordance with Razorpay's privacy policy and applicable law.
REVVOGUE does NOT store your card number, CVV, UPI PIN, net banking password, or any sensitive banking credential. If you are asked to provide these details on any page claiming to be operated by REVVOGUE, please report it immediately to revvogue.business@gmail.com as it may be a phishing attempt.
  1. Passwords (if REVVOGUE implements user accounts): Where REVVOGUE offers user account functionality, passwords are stored in encrypted form using industry-standard hashing algorithms. REVVOGUE does not store or have access to your password in plain text. REVVOGUE staff will never ask you for your account password.
Legal Reference: SPDI Rules, Rule 5(1) — written consent required before collection of SPDI. SPDI Rules, Rule 6 — disclosure of SPDI to third parties only with prior consent.

6. How We Collect Your Personal Data

  1. REVVOGUE collects Personal Data through the following means:

    (a) Directly from you: When you browse the Website, register an account (if applicable), place an Order, complete the checkout process, contact REVVOGUE's customer support or Grievance Officer, submit a review or feedback, or communicate with REVVOGUE through any channel (email, phone, WhatsApp, social media DMs).

    (b) Automatically through the Website: Technical and usage data is collected automatically through cookies, web beacons, server logs, and similar tracking technologies when you access and navigate the Website. See Clause 12 for details.

    (c) From third parties: REVVOGUE may receive limited data about you from payment gateway providers (transaction status), courier partners (delivery confirmation updates), or social media platforms (if you interact with REVVOGUE's social media accounts or use social login features).
  2. REVVOGUE does not purchase, rent, or otherwise acquire Personal Data lists from third-party data brokers or marketing agencies for the purpose of unsolicited marketing.
Legal Reference: SPDI Rules, Rule 5(3) — the body corporate must collect SPDI directly from the individual. DPDPA, Section 5 — notice must be provided before or at the time of collection.

7. Purposes of Processing and Legal Basis

  1. REVVOGUE processes your Personal Data only for specified, explicit, and legitimate purposes. The purposes of processing and the corresponding legal basis under both the DPDPA and the SPDI Rules are set out in the table below:
Purpose of Processing Legal Basis (DPDPA 2023) Legal Basis (IT Act / SPDI Rules 2011)
Processing your Order and delivering the Product Section 7(b) — Performance of contract / Legitimate Use Rule 5 — Necessary for fulfilment of contract with you
Payment processing (via Razorpay) Section 6 — Consent (provided at checkout) / Section 7(b) — Contractual necessity Rule 5 — Consent for SPDI; Rule 6 — Third party disclosure with consent
Sending Order confirmations, shipping updates and delivery notifications Section 7(b) — Contractual necessity / Legitimate Use Rule 5 — Necessary for fulfilment of contract
Customer support and grievance redressal Section 7(b) — Legitimate Use; Section 13 — Right to grievance redressal Rule 5 — Necessary for lawful purpose connected to your Order
Legal, regulatory and accounting compliance (invoicing, tax records) Section 7(a) — Compliance with law / Legitimate Use Rule 5 — Necessary to comply with legal obligation
Fraud detection, security, and prevention of misuse Section 7(g) — Legitimate use for preventing crime / fraud Section 43A ITA — Reasonable security practices
Marketing communications (promotional emails/SMS/WhatsApp) Section 6 — Consent only. Opt-out available at any time. Rule 5 — Requires consent; not SPDI but good practice applies
Website analytics and performance improvement Section 6 — Consent via cookie acceptance / Section 7(f) — Legitimate interest IT (Intermediary Guidelines) Rules 2021 — implicitly covered
  1. REVVOGUE shall not process your Personal Data for any purpose other than those stated in this Policy without first obtaining your fresh consent or establishing an alternative lawful basis under the DPDPA or the SPDI Rules.
Legal Reference: DPDPA, Section 4 — lawful processing only for a specified purpose after consent or for legitimate use. SPDI Rules, Rule 5(2) — collection only for a lawful purpose connected with a function or activity of the body corporate and the collection necessary for such purpose.

8. Consent — Mechanism, Specificity and Withdrawal

  1. Nature of Consent: Where REVVOGUE relies on consent as the legal basis for processing your Personal Data, such consent shall be: free (not coerced or conditioned on acceptance of the T&C beyond what is strictly necessary); specific (linked to a defined purpose); informed (given after you have been provided with this Policy); unconditional (not bundled with consent for unrelated processing); and unambiguous (expressed through a clear affirmative act such as ticking a checkbox or clicking an accept button).
  2. Consent at Checkout: By completing the checkout process and placing an Order, you:

    (a) Consent to REVVOGUE's collection and processing of your Personal Data (name, contact details, address, Order data) for the purpose of fulfilling your Order, communicating about it, and maintaining records;
    (b) Consent to REVVOGUE's disclosure of your delivery details to its logistics partner for delivery purposes; and
    (c) Consent to Razorpay's collection and processing of your payment data for payment processing purposes.
  3. Consent for Marketing: REVVOGUE will not send you promotional or marketing communications without your separate, specific, and freely given consent. Such consent will be sought through a distinct opt-in mechanism (e.g., a separate checkbox at checkout or account registration). Pre-ticked boxes shall not be used for marketing consent.
  4. Withdrawal of Consent:

    (a) You may withdraw your consent to the processing of your Personal Data at any time by sending a written request to revvogue.business@gmail.com or via WhatsApp at +91 7710857053 / +91 8169357858.

    (b) Withdrawal of consent for marketing communications: You may opt out of marketing emails at any time by clicking the 'Unsubscribe' link in any marketing email, or by contacting REVVOGUE directly. Opt-out requests for SMS/WhatsApp marketing may be made by contacting REVVOGUE directly.

    (c) Withdrawal of consent for core processing: Withdrawal of consent for the processing necessary to fulfil an existing Order will not affect Orders that are already confirmed and in production. REVVOGUE may not be able to continue providing services to you after consent is withdrawn.

    (d) Effect of Withdrawal: Withdrawal of consent does not affect the lawfulness of any processing carried out by REVVOGUE prior to such withdrawal.
Legal Reference: DPDPA, Section 6(4) — consent may be withdrawn at any time; withdrawal shall not affect the legality of processing of personal data based on consent before its withdrawal. DPDPA, Section 6(5) — opportunity to withdraw consent must be as easy as giving it.

9. Disclosure of Personal Data to Third Parties

  1. REVVOGUE does not sell, rent, trade, or otherwise commercially exploit your Personal Data to or with any third party.
  2. REVVOGUE discloses your Personal Data to third parties only to the extent strictly necessary for the purposes set out in this Policy and only to the recipients identified below:
Recipient / Category Data Shared Purpose Basis
Razorpay Payment Solutions Pvt. Ltd. (Payment Processor) Transaction amount, Order ID, Customer name, email, phone. REVVOGUE does NOT share card numbers, UPI PINs, or banking credentials. Payment processing, fraud detection, refund processing Consent (at checkout); SPDI Rule 6; Contractual necessity
Print and Fulfilment Vendor(s) (Third-party contractors) Customer name, Order ID, design specifications, size. Delivery address is not shared with fulfilment vendors. Manufacturing and printing of the ordered Product Contractual necessity; SPDI Rule 6 — purpose-limited disclosure
Logistics / Courier Partner(s) Customer name, delivery address (full), mobile number Delivery of the Product to Customer's address Contractual necessity; SPDI Rule 6 — purpose-limited disclosure
Website Analytics Provider(s) (e.g., Google Analytics) [if used] Anonymised/pseudonymised usage data, IP address, device/browser data Website performance analysis and improvement Consent via cookie acceptance; Legitimate interest
Legal and Regulatory Authorities Such Personal Data as required by law, court order, or regulatory direction Compliance with legal obligations, law enforcement requests, court orders Legal obligation under applicable law
Successor Entity (in case of business transfer or acquisition) All Customer data held at time of transfer Business continuity Legitimate use; Customer notified in advance
  1. All third-party recipients to whom REVVOGUE discloses Personal Data are required to: (i) process such data only for the purpose for which it was disclosed; (ii) implement reasonable security measures to protect the data; and (iii) not further disclose the data to any other party without REVVOGUE's prior written authorisation.
  2. REVVOGUE shall remain accountable to the Data Principal for its disclosures to third parties as required under the DPDPA and the SPDI Rules.
Legal Reference: SPDI Rules, Rule 6 — SPDI may be disclosed to a third party only if the individual has provided prior consent. DPDPA, Section 8(5) — Data Fiduciary responsible for acts of Data Processors.

10. Data Transfers — Domestic and Cross-Border

  1. Domestic Transfers: All primary processing of Personal Data by REVVOGUE is carried out within India. Third-party service providers engaged by REVVOGUE (Razorpay, fulfilment vendors, courier partners) are predominantly India-based entities operating under Indian law.
  2. Cross-Border Transfers: To the extent that any third-party service provider (including analytics or cloud infrastructure providers) processes Personal Data outside India, such transfers shall be made only to such countries or territories as may be notified by the Central Government under Section 16(1) of the DPDPA as permitting transfer of Personal Data, or pursuant to a standard contractual framework as may be prescribed.
  3. Analytics and Cloud Services: REVVOGUE may use third-party analytics or cloud hosting services that store data on servers outside India. REVVOGUE shall ensure that appropriate contractual safeguards are in place with such providers.
Legal Reference: DPDPA, Section 16 — transfer of Personal Data outside India subject to restrictions to be notified by the Central Government. SPDI Rules, Rule 7 — transfer to a body corporate or person in any other country providing the same level of data protection as in India.

11. Children's Personal Data

REVVOGUE's Website and Products are intended exclusively for individuals who are eighteen (18) years of age or older. REVVOGUE does not knowingly collect, process, or store Personal Data of children (persons under eighteen years of age).

  1. In accordance with Section 9 of the DPDPA, REVVOGUE shall not process the Personal Data of a child without obtaining verifiable consent from the child's parent or lawful guardian.
  2. If REVVOGUE becomes aware that it has inadvertently collected Personal Data of a child without appropriate parental consent, it shall: (i) immediately cease processing such data; (ii) delete such data from its systems without undue delay; and (iii) if an Order was placed, cancel the Order and initiate a full refund.
  3. If you have reason to believe that a child has provided Personal Data to REVVOGUE without parental consent, please notify REVVOGUE immediately at revvogue.business@gmail.com.
  4. REVVOGUE does not profile children and does not direct behavioural advertising at children.
Legal Reference: DPDPA, Section 9(1) — before processing Personal Data of a child, Data Fiduciary must obtain verifiable consent of the parent/guardian. Section 9(3) — Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.

12. Cookies and Tracking Technologies

  1. REVVOGUE's Website uses cookies and similar tracking technologies (including web beacons, pixels, and session storage) to enhance user experience, analyse Website usage, and deliver relevant content.
  2. Categories of Cookies Used:

    (a) Strictly Necessary Cookies: These cookies are essential for the Website to function and cannot be switched off. They include session cookies that maintain your shopping cart and checkout process. These do not require consent.

    (b) Performance and Analytics Cookies: These cookies collect anonymised or pseudonymised information about how visitors use the Website. They are used to improve Website performance. These require consent.

    (c) Functionality Cookies: These cookies allow the Website to remember your preferences (e.g., language, size selections) to provide a more personalised experience. These require consent.

    (d) Marketing and Targeting Cookies: These cookies may be set by REVVOGUE or third-party analytics/advertising partners to build a profile of your interests and display relevant content. REVVOGUE uses these only with your explicit consent.
  3. Cookie Consent: When you first access the Website, you will be presented with a cookie consent banner that allows you to accept all cookies, accept only necessary cookies, or customise your preferences. Your consent choices are recorded and honoured.
  4. Third-Party Cookies: Third-party services such as analytics providers may set their own cookies. REVVOGUE does not control third-party cookies and recommends reviewing the respective third-party privacy policies.
  5. Disabling Cookies: You may disable cookies through your browser settings. Please note that disabling cookies may impact the functionality and performance of the Website. Strictly necessary cookies cannot be disabled through browser settings.
Legal Reference: Cookie data that identifies or can identify an individual constitutes Personal Data and is subject to the consent and processing requirements of the DPDPA and IT Act. The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 also impose obligations on intermediaries relating to privacy.

13. Data Retention and Storage Limitation

  1. REVVOGUE retains Personal Data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law, whichever is longer. The following retention schedule applies:
Data Category Retention Period Basis for Retention
Order and Transaction Data (invoices, receipts, Order history) 7 years from date of transaction GST Act, Income Tax Act — statutory record-keeping requirements
Delivery Address and Contact Details Duration of active customer relationship + 2 years, or until erasure request is honoured (whichever is earlier) Operational necessity; DPDPA storage limitation principle
Customer Support and Complaint Records 3 years from date of closure of the complaint / interaction Consumer Protection Act, 2019 — potential litigation window; DPDPA Section 8
Payment Transaction Data (held by REVVOGUE — limited to transaction ID and status) 7 years from transaction date GST Act, RBI guidelines applicable to payment records
Marketing and Communications Consent Records Until consent is withdrawn + 1 year (for audit purposes) DPDPA Section 6 — consent records must be maintained; demonstrability of consent
Website Usage / Technical Data (logs, IP) 90 days (rolling) IT (Intermediary Guidelines) Rules 2021 — Rule 3(1)(c); security audit purposes
Cookie Data 30–365 days depending on cookie type User consent; legitimate interest in website functionality
Data of Persons Who Did Not Complete Purchase 30 days from last session, unless account created Storage limitation under DPDPA; no ongoing purpose
  1. Upon expiry of the applicable retention period, REVVOGUE shall delete or anonymise your Personal Data in a secure and irreversible manner, unless:

    (a) Retention is required to comply with a legal obligation (e.g., statutory audit, court order, regulatory investigation);
    (b) Retention is necessary for the establishment, exercise, or defence of legal claims by or against REVVOGUE; or
    (c) The data has been anonymised such that the individual can no longer be identified, in which case the anonymised data may be retained for analytics or statistical purposes.
Legal Reference: DPDPA, Section 8(7) — Data Fiduciary shall erase Personal Data upon withdrawal of consent or when the specified purpose is no longer served, unless retention required by law. SPDI Rules, Rule 5(4) — SPDI to be retained only for as long as required for the lawful purpose.

14. Security Safeguards

  1. REVVOGUE implements reasonable security practices and procedures as required under Section 43A of the IT Act and Rule 8 of the SPDI Rules to protect Personal Data from unauthorised access, disclosure, alteration, loss, or destruction.
  2. Security measures in place include, without limitation:

    (a) Transmission of Personal Data over the Website via SSL/TLS encryption (HTTPS);
    (b) Access controls restricting access to Personal Data to authorised personnel on a need-to-know basis;
    (c) Password hashing using industry-standard algorithms for any stored account credentials;
    (d) Payment data processed entirely by Razorpay under PCI-DSS certified infrastructure — REVVOGUE does not store sensitive payment data;
    (e) Periodic review of security practices and access controls; and
    (f) Contractual requirements imposed on third-party vendors and processors to maintain appropriate security standards.
  3. No method of electronic transmission or storage is completely secure. While REVVOGUE takes commercially reasonable steps to protect your Personal Data, it cannot guarantee absolute security. In the event of a data breach affecting your Personal Data, REVVOGUE shall comply with its notification obligations under Clause 15 of this Policy.
Legal Reference: IT Act, Section 43A — body corporate handling SPDI must implement reasonable security practices and procedures. SPDI Rules, Rule 8 — body corporate must implement and maintain reasonable security practices as per IS/ISO/IEC 27001 or a documented information security programme. DPDPA, Section 8(5) — Data Fiduciary must implement appropriate technical and organisational measures.

15. Data Breach — Detection, Notification and Response

  1. A Personal Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by REVVOGUE.
  2. Upon becoming aware of a Personal Data breach, REVVOGUE shall:

    (a) Contain the breach and take immediate remedial steps to prevent further unauthorised access or disclosure;
    (b) Notify the Data Protection Board of India as required under Section 8(6) of the DPDPA and the DPDP Rules, within the prescribed timeframe (currently seventy-two (72) hours under the draft DPDP Rules, subject to final notification);
    (c) Notify affected Data Principals in the manner and within the timeframe prescribed by the Data Protection Board or the DPDP Rules; and
    (d) Conduct an internal assessment of the breach and implement corrective measures to prevent recurrence.
  3. The notification to affected Data Principals shall include, to the extent practicable: (i) a description of the nature of the breach; (ii) the categories and approximate number of individuals and records affected; (iii) the likely consequences of the breach; and (iv) the measures taken or proposed to address the breach.
  4. REVVOGUE maintains an internal incident response procedure for managing Personal Data breaches. REVVOGUE's obligations under this Clause are subject to such restrictions as may be imposed by law enforcement or regulatory authorities investigating the breach.
Legal Reference: DPDPA, Section 8(6) — upon becoming aware of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimate of such breach in such form and manner as may be prescribed.

16. Rights of Data Principals

  1. As a Data Principal, you are entitled to the following rights under the DPDPA. REVVOGUE is committed to facilitating the exercise of these rights in a timely and transparent manner:
Right What It Means Statutory Basis
Right to Access You may request a summary of the Personal Data processed by REVVOGUE in relation to you, including the categories of data, purposes of processing, and the identity of third parties with whom it has been shared. DPDPA 2023, Section 11
Right to Correction and Updation You may request correction of inaccurate or incomplete Personal Data, or updating of outdated Personal Data held by REVVOGUE. DPDPA 2023, Section 12(a)
Right to Erasure You may request erasure of Personal Data that is no longer necessary for the purposes for which it was collected, subject to REVVOGUE's right to retain data required by law or for legitimate legal proceedings. DPDPA 2023, Section 12(b)
Right to Grievance Redressal You have the right to have any grievance relating to the processing of your Personal Data addressed by REVVOGUE's Grievance Officer / Data Protection Contact within the prescribed timeframes. DPDPA 2023, Section 13; IT Act, Section 43A
Right to Nominate You may nominate another individual to exercise your rights under the DPDPA in the event of your death or incapacity. REVVOGUE will act on instructions from your nominee upon receipt of valid documentation. DPDPA 2023, Section 14
Right to Withdraw Consent You may withdraw your consent to the processing of your Personal Data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. Withdrawal may impact REVVOGUE's ability to provide services to you. DPDPA 2023, Section 6(4)
Right to Approach the Data Protection Board If you are not satisfied with REVVOGUE's response to your grievance, you have the right to approach the Data Protection Board of India established under the DPDPA. DPDPA 2023, Section 25
  1. How to Exercise Your Rights: To exercise any of the rights described above, please submit a written request to REVVOGUE's Grievance Officer / Data Protection Contact as set out in Clause 17, clearly identifying:

    (a) Your full name and contact details as registered with REVVOGUE;
    (b) The Order ID(s) or account details relevant to your request (if applicable);
    (c) The specific right you wish to exercise; and
    (d) Any supporting documentation that may be required to verify your identity.
  2. REVVOGUE shall respond to your request within a reasonable period, and in any event within the timeframe prescribed under the DPDPA and DPDP Rules. REVVOGUE may ask for additional verification of your identity before processing sensitive requests such as erasure or access.
  3. REVVOGUE shall not charge a fee for processing requests to exercise Data Principal rights under the DPDPA, except where a request is manifestly unfounded or excessive, in which case a reasonable fee may be charged.
  4. Where REVVOGUE is unable to fully honour a request (for example, where data retention is required by law), REVVOGUE shall inform you of the reason and the extent to which the request can be accommodated.
Legal Reference: DPDPA, Sections 11–14 — rights of Data Principal to access, correction, erasure, grievance redressal, and nomination. IT Act, Section 43A read with SPDI Rules — individuals have the right to review and correct SPDI held about them (Rule 5(6)). DPDPA, Section 25 — right to approach the Data Protection Board if grievance not redressed.

17. Grievance Redressal and Data Protection Contact

  1. REVVOGUE has designated a Grievance Officer who also serves as the Data Protection Contact for the purposes of this Policy, the IT Act, the SPDI Rules, and the DPDPA.
Designation: Grievance Officer and Data Protection Contact
Name: [Name of Grievance Officer]
Email: revvogue.business@gmail.com
Phone (WhatsApp only): +91 7710857053 / +91 8169357858
Address: [Complete Address, City, PIN Code, Maharashtra, India]
Working Hours: Monday to Sunday, excluding public holidays
  1. Upon receipt of a complaint or privacy-related request, REVVOGUE shall:

    (a) Acknowledge receipt of the complaint within forty-eight (48) hours; and
    (b) Communicate the resolution or outcome of the complaint within thirty (30) days of receipt.
  2. If you are not satisfied with REVVOGUE's response, you have the right to approach:

    (a) The Data Protection Board of India, established under Section 18 of the DPDPA, by making a complaint in the manner prescribed under the DPDPA and DPDP Rules; or
    (b) The appropriate Consumer Disputes Redressal Commission under the Consumer Protection Act, 2019.
Legal Reference: SPDI Rules, Rule 5(9) — the body corporate must designate a Grievance Officer. IT (Intermediary Guidelines) Rules, 2021, Rule 3(2) — Grievance Officer must acknowledge within 24 hours and resolve within 15 days. DPDPA, Section 13 — Data Principal has the right to have grievances redressed.

18. Links to Third-Party Websites

  1. The Website may contain hyperlinks to third-party websites, social media platforms (Instagram, WhatsApp, Facebook, etc.), and other external resources for the User's convenience. REVVOGUE does not operate or control these third-party websites and is not responsible for their content, privacy practices, or terms of use.
  2. This Policy applies solely to Personal Data collected by REVVOGUE through the Website. REVVOGUE strongly recommends that you read the privacy policy of any third-party website you visit through a link on the Website before providing any Personal Data to that website.

19. Modifications to This Policy

  1. REVVOGUE reserves the right to amend, revise, or update this Policy at any time to reflect changes in law, regulatory requirements, or REVVOGUE's data processing practices.
  2. Revised versions of this Policy will be posted on the Website with an updated effective date. Where changes are material, REVVOGUE will take reasonable steps to notify Users and Customers (for example, via email or a prominent Website notice).
  3. Your continued use of the Website following the posting of a revised Policy constitutes your acceptance of the revised terms. If you do not agree to the revised Policy, you should cease using the Website.
  4. The version of this Policy applicable to any Order shall be the version in effect at the time of Order placement.
Legal Reference: SPDI Rules, Rule 4 — body corporate to publish the Privacy Policy on its website. DPDPA, Section 5 — notice obligations apply at the time of collection; material changes require fresh notice/consent as applicable.

20. Governing Law

  1. This Policy shall be governed by and construed in accordance with the laws of India, including without limitation the IT Act, the SPDI Rules, and the DPDPA.
  2. Any disputes arising out of or in connection with this Policy shall be subject to the jurisdiction provisions set out in Clause 19 of the T&C, subject to the Data Principal's right to approach the Data Protection Board of India and the appropriate consumer forum.

21. Contact

For all privacy-related queries, requests, or notices:

Business Name: REVVOGUE (Sole Proprietorship)
Proprietor: REVVOGUE Clothing
Address: [Complete Postal Address, City, PIN Code, Maharashtra, India]
Email: revvogue.business@gmail.com
Phone (WhatsApp only): +91 7710857053 / +91 8169357858
Data Protection Contact: Grievance Officer — revvogue.business@gmail.com

Schedule A — Legal Framework Reference Table

The following table summarises the primary legal provisions applicable to REVVOGUE's data processing activities for quick internal reference:

Law / Rule Key Obligation for REVVOGUE Policy Clause(s)
IT Act 2000, Section 43A Implement reasonable security practices for SPDI Clause 14
IT Act 2000, Section 72A Do not disclose Personal Data in breach of a lawful contract Clause 9
SPDI Rules 2011, Rule 3 Identify and handle SPDI with heightened care Clauses 5, 14
SPDI Rules 2011, Rule 4 Publish Privacy Policy on Website This document
SPDI Rules 2011, Rule 5 Collect only for lawful purpose; obtain consent before collection; allow review/correction Clauses 4, 6, 7, 8, 16
SPDI Rules 2011, Rule 6 Disclose SPDI to third parties only with prior consent Clauses 5, 9
SPDI Rules 2011, Rule 7 Cross-border transfers only to countries with equivalent protection Clause 10
SPDI Rules 2011, Rule 8 Implement ISO 27001 or equivalent documented security programme Clause 14
DPDPA 2023, Section 4 Process only with consent or for legitimate use Clauses 7, 8
DPDPA 2023, Section 5 Give notice before or at time of collecting consent Clauses 1, 6, 8
DPDPA 2023, Section 6 Consent must be free, specific, informed, unconditional, unambiguous; withdrawable Clause 8
DPDPA 2023, Section 8 Data Fiduciary obligations — accuracy, storage limitation, security, breach notification Clauses 4, 13, 14, 15
DPDPA 2023, Section 9 No processing of children's data without verifiable parental consent Clause 11
DPDPA 2023, Sections 11–14 Data Principal rights — access, correction, erasure, grievance, nomination Clause 16
DPDPA 2023, Section 16 Cross-border transfer restrictions Clause 10
IT (Intermediary Guidelines) Rules 2021, Rule 3(1)(c) Retain IT logs for 180 days Clause 13 Retention Table
Consumer Protection (E-Commerce) Rules 2020 Display privacy-related terms prominently This document; T&C Clause 23
— End of Privacy Policy —
This Policy is subordinate to and forms part of the REVVOGUE Terms & Conditions. Last updated: March 4, 2026.