Privacy Policy

Last updated: 1 June 2026

This Privacy Policy explains how [Legal Entity Name] (“Korkai”, “we”), the data fiduciary, collects and processes your personal data when you use korkaikombucha.com. It is aligned with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”).

Data we collect

• Account data: name, email, password (hashed by Supabase).
• Order data: items, amounts, shipping address, phone.
• Payment data: processed by Razorpay. We never see or store card details or UPI credentials.
• Inquiry data: contact, wholesale, and event form submissions.
• Usage data: only with your consent — Google Analytics 4 and Microsoft Clarity (see our Cookie Policy).

Why we process it

• To create your account and fulfil and ship your orders.
• To process payments and prevent fraud.
• To respond to inquiries and provide support.
• With consent, to measure and improve the site, and to market.

Your rights (DPDP Act)

• Access a summary of your personal data and how it is processed.
• Correction, completion, updating, and erasure of your data.
• Withdraw consent at any time (this does not affect prior use).
• Grievance redressal and the right to nominate.

To exercise any right, or to withdraw consent, email our Grievance Officer at privacy@korkaikombucha.com. We respond within the timelines required by law.

Sharing & processors

We share data only with processors that help us operate: Supabase (database/auth), Razorpay (payments), Resend (email), UploadThing (images), Vercel (hosting), and—if you consent—Google and Microsoft (analytics). Each processes data under contract and applicable law.

Retention

We keep order and tax records as required by Indian law, and other personal data only as long as needed for the purposes above or until you request erasure (subject to legal retention obligations).

Security

We use encryption in transit (HTTPS/HSTS), Row Level Security, rate limiting, a strict Content Security Policy, and mandatory MFA for admin accounts. See our public SECURITY.md for details.

Children

The site is not directed to children under 18. We do not knowingly process children’s data without verifiable parental consent.

Changes

We may update this policy; material changes will be notified on this page with a new “last updated” date.