Privacy Policy

How Raksham Labs collects, processes, stores, and safeguards personal data.

Last updated: 2026-05-11

1. Who we are

This Privacy Policy describes how Raksham Labs ("Raksham Labs", "we", "our", "us") collects, uses, shares, processes, stores, and safeguards personal data when you visit rakshamlabs.com, create an account, or purchase hardware from us. Raksham Labs is based in Prayagraj, Uttar Pradesh, India, and operates as a data fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act").

2. Data we collect

We collect only the minimum personal data reasonably necessary to operate our services, fulfil legal obligations, secure our systems, support customer operations, and comply with export-control and anti-fraud requirements.

You provide

  • Account information: name, email, password (hashed), phone number, locale, preferred currency, marketing consent.
  • Order information: shipping and billing addresses, GSTIN/tax ID, company name, order line items, customer notes.
  • Communications: messages you send through the contact form, support systems, or email.

Collected automatically

  • Session and authentication: a cookie-based session token (issued by Better Auth), IP address, and user-agent string used to keep you signed in and protect your account.
  • Approximate location: country derived from your IP address by our hosting provider, used to default the display currency on the cart.
  • Usage logs: minimal server logs (path, timestamp, status code) for operational reliability, fraud prevention, abuse detection, export-compliance screening, and security monitoring. We do not run third-party analytics or advertising trackers on this site.
  • Security telemetry: limited technical information related to account security, authentication events, and infrastructure monitoring may be processed to protect systems and services.

Collected from third parties

  • Google Sign-In: when you sign in with Google, we receive your name, email, profile picture, and the unique Google account identifier.
  • Razorpay: we receive payment status, payment method type, and Razorpay-issued payment/order identifiers. We do not see or store your full card number, CVV, or UPI PIN — those stay with Razorpay.
  • Shiprocket / shipping carriers: shipment status, AWB tracking events, and delivery scans for orders you have placed.

We do not intentionally collect biometric identifiers, precise geolocation, or sensitive personal data unless operationally necessary or legally required. If we introduce features in the future that process such data (for example, precise location for shipping verification, or hardware telemetry from customer-operated devices), this Privacy Policy will be updated and, where required, additional consent will be obtained before collection begins. Users are responsible for ensuring that information provided to Raksham Labs is accurate and up to date.

Phone and SMS consent

Where you provide a phone number, you consent to receive transactional communications related to your account and orders (order confirmation, dispatch, delivery, account security, OTPs) via SMS, voice call, WhatsApp, or other messaging channels operated by our shipping and authentication processors. These communications are necessary for order fulfilment and account security. Promotional or marketing SMS / voice / WhatsApp messages are sent only where you have separately opted in, and you may withdraw consent at any time by replying STOP (where supported by the channel) or by writing to us. Sending of commercial communications is subject to TRAI's Telecom Commercial Communications Customer Preference Regulations and applicable destination-country rules.

3. How we use your data

  • To create and operate your account.
  • To process orders, take payments, ship hardware, generate invoices, and provide customer support.
  • To send transactional emails (order confirmation, shipping updates, account verification, password resets) via our email provider.
  • To send marketing emails only if you have opted in. Every marketing email contains a one-click unsubscribe link, and you can also opt out from your account page or by writing to us.
  • To detect, prevent, investigate, and respond to fraud, abuse, spam, export violations, security incidents, and unauthorised activity.
  • To meet our legal, tax, customs, export-control, sanctions-compliance, and consumer-protection obligations in India and the destination country.
  • To maintain operational reliability, infrastructure security, compatibility, and service performance.

Certain transactions and account activities may be screened for fraud prevention, abuse detection, export-compliance verification, sanctions screening, or security monitoring purposes. Operational logs and monitoring are used solely for reliability, fraud prevention, support, compliance, infrastructure protection, and security purposes.

Where AI-assisted systems or automated workflows are used for operational analytics, fraud prevention, support, abuse detection, or security functions, such systems are designed to support human decision-making and are not intended for unlawful automated profiling. Automated systems may be used to detect spam, fraud, abuse, export violations, or security threats.

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without human review. Where any automated screening result could affect your access to an order, account, or service, a human reviewer remains responsible for the final decision. Users in the EEA, UK, and other jurisdictions that recognise this right may request human intervention, express their point of view, and contest such decisions by writing to us.

Raksham Labs does not use customer operational data for unauthorised surveillance, profiling, or resale. We may generate anonymised or aggregated operational statistics that do not identify individuals. Support communications may be retained for quality assurance, dispute resolution, fraud prevention, training, and operational improvement purposes.

We process your data on the basis of:

  • the contract between you and us when you place an order or use your account;
  • your consent for marketing communications;
  • our legitimate interest in operating, securing, improving, and protecting our services and infrastructure; and
  • compliance with legal obligations under Indian tax, accounting, customs, sanctions, export-control, and consumer-protection law.

5. How we share your data

We do not sell, rent, trade, or broker personal data to advertisers, data brokers, or unrelated third parties.

We share data with the following categories of processors only as needed to run the service:

  • Payments — Razorpay Software Private Limited (India).
  • Shipping & logistics — Shiprocket and the courier you receive deliveries from (e.g. Bluedart, DHL, FedEx, India Post).
  • Email delivery — Resend (transactional email).
  • Authentication — Google (only if you choose to sign in with Google).
  • Hosting & infrastructure — Vercel (application hosting) and Bluehost (database hosting).
  • Professional advisors — auditors, lawyers, chartered accountants, insurers, and compliance advisors under confidentiality obligations.
  • Authorities — where required by law, court order, export-control obligation, sanctions requirement, or to protect our rights, systems, customers, or the public.

Requests from government or law-enforcement authorities are reviewed for legal validity prior to disclosure where permitted by law. We may preserve or disclose information where reasonably necessary to comply with legal obligations, enforce agreements, investigate fraud or abuse, support export-compliance obligations, or protect users, systems, infrastructure, or the public.

Third-party service providers maintain their own independent privacy and security practices governed by their respective policies. Raksham Labs is not responsible for independent acts, omissions, service interruptions, or security failures of third-party providers beyond our reasonable control. Infrastructure providers, subprocessors, and service integrations may change as operational requirements evolve.

6. Business transfers

In the event of a merger, acquisition, restructuring, financing, or asset sale, personal data may be transferred as part of the transaction subject to applicable law and confidentiality safeguards. Where required by law, affected users will be notified of any such transfer that materially changes how their personal data is processed.

7. International transfers

Some of the processors above operate servers outside India. Where we transfer your data internationally, we rely on the processor's contractual safeguards and on the legal bases recognised by the DPDP Act for such transfers.

By using our services or placing international orders, users acknowledge that personal data may be processed in jurisdictions where our infrastructure providers, subprocessors, or service partners operate. Users located in certain jurisdictions may have additional privacy rights under applicable local laws. Data storage and processing locations may change as infrastructure providers or operational requirements evolve. Certain products, services, or account functionality may not be available in all jurisdictions.

8. Cookies and similar technologies

We use a small number of strictly necessary cookies and local storage entries. We do not set advertising cookies, behavioural tracking pixels, or third-party analytics on public pages. Our services currently do not respond to browser "Do Not Track" signals.

Categories of cookies and local storage we use

  • Strictly necessary — authentication: a session cookie issued by Better Auth that keeps you signed in and protects your account. Required for sign-in, checkout, and account access.
  • Strictly necessary — security: a CSRF token used to prevent cross-site request forgery on form submissions and account-changing actions.
  • Functional — preferences: a currency preference and locale setting stored in local storage so the cart shows prices in your chosen currency.
  • Functional — cart: a client-side cart stored in local storage so items persist across page loads until you sign in and check out.
  • Analytics & advertising: none. We do not load Google Analytics, ad pixels, retargeting tags, or similar trackers on public pages.

9. Data retention

  • Account data — retained while your account is active. You may request deletion at any time.
  • Order, invoice, and tax records — retained for the period required by Indian tax, GST, customs, sanctions, and export-control laws (typically eight years).
  • Server and security logs — retained for up to 90 days.
  • Marketing preferences — retained until you withdraw consent, plus a short suppression record so we do not contact you again.
  • Support and operational communications — retained for up to three years after your last interaction for fraud prevention, quality assurance, compliance, dispute resolution, and operational continuity purposes, and longer where required by law.

Deleted information may temporarily persist in encrypted backups for a limited period before automatic purge according to backup retention schedules. Retention periods may be extended where reasonably required for dispute resolution, fraud prevention, regulatory compliance, export-control obligations, sanctions screening, legal requirements, or law-enforcement cooperation.

Where applicable, personal data scheduled for deletion is disposed of using commercially reasonable technical measures. Raksham Labs does not guarantee restoration of deleted, corrupted, or inaccessible data.

10. Your rights

Under the DPDP Act and applicable laws you can:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • request erasure of your data, subject to retention obligations above;
  • withdraw consent for marketing at any time by clicking the unsubscribe link in any marketing email, by toggling the marketing preference on your account page, or by writing to us;
  • nominate someone to exercise these rights on your behalf;
  • file a grievance with our Grievance Officer (below).

Withdrawal of consent may limit certain account or service functionality where processing is necessary for operation, compliance, fraud prevention, export verification, or security purposes.

To exercise any of these rights, write to hello@rakshamlabs.com. We aim to respond to verified requests within 30 days unless a longer period is required under applicable law.

11. Additional rights for users in the EEA, UK, and California

Depending on where you live, further privacy rights may apply to you in addition to those described above. The rights below supplement, but do not replace, your rights under the DPDP Act.

EEA and United Kingdom (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to:

  • request a copy of your personal data in a portable, machine-readable format (data portability);
  • object to processing carried out on the basis of our legitimate interests;
  • request restriction of processing in certain circumstances;
  • request human review of, express your point of view about, and contest decisions taken solely by automated means that produce legal or similarly significant effects (see § 3);
  • lodge a complaint with your local data protection authority (for example, the UK Information Commissioner's Office or your national supervisory authority in the EEA).

Where we process your data for the performance of a contract or based on our legitimate interests, the lawful bases are described in § 4. Where we transfer personal data from the EEA or UK outside those regions, we rely on the processor's contractual safeguards and other lawful transfer mechanisms permitted under GDPR / UK GDPR.

California (CCPA / CPRA)

If you are a California resident, you also have the right to:

  • know the categories and specific pieces of personal information we have collected about you in the preceding 12 months and the business purposes for which it was collected;
  • request deletion of personal information, subject to retention obligations described in § 9;
  • correct inaccurate personal information;
  • limit use and disclosure of sensitive personal information (where applicable);
  • opt out of any "sale" or "sharing" of personal information for cross-context behavioural advertising. Raksham Labs does not sell or share personal information for cross-context behavioural advertising and has not done so in the preceding 12 months.
  • be free from discrimination for exercising any of these rights.

Authorised agents acting on a California resident's behalf may submit requests with proof of authorisation. To exercise any of these rights, write to hello@rakshamlabs.com.

12. Security

We implement industry-standard technical and organisational safeguards including encrypted transport, role-based access control, infrastructure hardening, audit logging, secure credential management, access restriction policies, and operational monitoring designed to protect personal data.

Access to personal data is restricted to authorised personnel with legitimate operational requirements and may be logged and monitored for security and compliance purposes. We may periodically review, test, improve, or update our security practices, infrastructure, and operational safeguards. Raksham Labs maintains internal procedures intended to identify, assess, contain, investigate, and respond to security incidents.

While no system can guarantee absolute security, we continuously work to protect data using industry-standard safeguards. If you believe your account has been compromised, contact us immediately.

Breach notification

If a security incident affecting personal data occurs, Raksham Labs will take commercially reasonable mitigation measures and issue notifications in accordance with applicable law. In particular, we will:

  • report qualifying cyber-security incidents to the Indian Computer Emergency Response Team (CERT-In) within the timelines prescribed by CERT-In directions;
  • notify the Data Protection Board of India and affected users without undue delay where required under the DPDP Act;
  • where the GDPR / UK GDPR applies, notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying personal-data breach, and notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Certain privacy, operational, or security obligations may be affected by circumstances beyond reasonable control including cyberattacks, infrastructure failures, sanctions, governmental actions, force majeure events, or third-party service disruption. We do not guarantee uninterrupted availability of online services, infrastructure, account access, or supporting systems due to maintenance, operational changes, infrastructure failures, or circumstances beyond our reasonable control.

Our website, emails, and product documentation may contain links to third-party websites, services, or applications (for example, Razorpay payment pages, Google sign-in, shipping carrier tracking pages, or vendor datasheets). These third parties operate independently of Raksham Labs and have their own privacy practices, terms, and security controls. We do not control, and are not responsible for, the content, privacy practices, or security of any third-party site or service. You should review the applicable third-party privacy policy before submitting any personal data to such sites or services.

14. Children

Under the DPDP Act, a "child" is an individual under the age of 18. Our products and services are not directed to children under 18, and we do not knowingly collect personal data from children under 18 located in India. In other jurisdictions, the legal age of consent for online services may be lower (for example, 13 under the United States Children's Online Privacy Protection Act, and 13–16 under the GDPR depending on the EEA member state). Regardless of jurisdiction, we do not knowingly collect personal data from anyone below the local age of consent without verifiable parental consent where required by law. If you believe a child has shared personal data with us, please contact us so we can delete it.

15. Security research and responsible disclosure

Security researchers may submit responsible disclosure reports to security@rakshamlabs.com. We request that researchers act responsibly and avoid actions that could harm users, systems, infrastructure, data, or operational availability. Full disclosure expectations, safe-harbour intent, and scope of acceptable security research are set out in our Security & Responsible Disclosure Policy.

16. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be highlighted on this page.

17. Governing law and jurisdiction

This Privacy Policy shall be governed by the laws of India and subject to the exclusive jurisdiction of the courts located in Prayagraj, Uttar Pradesh, India.

18. Grievance Officer & contact

In accordance with the Information Technology Act, 2000, the Consumer Protection (E-Commerce) Rules, 2020, and the DPDP Act, the Grievance Officer is:

  • Name: Grievance Officer, Raksham Labs
  • Email: grievance@rakshamlabs.com
  • Address: Raksham Labs Private Limited, C/O Akhilesh Kumar Singh, Surya Bheet, Uparhar, Arail, Karchana, Prayagraj, Uttar Pradesh 211008, India

For general questions, you can also reach us at hello@rakshamlabs.com or via the contact page.

19. Language

In the event of any inconsistency between translated versions of this Privacy Policy, the English-language version shall prevail.