The short version
We collect the minimum information needed to process your order, ship it, and respond to you if you contact us. We don't sell your data. We don't share it with advertisers. We keep it only as long as legally required or genuinely useful. You can see, correct, export, or delete your data at any time — just email privacy@annaztatto.shop.
This policy is published to comply with the Indian Digital Personal Data Protection Act, 2023 (DPDP Act). If anything here is unclear, tell us and we'll rewrite it.
Who we are
"We", "us", "ANNA Z TATTO" refers to ANNA Z TATTO Private Limited, a company incorporated in India, with registered office at 2E/8, Third Floor, Jhandewalan Extension, New Delhi 110055. We are the Data Fiduciary under the DPDP Act for personal data you share with us through this website and our services.
What we collect
When you place an order
- Identity: your full name (for shipping label)
- Contact: email address and phone number (for order updates)
- Address: shipping address and billing address if different (for delivery)
- Order details: which products you bought, quantities, total value
- Payment metadata: payment method used, transaction ID, last 4 digits of card. We never see or store your full card number or CVV — that's held only by our PCI-DSS-compliant payment processor (Razorpay).
When you submit a custom commission
- All of the above, plus any references you upload (images, text, personal artefacts) and the context you share about the design's meaning.
When you contact us
- Your name, email, phone, the content of your message, any attachments you send.
When you browse our site
- Basic analytics: pages visited, time on site, referring URL, device type, browser, approximate location (city level only, derived from your IP address). We use this to understand traffic patterns, not to track individuals.
- Cookies: one essential cookie to keep your shopping cart active between page loads, and Google Analytics cookies if you don't disable them. No advertising cookies, no third-party tracking pixels.
What we don't collect
- We do not collect sensitive personal data (biometrics, health data, financial account numbers, political/religious beliefs, sexual orientation) unless you voluntarily share it in a custom commission brief — and even then, it's only used for that specific commission and deleted afterward on request.
- We do not track you across other websites.
- We do not use fingerprinting or tracking pixels from advertising networks.
Why we collect it
- To fulfil your order — we need your name and address to ship a product.
- To communicate with you — order confirmations, tracking updates, delivery notifications, and replies to your questions.
- To process payments — so money moves from your account to ours.
- To provide customer service — handle returns, replacements, refunds, warranty claims.
- To improve our products and website — anonymised analytics only; no individual targeting.
- To comply with tax and accounting law — GST records, invoicing, statutory audit requirements.
- To send you marketing — only if you have explicitly opted in. You can opt out any time.
Who we share it with
We share your data only with service providers who need it to deliver the service you've asked for. All are bound by written contract to protect your data and use it only for the specific purpose we share it for. Specifically:
- Courier partners (Delhivery, Bluedart, DTDC, India Post) — your name, address, phone number, order reference. Only for delivery.
- Payment processor (Razorpay) — your name, email, payment details. For transaction processing and fraud prevention.
- Email service provider (currently Gmail for Business / Google Workspace) — your email and our correspondence. For sending and receiving email.
- Analytics provider (Google Analytics) — anonymised browsing data only. Never your name, email, or purchase details.
- Accounting software (currently Zoho Books) — invoice records for GST compliance. Accessible only to our accountant.
- Hosting provider (Amazon Web Services, Mumbai region) — our website and database. All data is encrypted at rest and in transit.
We do not:
- Sell or rent your data to anyone, ever.
- Share your data with advertisers or ad networks.
- Share your data with other brands for marketing purposes.
- Share your data with government or law enforcement unless legally compelled (a valid court order or statutory notice under Indian law).
How long we keep it
- Order records (name, address, order history): 8 years, to comply with GST and tax law requirements.
- Support correspondence: 2 years after the issue is resolved. Helps if you need us to reference a past interaction.
- Custom commission references and briefs: 12 months after completion, then automatically deleted unless you ask us to keep the artwork on file.
- Marketing opt-in list: until you unsubscribe. We ask for re-consent every 24 months if you haven't opened any of our emails.
- Analytics data: aggregated and anonymised after 14 months.
- Newsletter signups (no purchase): until you unsubscribe. Reviewed every 24 months.
Your rights
Under the Indian Digital Personal Data Protection Act, 2023, you have the following rights regarding your personal data. We honour all of them within 7 working days of a verified request.
- Right to access: see what data we have about you. Email us with the subject "Data Access Request" and verify your identity; we'll send you a complete export.
- Right to correction: if any of your data is wrong, tell us and we'll fix it promptly.
- Right to erasure ("be forgotten"): ask us to delete your data. We will, except where we are legally required to retain specific records (e.g., tax invoices for 8 years).
- Right to data portability: get your data in a structured, machine-readable format (JSON or CSV) to take elsewhere.
- Right to withdraw consent: for anything we do based on your consent (marketing, analytics cookies), you can withdraw at any time.
- Right to grievance redressal: if you believe we've mishandled your data, raise a complaint with our Data Protection Officer (contact below). If unresolved, you can escalate to the Data Protection Board of India.
Cookies, explained
A cookie is a tiny text file stored by your browser. We use three kinds:
- Essential cookies — keep your shopping cart active and remember if you've dismissed certain banners. They cannot be disabled because the site would break, and they expire when you close your browser.
- Analytics cookies (Google Analytics) — help us understand page performance, popular products, and bounce rates. No individual identification. You can disable these in our cookie banner on first visit, or by installing Google's analytics opt-out browser add-on.
- Payment cookies (set by Razorpay during checkout) — required for secure payment processing. Only active during the checkout flow.
We do not use advertising cookies, retargeting pixels, or Facebook Pixel. We do not have advertising accounts with any ad network.
Children's privacy
Our products are intended for users aged 13 and above. We do not knowingly collect personal data from children under 13. If you are under 13, please do not provide any personal information to us. If you are a parent or guardian and believe your child under 13 has provided us with data, please contact privacy@annaztatto.shop and we will delete it immediately.
For users aged 13–18, we recommend parental awareness of online purchases, and parental consent for all custom commission submissions.
Security measures
- All data transferred between your device and our servers is encrypted using TLS 1.3.
- Our database is encrypted at rest (AES-256).
- Payment data never touches our servers — it's handled entirely by Razorpay's PCI-DSS Level 1 certified infrastructure.
- Access to our internal systems is two-factor authenticated and restricted by role — only team members who need specific data to do their jobs can access it.
- We perform regular security audits and backup tests.
- In the event of a data breach, we will notify affected users within 72 hours via email, as required by the DPDP Act, with details of what happened and what we're doing about it.
International transfers
All your data is primarily stored and processed within India (Mumbai region on AWS). Some service providers we use (Google Workspace for email, Google Analytics) process limited data in their global infrastructure, which may include servers outside India. These providers meet international data protection standards and operate under standard contractual clauses for cross-border data transfer. If you want details of exact data flows, email privacy@annaztatto.shop.
Changes to this policy
We may update this policy from time to time. When we do: (1) the "Last updated" date at the top changes; (2) if the change is material (affects how your data is used or shared), we email all customers with an account at least 30 days before the new policy takes effect; (3) previous versions are archived and can be requested by email.
Contact our Data Protection Officer
Data Protection Officer
ANNA Z TATTO Pvt. Ltd.
2E/8, Third Floor, Jhandewalan Extension
New Delhi, Delhi 110055, India.
Email: privacy@annaztatto.shop
Phone: +91 011 6338 3263
We respond to all privacy queries within 7 working days, as required by law.
Grievance redressal
If you have a complaint about how we've handled your personal data and aren't satisfied with our response, you can escalate to the Data Protection Board of India (once constituted under the DPDP Act). Until that body is operational, complaints can be filed with the Ministry of Electronics and Information Technology.