Privacy Policy

This Privacy Policy explains how AT Fashion ("AT Couture", "we", "us", "our") collects, uses, discloses, stores, and protects your personal data when you visit, browse, or transact on atcouture.com (the "Website"). We are committed to safeguarding your privacy in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the rules made thereunder.

By accessing the Website or providing your personal data to us, you consent to the collection, processing, and use of your data as described in this Policy.

1. Information We Collect

We collect the following categories of personal data, which you provide to us directly or which we collect automatically through your use of the Website:

1.1 Information You Provide

• Identity and contact data: full name, email address, mobile number, billing and shipping addresses.
• Order data: products purchased, sizes, quantities, order history, delivery preferences, order notes.
• Payment data: payment method (UPI / COD), transaction reference numbers, UPI ID (only where shared by you). We do not store full card numbers, CVV, or banking credentials on our servers.
• Communication data: messages, queries, and feedback you submit through our contact form, email, or phone.

1.2 Information Collected Automatically

• Device and usage data: IP address, browser type and version, operating system, device identifiers, referring URL, pages visited, time spent on pages, click-stream data.
• Cookies and similar technologies: small text files placed on your device to remember preferences, maintain your cart, and analyse traffic patterns.
• Analytics data: aggregated information collected via Google Analytics 4 (GA4) about how visitors interact with the Website.

2. How We Use Your Information

We process your personal data only for specific, lawful purposes, including:

• Processing and fulfilling your orders, including shipping, returns, refunds, and tracking.
• Communicating with you about your order status, payment, shipment, and customer service queries.
• Verifying your identity and preventing fraudulent transactions.
• Sending transactional emails (order confirmation, payment confirmation, shipment notification, return/refund updates).
• Sending marketing and promotional communications, where you have opted in. You may unsubscribe at any time.
• Improving our products, services, Website performance, and user experience.
• Complying with legal obligations, responding to lawful requests from authorities, and enforcing our terms.
• Conducting analytics, research, and business reporting.

3. Legal Basis for Processing

Under the DPDP Act, we process your personal data on one or more of the following lawful grounds:

• Consent: where you have voluntarily given us your data for a specified purpose.
• Performance of a contract: where processing is necessary to fulfil an order or service you have requested.
• Legitimate use: for purposes such as fraud prevention, security, and internal record-keeping.
• Legal obligation: where processing is required to comply with applicable law, court orders, or regulatory requirements.

4. Sharing and Disclosure

We do not sell your personal data. We may share your data with the following categories of recipients, only to the extent necessary for the purposes set out above:

• Payment gateway partners: licensed payment service providers (including MMADPay) that process UPI and other electronic payments. These partners operate under their own privacy policies and applicable RBI guidelines.
• Shipping and logistics partners: courier companies and last-mile delivery providers who require your name, address, and phone number to deliver your order.
• Email and communication providers: our SMTP and transactional email service used to send order-related communications.
• Analytics providers: Google Analytics for aggregated, non-personal usage analytics.
• Legal and regulatory authorities: where disclosure is required to comply with a legal obligation, court order, subpoena, or government request.
• Business transfers: in the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred subject to equivalent privacy protection.

5. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, tax, or reporting requirements. Specifically:

• Order and transaction records are retained for a minimum of eight (8) years in compliance with applicable tax and accounting laws.
• Contact form submissions are retained for up to three (3) years from the date of submission, or longer if required to resolve an ongoing dispute.
• Analytics and usage data are retained for up to twenty-six (26) months in aggregated form.
• Marketing preferences are retained until you withdraw consent.

6. Your Rights as a Data Principal

Under the DPDP Act, you have the following rights with respect to your personal data:

• Right to access: request a summary of personal data we process about you.
• Right to correction and erasure: request correction of inaccurate data, or deletion of data that is no longer required for the purpose for which it was collected.
• Right to grievance redressal: raise a complaint with our Grievance Officer (details below).
• Right to nominate: nominate another individual to exercise your rights in the event of your death or incapacity.
• Right to withdraw consent: withdraw consent previously given, at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at care@atcouture.com. We will respond to verified requests within the timelines prescribed by law.

7. Security Measures

We implement reasonable technical, organisational, and physical safeguards designed to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These include:

• HTTPS / SSL encryption for all data transmitted between your browser and our servers.
• Hashed and salted password storage for administrative accounts.
• Restricted access to personal data on a need-to-know basis.
• Use of PCI-DSS compliant payment gateways; no card data stored on our servers (in line with RBI tokenisation guidelines).
• Periodic review of access logs, security configurations, and software updates.

While we strive to protect your data, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Cookies

We use cookies and similar technologies to:

• Maintain your shopping cart and session state.
• Remember preferences and improve performance.
• Measure visitor behaviour through analytics tools.

You may disable cookies through your browser settings. Disabling cookies may affect the functionality of the Website, including the cart and checkout flow.

9. Third-Party Links

The Website may contain links to third-party websites, social media platforms, or services. We are not responsible for the privacy practices or content of those websites. We encourage you to review their privacy policies before sharing any personal data.

10. Children's Privacy

The Website is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to us, please contact us so we can take appropriate action.

11. International Data Transfers

Our servers and certain service providers may be located outside India. Where personal data is transferred outside India, we ensure that the transfer is conducted in accordance with the DPDP Act and applicable government notifications.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. The latest version, marked with the revised "Last Updated" date, will always be available on this page. We encourage you to review it periodically.

13. Grievance Officer

In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, the contact details of our Grievance Officer are:

Acknowledgement of your complaint will be issued within twenty-four (24) hours of receipt, and resolution will be provided within fifteen (15) days, in accordance with applicable law.

14. Contact Us

For any general queries about this Privacy Policy or our data practices, please write to: