Privacy policy
What Do We Do With Your Information?
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address. When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.
Email marketing: With your permission, we may send you emails about our store, new products and other updates.
Consent
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only. If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no.
How Do I Withdraw My Consent?
If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting us at info@allthingsbaby.com or by mail at: Tower D, Trade World, Kamala Mills Compound, 701, near Bombay Canteen, Lower Parel, Mumbai, Maharashtra 400013.
Disclosure
We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service.
Payment
We use GoKwik for processing payments. We/GoKwik do not store your card data on their servers. The data is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS) when processing payment. Your purchase transaction data is only used as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is not saved.
Our payment gateway adheres to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers. For more insight, you may also want to read the terms and conditions of GoKwik at https://www.gokwik.co
Third-Party Services
In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
We collect personal information which is shared with Facebook to serve more relevant ads and improve our customer experience.
Certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions. For these providers, we recommend that you read their privacy policies so you can understand the way these providers will handle your personal information.
Remember that certain providers may be in or have facilities that are of a different authority than either you or us. So, if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the authority(s) in which that service provider or its facilities are located.
Once you leave our store’s website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service.
Links
When you click on links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
Security
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed. All personal data is encrypted at rest using AES-256 and transmitted using TLS 1.2 or higher. Access to personal data is restricted to authorised personnel only on a need-to-know basis.
Cookies
We use cookies to maintain the session of your user. It is not used to personally identify you on other websites.
Age of Consent
By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site.
Marketplace Platform Integrations and API-Received Data
(a) Nature of Data Received
In addition to personal data collected directly through our website and digital platforms, All Things Baby India Private Limited receives certain personal data from third-party marketplace platforms — including but not limited to Amazon — through authorised API integrations. Such data may include buyer name, delivery address, email address, phone number, order details, and transaction identifiers (“Marketplace Buyer PII”). This data is received solely for the purpose of fulfilling orders placed by buyers on those platforms, including order processing, packing, dispatch, and generation of shipping labels. The Company acts as a data processor with respect to Marketplace Buyer PII received through such integrations, processing it strictly under the instructions and authorisation of the respective marketplace platform and in accordance with their data protection policies.
(b) Permitted Use Only
Marketplace Buyer PII is used exclusively for the following permitted purposes:
• Processing and dispatching the specific order for which the data was received.
• Generating shipping labels for merchant-fulfilled orders.
• Calculating, recording, or remitting applicable taxes including GST as required under Indian law.
• Producing tax invoices and other legally required documents.
Marketplace Buyer PII is never used for marketing, promotional communications, customer profiling, retargeting, or any purpose beyond the specific order transaction for which it was received. The Company does not share Marketplace Buyer PII with any third party except the logistics provider engaged for that specific order.
(c) Data Retention — Marketplace Buyer PII
The Company retains Marketplace Buyer PII for the minimum period necessary to fulfil the permitted purpose:
• Live systems — permanently deleted within 30 days of confirmed order delivery.
• Where retention beyond 30 days is required under Indian tax law (including the Goods and Services Tax Act, 2017), such data may be retained solely for that legal purpose, moved to offline encrypted cold storage not accessible through any active application, and deleted as soon as the legal obligation is satisfied.
• Non-PII marketplace data (order IDs, settlement reports, analytics) — maximum 18 months from date of receipt, then permanently deleted.
• API integration access logs — minimum 12 months retention. Logs do not contain PII unless legally required.
(d) Security, Deletion, and Compliance
All Marketplace Buyer PII is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Access is restricted on a need-to-know basis. All user accounts with access to Marketplace Buyer PII are protected by Multi-Factor Authentication (MFA) and are subject to account lockout after ten unsuccessful login attempts. Password controls require a minimum of 12 characters, history retention of the last 10 passwords, and a maximum expiry period of 365 days. The Company does not store Marketplace Buyer PII on personal devices, removable media, or publicly accessible storage. API keys are rotated at least annually using automated processes. Upon receipt of a deletion request from any marketplace platform, the Company will permanently and securely delete all live instances within 30 days and all archived instances within 90 days, in accordance with NIST 800-88 standards.
(e) Subcontractors and Third-Party Logistics Providers
Where the Company engages third-party logistics providers (courier or last-mile delivery partners) to fulfil merchant-fulfilled orders, such providers receive only the buyer’s delivery address and order reference necessary to complete the specific shipment. Before engaging any subcontractor or third-party vendor that may have access to Marketplace Buyer PII, the Company conducts a third-party risk assessment to verify that the subcontractor maintains data protection standards consistent with Amazon’s Data Protection Policy. Subcontractors are contractually prohibited from using Marketplace Buyer PII for any purpose other than completing the specific delivery for which the data was shared. The Company does not engage any subcontractor that cannot demonstrate adequate data protection controls.
(f) Incident Management Point of Contact (IMPOC)
The designated contact for any security incident involving Marketplace Buyer PII is:
Avinash Karande
Email: info@allthingsbaby.com
Available within 24 hours for incident notification and response.
Data Retention Table
|
Category of Data |
Retention Period |
|
Personal information collected at purchase (name, address, email) |
Retained for the duration of the business relationship and as required by applicable law. |
|
Payment transaction data |
Not stored after transaction completion. Processed by GoKwik under PCI-DSS. |
|
IP address and browsing data |
Session-based. Not linked to personal identity. |
|
Marketplace Buyer PII — live systems (name, address, phone, email received via Amazon or other marketplace APIs) |
Permanently deleted within 30 days of confirmed order delivery. Retained beyond 30 days only where required by Indian tax/regulatory law — offline encrypted storage only, deleted when legal obligation expires. |
|
Non-PII marketplace data (order IDs, product data, settlement reports, performance metrics) |
Maximum 18 months from date of receipt, then permanently deleted. |
|
API integration access logs |
Minimum 12 months retention. Logs do not contain PII unless legally required. |
Changes to This Privacy Policy
We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it. If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.
Questions and Contact Information
If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information, please contact our Privacy Compliance Officer:
Privacy Compliance Officer
All Things Baby India Private Limited
Email: info@allthingsbaby.com
Address: Tower D, Trade World, Kamala Mills Compound, 701, near Bombay Canteen, Lower Parel, Mumbai, Maharashtra 400013
Grievance Officer (India)
In accordance with the Information Technology Act, 2000 and applicable rules made thereunder, as well as the Digital Personal Data Protection Act, 2023, the name and contact details of the Grievance Officer are provided below:
Avinash Karande
All Things Baby India Private Limited
Email: info@allthingsbaby.com
Address: Tower D, Trade World, Kamala Mills Compound, 701, near Bombay Canteen, Lower Parel, Mumbai, Maharashtra 400013
The Grievance Officer can be contacted for any complaints or concerns regarding the processing of personal data.
