Effective Date: 27 June 2025
Jurisdiction: India

Forteefied.com (“Forteefied,” “we,” “our,” or “us”) respects your privacy. This Privacy Policy outlines how we collect, use, store, and share your information when you visit or make a purchase from our website, in compliance with:

• The Information Technology Act, 2000

• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

• Draft provisions under India’s Digital Personal Data Protection (DPDP) Act

• International best practices

By accessing our platform, you consent to the practices described herein.

1. DEFINITIONS

• Personal Information refers to any information that, either directly or indirectly, identifies an individual. This includes but is not limited to: full name, mobile number, email address, residential or shipping address, IP address, and any other detail associated with a natural person that can reasonably identify them.

• Sensitive Personal Data or Information (SPDI) shall have the meaning assigned under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and includes, without limitation:

  • Passwords

  • Financial information (such as bank account details, credit/debit card numbers, UPI IDs)

  • Physical, physiological, and mental health conditions

  • Sexual orientation

  • Medical records and history

  • Biometric information

  • Any detail relating to the above categories as provided to or received by Forteefied for processing or storage

• Processing means any operation or set of operations performed on personal data or SPDI, whether or not by automated means. This includes but is not limited to: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction of data.

• These definitions shall be interpreted in accordance with applicable Indian laws and, to the extent relevant, internationally accepted data protection principles, including the forthcoming enforcement of the Digital Personal Data Protection Act, 2023.

2. INFORMATION WE COLLECT

• We collect and process personal information from you when you visit, browse, interact with, or make a purchase through our website. This information is collected through the following means:

  ---

  a. Information You Provide Directly:

  You may voluntarily provide us with personal information when you:

  • Place an order through the Website

  • Sign up or log in to your account

  • Contact us via email or support forms

  • Participate in promotions, surveys, or reviews

  The types of personal information you may provide include:

  • Full name

  • Billing and shipping address

  • Mobile number and email address

  • Payment details (such as UPI ID, Razorpay tokenized identifiers)*

  • Any information included in messages or support requests

  *Note: We do not store your card numbers, CVV, UPI PINs, or banking credentials. All payment transactions are processed securely through Razorpay’s PCI-DSS-compliant systems.

  ---

  b. Information Collected Automatically:

  We may automatically collect limited technical and usage information when you access or use the Website. This includes:

  • IP address and device type

  • Browser type, operating system, and language settings

  • Referral URL, session duration, and clickstream activity

  • User behavior and engagement metrics, collected via tools such as Google Analytics and Meta Pixel (Facebook)

  We also use cookies and session identifiers to:

  • Maintain secure login sessions

  • Remember your cart and preferences

  • Track website performance and fraud prevention

  • Personalize the browsing experience

  Cookie Consent Compliance:
  We collect this information only after obtaining explicit user consent via a cookie consent banner/pop-up shown on your first visit to the Website. This is in accordance with:

  • Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

  • Anticipated consent requirements under the Digital Personal Data Protection Act, 2023

  You may revoke or modify your consent at any time using your browser settings or cookie management tool (where available).

  ---

  c. Information Received Through Third Parties:

  We may receive limited personal information from authorized third-party service providers in order to complete your transaction and ensure service delivery. These include:

  • Social login providers (Google or Facebook): When you opt to log in via third-party OAuth, we may receive your name and email address, as permitted by your account’s privacy settings. We do not access passwords or full profile information.

  • Delivery and logistics partners: Order status updates, tracking numbers, proof of delivery, and address verification are shared with us for fulfillment purposes.

  • Payment gateway (Razorpay): Confirmation of payment status, transaction ID, and risk indicators necessary for fraud prevention and accounting.

  All such third-party integrations are used solely for order fulfillment, fraud protection, user authentication, and customer service improvement. We ensure that these service providers adhere to industry-standard data protection and security protocols.

3. USE OF YOUR INFORMATION

We collect and process personal information and sensitive personal data or information (SPDI) for specific, lawful, and legitimate purposes. The use of such data is strictly limited to the following functions:

• To process, fulfill, and manage product orders placed through our website, including order confirmations, shipping coordination, delivery tracking, and invoicing.

• To communicate with users regarding the status of orders, resolve complaints, respond to queries, and address service-related disputes or grievances.

• To detect, investigate, and prevent fraudulent transactions, misuse of our services, unauthorized access, and violations of our terms or policies.

• To ensure secure and accurate financial processing via third-party payment gateways that are compliant with applicable Indian security and privacy standards.

• To personalize the user experience by analyzing behavioral trends, purchase patterns, and preferences strictly for operational enhancement, not profiling.

• To measure and evaluate website performance through analytical tools (such as Google Analytics and Meta Ads) for internal audit, functionality improvement, and optimization of user engagement strategies.

• To send transactional or service-related communications. Promotional emails and marketing messages shall be sent only to users who have explicitly opted in for such communication, in accordance with Rule 5(7) of the SPDI Rules and Section 5 of the DPDP Act, 2023.

We do not sell, lease, rent, trade, or otherwise transfer your personal data to any third-party marketing or advertising company, broker, or agent for profit or promotional targeting beyond the intended scope disclosed herein.

All processing activities are executed in accordance with the principle of purpose limitation, and data is retained only for as long as is necessary to fulfill the stated purposes or to comply with statutory obligations.

4. COOKIES AND TRACKING TECHNOLOGIES

Forteefied uses cookies to:

• Maintain login sessions

• Store cart contents

• Improve website performance

• Track user behavior (via Meta Pixel and Google Analytics)

You may disable cookies through your browser settings, but this may affect website functionality.

5. LEGAL BASIS FOR PROCESSING

We collect and process your data on the following grounds:

• Consent: When you fill a form or sign up

• Contractual necessity: To fulfill orders

• Legal obligation: For invoicing, taxation, or fraud prevention

• Legitimate interest: For analytics, user experience improvement, and marketing (limited)

6. SHARING OF YOUR INFORMATION

We do not sell, rent, lease, or otherwise distribute your personal or sensitive personal data to any third party for direct marketing or unrelated commercial gain. However, in the course of delivering our services, we may share your data with certain third parties under strict contractual obligations and lawful bases, as detailed below.

Such sharing is done solely for the purpose of fulfilling your transaction, complying with statutory obligations, or improving user experience, and only with entities that demonstrate adherence to data protection standards consistent with Indian law.

a. Categories of Third Parties With Whom We May Share Data

b. Legal Grounds for Sharing

All sharing is based on at least one of the following lawful bases:

• Contractual Necessity: Where sharing is required to fulfill a purchase order or provide a requested service.

• Legal Obligation: Where mandated by applicable Indian laws, regulatory authorities, or law enforcement agencies.

• Legitimate Interest: To ensure fraud detection, operational efficiency, or platform security, provided your fundamental rights are not overridden.

• Consent: Where you have explicitly consented to such sharing (e.g., via cookie banner or opt-in checkboxes).

c. Safeguards and Risk Controls

All third parties with whom we share data:

• Are bound by Non-Disclosure Agreements (NDAs), Data Processing Agreements (DPAs), or other enforceable legal instruments;

• Are contractually obligated to use data solely for the specific, disclosed purpose and not for any secondary processing;

• Must implement reasonable security practices as required under Rule 8 of the IT Rules, 2011 and Section 24 of the DPDP Bill (once enacted);

• Are subject to audit and review for compliance.

We retain the right to terminate data-sharing arrangements with any third party found in violation of applicable privacy obligations.

d. No Unauthorized Cross-Border Transfers

We do not transfer your personal data outside the territorial jurisdiction of India unless:

• The third-party processor has equivalent data protection standards;

• The transfer is required for technical functionality (e.g., Google or Meta servers);

• The transfer is permitted under Indian law or your explicit consent has been obtained.

Cross-border transfers, if any, are carried out in accordance with the prevailing provisions of the IT Rules and anticipated compliance requirements under the DPDP Act.

e. Liability Limitation

While we exercise due diligence in selecting our processors and enforcing contractual safeguards, we are not liable for any misuse, breach, or unauthorized processing by third parties beyond our control, provided we have fulfilled our statutory obligations and responded promptly to any data subject grievance.

7. DATA RETENTION

• Your personal data is retained for as long as necessary to:

  • Complete the transaction

  • Provide customer support

  • Comply with legal, tax, and accounting requirements

• Google Analytics and advertising cookies may persist for 12–26 months unless cleared manually

• You may request deletion of your account and data via email at any time

8. DATA SECURITY

Forteefied implements a layered, risk-sensitive, and legally compliant approach to the protection of personal and sensitive personal data. We employ commercially reasonable physical, technical, electronic, and managerial safeguards to prevent unauthorized access, disclosure, alteration, misuse, or destruction of your information, whether in transit or at rest.

The security measures we currently enforce include, but are not limited to, the following:

• SSL (Secure Socket Layer) encryption for all transactions conducted on https://forteefied.com to ensure end-to-end data security during transmission;

• PCI-DSS-compliant payment gateways such as Razorpay to process financial transactions—Forteefied itself does not store or access your full payment credentials (e.g., card numbers, UPI IDs);

• Firewall and intrusion detection systems on all production-level infrastructure;

• Access control mechanisms, including password protection, role-based access, and need-to-know data segregation to restrict internal data exposure;

• Periodic vulnerability assessments and data audits to identify and address emerging risks;

• Data minimization protocols, wherein only the minimum amount of personal data necessary for specific processing is retained;

• Strong password and OTP practices, with customer advisories to avoid sharing authentication credentials or sensitive data over insecure channels.

While we strive to follow all industry standards and statutory obligations, no digital or physical method of data storage or transmission is entirely immune to unauthorized access or security compromise. Therefore, we expressly disclaim liability for any breach arising out of third-party misconduct, cyberattacks, or user negligence, provided we have discharged our legal duties under applicable law.

In the unlikely event of a data breach affecting your personal or sensitive personal data, Forteefied shall:

• Promptly notify the affected data subjects via email or registered communication channels;

• Report the incident to the relevant Computer Emergency Response Team – India (CERT-In), in accordance with Rule 12 of the IT (Reasonable Security Practices) Rules, 2011;

• Cooperate with law enforcement authorities and affected parties to contain and investigate the breach;

• Initiate remedial actions including, but not limited to, access revocation, patch deployment, and user advisories.

We reserve the right to temporarily suspend services, revoke access, or shut down systems during critical security events to prevent data leakage or exploitation.

By using our platform, you acknowledge that you understand and accept the inherent risks associated with internet-based services and digital commerce.

9. CHILDREN’S PRIVACY

• Forteefied does not knowingly solicit or collect personal information from individuals under the age of 18 years. Our website, services, and content are not intended for use by minors below this age threshold.

• In accordance with Rule 4 of the SPDI Rules and the guiding principles of the DPDP framework, we do not process data from children without verified parental consent, and our systems are not designed to attract or target users classified as children under applicable law.

• If it comes to our attention, through verification or notification, that a minor under the age of 18 has submitted personal data to us without appropriate authorization or parental consent, we shall take immediate steps to delete such data from our records and systems without undue delay.

• Parents or legal guardians who believe that their child has provided personal information without proper consent are advised to contact us immediately at privacy@forteefied.com to initiate the data deletion process.

10. YOUR RIGHTS UNDER INDIAN LAW

As a data principal under Indian law, you are entitled to exercise the following rights concerning your personal data, in accordance with the Information Technology Act, 2000, Rule 5 of the SPDI Rules, and the emerging framework of the Digital Personal Data Protection (DPDP) Act, 2023:

• Right to Access
  You may request confirmation as to whether your personal data is being processed by Forteefied and obtain a summary of such data, including processing purposes, data categories, and third-party recipients.

• Right to Correction and Rectification
  You may request correction of any inaccurate, incomplete, outdated, or misleading personal data held by Forteefied. Such requests will be acted upon without undue delay following verification of authenticity.

• Right to Withdraw Consent
  You may withdraw your consent to the collection or processing of your personal or sensitive personal data at any time. Such withdrawal shall not affect data processing that occurred lawfully prior to the withdrawal. Withdrawal may restrict access to services or functionalities reliant on that data.

• Right to Erasure / Account Deletion
  You may request the deletion of your account and associated personal data, subject to:

  • Mandatory data retention obligations under Indian tax, financial, or regulatory laws

  • Preservation required for legal claims, dispute resolution, or contractual enforcement

  • GST-compliant invoicing and audit record requirements

  Forteefied will delete non-essential data upon successful verification of identity and ownership.

• Right to Object to Direct Marketing
  You may opt out of receiving promotional or marketing communications at any time by using the opt-out link in emails or by contacting us directly. We will process such opt-out requests within a maximum of 10 working days.

• Right to Data Portability (subject to future legal framework implementation)
  While not enforceable under current Indian legislation, Forteefied may, in good faith, support requests to provide your data in a structured, machine-readable format, where technically feasible and commercially viable.

HOW TO EXERCISE YOUR RIGHTS

To exercise any of the above rights, email your request to:

📧 privacy@forteefied.com

Please include:

• Your full name and registered email ID

• Specific nature of the request (e.g., data access, correction, withdrawal)

• Valid proof of identity (e.g., government-issued ID), if required

Forteefied shall acknowledge your request within a reasonable time and respond within 15 calendar days, unless a longer period is warranted due to complexity, in which case you will be duly informed.

Requests may be denied if they are:

• Unreasonable, repetitive, or excessive in nature

• Not technically feasible or disproportionately burdensome

• In conflict with statutory compliance or retention obligations

All data rights must be exercised strictly through the official communication channel above. No verbal, telephonic, social media, or informal request shall be entertained under any circumstances.

11. GRIEVANCE OFFICER

In compliance with Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021:

Grievance Officer: CEO, Obsidira
Designation: Chief Executive Officer
Email: privacy@forteefied.com
Address: OBSIDIRA (OPC) PRIVATE LIMITED,Om Chambers, 648/A, 4th Floor, Binnamangala 1st Stage, Indiranagar, Bangalore – 560038
Working Hours: Monday to Friday, 10:00 AM to 6:00 PM IST

12. INTERNATIONAL DATA TRANSFERS

• Certain service providers engaged by Forteefied (including but not limited to Google LLC, Meta Platforms, Inc., and Razorpay Software Private Limited) may process or store data on servers located outside the territorial jurisdiction of India.

• By accessing and continuing to use the Forteefied website, placing an order, or interacting with its features, you explicitly consent to such cross-border transfers of personal and sensitive personal data as necessary for the provision of payment processing, analytics, user authentication, logistics coordination, and platform functionality.

• Forteefied exercises due diligence in ensuring that such transfers are made only to jurisdictions or entities that maintain adequate data protection standards, as per globally accepted security frameworks and Indian legal expectations under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and proposed adequacy safeguards under the Digital Personal Data Protection Act, 2023.

• All vendors and subprocessors handling such data are contractually bound to follow reasonable security practices, implement data minimization, and limit access strictly to authorized personnel.

• Forteefied shall not be liable for any unauthorized processing or access that occurs on foreign servers outside its direct control, provided the third-party vendor or processor has been appointed in good faith and in line with this Policy.

• In the event of any changes to applicable cross-border data transfer restrictions under Indian law, Forteefied will take timely corrective steps and update this section accordingly. Continued use of the platform after such changes shall constitute acceptance of the revised transfer mechanism.

13. CHANGES TO THIS PRIVACY POLICY

This Privacy Policy may be updated periodically to reflect changes in our practices or applicable law. You are advised to check this page frequently.

🔚 END OF PRIVACY POLICY

Thank you for trusting Forteefied. We are committed to transparen