Privacy Policy

1. Who We Are

PureHarvest Organics is a food and wellness brand based in Araku Valley, Andhra Pradesh, India. We sell raw forest honey, single-origin coffee, wild dry fruits, and forest spices sourced from indigenous tribal communities of the Eastern Ghats.

Our registered office is located at: [Company Address], Araku Valley, Visakhapatnam, Andhra Pradesh — [PIN Code], India.

For all privacy-related matters, you may contact our Data Officer at privacy@pureharvest.com.

This policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Consumer Protection Act, 2019. Where applicable, we also comply with the General Data Protection Regulation (GDPR) for visitors from the European Economic Area.

2. Information We Collect

We collect the following categories of personal information:

Identity & Contact Information

• Full name
• Email address
• Phone number (including WhatsApp, if provided)
• Billing and shipping address (including city, state, PIN code)

Order & Transaction Information

• Products purchased, quantities, and sizes
• Order history, order status, and delivery tracking data
• Subscription preferences (products, delivery frequency, pauses, cancellations)
• Payment method type (UPI, card, net banking — we do not store card numbers or UPI IDs; all payment data is processed by Razorpay)
• Transaction reference numbers and payment confirmation records

Account Information

• Username and encrypted password (if you create an account)
• Saved addresses and preferences
• Wishlist and saved products
• Communication preferences and marketing opt-in status

Device & Usage Information

• IP address and approximate geographic location (city/region level)
• Browser type, version, and operating system
• Device type (desktop, mobile, tablet)
• Pages visited, time spent, clicks, and navigation path
• Referral source (how you arrived at our site)
• Search queries entered on our site

Communications

• Emails, messages, or enquiries you send to us
• Responses to customer surveys or feedback forms
• Product reviews or testimonials you submit
• Wholesale or B2B enquiry details

Sensitive Personal Data (SPDI)

We do not intentionally collect sensitive personal data such as financial account credentials, biometric data, health information, or government identity numbers. If you choose to share such information with us (e.g., in a message), you do so voluntarily and at your own discretion.

3. How We Collect Information

Directly from You

When you place an order, create an account, sign up for our newsletter, fill out the subscription modal, complete a contact or wholesale enquiry form, or communicate with us via email or WhatsApp.

Automatically

When you browse our website, we automatically collect certain device and usage data through cookies, web beacons, and server logs. This happens whether or not you are logged in or have made a purchase. See Section 6 for full details on cookies.

From Third Parties

• Razorpay — our payment processor may share payment confirmation data, transaction IDs, and fraud risk signals with us
• Shipping partners — logistics providers may share delivery status and recipient confirmation data
• Analytics providers — aggregated, anonymised behavioural data about site usage
• Social media platforms — if you interact with our social media pages or use social login, those platforms may share limited profile data with us subject to their own privacy policies

4. How We Use Your Information

We use the information we collect only for lawful, legitimate purposes:

To Process and Fulfil Orders

• Processing payments and verifying transactions
• Packing, shipping, and delivering your orders
• Sending order confirmations, invoices, and shipping notifications
• Managing returns, refunds, and exchanges
• Resolving delivery disputes with logistics partners

To Manage Your Account & Subscription

• Creating and maintaining your customer account
• Managing your subscription — delivery rhythm, product preferences, pauses, and cancellations
• Personalising your experience based on past orders and preferences

To Communicate With You

• Responding to your enquiries, support requests, and complaints
• Sending transactional emails (order updates, shipping confirmations, subscription reminders)
• Sending marketing emails, offers, and seasonal harvest updates — only with your explicit consent and only if you have opted in
• Conducting satisfaction surveys and requesting product reviews

To Improve Our Products & Site

• Analysing purchase patterns to improve our product catalogue
• Understanding how users navigate the site to improve usability
• Testing new features and measuring their effectiveness
• Detecting and preventing fraud, abuse, and security incidents

To Comply With Legal Obligations

• Maintaining transaction records as required by GST and Indian tax law
• Responding to lawful requests from law enforcement or regulatory authorities
• Enforcing our Terms & Conditions and other legal agreements

5. Legal Basis for Processing

Under the SPDI Rules (India) and GDPR (EU), we process your personal data on the following legal bases:

• Contract performance — processing necessary to fulfil an order you have placed or a subscription you have entered into
• Legitimate interests — fraud prevention, site security, improving our products and service, and communicating about your existing orders
• Consent — sending marketing communications, using non-essential cookies, and processing any sensitive data you voluntarily share. You may withdraw consent at any time.
• Legal obligation — retaining transaction records and responding to lawful government requests

6. Cookies

Cookies are small text files stored on your device when you visit our website. We use them to make the site work properly, understand how it is used, and (with your consent) to personalise your experience.

Essential Cookies

These are required for the website to function. They cannot be disabled.

• Session state (your cart contents, login status)
• Security tokens (CSRF protection)
• Cookie consent preferences

Analytics Cookies

Set with your consent. Help us understand how visitors use the site — which pages are visited, where users drop off, and how traffic arrives.

• PostHog (product analytics — page views, clicks, conversion funnels)

Marketing Cookies

Set only with explicit consent. Used to measure the effectiveness of advertising campaigns and to show you relevant ads on other platforms.

• Meta Pixel (Facebook / Instagram advertising)
• Google Ads conversion tracking

Managing Cookies

You can control and delete cookies through your browser settings at any time. Note that disabling essential cookies may prevent parts of the site from working correctly. You may also withdraw consent for analytics and marketing cookies by contacting us at privacy@pureharvest.com.

7. Data Sharing

We share your personal information only where necessary and with parties who are contractually obligated to protect it:

Payment Processors

Razorpay processes all payment transactions on our behalf. When you pay, your financial details go directly to Razorpay and are governed by Razorpay's Privacy Policy. We receive only a transaction confirmation and reference number — never your card or UPI details.

Logistics & Shipping Partners

We share your name, phone number, and delivery address with our logistics partners (including but not limited to Delhivery, BlueDart, DTDC, and India Post) solely for the purpose of delivering your order. These partners are not authorised to use your data for any other purpose.

Technology Service Providers

• Supabase — database infrastructure for storing order and account data, hosted within secure cloud environments
• Netlify — website hosting and delivery infrastructure
• Email service providers — for sending transactional and marketing emails (e.g., Resend, SendGrid)

Legal & Regulatory Disclosure

We may disclose your information to law enforcement agencies, courts, or government authorities if required by applicable Indian law, court order, or other legal process. We will notify you of such requests where legally permitted to do so.

Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

8. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, subject to legal and regulatory requirements:

• Order and transaction records — 7 years, as required by Indian GST and tax regulations
• Customer accounts — for the duration of your account, plus 2 years after closure
• Marketing consent records — until you withdraw consent, plus 1 year thereafter as evidence of consent
• Support and communication records — 3 years from last interaction
• Analytics data — 26 months in anonymised, aggregated form
• Fraud prevention records — up to 5 years from the date of the relevant incident

When retention periods expire, data is securely deleted or anonymised in a manner that prevents re-identification.

9. Your Rights

Under Indian law and, where applicable, GDPR, you have the following rights regarding your personal data:

• Right to Access — You may request a copy of the personal data we hold about you at any time.
• Right to Correction — You may request that we correct inaccurate or incomplete information.
• Right to Deletion — You may request that we delete your personal data. Note that we may retain certain data where required by law (e.g., transaction records).
• Right to Data Portability — You may request a copy of your data in a structured, machine-readable format.
• Right to Withdraw Consent — Where processing is based on consent (marketing emails, non-essential cookies), you may withdraw at any time without affecting the lawfulness of prior processing.
• Right to Object — You may object to processing based on legitimate interests, including direct marketing.
• Right to Restrict Processing — In certain circumstances, you may request that we limit how we use your data.

To exercise any of these rights, contact us at privacy@pureharvest.com. We will respond within 30 days of receiving your request. We may need to verify your identity before processing the request.

If you are in the EU/EEA and believe we have not addressed your concern adequately, you have the right to lodge a complaint with your local data protection authority.

10. Children's Privacy

Our website and services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal data from a child under 18 without verifiable parental consent, we will delete that information promptly.

If you believe a minor has provided personal information to us, please contact us at privacy@pureharvest.com and we will take immediate action.

11. Security

We implement reasonable and appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:

• HTTPS encryption for all data transmitted between your browser and our servers
• Encrypted storage of passwords using industry-standard hashing algorithms
• Restricted access to personal data — only authorised personnel may access it, and only where necessary for their role
• Payment processing handled entirely by Razorpay — we never see or store your payment credentials
• Regular review of our security practices and access controls

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that affects your rights, we will notify you as required by applicable law.

12. International Data Transfers

PureHarvest Organics is based in India. Your data is primarily stored and processed in India. Where we use technology service providers whose infrastructure is located outside India (for example, cloud hosting services), we ensure appropriate safeguards are in place including standard contractual clauses and data processing agreements that meet the requirements of applicable law.

If you are accessing our site from outside India, please be aware that your data will be transferred to and processed in India, where data protection laws may differ from those in your country.

13. Third-Party Links

Our website may contain links to third-party websites, social media platforms, or external content. This Privacy Policy applies only to information collected on our website. We are not responsible for the privacy practices or content of any third-party sites. We encourage you to read the privacy policies of any external sites you visit.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Send an email notification to registered customers where the changes are significant
• Display a prominent notice on our website

We encourage you to review this policy periodically. Your continued use of our website after changes are posted constitutes your acceptance of the revised policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or the way we handle your data, please reach out: