Privacy Policy

We collect information from you when you browse our site, register, make a purchase, or contact support. This includes:

• Device & Usage Data: IP address, browser version, time zone, pages visited, search terms, cookie data — collected automatically to optimize Site performance.
• Order Information: Name, billing/shipping address, email, phone number, and payment information (processed securely via Razorpay) — collected to fulfill orders, send invoices, and prevent fraud.
• Account Information: Username, password (hashed), and profile preferences — if you create an account on our platform.
• Customer Support Information: Details you share when contacting us via email, WhatsApp, or our contact form — used solely to resolve your query.
• Marketing Preferences: If you subscribe to our newsletter, we collect your email address with your explicit consent.

We use the information collected for the following purposes:

• To process, fulfil, and ship your orders accurately and on time.
• To send order confirmations, invoices, shipping notifications, and delivery updates.
• To respond promptly to your queries, complaints, and support requests.
• To detect, investigate, and prevent fraudulent transactions and illegal activities.
• To improve our website, product catalogue, and overall user experience.
• To send promotional offers, new arrivals, and spiritual content — only if you have opted in.
• To comply with applicable legal and regulatory obligations.

We do not sell or rent your personal information to any third party. We may share your data only as described below:

• Payment Processors: Your payment details are shared with Razorpay (our payment gateway) to securely process transactions. Razorpay is PCI-DSS compliant; Stone Mart does not store full card details on our servers.
• Logistics & Shipping: Your name, address, and phone number are shared with Shiprocket (our shipping aggregator) and our courier partners (BlueDart, Delhivery, Expressbees, FedEx) to deliver your order and surface live tracking inside the website and mobile app.
• Authentication & Account Storage: User accounts, order history, addresses, cart, wishlist, and profile data are stored on Supabase (PostgreSQL hosted in the EU). Supabase processes data on our behalf as a sub-processor.
• Media Storage: Product images, profile photos, and review photos you upload are stored on Cloudflare R2, served via the cdn.stonemart.co.in domain.
• Crash & Error Reporting: The mobile app uses Sentry to capture crashes and errors. Reports are scrubbed of personal information (email, phone, address, push tokens) before they leave your device, and the user identifier sent to Sentry is the Supabase user ID only — never your email or phone.
• Push Notification Delivery: The mobile app's push tokens are issued by Expo (for our Expo-based runtime) and routed via Apple Push Notification Service (iOS) or Firebase Cloud Messaging (Android) to deliver order updates.
• Analytics Services: We use Google Analytics on the website to understand usage. The mobile app does not use Google Analytics. You may opt out at tools.google.com/dlpage/gaoptout.
• Legal Authorities: We may disclose information to government agencies or regulators if required by law, a court order, or to enforce our legal rights.
• Internal Teams: Relevant employees (customer support, logistics, finance) who need access solely to fulfil their job responsibilities.

The security of your personal data is a top priority for Stone Mart. We implement the following safeguards:

• SSL Encryption: All data transmitted between your browser and our servers is encrypted using SSL (HTTPS).
• Payment Security: Card and financial data is processed via Razorpay's certified, encrypted payment infrastructure — we never store raw payment data.
• Access Control: Access to personal data is restricted to authorized personnel on a strict need-to-know basis.
• Regular Audits: We conduct periodic security reviews to ensure compliance with internal security standards.

While we strive to protect your data, no method of transmission over the internet is 100% secure. We encourage you to keep your account password confidential and to contact us immediately if you suspect any unauthorized use.

Cookies are small data files downloaded to your device when you visit our site. We use them to improve functionality, remember your preferences, and analyze site traffic.

• Functional Cookies: To remember your login, cart, and regional preferences.
• Analytics Cookies: To understand how visitors interact with our site (e.g., Google Analytics).
• Advertising Cookies: To deliver relevant ads on external platforms based on your browsing history.

You can control and manage cookies through your browser settings. Blocking cookies may affect some functionality of our website. Session cookies expire when you close your browser; persistent cookies expire between 30 minutes and two years from download.

The Stone Mart Android app (package in.co.stonemart.app) and the iOS app share most data practices with the website. The disclosures below cover the additional categories that are app-specific.

Data the app collects beyond what the website collects

• Push notification tokens: When you grant notification permission, a device-scoped token (Expo + APNS/FCM) is stored on our Supabase backend and used to send order updates. You can revoke this at any time via your device's notification settings or by signing out (the token is removed on sign-out).
• Device identifiers for crash reporting: Sentry, our crash reporting service, attaches non-personal device metadata (model, OS version, app version, anonymous installation ID) to crash reports. Personal data (email, phone, address, push tokens) is stripped client-side before the report is sent.
• On-device app storage: Your cart contents, wishlist, recently viewed products, and last-used delivery PIN code are cached locally on your device using AsyncStorage. This is never transmitted to our servers except as part of normal cart/wishlist sync when you are signed in.
• Approximate location via PIN code: The app uses the 6-digit PIN code you type on a product page to look up city and state via India Post's public PIN lookup API. We do not request or read your device's GPS location.

Permissions the app requests

• Notifications: To send order confirmations, shipping updates, and delivery alerts. Optional — denying is fine; the app works without it.
• Camera: Only when you tap "Take photo" while adding a profile picture or a product review photo. Never accessed otherwise; no background camera use.
• Photo Library / Gallery: Only when you tap "Choose from gallery" for the same flows above. We can only see images you explicitly pick.
• Internet: Required for the app to communicate with our servers. No offline analytics or background data syncing beyond what is described in this policy.

Data the app does NOT collect

• We do not collect your precise GPS location, contacts, SMS messages, call logs, calendar, microphone audio, or installed-apps list.
• We do not share data with advertising SDKs, attribution providers, or analytics SDKs in the mobile app.
• We do not sell or rent any data collected by the app.

Account deletion

You can delete your Stone Mart account — and all the data we hold about you — from inside the mobile app: Profile → Account → Delete Account. Account deletion removes your profile, saved addresses, cart, wishlist, push tokens, and review history. Order records are retained for the 7 years required by Indian GST and accounting law, but are dissociated from your account where legally permitted. You can also email support@stonemart.co.in with the subject line "Delete my account" to request the same.

We may use your browsing and purchase data to serve targeted advertisements on external platforms such as Google and Meta (Facebook/Instagram). You can opt out via:

• Facebook Ads: facebook.com/settings/?tab=ads
• Google Ads: google.com/settings/ads/anonymous
• General Opt-out: optout.aboutads.info

As a user, you have the following rights with respect to your personal data:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Correction: Request corrections to inaccurate or incomplete data.
• Right to Deletion: Request that we delete your personal data, subject to any legal obligations to retain it.
• Right to Withdraw Consent: Withdraw your consent for marketing communications at any time. Note that withdrawing consent may affect certain services like promotional updates.
• Right to Object: Object to processing your data for direct marketing purposes.

To exercise any of these rights, please contact us at the details provided in the "Contact & Grievance" section below.

Our website and services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you are a parent or legal guardian and believe your child has provided us with personal information, please contact us immediately and we will take steps to delete such information from our systems.

We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Typically:

• Order-related data is retained for up to 7 years for GST and accounting compliance.
• Customer support communications are retained for 2 years from resolution.
• Marketing preferences and newsletter subscriptions are retained until you unsubscribe.

Once your data is no longer required, it will be securely deleted or anonymised.

Stone Mart reserves the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal requirements, or service offerings. Updated versions will be posted on this page with a revised "Last Updated" date. We encourage you to review this page periodically. Continued use of our website after any changes constitutes your acceptance of the updated policy.

We will notify you of material changes via email or a prominent notice on our homepage before the change becomes effective.

If you have questions, concerns, or would like to exercise any of your data rights, please reach out to our Grievance Officer. Complaints are addressed within 30 business days.