Privacy & Data Protection Policy
This Privacy & Data Protection Policy ("Policy") explains how Mylestones ("Mylestones", "we", "us", "our") collects, uses, shares, stores, and protects personal data when you access or use our website and related services (collectively, the "Platform"). Capitalised terms not defined here have the same meanings given in the Terms of Use (the "Terms"). This Policy complements the Terms and should be read together with them.
By accessing or using the Platform, you acknowledge that you have read this Policy and agree to its terms. If you do not agree, please do not access or use the Platform.
1. Our role
- Entity: Mylestones, a sole proprietorship validly formed under Indian law having its registered office at 701, The Reserve, LR Papan Marg, Worli, Mumbai 400018, Maharashtra, India.
- Roles under law:
  - For personal data processed in connection with Internal Products, Mylestones acts as a data fiduciary.
  - We may appoint third parties as data processors under contracts requiring confidentiality, security, and lawful processing.
- Intermediary: For user-generated content such as registry descriptions, images, reviews, external links, etc., we act as an "intermediary" as defined under the Information Technology Act, 2000.
- If designated a significant data fiduciary, we will appoint an India-based data protection officer reporting to the Data Protection Board of India, conduct mandated audits/ assessments, and publish the data protection officer's business contact details.
2. Scope & applicability of this Policy
This Policy applies to all users of the Platform, including but not limited to:
- Hosts who create and share gift registries/ wish-lists; and
- Guests who browse gift registries/ wish-lists, purchase products, or contribute funds towards Internal Products; and
- Visitors who interact with the Platform without creating an account.
It covers: (a) Internal Products sold/ fulfilled by us or our authorised sellers; (b) Contributions towards Internal Products; and (c) redirects to External Products hosted by third-party sellers/ marketplaces (see Section 9 below).
3. What data we collect
We collect the following categories of data (as applicable):
i. Account & identity data
Name, email, mobile number, password/ credential hashes, age, KYC/ verification metadata (if required), communications preferences.
ii. Registry & event data (applicable to Hosts)
Registry title/ description, event date(s), images you upload, recipient details, delivery date(s) and addresses, customisation notes, visibility/ share settings.
iii. Order & fulfilment data (applicable for Internal Products)
Selected items, quantities, price, coupon/ credit usage, order identifiers, invoices, delivery address, delivery status, return/ replacement requests and supporting media.
iv. Contribution data (applicable to Guests in connection with Internal Products)
Contribution amount, registry reference, timestamps, status (target met/ shortfall/ reallocated), non-cash redeemability metadata.
v. Payments & tax metadata
Payment method type, partially masked card details/ tokenised references, unified payments interface (UPI) virtual payment address (VPA) identifiers, payment service provider (PSP)/ gateway transaction IDs, authorisation/ settlement status, GST data on invoices. We do not store full card numbers, PAN, CVV, expiry details, storage and lifecycle of card data, or sensitive authentication data, and the tokens reside with the token service provider (card network/ issuer).
vi. Device, usage & log data
IP address, device identifiers, OS/ browser details, pages/ screens visited, referral source, session durations, clicks, error logs, fraud/ abuse signals.
vii. Communications
Emails, SMS/ WhatsApp/ IVR call logs (metadata), in-app messages, grievance/ support tickets, call recordings (where permitted and disclosed).
viii. Cookies & similar technologies
Functional cookies, analytics, and performance identifiers (see Section 11 below).
ix. Legal/ compliance data
Records necessary for dispute resolution, tax, accounting, fraud prevention, sanctions screening, and regulatory reporting.
x. Children's data
We do not knowingly collect data of children (under the age of 18 years) without verifiable consent of a parent/ guardian (see Section 8 below).
4. Purposes for which we process your data
We process personal data only for lawful purposes, including:
i. Operating the Platform & accounts:
registration, login, identity/ KYC verification, maintaining registries, enabling Host/ Guest features.
ii. Orders & fulfilment (in connection with Internal Products):
cart, checkout, payments via PSPs, invoicing/ GST, shipping, returns/ replacements, refunds where applicable.
iii. Contributions:
collecting and aggregating Contributions; handling target shortfall/ surplus/ reallocation on the same registry; non-cash redeemability.
iv. Security, integrity & fraud prevention:
monitoring suspicious activity, enforcing Acceptable Use and Prohibited Items envisaged in the Terms, preventing payment abuse and spam.
v. Customer support & grievance redressal:
responding to queries/ complaints, troubleshooting, service communications.
vi. Service improvement & analytics:
performance monitoring, debugging, product decisions, personalisation where permitted.
vii. Marketing with your consent:
sending offers, newsletters, and promotional communications.
viii. Compliance:
legal and regulatory obligations.
The data shall be processed only with your consent and for legitimate uses permissible by Applicable Law and for contractual necessity in line with the Terms and this Policy.
Each consent screen/ notice will include: (i) the data and purposes; (ii) how you may exercise your rights; and (iii) how to file a complaint with the Data Protection Board of India.
Consent will be free, specific, informed, unambiguous, tied to each purpose, and revocable with comparable ease. We maintain verifiable consent logs and support consent managers where applicable.
5. How we collect data
- a. Directly from you: when you create an account; create/ share a registry; place orders; make Contributions; contact support; or set preferences.
- b. Automatically: via cookies/ software development kits (SDKs)/ server logs when you access the Platform.
- c. From third parties: PSPs/ gateways/ UPI; logistics partners; analytics providers; and service vendors engaged by us.
6. Sharing of personal data
We do not sell your personal data. We share personal data strictly on a need-to-know basis with:
- i. PSPs & banks/ UPI: to process transactions, manage refunds/ chargebacks, comply with the Reserve Bank of India (RBI) guidelines (including tokenisation).
- ii. Logistics, warehousing & fulfilment partners: for delivery, returns, and replacements of Internal Products.
- iii. Cloud/ IT/ analytics and customer support vendors: to host data, provide analytics, and manage tickets/ communications.
- iv. Affiliates/ authorised sellers: for sale/ fulfilment of Internal Products, invoicing, and statutory disclosures.
- v. Government, regulators, law enforcement & courts/ tribunals/ consumer fora: when required by Applicable Law or to protect our rights, users, or Platform's integrity.
- vi. Business transfers: in the event of reorganisation, merger, or transfer, subject to this Policy and the Applicable Law.
7. Your choices & rights
Subject to the Applicable Law, you may:
- i. Access/ confirm processing and obtain a summary of your data;
- ii. Correct/ update inaccurate or incomplete data;
- iii. Erase data that is no longer necessary or where consent is withdrawn and there is no other legal basis;
- iv. Withdraw consent for processing data prospectively;
- v. Seek grievance redressal via our Grievance Officer.
8. Children's privacy
- The Platform is intended for adults above the age of 18 years.
- If you are under the age of 18 years, you may use the Platform only with the consent and active supervision of a parent/ legal guardian, who will be deemed the user for all purposes.
- We do not knowingly collect children's data without verifiable parental/ legal guardian consent. If you believe that a child has provided personal data without consent, contact the Grievance Officer for prompt action.
- For users under the age of 18 years, we will not conduct behavioural tracking or monitoring or serve targeted advertising.
- We will not process children's personal data in ways likely to cause any detrimental effect to their well-being.
9. External Products & third-party links
For External Products, you are redirected to third-party sellers/ marketplaces to complete purchase, payment, delivery, returns, and support. Mylestones is not a party to such transactions and does not control third-party privacy/ security practices and shall not be responsible for their performance. Your data will be handled according to those third parties' policies. Please review them carefully before proceeding.
10. Security
We implement reasonable administrative, technical, and physical security practices and procedures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. We also ensure that our data processors adopt comparable safeguards. If we become aware of a personal data breach causing or likely to cause significant harm, we will notify the Data Protection Board of India and the affected users within 72 hours, or as otherwise prescribed, where legally required and shall cooperate with directions.
11. Cookies & similar technologies
We use cookies/ SDKs to operate and improve the Platform.
- Strictly necessary: login/ session management, cart/ checkout, security.
- Functional: remembering preferences.
- Analytics/ performance: measuring usage and improving features.
- Marketing (with consent): showing relevant offers on our Platform.
Your controls: You can manage cookies via your browser. Disabling certain cookies may impact functionality.
Cookies/ SDKs used for profiling/ advertisements are disabled for child users.
12. Data retention
We retain personal data only as long as necessary for the purposes outlined in the Terms and this Policy or as required by Applicable Law. Thereafter, we will delete or irreversibly anonymise the data. Typical examples of the data that is retained include:
- i. Order, payment and invoice records;
- ii. Support/ grievance records;
- iii. Security/ fraud logs which are retained for reasonable periods to prevent abuse.
13. Cross-border transfer of data
We process/ store data on servers located within India. If required, we may transfer data outside India except to countries, if any, that the Central Government notifies as restricted. Where data is transferred outside India, we do so in compliance with Applicable Law and any notified restrictions. Our contracts with processors include obligations for security and confidentiality.
14. Transactional and marketing communications
- i. Transaction communications: We send service/ transactional communications relating to order updates, policy changes, etc. Transactional/ service communications will continue as they are not promotional in nature.
- ii. Marketing communications: We send marketing communications only with your consent or as otherwise permitted by Applicable Law. You may opt out of marketing communications at any time via unsubscribe links or in-app/ email settings.
15. Automated decision making/ profiling
We may use limited automated evaluations for fraud checks, risk scoring signals, and other such activities to protect users and the Platform. These systems are designed to be proportionate and are reviewed periodically. You may contact us to understand factors that materially affect your experience, subject to protection of our security systems and rights.
16. Grievance redressal
Grievance Redressal Officer. You may contact our Grievance Redressal Officer regarding any questions about this Policy or how we handle your personal data, content, Platform use, or user rights issues:
We acknowledge complaints within 24 hours and endeavour to resolve them within 15 days or such other period mandated by Applicable Law.
Customer care. For order/ return/ Contribution queries: [email protected] | Contact: +91 84336 30233 (Mon–Sat, 10:00–18:00 IST).
17. Governing Law; Dispute Resolution
This Policy is governed by and construed in accordance with the laws of India. Disputes will be resolved in the manner as set out in the Terms (including consumer fora access where applicable). The provisions under Section 22 (Governing Law; Dispute Resolution) of the Terms shall apply mutatis mutandis to this Policy and shall be deemed to be incorporated by reference into this Policy as if it were set out in full herein.
18. Changes to this Policy
We may update this Policy to reflect changes in Applicable Law or our services. We will post the revised Policy with an effective date on the Platform. Your continued use after the effective date constitutes acceptance of the updated Policy.
19. Additional disclosures
- Intermediary & acceptable use: We may remove/ disable access to unlawful or infringing content upon actual knowledge or valid notice.
- KYC/ validation: We may request KYC/ OTP or other verification and suspend/ limit access until completed.
- Payments & nodal/ escrow: Contributions for Internal Products may be routed through a bank-maintained nodal/ escrow account as per the applicable RBI circulars.
- Returns/ refunds: Personal data you provide with return/ replacement requests (photos/ description) will be used to process the request and for fraud prevention.
- Contributions: Non-cash redeemability applies. The data related to Contributions is used only to run the registry objectives and to comply with the Applicable Law. Refunds, where applicable, go back to the original payment instrument.
- Ratings/ reviews: We may moderate reviews for authenticity, relevance, and compliance. Incentivised or fake reviews are prohibited.
Last updated: 25.09.2025
© 2025 Mylestones. All rights reserved.
