Privacy Policy

Introduction and Definitions

PrintMagnet (referred to as "we," "us," "our," or "Company") operates the website printmagnet.in and provides personalized printing services (collectively, the "Services"). This Privacy Policy governs the collection, processing, use, and disclosure of personal information by PrintMagnet in accordance with applicable laws including the Information Technology Act, 2000, and Digital Personal Data Protection Act, 2023.

Key Definitions

• "Personal Information" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on personal data, including collection, use, storage, disclosure, or deletion
• "Data Controller" means PrintMagnet, which determines the purposes and means of processing personal data
• "Data Subject" means any individual whose personal information we process
• "Third Party" means any person or entity other than you or PrintMagnet
• "Services" means all products, services, and features offered by PrintMagnet

Scope and Applicability

This Privacy Policy applies to:

• All users of our website, mobile applications, and services
• All personal information collected through any means, including online, offline, or through third parties
• All subsidiaries, affiliates, and business partners acting on our behalf
• All data processing activities conducted by or on behalf of PrintMagnet

Territorial Scope: This policy applies to the processing of personal information of data subjects regardless of their location, provided the processing is related to our Services.

Information We Collect

Categories of Personal Information

1. Identification and Contact Data

• Identity Information: Full name, date of birth, government-issued ID numbers (when required for large orders or corporate accounts)
• Contact Information: Email address, telephone number, postal address, emergency contact details
• Account Information: Username, encrypted password, security questions, account preferences, profile picture
• Verification Data: Documents provided for identity verification, age verification, or account security

2. Financial and Transaction Data

• Payment Information: Credit/debit card details, bank account information, payment processor data, transaction history
• Billing Information: Billing address, tax identification numbers (for business accounts), invoice preferences
• Order History: Purchase records, order details, product specifications, pricing information, refund and return history

3. Content and Media Data

• User-Generated Content: Photos, images, text, designs, and other creative materials uploaded for printing
• Project Files: Custom designs, templates, albums, calendars, and personalized product configurations
• Metadata: File creation dates, device information, geolocation data (if embedded), image properties
• Communications: Messages, feedback, reviews, customer support interactions, chat logs

4. Technical and Usage Data

• Device Information: IP address, browser type and version, operating system, device identifiers, screen resolution
• Usage Analytics: Pages visited, features used, time spent, click patterns, search queries, error logs
• Performance Data: Page load times, system performance metrics, crash reports, diagnostic information
• Location Data: IP-based location, GPS coordinates (if explicitly consented), delivery addresses

5. Behavioral and Preference Data

• Preferences: Product preferences, communication preferences, language settings, accessibility needs
• Behavioral Data: Purchase patterns, browsing behavior, product interactions, engagement metrics
• Marketing Data: Email engagement, campaign responses, demographic insights, interest categories

Legal Basis for Processing

We process your personal information based on one or more of the following legal bases:

1. Contractual Necessity

• Processing necessary for the performance of a contract with you
• Taking steps at your request prior to entering into a contract
• Order fulfillment, payment processing, and service delivery

2. Legitimate Interests

• Fraud prevention and security measures
• Business analytics and service improvement
• Marketing to existing customers (subject to opt-out rights)
• Network and information security

3. Legal Compliance

• Compliance with Indian laws and regulations
• Tax and accounting obligations
• Response to legal process and government requests
• Consumer protection and safety requirements

4. Consent

• Marketing communications to non-customers
• Cookies and similar technologies (where required)
• Special categories of personal data (if applicable)
• Processing for purposes beyond original collection

How We Use Your Information

Primary Business Purposes

• Order Processing: Fulfilling printing orders, creating personalized products, managing inventory, coordinating production schedules
• Service Delivery: Shipping and logistics, tracking deliveries, handling returns and exchanges, providing customer support
• Account Management: Maintaining user accounts, processing registrations, managing subscriptions, providing technical support
• Quality Assurance: Monitoring service quality, conducting quality control checks, gathering feedback

Secondary Business Purposes

• Business Analytics: Analyzing usage patterns, measuring performance, conducting market research, improving services
• Marketing and Promotions: Sending promotional offers, conducting marketing campaigns, personalizing advertisements
• Customer Relationship Management: Building customer profiles, providing personalized recommendations, enhancing user experience
• Business Development: Developing new products and services, conducting market research, strategic planning

Legal and Compliance Purposes

• Legal Compliance: Meeting regulatory requirements, responding to legal requests, maintaining records as required by law
• Security and Fraud Prevention: Protecting against unauthorized access, detecting fraudulent activities, ensuring system security
• Dispute Resolution: Resolving customer disputes, handling legal claims, managing litigation matters

Information Sharing and Disclosure

Categories of Recipients

Service Providers and Business Partners

We engage third-party service providers under strict contractual obligations:

• Printing and Production Partners: Authorized printing facilities with signed confidentiality agreements and data security requirements
• Payment Processors: PCI DSS compliant payment gateways and financial institutions for transaction processing
• Logistics and Shipping: Courier services and logistics partners for order delivery and tracking
• Technology Service Providers: Cloud hosting, email services, analytics platforms, customer support systems
• Professional Services: Legal advisors, accountants, auditors, and business consultants (under professional privilege where applicable)

Legal and Regulatory Disclosures

We may disclose personal information when legally required or permitted:

• Government Authorities: Law enforcement, regulatory bodies, tax authorities, courts of competent jurisdiction
• Legal Process: In response to subpoenas, court orders, legal investigations, or official government requests
• Emergency Situations: To protect the vital interests of individuals or prevent serious harm
• Business Transfers: In connection with mergers, acquisitions, asset sales, or corporate reorganization (with appropriate safeguards)

Consent-Based Sharing

• Explicit Consent: Sharing with third parties when you have provided clear, informed consent
• Social Media Integration: When you choose to connect or share through social media platforms
• Partner Promotions: Participation in joint promotions or partnerships (with your explicit opt-in consent)

Data Sharing Safeguards

• Contractual Protection: All third parties must sign comprehensive data processing agreements
• Data Minimization: We share only the minimum necessary information for the specific purpose
• Security Requirements: Third parties must maintain equivalent security standards
• Regular Audits: We conduct periodic assessments of third-party data handling practices

Data Security and Protection Measures

Technical Safeguards

• Encryption: End-to-end encryption for data in transit using TLS 1.3, AES-256 encryption for data at rest
• Access Controls: Multi-factor authentication, role-based access controls, principle of least privilege
• Network Security: Firewalls, intrusion detection systems, DDoS protection, secure network architecture
• Data Anonymization: Pseudonymization and anonymization techniques where technically feasible
• Backup and Recovery: Encrypted backups, disaster recovery procedures, business continuity planning

Physical Safeguards

• Secure Facilities: Restricted access to data centers, biometric authentication, surveillance systems
• Equipment Security: Secure disposal of hardware, encrypted storage devices, clean desk policies
• Environmental Controls: Fire suppression, climate control, power backup systems

Administrative Safeguards

• Employee Training: Regular privacy and security training, confidentiality agreements, background checks
• Policy Framework: Comprehensive information security policies, incident response procedures
• Compliance Monitoring: Regular security audits, vulnerability assessments, penetration testing
• Incident Management: 24/7 security monitoring, automated threat detection, incident response team

Data Breach Notification

In the unlikely event of a data breach:

• We will assess the breach within 24 hours and take immediate containment measures
• Affected individuals will be notified within 72 hours where legally required
• Relevant authorities will be notified in accordance with applicable laws
• We will provide clear information about the breach, potential impact, and remedial actions
• Free credit monitoring services may be provided where appropriate

Your Rights and Legal Remedies

Fundamental Data Subject Rights

Right of Access (Article 15 equivalent)

• Request confirmation of whether we process your personal information
• Obtain a copy of your personal information in our possession
• Receive information about processing purposes, categories of data, and recipients
• Learn about data retention periods and your other rights

Right to Rectification (Article 16 equivalent)

• Correct inaccurate or incomplete personal information
• Update outdated information in your account
• Request completion of incomplete personal data

Right to Erasure/"Right to be Forgotten" (Article 17 equivalent)

• Request deletion of personal information where legally permissible
• Withdrawal of consent where processing was based on consent
• Objection to processing for direct marketing purposes
• Processing was unlawful or violates applicable regulations

Right to Restrict Processing (Article 18 equivalent)

• Limit our processing of your personal information in specific circumstances
• During dispute resolution regarding accuracy or lawfulness of processing
• When you need the data for legal claims but we no longer require it

Right to Data Portability (Article 20 equivalent)

• Receive your personal information in a structured, commonly used format
• Transmit your data to another controller where technically feasible
• Available for data processed by automated means based on consent or contract

Right to Object (Article 21 equivalent)

• Object to processing based on legitimate interests
• Opt-out of direct marketing communications at any time
• Object to automated decision-making and profiling

Exercise of Rights

• Request Methods: Online account portal, email to privacy@printmagnet.in, written request to our registered address
• Response Time: We will respond within 30 days (extendable by 60 days for complex requests)
• Identity Verification: We may require proof of identity to prevent unauthorized access
• Free of Charge: Rights requests are generally free, except for manifestly unfounded or excessive requests

Legal Remedies

If you believe your rights have been violated, you may:

• File a complaint with our Data Protection Officer
• Lodge a complaint with the relevant data protection authority
• Seek judicial remedy through competent courts
• Claim compensation for material or non-material damage

International Data Transfers

Transfer Mechanisms

When we transfer personal information internationally, we ensure adequate protection through:

• Adequacy Decisions: Transfers to countries recognized as providing adequate protection
• Standard Contractual Clauses: EU Standard Contractual Clauses or equivalent safeguards
• Binding Corporate Rules: Internal data protection rules approved by competent authorities
• Certification Schemes: Transfers under approved certification mechanisms
• Explicit Consent: Your informed consent for specific transfers

Third Country Processing

We may transfer data to the following regions with appropriate safeguards:

• United States: Under Privacy Shield successor frameworks or Standard Contractual Clauses
• European Economic Area: Recognized as providing adequate protection
• Other Countries: Only with explicit safeguards and your consent where required

Cookie Policy and Tracking Technologies

Types of Cookies We Use

Strictly Necessary Cookies

• Session Management: User authentication, shopping cart functionality, security features
• Security Cookies: Fraud prevention, secure login, CSRF protection
• Load Balancing: Server load distribution, performance optimization

Functional Cookies

• Preferences: Language settings, accessibility options, personalization features
• User Experience: Form auto-fill, recently viewed items, site navigation history

Analytics and Performance Cookies

• Google Analytics: Website usage statistics, user journey analysis, performance metrics
• Heat Mapping: User interaction patterns, page optimization insights
• Error Tracking: Technical issue identification, system performance monitoring

Marketing and Advertising Cookies

• Behavioral Targeting: Personalized advertisements, retargeting campaigns
• Social Media Integration: Social sharing functionality, embedded content
• Conversion Tracking: Campaign effectiveness, ROI measurement

Cookie Management

• Cookie Banner: Granular consent options for different cookie categories
• Cookie Settings: Manage preferences through our cookie management center
• Browser Controls: Use browser settings to disable or delete cookies
• Opt-Out Tools: Industry opt-out mechanisms for advertising cookies

Data Retention and Deletion

Retention Principles

• Necessity Principle: Data retained only as long as necessary for legitimate purposes
• Legal Requirements: Compliance with statutory retention periods under applicable laws
• Business Justification: Clear business rationale for each retention period
• Regular Review: Periodic assessment of retention needs and automatic deletion where appropriate

Specific Retention Periods

• Account Information: Duration of account relationship plus 3 years
• Order and Transaction Data: 7 years from completion (for tax and audit purposes)
• Financial Records: 7 years as required by Income Tax Act and Company Law
• Photos and Creative Content: Deleted within 90 days after order completion (unless explicitly saved by user)
• Marketing Communications: Until consent withdrawal or 3 years of inactivity
• Website Analytics: 24 months from collection
• Customer Support Records: 3 years from last interaction
• Legal Documentation: Duration of legal requirement plus 1 year

Secure Deletion Process

• Automated Deletion: Systematic removal based on predefined schedules
• Secure Wiping: DOD 5220.22-M standard for data destruction
• Backup Purging: Removal from all backup systems and archives
• Third-Party Notification: Instructions to service providers for data deletion
• Audit Trail: Documented proof of deletion for compliance purposes

Children's Privacy Protection

Age Restrictions

• Minimum Age: Our services are not intended for children under 13 years of age
• Parental Consent: Users aged 13-18 require verifiable parental consent
• Age Verification: We implement age verification mechanisms where technically feasible

Special Protections for Minors

• Enhanced Consent: Additional safeguards for processing children's data
• Limited Processing: Restricted data collection and use for minors
• Parental Rights: Parents can access, correct, or delete their child's information
• Marketing Restrictions: No direct marketing to children without parental consent

Inadvertent Collection

If we become aware that we have collected personal information from a child under 13 without proper consent:

• We will immediately cease processing such information
• Delete the information from our systems within 30 days
• Notify relevant parties of the inadvertent collection
• Implement additional safeguards to prevent recurrence

Third-Party Services and External Links

Third-Party Integrations

Our website may include integrations with third-party services:

• Payment Gateways: Razorpay, PayU, Paytm, and other payment processors
• Social Media: Facebook, Instagram, WhatsApp sharing and login features
• Analytics: Google Analytics, heat mapping tools, performance monitoring
• Communication: Email marketing platforms, customer support chat systems
• Advertising: Google Ads, Facebook Pixel, retargeting platforms

External Links Disclaimer

• No Control: We do not control the privacy practices of external websites
• Separate Policies: Third-party sites have their own privacy policies and terms
• User Responsibility: Review third-party privacy policies before providing information
• No Liability: We are not responsible for third-party privacy practices

Legal Compliance and Regulatory Framework

Applicable Laws and Regulations

• Indian Laws: Information Technology Act 2000, IT Rules 2011, Digital Personal Data Protection Act 2023
• Consumer Protection: Consumer Protection Act 2019, Competition Act 2002
• Financial Regulations: RBI Guidelines, Prevention of Money Laundering Act
• International Standards: ISO 27001, SOC 2, PCI DSS where applicable

Regulatory Cooperation

• Authority Engagement: Proactive communication with data protection authorities
• Compliance Monitoring: Regular assessment of regulatory changes and requirements
• Industry Standards: Participation in industry best practice initiatives
• Legal Updates: Continuous monitoring of legal developments affecting privacy

Limitation of Liability

Liability Disclaimers

To the maximum extent permitted by applicable law:

• We provide our services "as is" without warranties of any kind
• We disclaim all warranties, express or implied, including merchantability and fitness for purpose
• We do not warrant uninterrupted, error-free, or completely secure service
• Users assume responsibility for their use of our services

Limitation of Damages

• Direct Damages: Our liability is limited to the amount paid for services in the 12 months preceding the claim
• Consequential Damages: We exclude liability for indirect, incidental, or consequential damages
• Data Loss: We recommend regular backups; we are not liable for user data loss
• Third-Party Actions: No liability for actions of third-party service providers beyond our control

Indemnification

You agree to indemnify and hold PrintMagnet harmless from claims arising from:

• Your violation of this Privacy Policy or Terms of Service
• Your infringement of intellectual property rights
• Your violation of applicable laws or regulations
• Content you submit that violates third-party rights

Policy Modifications and Updates

Amendment Process

• Regular Review: We review this policy annually or as required by legal changes
• Stakeholder Input: Consideration of user feedback and regulatory guidance
• Legal Review: All changes reviewed by qualified legal counsel
• Impact Assessment: Privacy impact assessments for material changes

Notification of Changes

• Advance Notice: 30 days' notice for material changes affecting user rights
• Prominent Display: Changes highlighted on our website and in user accounts
• Email Notification: Direct communication to registered users for significant changes
• Granular Consent: New consent required for expanded processing purposes

Version Control

• Archive Maintenance: Previous versions available for reference
• Change Log: Detailed record of all modifications and reasons
• Effective Dates: Clear indication of when changes take effect

Governing Law and Jurisdiction

Applicable Law

This Privacy Policy and all related matters shall be governed by and construed in accordance with the laws of India, without regard to conflict of law principles.

Jurisdiction and Dispute Resolution

• Exclusive Jurisdiction: Courts of Guwahati, Assam shall have exclusive jurisdiction
• Alternative Dispute Resolution: Mediation and arbitration options available
• Consumer Forums: Consumer protection forums as per applicable laws
• International Users: Local law may provide additional rights not excluded by this policy

Severability

If any provision of this Privacy Policy is found to be unenforceable or invalid, such provision will be modified to reflect our intention, and the remainder of this policy will remain in full force and effect.

Contact Information and Data Protection Officer