Privacy Policy.

1. Company Information & Legal Compliance

The Platform is owned and operated by STRAYED.

• Brand Name: STRAYED
• Registered Address: C2-306, Greenwood Regency, Bangalore, India
• GSTIN: 29STBPS7762F1ZQ
• Contact Email: [email protected]
• Data Protection & Grievance Officer: Deeptanil Sinha ([email protected])

2. Definitions

• "Personal Data": Any information relating to an identified or identifiable natural person.
• "Sensitive Personal Data": Financial information (such as bank account or card details), passwords, or specific biometric data under applicable law.
• "Processing": Any operation performed on personal data (collection, storage, modification, sharing, or erasure).
• "Cookies" / "Tracking Technologies": Small text files or pixels placed on your device to collect browser activity, page views, and user patterns.

3. Consent & Control

Implicit Consent: By accessing the Platform and submitting orders, you consent to our processing of your personal data for checkout and delivery.

Marketing Consent: You can opt-in to receive promotional emails, SMS, and WhatsApp alerts. You may withdraw your consent at any time using the "unsubscribe" link in our emails, or replying "STOP" to SMS/WhatsApp alerts.

Cookie Consent: You can control cookie preferences in your browser settings. Restricting cookies may affect Platform functionality.

4. Information We Collect

We collect several categories of information to provide and improve our services:

A. Information You Provide Directly

• Identity Data: Name, date of birth, gender, and social media handles.
• Contact Data: Email address, mobile phone number, billing address, and shipping address.
• Account Credentials: Username, password, and security tokens.
• User-Generated Content (UGC): Product reviews, comments, and uploaded photos or videos (e.g. unboxing videos).
• Communication Logs: Messages sent to customer support, emails, chat history, and survey responses.

B. Automatically Collected Information

• Device Data: IP address, device type, operating system, browser, time zone, language preferences, and screen resolution.
• Behavioral Activity: Pages viewed, products clicked, cart abandonment history, scroll depth, mouse movement, navigation pathways, and session duration. This includes recordings tracked via tools like PostHog and web session capture.
• Location Data: IP-based approximate location (city, state, country) and shipping location.

C. Transaction & Financial Information

• Order History: Details of products purchased, quantities, dates, coupon codes applied, and referral connections.
• Wallet & Loyalty Data: Dynamic balances, earned points, reward coupon redemptions, and transaction history.
• Payment Status: Payment gateway confirmations, transaction IDs, and refund logs. We do not store full credit card numbers or net banking passwords.

D. Marketing & Analytics Data

• Email & SMS Metrics: Open rates, click-through rates, opt-out logs, and campaign responses.
• Ad Profiling: Meta Pixel activity, Google Analytics event logs, and cross-device advertising parameters.

E. Sensitive Information Exclusion

We do not intentionally collect sensitive personal data such as government IDs, health records, biometric information, or religious beliefs.

5. How & Why We Collect Information

We collect data through direct submissions (checkout form entries and support calls), platform tracking pixels (Meta Pixel, PostHog, Google Analytics), and tracking metrics sent by logistics partners.

6. Purpose of Data Processing

We use your personal data for the following legitimate purposes:

• Order Fulfillment: Processing transactions, verifying payment status, organizing shipping/delivery, and managing returned/exchanged pieces.
• Account Management: Authenticating logins, saving wishlists, and displaying wallet balances.
• Customer Support: Resolving product defects, verifying unboxing videos, and conducting support chats.
• Personalization: Recommending streetwear styles based on browsing behavior and sizing queries.
• Marketing Campaigns: Sending promotional emails, SMS updates, WhatsApp notifications, and displaying targeted retargeting ads on Meta/Google.
• Security & Fraud Prevention: Detecting referral code abuse, preventing chargeback fraud, and blocking suspicious orders.
• Legal Compliance: Maintaining tax ledgers, reporting GST details, and addressing law enforcement requests.

7. Cookies, Pixels, & Session Recordings

Essential Cookies: Necessary for account login, maintaining your shopping cart, and security verification.

Analytics Cookies: Track page traffic and customer behavior (via Google Analytics, PostHog, and Microsoft Clarity) to optimize checkout flows.

Session Replays & Heatmaps: We use tools (such as PostHog) to record mouse movements, clicks, and page navigation. This is strictly used for diagnostics to fix checkout latency and improve storefront design. All sensitive password inputs are masked.

Ad Retargeting: Pixels allow us to show customized STRAYED advertisements on third-party networks (e.g. Meta, Instagram, Google search). You can block cookies in your web browser settings.

8. Legal Basis for Processing (International Users)

If you access the Platform from the European Union (EU) or United Kingdom (UK), we process your data under the following GDPR legal bases: Contractual Necessity (order shipping), Consent (newsletters and behavioral cookies), Legitimate Interest (security analysis and fraud prevention), and Legal Obligation (accounting and tax reporting).

9. Third-Party Data Sharing

We do not sell your personal data. We share your information only with trusted third parties who help us run our business:

• Payment Processors: Razorpay receives your payment details securely to capture transactions.
• Shipping & Logistics Partners: Courier partners (such as Delhivery, Blue Dart, Shiprocket) receive your name, shipping address, and phone number to fulfill deliveries.
• Marketing & Analytics Providers: Meta, Google, and PostHog receive hashed event data for retargeting and diagnostics.
• Hosting & Infrastructure: Vercel and AWS host our servers, databases, and assets.
• Legal & Law Enforcement: We may share data to comply with valid government orders, tax compliance, or court summonses.

10. Data Transfer, Retention, & Security

Because we use global servers (Vercel, AWS), your data may be stored outside of India. We ensure our providers employ encryption and security protocols equivalent to Indian standards.

We retain customer identity and transaction logs for as long as required for tax compliance (GST) and financial auditing. Inactive user accounts (accounts with no activity for more than 5 years) may be archived or deleted.

We use Secure Sockets Layer (SSL/HTTPS) encryption, strict internal access controls, and database firewalls. However, no digital transmission is 100% secure.

11. Your Privacy Rights

Under the DPDP Act and GDPR, you have the following rights:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Correction: Update incorrect contact details or address logs.
• Right to Erasure (Deletion): Request the deletion of your account and personal details, subject to our legal retention requirements (e.g. tax records).
• Right to Withdraw Consent: Revoke consent for marketing and cookie tracking.

To protect your account, we may verify your identity before processing any data requests.

12. Children's Privacy

STRAYED does not knowingly collect personal data from minors under the age of 18 without parental consent. If we discover a minor has submitted personal information without supervision, we will delete the data immediately.

13. Data Breach Response Procedures

In the unlikely event of a security breach or database compromise, we will investigate and mitigate the vulnerability immediately, and notify the Indian Computer Emergency Response Team (CERT-In) and affected users where required by law.

14. Cloudflare Turnstile Security & Anti-Bot Protection

To protect our Platform against malicious activity, spam, and automated bot abuse, we implement Cloudflare Turnstile (and/or Cloudflare's Challenge Platform) in invisible mode on our forms and checkout processes. Turnstile is a pro-privacy website security tool developed by Cloudflare, Inc. (“Cloudflare”).

Our integration of Turnstile in invisible mode is subject to, and references, the Cloudflare Turnstile Privacy Addendum (Last Updated: June 18, 2025). In accordance with this addendum:

• Information Collected: Cloudflare Turnstile processes a variety of client-side signals (“Signals”) such as client IP address, TLS Fingerprint, User-Agent Header, and Sitekey and associated origin. Cloudflare does not have the ability to directly identify any individuals from any of the Signals Turnstile collects, including IP addresses.
• How Information is Used: Signals are processed to distinguish human users from bots and block detected bot traffic (acting as a data processor on our behalf as the data controller), and to improve Turnstile's bot detection capabilities (acting as a data controller, relying on legitimate interests).
• EU & UK Residents: To the extent the collected data qualifies as personal data, we determine the lawful basis of processor-related operations. For controller-related improvements, Cloudflare relies on its legitimate interests.
• Cookies: The Signals collected by Turnstile are strictly necessary for the purpose of detecting and blocking bots to enable visitors to enjoy a safe and secure experience.

For more information about the cookies used by Cloudflare, please check their Cookie Policy and Turnstile Developer Docs. For detailed disclosures, please read the official Cloudflare Privacy Policy and the Cloudflare Turnstile Privacy Addendum.