
Privacy Policy

Collaboratory Digital LLP (“STAASH”) is committed to protecting your privacy. This policy explains what we collect, how we use it, and your rights over your data.

Effective date: To be inserted upon incorporation

Company: Collaboratory Digital LLP

Jurisdiction: India — IT Act 2000 & rules

01 Introduction

Collaboratory Digital LLP (“STAASH”, “we”, “us”, or “our”) operates the STAASH platform — a multi-brand D2C discovery and commerce platform where shoppers discover, wishlist, and purchase products from Indian D2C brands through a unified checkout experience.

This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have over your data. It applies to all users of the STAASH platform, including:

  • Shoppers — individuals who browse and purchase products through the STAASH app or website.
  • Brand Partners — D2C brands and merchants who list products on the STAASH platform.
  • Visitors — anyone who visits staash.in or brands.staash.in without creating an account.

By using the STAASH platform, you agree to the collection and use of information as described in this Policy. If you do not agree, please do not use the platform.

02 Information We Collect

2.1 Information you provide to us

We collect information you give us directly when you:

  • Create a STAASH account — name, email address, mobile number, and authentication method (Google, Apple, phone OTP, or email/password).
  • Place an order — delivery address, contact details, and order preferences.
  • Set up a brand partner account — business name, GSTIN, PAN, bank account details, Shopify store URL, and authorised contact information.
  • Interact with features — wishlist saves, haul creation, ratings, and reviews.
  • Contact support — messages, emails, or chat transcripts with our support team.

2.2 Information collected automatically

When you use the STAASH platform we automatically collect:

  • Device information — device type, operating system version, device identifiers, and browser type.
  • Usage data — pages viewed, products browsed, search queries, wishlist actions, time spent, and navigation paths.
  • Location data — approximate location derived from IP address, or precise location if you grant permission, used for delivery address suggestions and regional personalisation.
  • Transaction data — order history, payment status, settlement records, and return requests.
  • Log data — IP address, access timestamps, error logs, and referral URLs.
  • Cookies and tracking technologies — session cookies, preference cookies, and analytics identifiers. See Section 8 for full cookie details.

2.3 Information from third parties

  • Google or Apple sign-in — name, email address, and profile picture if you choose to authenticate via Google or Apple.
  • Shopify — for brand partners, we receive product catalogue data, inventory levels, and order fulfilment status via Shopify OAuth.
  • Payment processors — Razorpay provides payment confirmation and transaction reference numbers. We do not store full card numbers.
  • SMS and OTP providers — delivery confirmation of authentication messages.

03 How We Use Your Information

Purpose | Information used | Legal basis
Creating and managing your account | Name, email, mobile number, auth tokens | Contract performance
Processing orders and payments | Address, order details, payment status | Contract performance
Personalising discovery and recommendations | Browse history, wishlist, purchase history | Legitimate interest
Delivering order notifications and updates | Email, mobile number | Contract performance
Operating the Ask AI search feature | Search queries, intent data | Legitimate interest
Settling payments to brand partners | Bank account details, GST, PAN | Contract performance
Fraud prevention and platform security | Device data, IP address, behaviour signals | Legitimate interest
Improving platform features and performance | Aggregated usage data, error logs | Legitimate interest
Sending marketing communications | Email, mobile number (with consent) | Consent
Complying with legal obligations | All applicable data | Legal obligation
Resolving disputes and support requests | Account data, order history, communications | Legitimate interest

We do not use your personal data for automated decision-making that produces significant legal or similarly significant effects without human review.

04 Customer Data and Brand Partners

STAASH is built on the principle that your customer relationship belongs to the brand, not the platform. Full customer data is delivered to the brand after every order — never withheld, never sold, never used to target shoppers on behalf of other brands.

4.1 What brand partners receive

When a shopper places an order through STAASH, the following data is shared with the relevant brand partner:

  • Shopper name and delivery address (required for fulfilment)
  • Contact details (mobile number and email) for order coordination
  • Order details, product selections, and quantities
  • Order reference number for reconciliation

This data is delivered to the brand partner via the Shopify Draft Order created in their Shopify admin. The brand partner becomes a data controller for this customer data and must handle it in accordance with their own privacy policy and applicable law.

4.2 What STAASH does not do

  • STAASH does not sell customer data to brand partners or third parties.
  • STAASH does not use customer data to target shoppers with advertising on behalf of brand partners without explicit consent.
  • STAASH does not withhold customer data from the brand that fulfilled the order.

4.3 Aggregated and anonymised data

STAASH may use aggregated, anonymised data about shopping behaviour and platform performance for product improvement, marketing, and reporting. This data cannot be used to identify individual shoppers.

05 Sharing Your Information

We do not sell your personal information. We share your data only in the following circumstances.

5.1 Service providers

Service provider | Purpose | Data shared
Razorpay | Payment processing and settlements | Order value, contact details, bank info (brand partners)
Firebase (Google) | Authentication and user identity | Email, mobile number, UID
AWS | Cloud infrastructure and secure credential storage | Encrypted API tokens, app data
Pinecone / Cohere | AI search and product embeddings | Anonymised search queries, product data
Anthropic Claude API | Ask AI natural language search | Search query text (no PII)
SMS gateway | OTP delivery for authentication | Mobile number
Analytics provider | Platform performance and usage analytics | Anonymised usage data

All service providers are bound by data processing agreements that prohibit them from using your data for any purpose other than providing services to STAASH.

5.2 Brand partners

As described in Section 4, fulfilment data is shared with brand partners upon order completion.

5.3 Legal requirements

We may disclose your information if required to do so by law, court order, regulatory authority, or to protect the rights, property, or safety of STAASH, its users, or the public.

5.4 Business transfers

If STAASH is acquired, merged, or undergoes a restructuring, your data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.

06 Data Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this Policy, or as required by law.

Data type | Retention period | Reason
Account data | Duration of account + 3 years after closure | Legal obligations, dispute resolution
Order and transaction data | 7 years from transaction date | GST and tax compliance (India)
Payment and settlement records | 7 years | Financial regulation compliance
Usage and behavioural data | 24 months rolling | Product improvement, personalisation
Support communications | 3 years | Dispute resolution
Marketing consent records | Until withdrawal + 3 years | Proof of consent
Log data and access records | 12 months | Security and fraud prevention
Authentication tokens | Per session / 30 days (refresh token) | Security

When data is no longer required, it is securely deleted or anonymised so it can no longer be associated with an individual.

07 Your Rights

You have the following rights over your personal data. To exercise any of these rights, contact us at privacy@collaboratory.in.

7.1 Access

You have the right to request a copy of the personal data we hold about you.

7.2 Correction

You have the right to request correction of inaccurate or incomplete personal data. Most account information can be updated directly in the STAASH app under Profile → Settings.

7.3 Deletion

You have the right to request deletion of your personal data. We will delete your data subject to legal retention requirements (such as the 7-year retention of transaction records for tax compliance). To request account deletion, go to Profile → Settings → Delete account, or email privacy@collaboratory.in.

7.4 Portability

You have the right to receive your personal data in a structured, machine-readable format. Email privacy@collaboratory.in with a data portability request and we will provide your data within 30 days.

7.5 Objection and restriction

You have the right to object to processing of your personal data for marketing purposes or to restrict processing in certain circumstances. To opt out of marketing communications, use the unsubscribe link in any marketing email or update your notification preferences in the app.

7.6 Withdrawal of consent

Where we rely on consent to process your data (such as for marketing communications), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

We will respond to all rights requests within 30 days. In complex cases we may extend this by a further 30 days with notice.

08 Cookies and Tracking Technologies

The STAASH web platform uses cookies and similar technologies to operate the platform, remember your preferences, and understand how you use STAASH.

Cookie type | Purpose | Duration
Essential cookies | Session management, authentication, security. Cannot be disabled. | Session / 30 days
Preference cookies | Saving your category filters, wishlist state, and display preferences | 12 months
Analytics cookies | Understanding how pages are used, identifying errors, measuring performance | 24 months
Marketing cookies | Only set with your explicit consent — used for retargeting campaigns | Up to 12 months

You can manage cookies through your browser settings. Disabling essential cookies will prevent the platform from functioning correctly. The STAASH mobile app uses Firebase Analytics and equivalent SDK-based identifiers governed by the same principles.

09 Data Security

We implement industry-standard technical and organisational measures to protect your personal data:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Passwords are hashed and never stored in plain text. Authentication is handled via Firebase Auth.
  • Shopify OAuth credentials and API tokens are stored in AWS Secrets Manager — never in application code or committed to version control.
  • Access to production systems is restricted to authorised personnel and requires multi-factor authentication.
  • Razorpay handles all card data — STAASH never stores full card numbers or CVV codes.
  • Regular security assessments and penetration testing are conducted before major releases.

Despite these measures, no internet transmission or storage system is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@collaboratory.in or change your password via Profile → Settings → Security.

10 Children's Privacy

The STAASH platform is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a user is under 18, we will delete their account and associated data promptly.

If you believe a minor has created an account on STAASH, please contact us at privacy@collaboratory.in.

11 Third-Party Links and Brand Websites

The STAASH platform may contain links to brand partner websites, social media profiles, and haul content created by community members. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party sites you visit through STAASH.

Brand partner websites are independently operated. STAASH is not responsible for the privacy practices or content of brand partner sites.

12 International Data Transfers

STAASH is an Indian platform and your data is primarily stored and processed in India on AWS infrastructure. Some of our service providers (including Firebase, Anthropic, Pinecone, and Cohere) may process data outside India.

Where data is transferred internationally, we ensure appropriate safeguards are in place through contractual data processing agreements with our service providers. We take reasonable steps to ensure that overseas providers handle your data with equivalent care to Indian requirements.

13 Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:

  • posting a prominent notice on the STAASH app and website;
  • sending an email notification to your registered email address; and
  • updating the “Effective date” at the top of this Policy.

Your continued use of STAASH after the effective date of a revised Policy constitutes your acceptance of the updated terms. We encourage you to review this Policy periodically.

14 Grievance Officer

In accordance with the Information Technology Act 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, STAASH has appointed a Grievance Officer:

Grievance Officer: Name to be designated upon incorporation
Address: Collaboratory Digital LLP, Bengaluru, Karnataka, India
Response time: Acknowledged within 24 hours · Resolved within 30 days of receipt

15 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out:

General enquiries: hello@collaboratory.in

Brand partner support: brands@collaboratory.in

Registered address: Collaboratory Digital LLP, Bengaluru, Karnataka, India

This Privacy Policy has been prepared in accordance with the Information Technology Act 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021. Collaboratory Digital LLP recommends obtaining independent legal review before this policy is published. This document reflects the operating entity as Collaboratory Digital LLP and will be updated to Collaboratory Commerce Private Limited upon incorporation.