// PRIVACY POLICY
Privacy Policy
Effective date: 17 February 2026
MysteryKart is operated by Insec Solution LLP, headquartered in Kolkata, West Bengal, India. Insec Solution LLP is an established Indian cyber-security company. Your data is handled with bank-grade safeguards.
This Privacy Policy explains how Insec Solution LLP (“MysteryKart”, “we”, “us”, “our”) collects, uses, stores, shares and protects your personal information when you visit or transact on mystkart.com. We are committed to handling your data in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 and the rules framed thereunder. Insec Solution LLP is the Data Fiduciary for the personal data collected through this site.
1. What we collect
- Account data: email address, name, profile picture (from Google OAuth), referral code generated by us.
- Order data: shipping and billing addresses, phone number, items ordered, order amount, delivery instructions.
- Payment data: a tokenised reference to your transaction. We do not store full card numbers, CVV, OTPs, UPI handles or netbanking credentials on our servers — these are handled entirely by our PCI-DSS Level 1 certified payment gateway partner.
- Communication data: any messages, support tickets or feedback you voluntarily send to us, including unboxing reviews and photographs you choose to post.
- Technical data: IP address, browser type, device type, operating system, referring URL, anonymised analytics events, and necessary cookies used to keep you signed in and to remember your cart.
2. How we use your data
- To create and maintain your account and authenticate you when you sign in.
- To process and ship your orders, including communicating with our courier partners.
- To process payments and detect/prevent fraud, chargeback abuse and unauthorised activity.
- To provide customer support and respond to your enquiries.
- To send transactional notifications (order confirmation, shipment updates, delivery confirmation) by email and, where applicable, SMS or WhatsApp.
- To improve our products, curation, site experience, performance and security.
- To comply with applicable legal, regulatory, audit and tax obligations.
3. Legal basis
- We rely on your free, specific, informed and unambiguous consent (clicking “continue with Google”, placing an order, opting in to newsletters), on the necessity to perform our contract with you (fulfilling your order), and on our legitimate interests (fraud prevention, securing the platform, audit).
4. With whom we share data
- Payment gateway: only the data minimally required to process the transaction (amount, order id, customer name, email, phone).
- Courier and logistics partners: name, shipping address, phone number, order id.
- Authentication provider (Google OAuth): we receive your basic profile (email, name, profile picture). We do not receive your Google password.
- Email/SMS communication providers: where used, for sending transactional notifications.
- Government and law enforcement: only when compelled by valid legal process under Indian law.
- We do not sell, rent or trade your personal data to advertisers or third-party marketers. Period.
5. Cookies
- We use a small number of strictly necessary cookies: a session cookie to keep you signed in and a cart cookie to remember your selections.
- We do not use third-party advertising or behavioural tracking cookies. You may disable cookies in your browser settings, but the site’s functionality may degrade significantly.
6. Data retention
- Account data: retained as long as your account is active, plus a reasonable grace period of 90 days after deletion to allow for chargeback handling and statutory audit.
- Order and invoice data: retained for at least 8 years from the financial year of issue to comply with Indian taxation and GST recordkeeping requirements.
- Support and communication data: retained for up to 3 years.
- Technical logs: retained for 90 days.
7. Your rights as a Data Principal (DPDP Act, 2023)
- Right to access — you can request a copy of the personal data we hold about you.
- Right to correction — you can ask us to correct any inaccurate or incomplete personal data.
- Right to erasure — you can ask us to delete your account and personal data, subject to retention obligations stated above.
- Right to grievance redressal — you can raise concerns directly with our Grievance Officer (see contact below).
- Right to nominate — you can nominate another individual to exercise your rights in case of death or incapacity.
- To exercise any right, email us from your registered email address. We will respond within 30 days.
8. Data security
- MysteryKart is built and maintained by Insec Solution LLP, an Indian cyber-security firm. We apply security controls including: HTTPS/TLS across the entire site, secure HTTP-only cookies, encrypted-at-rest database storage, PCI-DSS Level 1 certified payment gateway, application-level rate limiting, password-less Google OAuth login, monitored access logs and least-privilege admin access.
- Despite our reasonable efforts, no system on the internet can be guaranteed to be 100% secure. In the unlikely event of a data breach affecting your personal data, we will notify you and the Data Protection Board of India in accordance with the DPDP Act.
9. Children’s privacy
- MysteryKart is not directed at users under 18 years of age. We do not knowingly collect personal data of children. If you believe a minor has provided us personal data, please contact us and we will delete it.
10. International transfers
- Our primary data storage is in India. Some of our service providers (e.g., email infrastructure, analytics, payment gateway sub-processors) may process data in other jurisdictions. Where this happens, contractual safeguards consistent with Indian law are put in place.
11. Updates to this Policy
- We may revise this Privacy Policy from time to time. The most current version is always on this page, with an updated effective date. Material changes will be highlighted via a notice on the site or by email.
12. Grievance Officer
- In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, the contact details of our Grievance Officer are as follows:
- Email: mysterykartsupport@gmail.com
- Operator: Insec Solution LLP, Kolkata, West Bengal, India.
- Response time: within 30 days of receipt of a complete grievance.
Privacy Policy \u00b7 Last updated 17 February 2026 \u00b7 Insec Solution LLP