Privacy Policy

Last updated: 4 May 2026 · Jurisdiction: India

Your trust is the quietest part of every transaction we have together. This policy explains, in plain language, what we collect from you, why, who else sees it, and the rights you have over it under Indian law.

01

Who We Are

This privacy policy applies to The Maison World (themaisonworld.com), operated by Ms. Sadhana Ojha, sole proprietor trading as Ivanaa's Beautify ("we", "us", "our", "the Maison").

Registered Address: 34 Sheshadri Colony, Kila Medan, Mari Mata Square, Indore, Madhya Pradesh – 452006, India
GSTIN: 23AAGPO8569E1ZH

For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), we are the Data Fiduciary in respect of personal data we collect from you. You are the Data Principal.

This policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it. It applies to all visitors and registered users of the Maison's websites, mobile applications, and connected services — including Maison Nox (fragrances), Maison Velours (cosmetics), Maison Beauty Suite (salon services), La Maison Privée (members), and Maia (AI consultant).

02

Information We Collect

1. Information you provide directly
• Name, phone number, email address, postal address, and date of birth (where relevant)
• Account credentials and authentication codes (OTP)
• Payment instrument details (processed by our payment gateway, never stored by us)
• Booking preferences, gift recipient details, and order notes
• Photographs you submit to AI Skin Analysis or Hair Analysis
• Conversations you have with Maia, our AI consultant
• Reviews, feedback, and any communication you send us

2. Information collected automatically
• Device and browser type, operating system, and screen size
• IP address and approximate location (city level, derived from IP)
• Pages viewed, products browsed, time on page, and referral source
• Authentication and session cookies; analytics cookies (only if you accept the cookie banner)
• Crash and performance telemetry from Sentry (no personal content)

3. Information from third parties
• Order, payment, and refund status from Razorpay
• Delivery and tracking events from courier partners
• OAuth identifiers if you choose to sign in via a third-party provider (currently none enabled)
• Aggregate audience data from Meta and Google when you arrive via an advertisement (only if you have accepted analytics cookies)

03

Why We Collect It — Purposes & Lawful Basis

Under the DPDP Act we process your personal data on the basis of your consent or where processing is necessary for certain legitimate uses specified in the Act.

Performance of contract — fulfilling orders, processing payments, scheduling salon appointments, issuing tax invoices, handling returns and refunds.

Consent — sending marketing communications, dropping analytics or advertising cookies, processing photographs for AI Skin / Hair Analysis, recording conversations with Maia for service improvement, and any processing of children's data (with verifiable parental consent).

Legal obligation — retention of transactional records under Indian tax law (CGST Act, Income-tax Act), responses to lawful requests from regulators, courts, or law-enforcement authorities, and grievance reporting under the IT Rules, 2021.

Legitimate interest — safeguarding the platform against fraud and abuse, improving services, conducting internal audits, and defending legal claims, where such interest is not overridden by your rights and freedoms.

We never sell, rent, or trade your personal data for marketing purposes.

04

How Long We Keep It — Retention

We retain personal data only for as long as necessary for the purpose it was collected, or as required by law.

Account & profile data — for the lifetime of your account. Deleted within 30 days of your account-closure request, except for records we are required to retain.

Order, invoice, and payment records — 8 financial years from the relevant tax year, as required under the CGST Act, 2017 and the Income-tax Act, 1961.

Salon booking records — 3 years from the appointment date for warranty and dispute purposes.

AI Skin & Hair Analysis photographs — NOT stored on our servers. Images are streamed to our AI vision provider, processed in real time, and immediately discarded. Analysis results are stored in your browser's local storage and automatically expire after 1 hour unless you save them to your account.

Maia conversations — the assistant's replies are not stored. Your typed questions are retained in our analytics store for 90 days to monitor service quality, then automatically deleted. Each entry is the question text only, with no userId, IP, email, account reference or device identifier attached. The text is run through an automated redactor before storage that replaces emails, phone numbers, postal pincodes, PAN, Aadhaar, GSTIN and card-number patterns with placeholder tokens (e.g. [email], [phone]). Free-text scrubbing is best-effort, not perfect — please do not type sensitive personal information into Maia; like any chatbot, it is not the right place for it.

Web analytics & marketing tags — retained per the vendor's policy (Google Analytics: up to 14 months; Meta Pixel: up to 2 years). Only collected after you accept the cookie banner.

Server logs and crash telemetry — 30 days, then deleted.

Backups — operational backups are encrypted and rotated on a 35-day cycle.

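To make concrete what a pattern-based redactor of the kind described above does, and where it stops, here is an added illustration in Python. It is not the Maison's own redactor; the regular expressions, the token names, the sample chat message and the ordering of the passes are all assumptions made for this example. It shows the part that works (fixed-shape identifiers such as email, phone, pincode, PAN, Aadhaar, GSTIN and card numbers are replaced by tokens) and the part that is only best-effort (a first name, which has no fixed shape, passes through untouched).

```python
import re

# Patterns run in this order. More specific formats go first so that a GSTIN
# (which embeds a PAN) is not reported as a PAN, and a card number is not
# chopped into "aadhaar", "phone" or "pincode" fragments. Every pattern and
# token name here is an assumption for this example, not the Maison's code.
_PATTERNS = [
    ("[email]",   re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[gstin]",   re.compile(r"\b\d{2}[A-Z]{5}\d{4}[A-Z][1-9A-Z]Z[0-9A-Z]\b")),
    ("[pan]",     re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")),
    # 13-19 digits, optionally separated by spaces or dashes; Luhn-checked below
    ("[card]",    re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
    # 12 digits in 4-4-4 groups; Aadhaar numbers never start with 0 or 1
    ("[aadhaar]", re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b")),
    # Indian mobile: optional +91 or trunk 0, then 10 digits starting 6-9
    ("[phone]",   re.compile(r"(?<!\d)(?:\+91[ -]?|0)?[6-9]\d{4}[ -]?\d{5}(?!\d)")),
    ("[pincode]", re.compile(r"\b[1-9]\d{5}\b")),
]


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid labelling every long digit run a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Return (scrubbed_text, count of replacements per token).

    Best-effort only: identifiers with a fixed shape are caught; names and
    other free-text personal details have no shape and pass straight through.
    """
    counts: dict[str, int] = {}
    for token, pattern in _PATTERNS:
        def _replace(m: re.Match, token: str = token) -> str:
            if token == "[card]" and not _luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)   # digit run that fails Luhn: not a card, leave it
            counts[token] = counts.get(token, 0) + 1
            return token
        text = pattern.sub(_replace, text)
    return text, counts


# Constructed sample message; every identifier in it is made up for this example.
SAMPLE = (
    "Hi Maia, I'm Priya. My order went to 12 Example Street, Indore 400001. "
    "Reach me on +91 98765 43210 or priya@example.com. "
    "PAN ABCDE1234F, GSTIN 27ABCDE1234F1Z5, Aadhaar 2345 6789 0123, "
    "card 4111 1111 1111 1111."
)

EXPECTED = (
    "Hi Maia, I'm Priya. My order went to 12 Example Street, Indore [pincode]. "
    "Reach me on [phone] or [email]. "
    "PAN [pan], GSTIN [gstin], Aadhaar [aadhaar], card [card]."
)


def name_leaks(text: str) -> bool:
    """True if the free-text name survives redaction (it does: no fixed shape)."""
    scrubbed, _ = redact(text)
    return "Priya" in scrubbed


if __name__ == "__main__":
    scrubbed, counts = redact(SAMPLE)
    print(scrubbed)
    print(counts)
    print("name still present:", name_leaks(SAMPLE))
```

The point of the Luhn check is precision rather than recall: a tracking number or a long reference code would otherwise be replaced wholesale, which is harmless to privacy but hides what the question was actually about. The surviving "Priya" is the reason a policy can only promise best-effort scrubbing for free text.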
05

Who We Share It With

We share personal data only with carefully chosen Data Processors who are contractually bound to process it solely on our instructions and to standards no lower than ours.

Payments: Razorpay Software Private Limited (PCI-DSS Level 1, RBI-licensed) — for card, UPI, net-banking, wallet, and EMI processing.

Hosting & infrastructure: Vercel Inc. — for website hosting and edge delivery; Upstash Inc. — for Redis-based session and rate-limit storage.

Email & messaging: Google LLC (Gmail SMTP) and Resend Inc. — for transactional email; Interakt — for WhatsApp Business messaging.

AI providers: Groq Inc. (text — Maia AI consultant), Google LLC (vision — Skin & Hair Analysis primary model, Gemini family), and Anthropic PBC (vision — fallback model, Claude Haiku family). Prompts and images are routed through Vercel AI Gateway under its Zero-Data-Retention configuration, which means the gateway does not retain prompts, images or completions beyond the request lifecycle. Onward providers receive only the redacted prompt or the photograph and the chosen model name; their handling, retention and training behaviour is governed by the provider's published commercial API terms, to which we are bound as a customer. We do not transmit your name, email, account ID, IP or payment information to these providers as part of the prompt. Skin and hair analysis photographs are streamed in-memory to the vision provider for a single request and are not written to disk, our database or any log on our side.

Monitoring: Functional Software Inc. (Sentry) — for error and crash diagnostics. Personal content is scrubbed before transmission.

Couriers & logistics: Authorised courier partners for shipping fulfilment. They receive only the delivery address and contact phone.

Government & legal: Tax authorities, regulators, courts, and law-enforcement agencies when compelled by valid legal process.

We do not sell or share personal data with advertisers, data brokers, or unrelated third parties.

06

Cross-Border Data Transfers

Some of our service providers process data outside India — chiefly in the United States and the European Union. Where this occurs, we rely on:
• Contractual safeguards with each processor that bind them to confidentiality, security, and onward-transfer restrictions consistent with Indian law.
• Restrictions specified by the Central Government from time to time under Section 16 of the DPDP Act regarding countries to which personal data may not be transferred.

If the Central Government notifies a country as restricted under Section 16, we will cease transfers to that country and migrate data to a permitted region.

07

Cookies & Tracking

We use a small number of cookies and similar technologies. A separate Cookie Policy at /cookie-policy lists each one with its purpose and duration.

Essential cookies — set by default and necessary for the site to function (authentication, cart state, fraud prevention). These cannot be disabled.

Analytics & advertising cookies — set only after you click Accept on the cookie banner. These include Google Analytics 4 and the Meta Pixel. You may decline at any time, and we will not load them.

You can also disable cookies in your browser settings, though some site features may not work as expected.

08

Children’s Data

Our services are intended for users 18 years of age and over. We do not knowingly process personal data of any individual under 18 ("Child" under the DPDP Act) without verifiable consent of a parent or lawful guardian. If you are a parent or guardian and become aware that a child has provided us with personal data without your consent, please contact our Grievance Officer at info@themaisonworld.com and we will delete the data without undue delay. We will not undertake any tracking, behavioural monitoring, or targeted advertising directed at children.

09

Automated Decision-Making & AI Features

Maia (AI Consultant) — Maia uses third-party large language models to suggest products, rituals, and editorial reading based on your stated preferences. Recommendations are advisory, not medical advice. You may dismiss or override any recommendation. We do not use Maia to make decisions that produce legal effects on you.

AI Skin & Hair Analysis — these features apply computer-vision models to a photograph you submit, returning a non-medical, informational assessment. They are not a diagnosis. The image is processed in real time and immediately discarded; the result is stored only in your browser unless you save it to your account.

Targeted advertising — we may show you remarketing advertisements on Meta and Google platforms if you have accepted analytics cookies. You may opt out via the platforms' own preference centres at any time.

You have the right to seek human review of any automated outcome you believe is unfair. Contact our Grievance Officer.

10

Your Rights

As a Data Principal under the DPDP Act, 2023, you have the right to:
• Access the personal data we hold about you, the processing activities undertaken, and the third parties we have shared it with.
• Correct, complete, update, or erase your personal data where it is no longer necessary for the purpose collected.
• Withdraw consent that you have previously given, at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Nominate another individual who may exercise your rights in the event of your death or incapacity.
• Grievance redressal — to make a complaint to our Grievance Officer and, if unresolved, to escalate to the Data Protection Board of India.

We respond to verified rights requests within the timelines required by law and, in any case, no later than 30 days of receipt.

11

How to Exercise Your Rights

Send a request to info@themaisonworld.com from the email address registered with your account, with the subject line "Data Rights Request" and a description of the right you wish to exercise. We may ask you to verify your identity before acting on the request, in order to protect you from impersonation. We will not charge a fee for routine requests, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

If you are dissatisfied with our response, you may escalate the matter to:
Data Protection Board of India — once notified by the Central Government under Section 18 of the DPDP Act.

12

Security Measures

We implement reasonable security practices and procedures consistent with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — broadly aligned with ISO/IEC 27001 principles. These include encryption in transit (TLS 1.2+), encryption at rest for sensitive fields, strict access controls, multi-factor authentication for administrative access, an information-security policy, periodic security reviews, secure software-development practices, and incident-response runbooks.

No system is impenetrable. If you suspect any unauthorised access to your account, write to us immediately at info@themaisonworld.com.

13

Data Breach Notification

In the event of a personal-data breach that is likely to result in risk to your rights, we will:
• Notify the Data Protection Board of India in the form and within the timelines prescribed by the DPDP Rules.
• Notify each affected Data Principal in clear and plain language, describing the nature of the breach, the data categories affected, the likely consequences, and the measures we are taking.
• Cooperate with CERT-In and other competent authorities as required.

14

Grievance Officer

In accordance with Section 8(9) of the DPDP Act, 2023 and Rule 3(2) of the Information Technology (Intermediary Guidelines) Rules, 2021, we have appointed a Grievance Officer who is a person resident in India:

Name: Ms. Sadhana Ojha
Designation: Grievance Officer & Proprietor
Address: 34 Sheshadri Colony, Kila Medan, Mari Mata Square, Indore, Madhya Pradesh – 452006
Email: info@themaisonworld.com
Phone: +91 99815 22242

We acknowledge every grievance within 24 hours of receipt and resolve it within 15 days in accordance with the IT Rules, 2021. A standalone /grievance page sets out the full process.

15

Changes to this Policy

We may revise this policy from time to time. The "Last updated" date at the top of the page reflects the date of the most recent change. Material changes will be communicated to registered users by email at least 15 days before they take effect, where the change adversely affects your rights. Continued use of the Maison after the effective date of a revision constitutes acceptance of the revised policy.

16

Contact Us

The Maison World (Ivanaa's Beautify · Sadhana Ojha, Proprietor)
34 Sheshadri Colony, Kila Medan, Mari Mata Square, Indore, Madhya Pradesh – 452006, India
Email: info@themaisonworld.com
Phone: +91 99815 22242
GSTIN: 23AAGPO8569E1ZH