The Craft Leather
Data Protection

Privacy Policy

This Privacy Policy explains how The Craft Leather collects, processes, stores, and protects personal data across our digital and physical touchpoints. It aligns with India’s Digital Personal Data Protection Act (DPDP), the EU General Data Protection Regulation (GDPR), and global best practices.

Last updated: May 15, 2024

1. Overview

The Craft Leather Private Limited (“The Craft Leather”, “we”, “our”) is committed to protecting personal data entrusted to us by clients, suppliers, artisans, and employees.

This policy explains the data we collect, the lawful bases for processing, retention timelines, and the safeguards we apply across our digital platforms, ERP systems, and offline operations.

2. Data We Collect

We collect the following categories of personal and business data:

  • Identity & Contact Data: Name, designation, company information, billing and shipping addresses, phone numbers, email addresses.
  • Order & Preference Data: Product selections, sizing details, engraving preferences, event briefs, purchase history, feedback, and sample approvals.
  • Technical Data: IP addresses, device identifiers, browser metadata, referral URLs, session analytics, and cookies.
  • Compliance Data: GST/TAX details, import/export licences, KYC documents, UBO disclosures, and sanction screening outcomes where mandated.
  • HR & Artisan Data: Employment records, skill matrices, compensation, attendance, and statutory compliance documentation.

3. Lawful Bases & Purpose Limitation

We process personal data under DPDP- and GDPR-compliant legal grounds:

  • Contractual Necessity: Creating accounts, processing orders, delivering goods, managing warranties, and executing MSAs/SOWs.
  • Legitimate Interest: Improving catalogue recommendations, fraud prevention, supply chain optimisation, and brand communication with business customers.
  • Consent: Email newsletters, marketing automation journeys, and cookie categories beyond essential operations.
  • Legal Obligation: Tax audit requirements, export control checks, accident reporting, and statutory benefits.

We never sell personal data. Any secondary processing is disclosed with purpose, lawful basis, and consent or opt-out options as applicable.

4. Data Protection & Individual Rights

We honour rights provided under India’s DPDP Act, the EU GDPR, and relevant local regulations.

  • Right to Access: Obtain a copy of personal data we maintain about you.
  • Right to Correction: Update, rectify, or complete inaccurate or incomplete data.
  • Right to Erasure: Request deletion subject to contractual or legal retention requirements.
  • Right to Portability: Receive business-critical data in a structured, machine-readable format.
  • Right to Restrict/Withdraw Consent: Opt out of marketing or limit processing where legally permissible.

To exercise these rights, contact our Data Protection Officer (DPO) at dpo@thecraftleather.com. We respond within 30 days, or earlier where mandated.

5. Data Sharing & International Transfers

We share data with trusted vendors strictly on a need-to-know basis:

  • Logistics partners and customs brokers for order fulfilment and regulatory filings.
  • IT infrastructure providers (hosting, analytics, communication tools) under DPAs and SCCs/approved transfer mechanisms.
  • Payment gateways and banking partners for invoicing, reconciliation, and refund processes.
  • Compliance consultants and auditors for ISO, SEDEX, and supply-chain certifications.

Cross-border transfers outside India or the EEA are protected through Standard Contractual Clauses, adequacy decisions, and vendor due diligence.

6. Data Retention

We retain data only for the duration necessary to fulfil purposes outlined above and in line with statutory obligations:

  • Order, invoicing, and tax data: minimum 8 years (or longer as per jurisdiction).
  • Quality assurance footage, design files, and sampling notes: 24 months post project completion unless otherwise requested.
  • Marketing preferences and engagement logs: until consent is withdrawn or after 24 months of inactivity.
  • HR, artisan, and compliance records: as required by labour, ESIC, PF, and occupational safety laws.

7. Security Controls & Breach Management

Security-by-design underpins our digital operations. Key measures include:

  • Role-based access controls (RBAC) with MFA for admin interfaces and data repositories.
  • Encryption of data in transit (TLS 1.2+) and at rest, with segregation between production, staging, and archival workloads.
  • Quarterly vulnerability assessments, secure coding practices, and employee awareness programmes.
  • Vendor risk assessments covering SOC 2/ISO 27001 certifications where applicable.

Suspected incidents are triaged within 4 hours. Notifiable breaches are reported to impacted stakeholders and regulators within statutory timelines.

8. Cookies & Digital Experience Policies

Our sites and apps use cookies and similar technologies to deliver, measure, and improve experiences:

  • Essential cookies: authentication, cart persistence, session management.
  • Analytics cookies: aggregated performance, bounce rates, and browsing patterns.
  • Preference cookies: saving catalogue views, language, or currency toggles.
  • Marketing cookies: personalised campaigns activated only with explicit consent.

Manage cookie preferences via the consent banner or browser settings. Some features may degrade if essential cookies are disabled.

9. Children’s Data

Our products and services target business users aged 18+. We do not knowingly collect data from minors. Guardian consent is required for workshop visits involving students or apprentices.

10. Contact & Escalations

For privacy concerns, contact our DPO at dpo@thecraftleather.com or write to the Corporate Studio address listed on the Contact page.

You may also escalate unresolved grievances to the Data Protection Board of India or the supervisory authority in your jurisdiction.

11. Policy Updates

We review this policy annually or upon regulatory changes. Updated versions will be posted here with a revised effective date. Material policy changes will be communicated via email or in-product notifications.

Need a printable PDF? Download the latest version of our Privacy Policy or contact dpo@thecraftleather.com to request an accessible format.