DOCUMENT // PRIVACY POLICY

PRIVACY

VERSION 1.0 / EFFECTIVE [[PENDING: Privacy Policy effective date, e.g. 2026-06-01 ]]

HOLLOW operates a sovereign techwear platform built around cryptographically verifiable garments. This policy explains what personal data we process, why, how long we keep it, and the rights you hold as a Data Principal under India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”).

It applies to hollowwear.com and the HOLLOW account experience.

_WHO_WE_ARE

HOLLOW is operated by [[PENDING: Registered company name, e.g. HOLLOW WEAR PRIVATE LIMITED ]] (the “Company”, “we”, “us”), based in Bengaluru, Karnataka, India. For the purposes of the DPDP Act, we act as the Data Fiduciary that determines how and why your personal data is processed.

Registered office: [[PENDING: Registered office address (Karnataka, India) ]]
CIN: [[PENDING: Corporate Identification Number (CIN), if incorporated ]]
GSTIN: [[PENDING: GSTIN ]]
Governing law: Laws of India

_DATA_WE_COLLECT

We process the following categories of personal data:

  • Account & authentication — your email address and a securely hashed password, managed by our authentication provider. We never see your raw password.
  • Profile — display name, username, an optional avatar, and, where you provide them for delivery, your phone number and shipping address (street, city, state, postal code, country).
  • Consent records — when you accept our Terms or this Policy, we record the version accepted, the timestamp, your browser user-agent, and a partial (truncated) IP address, kept as proof of consent.
  • Orders & drops — your drop entries (selected size, entry time), allocation and payment status, fulfillment method, and order history.
  • Payments — payments are processed by Razorpay. We receive confirmation and limited transaction metadata (such as an order reference, amount, and status) but do not collect or store your full card or bank details.
  • Product & provenance — the garments you own and their provenance records, and, when an NFC tag is tapped, validation logs. For tap logs, IP addresses are stored only in hashed form.
  • Support — the messages and details you submit through the support flow.
  • Activity & device — limited technical logs of key actions and anti-bot signals (via Cloudflare Turnstile) used to protect the platform.

_HOW_WE_USE_DATA

We use personal data to:

  • create and secure your account and authenticate you;
  • run drops, allocate garments, and process payments and fulfillment;
  • maintain garment provenance and power NFC authentication;
  • send transactional communications such as drop, order, and delivery notifications;
  • detect, prevent, and investigate fraud, abuse, and automated attacks;
  • comply with legal, tax, and accounting obligations.

We do not sell your personal data, and we do not use it for third-party advertising.

_SHARING_AND_PROCESSORS

We share personal data only with the service providers (Data Processors) that help us operate, under contractual safeguards and only as needed:

  • Razorpay: Payment processing (UPI, cards, netbanking) (India)
  • Supabase: Database, authentication, file metadata ([[PENDING: hosting region, e.g. Mumbai (ap-south-1) ]])
  • SendGrid: Transactional email (order / drop / delivery notifications) ([[PENDING: processing region ]])
  • Cloudflare: CDN & media (R2), NFC validation edge, anti-bot (Turnstile), privacy-friendly analytics (Global edge / APAC)
  • Vercel: Application hosting ([[PENDING: hosting region ]])

We may also disclose data where required by law, or to protect our rights and the safety of others.

_DATA_RETENTION

We keep personal data only as long as needed for the purposes above or as required by law. Indicative periods:

Account data: [[PENDING: e.g. for the life of the account + N years after deletion ]]
Consent records: [[PENDING: e.g. life of account + N years (proof of consent) ]]
NFC validation logs: [[PENDING: e.g. N months (IP is hashed) ]]
Support tickets: [[PENDING: e.g. N years after closure ]]
Payment records: [[PENDING: e.g. as required by Indian tax/finance law (~8 years) ]]
Delivery records: [[PENDING: e.g. N years ]]

When a retention period ends, we delete or irreversibly anonymize the data.

_YOUR_RIGHTS

As a Data Principal under the DPDP Act, you can:

  • access a summary of the personal data we process about you;
  • correct, complete, or update inaccurate data;
  • request erasure of your data, subject to legal retention requirements;
  • withdraw consent at any time (this does not affect processing already carried out);
  • nominate another individual to exercise your rights in the event of death or incapacity;
  • raise a grievance with our Grievance Officer (below) and, if unresolved, with the Data Protection Board of India.

To exercise any right, contact us at [email protected] or our Grievance Officer. We may need to verify your identity first.

_SECURITY

We apply reasonable technical and organizational safeguards, including encryption in transit, row-level access controls on our database, multi-factor authentication for staff, hashing of sensitive identifiers (such as NFC tap IP addresses), and least-privilege access.

No system is perfectly secure. If a personal data breach occurs, we will act in accordance with the DPDP Act, including notifying the Data Protection Board and affected Data Principals where required.

_INTERNATIONAL_TRANSFERS

Some of our service providers operate globally, so your data may be processed on servers outside India. Where this happens, it is done in accordance with the DPDP Act, which permits such transfers except to countries specifically restricted by the Government of India.

_CHILDREN

HOLLOW is intended for adults. Our services are not directed to individuals under 18, and we do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us and we will take appropriate steps to delete it.

_CHANGES

We may update this Policy from time to time. The current version and effective date appear at the top of this page. When we make material changes, we will ask you to review and accept the updated Policy the next time you sign in.

Current version: 1.0.

_GRIEVANCE_OFFICER

In accordance with the DPDP Act and applicable rules, you can contact our Grievance Officer about this Policy or how we handle your personal data:

Name: [[PENDING: Grievance Officer full name (resident director or ops lead) ]]
Designation: [[PENDING: Designation, e.g. Grievance Officer / Resident Director ]]
Phone: [[PENDING: Grievance Officer phone, +91XXXXXXXXXX ]]

We aim to acknowledge grievances within 48 hours and resolve them within 30 days. If you are not satisfied with the resolution, you may escalate to the Data Protection Board of India.