Privacy. Held in confidence.

This Privacy Policy is structured to be understood, not endured. We have written it in plain English — not legal jargon — because European data protection law explicitly requires us to. If anything below is unclear, contact us at the email address listed at the end and we will explain it personally.

The policy is organised into sections that mirror the questions you are likely to have. The General Policy applies to everyone, everywhere. After that, four region-specific sections add additional rights for residents of the European Union and United Kingdom, California (United States), Australia, and India. If you live in one of those places, the General Policy plus your regional section together make up your rights.

If you ever want a specific piece of information we hold about you, want us to correct it, or want us to delete it — you have that right. Email us at the address on the last section and we will respond within 30 days.

The Rug Chalet operates this store and website (the "Services") to bring handwoven rugs from Banaras, India to customers in Europe, the United States, Australia, India, and elsewhere. By using or accessing the Services, you acknowledge that you have read this Privacy Policy and understand how your information is handled. If you do not agree with this policy, please do not use the Services.

The Rug Chalet is a brand operated by [INSERT LEGAL ENTITY NAME — e.g. "The Rug Chalet Private Limited"], a company registered in India under the Companies Act, 2013. We are the "data controller" responsible for your personal information under GDPR and the "data fiduciary" under India's Digital Personal Data Protection Act.

Our contact details

• Postal address — [INSERT REGISTERED OFFICE ADDRESS]
• Email (general) — contact@therugchalet.com
• Email (privacy) — privacy@therugchalet.com [SET UP THIS EMAIL ADDRESS BEFORE PUBLISHING]
• Phone — [INSERT PHONE NUMBER]
• Website — therugchalet.com

EU / UK representative

If you are a resident of the European Union or United Kingdom, you may also contact our EU/UK representative, who acts as our local point of contact for data protection matters. [INSERT EU REPRESENTATIVE NAME AND ADDRESS — REQUIRED BEFORE EU MARKETING LAUNCH. Services like Prighter, EU-Representative.com, and Rickert Services offer this for €100–€300/year.]

Important: until we appoint an EU representative, we are not actively marketing to EU residents. Residents of the EU/UK who visit our site can purchase, but no targeted EU advertising will run until an EU representative is in place.

We use the term "personal information" to mean any information that identifies you or can reasonably be linked to you. We collect only what we need to provide the Services and to comply with our legal obligations. We do not collect personal information we do not need.

Identity & contact information

• Your name (first and last)
• Email address
• Postal address (for shipping and billing)
• Phone number (for delivery coordination)

Transaction information

• Items you view, add to cart, add to wishlist, or purchase
• Purchase history, returns, exchanges, and cancellations
• Order numbers, delivery dates, and shipment status
• Payment confirmation (we do not store your full card number)

Payment information

Payment is processed by Shopify Payments and other payment processors. We do not see, store, or have access to your full card details. We see only the last four digits, the card type, the billing address, and whether the payment succeeded or failed. Full card details are handled by our processors in compliance with PCI DSS.

Account information (if you create an account)

• Username, password (stored as an encrypted hash — we cannot see your actual password)
• Account preferences and settings
• Wishlist contents

Communications with us

• Customer support enquiries and our responses
• Reviews, comments, and feedback you submit
• Email correspondence

Technical information (collected automatically)

• Your IP address and approximate location derived from it
• Your device type, browser, operating system, and language settings
• Cookies and similar technologies (see our separate Cookie Policy)
• How you interact with the Services — pages viewed, time on page, scroll depth, basic analytics

What we deliberately do NOT collect: your full payment card details, date of birth, gender, ethnicity, religion, political views, sexual orientation, biometric data, or any data about your health. We do not need this to sell you a rug, so we do not collect it.

Under GDPR, we are required to tell you the specific purpose and the legal basis for each way we use your data. We use your personal information for the following purposes only:

To provide the Services you have requested

Processing your orders, taking payment, arranging shipping, handling returns and exchanges, providing customer support, maintaining your account, and remembering your preferences. Legal basis: performance of a contract (Article 6(1)(b)).

To communicate with you about your orders

Order confirmations, shipping notifications, delivery updates, and replies to your enquiries. Legal basis: performance of a contract (Article 6(1)(b)) and our legitimate interests in good customer service (Article 6(1)(f)).

To improve and tailor the Services

Understanding how customers use our website helps us improve photography, simplify checkout, and identify problems. Legal basis: legitimate interests (Article 6(1)(f)), or your consent for non-essential analytics (Article 6(1)(a)).

To meet legal and tax obligations

Indian tax law and other applicable laws require us to retain transaction records. We may share information with tax authorities, law enforcement, or regulators if legally required. Legal basis: legal obligations (Article 6(1)(c)).

To prevent fraud and protect security

Verifying orders, detecting fraud, preventing abuse, and protecting our customers and business. Legal basis: legitimate interests (Article 6(1)(f)) and legal obligations where applicable (Article 6(1)(c)).

What we do NOT do: we do not send marketing emails (none in operation at launch), do not run third-party advertising pixels, do not sell your data, and do not share your data with advertisers. If this changes, we will update this policy and ask for fresh consent where the law requires it.

We share personal information only with specific parties for specific purposes. We do not sell your data. We do not rent it. We do not trade it.

Service providers who help us operate the Services

These third parties process personal data on our behalf, under contract, and only for the purposes we specify.

Each provider operates under its own privacy policy and provides contractual protections for your data. The current up-to-date list is available on request from privacy@therugchalet.com.

Other circumstances where we may share information

• When you direct us to — for example, shipping to a third-party address or processing a return through a service partner.
• To comply with legal obligations — tax authorities, law enforcement, court orders, or other valid legal process.
• To protect our rights and the rights of others — including investigating fraud or violations of our terms.
• In a business transaction — if The Rug Chalet is acquired or restructured, your data may transfer to the new entity, subject to this same policy until you are notified of any change.

We do not share your personal information with advertising networks, social media platforms, data brokers, or any third party for marketing purposes.

The Rug Chalet operates from India. Our shopping platform Shopify is based in Canada with infrastructure in the United States and European Union. When you make a purchase, your data may be transferred to and processed in any of these countries, plus the country your order ships to.

If you are in the European Union or United Kingdom and your data is transferred outside the EU/UK, we rely on the following safeguards:

• Standard Contractual Clauses approved by the European Commission for transfers to countries without an EU adequacy decision (this applies to India and the United States in most cases).
• Where applicable, the EU-US Data Privacy Framework certifications maintained by our service providers.
• Additional supplementary technical and contractual measures where the destination country's protections are less robust than the EU's.

If you are in India and your data is processed outside India, we comply with the DPDP Act's provisions on cross-border data transfer, including any restrictions the Central Government may notify on specific countries.

We keep your personal information only for as long as we need it for the purpose it was collected, plus any additional period required by law.

After these periods, your information is either deleted, irreversibly anonymised, or — where required by law — kept securely with restricted access.

Regardless of where you live, you have the following baseline rights over the personal information we hold about you:

Right to access (right to know)

Ask us what personal information we hold about you. We will provide a copy within 30 days, free of charge for the first request in any 12-month period.

Right to correction (rectification)

If anything we hold is wrong or incomplete, ask us to correct it. We will update it once we have verified your identity.

Right to deletion (erasure)

Ask us to delete your personal information. We will, unless legally required to keep it (for example, transaction records for tax). We will tell you which records we cannot delete and why.

Right to data portability

Ask us to provide your information in a structured, machine-readable format (typically CSV or JSON) so you can transfer it to another service.

Right to object

Object to specific uses that rely on our legitimate interests rather than your consent or a contract.

Right to withdraw consent

Where we process based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to lodge a complaint

If you believe we have mishandled your information, you can complain to your local data protection authority. We would prefer you contact us first so we can fix the problem.

How to exercise your rights

Email us at privacy@therugchalet.com from the address associated with your account or order. We may ask for information to verify your identity. We respond within 30 days, do not charge, and will not retaliate against you for exercising your rights.

We take reasonable technical and organisational measures to protect your personal information against loss, theft, unauthorised access, alteration, and disclosure. These include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of payment data in storage by our payment processors
• Restricted access controls — only staff who need access to your data have it
• Regular security review of our infrastructure and service providers
• Compliance with our providers' certifications (Shopify's SOC 2 Type II, PCI DSS for payment processing)

Despite these measures, no security system is completely impenetrable. We cannot guarantee absolute security. We strongly recommend you do not share your account password and that you use a strong, unique password.

Data breach notification

If we discover a personal data breach that may pose a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours (GDPR requirement)
• Notify the Data Protection Board of India as required under the DPDP Act
• Notify you directly without undue delay if the breach poses a high risk to you personally
• Take immediate steps to contain the breach and prevent further harm

The Services are not directed at children. We do not knowingly collect personal information from anyone under the age of 18 (the age of majority in India and many of our markets, and the threshold for special protections under the DPDP Act).

If you are a parent or guardian and believe your child has provided us with personal information, contact us at privacy@therugchalet.com and we will delete it promptly.

As of the effective date of this policy, we do not have actual knowledge that we share or sell personal information of individuals under 16 years of age.

In addition to the rights described in the general policy above, the General Data Protection Regulation (EU) 2016/679 and the UK GDPR give you additional rights and require us to provide additional information.

Lawful basis — itemised by purpose

We have disclosed the legal basis for each processing purpose in "How we use it" above. The bases are: performance of a contract, legitimate interests, legal obligations, and consent (for non-essential cookies and any future marketing).

Automated decision-making

We do not make decisions about you based solely on automated processing. All decisions that significantly affect you (order acceptance, refund decisions, account closure) are made or reviewed by a human. We do not perform profiling for advertising or other purposes that produce legal effects on you.

Right not to be subject to solely automated decisions

Under GDPR Article 22 you have this right. Because we do not perform automated decision-making, it is not triggered by our current processing — but the right is yours to invoke if circumstances change.

Supervisory authority

You may lodge a complaint with a supervisory authority, in particular in the EU/EEA member state where you reside, work, or where the alleged infringement occurred. A list is at edpb.europa.eu. UK residents can contact the Information Commissioner's Office at ico.org.uk.

In addition to the general rights above, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and similar laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Kentucky, Rhode Island, Delaware, Maryland, Minnesota, New Hampshire, New Jersey, and Nebraska give you additional rights.

Categories collected, sold, or shared

Within the past 12 months we have collected the categories listed in "What information we collect" above. We have NOT sold personal information. We have NOT shared personal information for cross-context behavioural advertising. We do not collect sensitive personal information in the first place.

Right to know, delete, and correct

You have the right to know what we have collected, the sources, the purpose, and the categories of third parties to whom we disclosed it; to request deletion (subject to exceptions such as tax records); and to request correction of inaccurate information.

Right to opt out of sale or sharing

We do not sell personal information and do not share it for cross-context behavioural advertising. There is therefore no "Do Not Sell or Share My Personal Information" link, because we have nothing to opt out of. If this changes, we will add the link and update this policy.

Right to limit use of sensitive personal information

We do not collect sensitive personal information as defined under California law.

Non-discrimination, authorised agents, GPC, verification

We will not discriminate against you for exercising your rights. You may use an authorised agent (with written proof). If your browser sends a Global Privacy Control signal, we honour it as an opt-out of any sale or sharing — and since we do not engage in either, we already comply. Before responding to a request we verify your identity, requiring stronger verification for deletion than for access, and never more than is reasonably necessary.

India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 govern how we process your personal data. As a Data Fiduciary, we have specific obligations to you as a Data Principal.

Our role as Data Fiduciary

We determine the purpose and means of processing your data. Where we engage third parties (such as Shopify), they act as Data Processors bound by contract to handle your data only as we direct.

Consent and notice

Where we process based on consent, our request is presented clearly at the point of collection (checkout, account creation, or contact form). Consent is free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action. You can withdraw it at any time by contacting privacy@therugchalet.com — withdrawal is as easy as giving consent.

Legitimate uses

In some cases we process under Section 7 of the DPDP Act — the "legitimate uses" basis — specifically when you have voluntarily provided your data for a specific purpose (such as data you provide at checkout) and have not indicated non-consent.

Your rights as a Data Principal

• Right to access personal data we hold about you
• Right to correction and erasure of inaccurate or unnecessary data
• Right to nominate another person to exercise your rights in the event of death or incapacity
• Right to grievance redressal
• Right to withdraw consent at any time

Duties as a Data Principal

Under Section 15 of the DPDP Act, Data Principals also have duties — not impersonating others, not submitting false information when exercising rights, and providing accurate information when registering.

Grievance officer

For complaints about how your data is processed: grievance@therugchalet.com [SET UP THIS EMAIL ADDRESS BEFORE PUBLISHING]. If not satisfied, you may lodge a complaint with the Data Protection Board of India.

Data Protection Officer (when applicable)

If The Rug Chalet is classified as a Significant Data Fiduciary by the Central Government, we will appoint a DPO based in India and publish their contact details here. As of the effective date, we have not been so classified.

If you are in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to our handling of your personal information.

Our compliance with the APPs

We handle personal information in accordance with the 13 Australian Privacy Principles, including open and transparent management (APP 1), anonymity and pseudonymity where practical (APP 2), collection of solicited information (APP 3), unsolicited information (APP 4), notification of collection (APP 5), use and disclosure (APP 6), direct marketing (APP 7 — we do not engage in this), cross-border disclosure (APP 8), government identifiers (APP 9 — we do not collect these), quality (APP 10), security (APP 11), access (APP 12), and correction (APP 13).

Cross-border disclosure

When we disclose your information to overseas recipients (typically Shopify in Canada/US, shipping partners worldwide), we take reasonable steps to ensure they handle it consistently with the APPs.

Complaints

If you believe we have breached the APPs, contact us at privacy@therugchalet.com first. If you are not satisfied, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.

We may update this Privacy Policy from time to time. When we make changes:

• We will update the "Last updated" date at the top of this page.
• For material changes, we will provide additional notice — by email if we have your address, or by a prominent banner on the website.
• Material changes that affect how we use data already collected will require fresh consent where the law requires it.
• Previous versions of this policy are available on request from privacy@therugchalet.com.

General privacy enquiries

• Email — privacy@therugchalet.com
• Post — [INSERT REGISTERED OFFICE ADDRESS, INDIA]

Grievance officer (India)

• Email — grievance@therugchalet.com

EU / UK representative

[TO BE APPOINTED BEFORE EU MARKETING LAUNCH]

Response time

We aim to respond to all privacy enquiries within 30 days. For urgent matters relating to a suspected data breach, we respond as soon as possible — typically within 72 hours.