CHIR Privacy Policy

CHIR is a sustainable fashion marketplace that supports buying, renting, reselling, and clothing donation workflows across the CHIR website and mobile app. This Privacy Policy explains how we handle personal data when you create an account, browse the marketplace, upload content, submit payments, request refunds, or use the admin-reviewed support flows.

We act as the data controller for the information we collect through CHIR and we use service providers such as Firebase, Cloudinary, and Razorpay to operate the service.

We collect only the data needed to run the marketplace and provide account support:

• Account data: name, display name, username, email address, phone number, profile photo, and role.
• Profile and address data: gender, bio, address, city, state, and pincode.
• Marketplace content: listings, descriptions, category, size, brand, condition, listing images, and seller details.
• Order and rental data: cart items, shipping address, order IDs, rental dates, delivery status, tracking history, and order/rental history.
• Payment data: payment method, payment status, Razorpay order or payment IDs, manual UPI transaction references, payment notes, proof screenshots, and refund destination details.
• Return and refund data: return reasons, proof images, pickup details, UPI refund IDs, bank account details, refund references, and admin notes.
• Donation data: donor name, phone number, pickup address, description, donation images, and moderation notes.
• Technical and usage data: sign-in state, app activity, recent search terms, cart and wishlist data, session identifiers, request logs, and analytics or diagnostics data if enabled in the Firebase project.

The Android app also uses camera and photo library access when you choose to capture or upload listing, payment, donation, or return images. The browser version uses file pickers and web storage for recent searches, carts, and wishlist persistence.

We use your data to provide the service you asked us to deliver:

• Authenticate accounts and keep sign-in sessions working.
• Publish and moderate listings, rentals, donations, and return requests.
• Process checkout, manual UPI verification, Razorpay payments, COD orders, and rental deposits.
• Show your dashboard, order history, rental history, wishlist, saved cart, and account details.
• Review returns, calculate refunds, and send approved refunds to the destination you provide.
• Prevent abuse, fraud, spam, duplicate requests, and platform misuse.
• Support customer service, dispute resolution, and compliance with legal, tax, and audit obligations.

CHIR uses the following storage mechanisms:

• Firebase Authentication for sign-in and identity management.
• Cloud Firestore for user profiles, products, orders, rentals, donations, return requests, carts, account deletion requests, and admin logs.
• Firebase Storage and Cloudinary for uploaded images and supporting media.
• Local browser storage and Android SharedPreferences for session caches, carts, wishlists, recent searches, and pending profile updates.
• Server-side API routes for payment verification, account sync, donations, return requests, and account deletion handling.

We protect data in transit using HTTPS and service-provider security features. Access to moderation and refund workflows is restricted to authenticated admins.

We do not sell personal data. We only share it when it is necessary to operate CHIR:

• Firebase / Google services for authentication, storage, database, hosting, and optional analytics.
• Cloudinary for unsigned image uploads and media hosting.
• Razorpay for payment processing and payment verification.
• Authorized CHIR admins who review products, payments, returns, rentals, donations, and deletion requests.
• Legal, regulatory, or law-enforcement authorities when disclosure is required by law.

We share only the minimum information necessary for each purpose and we expect our service providers to protect the information they process.

Where GDPR or similar laws apply, we rely on the following legal bases:

• Performance of a contract when we process your account, orders, rentals, payments, and support requests.
• Legitimate interests when we moderate content, prevent fraud, protect the platform, and keep audit records.
• Consent when we rely on user permissions for certain uploads or optional communication features.
• Legal obligation when we keep records that tax, accounting, consumer-protection, or anti-fraud rules require.

We keep account, order, rental, donation, return, and support records only for as long as reasonably needed to operate the service, protect against fraud, resolve disputes, and meet legal obligations.

If you request deletion, we remove or anonymize the data we can safely remove. Some records may still be kept when retention is required for payment reconciliation, legal compliance, fraud prevention, moderation audits, or dispute handling. Images or documents tied to active or completed transactions may also be retained if they are needed to support those records.

Local browser storage or device caches are cleared when you sign out or complete the account deletion flow.

We use technical and organizational controls designed to reduce the risk of unauthorized access:

• Token-based authentication and server-side verification for protected API routes.
• Firestore and Storage security rules.
• Role-based admin access and audit logs for moderation activity.
• Payment verification using Razorpay signatures and authenticated backend checks.
• Restricted admin-only data access for moderation and refund workflows.

No online system is perfectly secure, but we work to protect the information you entrust to us.

You can ask us to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete profile details.
• Delete your account and request deletion of associated personal data.
• Object to or restrict certain processing where applicable.
• Withdraw consent for optional data uses where that consent applies.
• Receive a copy of your data where portability rights apply.

To exercise these rights, use the in-app deletion flow or contact us using the details below.

CHIR is not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has shared data with us, contact us and we will review the request promptly.

If you have privacy questions or want to submit a request, contact us at:

• Email: chirservices@gmail.com
• Phone: +91 9708310250
• Website: https://vastraloop.in