Privacy Policy
Last updated 2026-05-20.
This page explains what PenPanPrints collects about you when you use the site, why we collect it, and how long we keep it. We're a small Indian business and we try to collect the minimum we can while still running a real store.
1. What we collect
1a. When you place an order
- Your name, email, phone, and shipping address.
- Optionally a GSTIN + business name (for B2B invoices).
- The contents of your order (products, variants, quantities, custom artwork).
- Payment metadata from Razorpay (we never see your card details — only the payment id + status).
1b. When you visit the site (analytics)
We run our own analytics on this server — we don't use Google Analytics or any other third-party tracker. The data we collect depends on the cookie consent you've given:
- Without consent. We record only an anonymous pageview ping: the URL you visited, an irreversible salted hash of your IP, and the time. We do not set cookies, do not store your User-Agent, and do not link the ping to future visits.
- With consent. In addition to the above, we set a pp_anon cookie (a random UUID, valid 1 year) so we can recognise a returning visitor without knowing who they are. We record your User-Agent (to bucket devices/browsers/OS), your referrer URL (to credit marketing channels), and your approximate location (country + region + city, looked up via MaxMind GeoLite2 from your IP). Each session links to the events that happened during it (pageviews, add-to-cart, checkout steps, payment attempts) so we can compute funnel and conversion stats.
Raw events are kept for 180 days. After that we archive them to cold storage and delete the live rows. Aggregated daily counts (number of sessions per day, conversion rate, etc.) are kept indefinitely — they don't identify you.
1c. When you create an account
We store the same fields as above plus the consent state at the time you signed up, the date of last password change, and any 2FA enrolment metadata. Order history is kept for at least the statutory GST retention period (8 years from the end of the financial year) even if you later ask us to forget you — Indian tax law requires it.
2. Why we collect it
- To process and ship your orders.
- To raise GST-compliant tax invoices and credit notes.
- To detect and prevent fraud (e.g. card-testing on Razorpay).
- To respond to your support questions.
- With your consent, to understand which pages and products bring people in and where they drop off — so we can fix friction.
3. Who we share it with
Only the third-party processors we strictly need to run the store: Razorpay (payments), Shiprocket / our courier (shipping), Resend (transactional email), MSG91 (SMS OTP). We do not sell your data, and we do not share with analytics or advertising networks.
4. Your rights under DPDPA 2023
- Access. Email us and we'll send you a copy of everything we hold about you.
- Correction. You can edit your profile + addresses in your account, or email us.
- Erasure. Request deletion from your account settings. Orders + invoices retained for GST stay in our books but are anonymised — your name + email are scrubbed.
- Consent withdrawal. You can change your cookie choices anytime via the link at the bottom of every page. Switching to "Reject" immediately clears the pp_anon cookie.
- Grievances. Email hello@penpanprints.com and we'll respond within 30 days. If we don't resolve it to your satisfaction, you can escalate to the Data Protection Board of India.
5. Cookies we set
- pp_consent — essential. Records your cookie choice. One year.
- pp_cart — essential. Lets guests keep a cart across page loads. 30 days.
- pp_anon — analytics (consent-gated). Random UUID, HttpOnly. One year. Cleared immediately if you opt out.
- pp_otp — essential. Phone OTP session for COD orders. Short-lived.
- Auth.js session cookies — essential. Only set after you sign in.
6. Security
Customer artwork uploaded for custom prints is private and only accessible to you and our review staff via short-lived signed URLs. Passwords are hashed with bcrypt. Razorpay webhook payloads are verified with HMAC-SHA256. Quarterly we rotate API keys + the IP hashing salt.
7. Contact
For any privacy question, email hello@penpanprints.com.