Privacy policy
Last Updated: June 2, 2025
This Privacy Policy (“Policy”) describes how Kosala (the “Company,” “we,” “us,” or “our”), a B2C enterprise hosted on Shopify, collects, processes, uses, retains, and discloses personal data when you (“you,” “your,” or “Site User”) visit, use, or transact on kosala.com (the “Site”), or otherwise interact with our services (collectively, the “Services”).
By accessing or using any portion of the Services, you explicitly agree to the collection, processing, and use of your data as described herein. If you do not consent to these terms, you must immediately discontinue use of the Site and Services or write to us at support@kosala.com.
1. Scope and Applicability
1.1. B2C Emphasis: This Policy applies exclusively to personal data collected from individual consumers, customers, and visitors using the Site. It does not cover data collection methods outside the Site (e.g., offline transactions), or from third-party platforms not directly controlled by Kosala.
1.2. Corporate Oversight: As a subsidiary of Hindalco Industries Limited (“Hindalco”), Kosala aligns with Hindalco’s corporate privacy framework.
1.3. Jurisdictional Coverage: While Kosala is based in India, personal data may be transferred, stored, and processed globally, subject to applicable data protection laws (e.g., Indian DPDP Act, GDPR for EU data subjects, UK GDPR, CCPA/CPRA), with your consent or for legitimate interests.
2. Information We Collect
2.1. Directly from You
- Contact & Identification Data: Full name, postal address, phone number, e-mail address, billing/shipping address, postal code.
- Account Credentials: Username, hashed passwords, security questions/answers.
- Order & Transaction Data: Purchase history (products/services purchased, order date, payment confirmation), loyalty points, gift cards, referrals, and product reviews submitted by you.
- Customer Support & Communication Data: Any information included in your communications to our support channels (e-mail, chat transcripts, support tickets, recorded audio messages/interactions).
Note: Providing certain data is mandatory to complete transactions, manage your account, or fulfill your requests. If you do not provide the information for the required fields, we will not be able to complete orders, or in some cases you may not be able to access and avail full Services and features of the Site.
2.2. Usage & Technical Data
We automatically collect non-personal and personal technical data via cookies, pixels, web beacons, and similar tracking technologies (“Cookies”). This may include:
- Device & Browser Details: Device type (mobile, desktop, tablet), operating system version, browser type/version.
- Network & Connection Data: IP address, Internet Service Provider (ISP), unique device identifiers, mobile carrier (where applicable).
- Site Interaction Metrics: Pages accessed, clickstream data, referral URLs, scroll depth, session duration, search queries, GPC signals, and other engagement metrics.
2.3. Third-Party & Affiliate Sources
- Platform Providers: Shopify (e-commerce platform), payment gateways (e.g., Stripe, PayU, Razorpay), logistics/fulfillment partners. These partners may provide transactional, payment, and shipping data.
- Ad/Analytics Partners: Google Analytics, Meta (Facebook/Instagram) pixel, TikTok Pixel, and other advertising partners may supply audience segmentation and performance metrics.
- Social Media Integrations: Information from social platforms (LinkedIn, Facebook, Instagram, YouTube) when you choose to connect or interact via embedded widgets. Data from these sources is subject to and governed by their respective privacy notices.
3. Legal Grounds & Business Purposes for Processing
Kosala processes your personal data under the following lawful bases and business purposes:
- Contractual Necessity
  - Order Fulfillment: Processing orders, payments, shipping, returns, and exchanges (including sharing data with payment processors and logistics partners).
  - Account Management: Creating/maintaining your account, validation, password resets, security notifications.
  - Customer Support: Responding to inquiries, troubleshooting, service support, and grievance redressal.
- Legitimate Interests (Balanced with Your Rights)
  - Site Analytics & Optimization: Monitoring site performance, diagnosing technical issues, improving user experience, A/B testing.
  - Fraud Detection & Risk Management: Identifying and preventing fraudulent transactions, data breaches, or malicious activities.
  - Security & Abuse Prevention: Securing accounts, protecting infrastructure, and maintaining compliance with our Terms of Service, and laws of the land.
  - Corporate Governance & Reporting: Integrating with Hindalco’s centralized compliance and audit frameworks for oversight, internal reporting, and regulatory disclosures.
- Consent
  - Marketing & Promotional Communications: Sending newsletters, special offers, product updates, and targeted advertisements via email, SMS, or postal mail, provided you have opted in.
  - Behavioral Advertising: Using tracking technologies to tailor advertising on the Site and on third-party platforms. You may withdraw consent at any time (see Section 7).
- Legal & Regulatory Compliance
  - Statutory Obligations: Complying with Indian laws (e.g., Companies Act, IT Act, DPDP Act), responding to lawful requests by courts, law enforcement, or regulatory bodies (e.g., RBI, SEBI, Data Protection Board).
  - Vital Interests: Disclosing information to protect life, safety, or public health, such as in the event of a health emergency or disaster.
4. Cookies, Tracking & Global Privacy Control (GPC)
Kosala and our third-party service providers use Cookies and similar technologies for the following:
- Essential Cookies: Necessary to run core Shopify functionality (e.g., cart management, payment authentication, user sessions).
- Performance & Analytics Cookies: Collect real-time data to measure site usage, load times, error logs, and to generate aggregated reports for optimization.
- Functionality Cookies: Remember your preferences, such as language selection, region, and login details, to personalize your experience.
- Advertising & Targeting Cookies: Track your browsing activity across Kosala and partner sites to deliver tailored advertisements.
Managing Cookies:
- Most browsers allow you to control or delete Cookies via settings. Blocking essential Cookies may impair your ability to use certain Services.
- Global Privacy Control (GPC): We honor GPC signals as a valid opt-out request for targeted advertising and data sharing. If we can associate the GPC-enabled browser/device with your Kosala account, we will apply your opt-out preferences to account-based tracking and advertising. We do not honor other Do Not Track (DNT) signals. For detailed information on Shopify’s cookie usage, see: https://www.shopify.com/legal/cookies.
5. How We Use Your Personal Data
| Business Purpose | Data Categories Used |
| --- | --- |
| Order Fulfillment & Payments | Contact & Customer Identification Data; Payment Confirmation; Billing/Shipping Address; Device/IP Data (for risk assessment). |
| Account Creation & Security | Account Credentials; Email; Phone Number; Authentication Logs; Security Questions/Answers. |
| Customer Support & Feedback | Customer Support Data; Order History; Chat/Email Transcripts; Device/Browser Info (for troubleshooting). |
| Marketing & Advertising | Contact Data; Purchase History; Cookies & Usage Data; Social Media Profile Data (as permitted); GPC & Consent Indicators. |
| Site Analytics & Optimization | Cookies & Usage Data; IP Address; Device/Browser Data; Aggregated Interaction Metrics; Third-Party Analytics Reports. |
| Fraud & Security Monitoring | Transaction Details; Account Activity Logs; Device/IP Reputation; Payment Processor Fraud Alerts; Security Event Logs. |
| Legal & Compliance | Any Personal Data as required to comply with statutory obligations, subpoenas, court orders, or regulatory directives (e.g., data retention for tax/audit). |
All uses not explicitly enumerated in this Policy require explicit prior consent or must be justified under applicable law as a legitimate interest or legal obligation.
6. Data Sharing & Third-Party Recipients
6.1. Service Providers & Vendors
- Shopify: E-commerce platform hosting the Site, managing checkout, and storing certain customer data.
- Payment Processors: Entities such as Stripe, Razorpay, PayU, or other PCI-compliant processors that handle transaction data (card details, billing address) under strict confidentiality.
- Logistics & Fulfillment Partners: Third-party carriers (e.g., DHL, FedEx, Blue Dart) that receive your shipping address and contact details to deliver products to your doorstep.
- Customer Support/CRM Tools: Platforms used for ticketing, e-mail marketing, chatbots (e.g., Zendesk, Intercom), which may collect support interactions and satisfaction data.
- Analytics & Advertising Platforms: Google Analytics, Meta Advertising, TikTok Ads, Criteo, etc., which process Cookies, device identifiers, and behavioral data for audience segmentation and campaign optimization.
All service providers operate under our written instructions and are contractually bound to implement adequate technical and organizational measures to protect your data, adhering to confidentiality and data protection requirements.
6.2. Hindalco Group Affiliates & Subsidiaries
- We may share necessary data with Hindalco or its affiliates (e.g., reporting on aggregated sales, compliance auditing, risk management) strictly for internal governance, auditing, and corporate oversight.
- Any transfer to Hindalco affiliates will be governed by intra-group data processing agreements, ensuring consistency in data protection standards across jurisdictions.
6.3. Business & Marketing Partners
- We may share selected data (e.g., hashed e-mail addresses, phone numbers) with trusted marketing partners for co-branded campaigns, loyalty programs, or product cross-promotions.
- Your personal data shared with marketing partners will be used solely for the agreed-upon marketing activities, subject to your explicit consent where required, and their privacy notices.
6.4. Legal, Regulatory & Law Enforcement Disclosures
- Kosala reserves the right to disclose any personal information to comply with applicable law, legal process (e.g., subpoenas, court orders), or to respond to lawful requests of public authorities (e.g., government agencies, regulatory bodies).
- We may also share data when necessary to protect our rights, property, or the safety of users, or to enforce our Terms of Service.
6.5. Corporate Transactions
- In the event of a merger, acquisition, sale, or reorganization involving Kosala or its assets, we may transfer your personal data to the acquiring entity. The successor entity will be required to use your data in a manner consistent with this Policy, or we will notify you about material changes which will apply to the management of your data.
7. User Rights & Choice Mechanisms
At Kosala, we recognize that users have specific rights relating to their personal data. Depending on your jurisdiction, these rights may include:
- Right to Access / Know
  - Request a copy of personal data we hold, including details on processing purposes, data categories, recipients, and retention periods.
- Right to Rectification / Correction
  - Request correction of inaccurate or incomplete personal data.
- Right to Deletion / Erasure
  - Request removal of personal data when no longer necessary for the purposes it was collected or processed, unless retention is required by law (e.g., tax, anti-fraud).
- Right of Portability
  - Receive your data in a structured, commonly used, machine-readable format and, where technically feasible, request direct transfer to another data controller.
- Right to Restrict Processing
  - Request suspension of processing your data where accuracy is contested or processing is unlawful and you oppose deletion.
- Right to Object
  - Object to processing based on legitimate interests (e.g., for direct marketing, profiling).
- Right to Withdraw Consent
  - If data processing is based on consent (e.g., marketing), you can withdraw at any time by updating your preferences or contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
- Right to Lodge a Complaint
  - If you believe your rights under this Policy or applicable data protection law have been violated, you may file a complaint with our Data Protection Officer (DPO) at the contact details below, or escalate to a relevant data protection authority (e.g., Data Protection Board of India, supervisory authorities in your jurisdiction).
- Right to Appeal
  - If we decline your request, you have the right to appeal our decision. Instructions for appeals will be provided in our response to your request.
- Global Privacy Control (GPC) & Do-Not-Sell/Share
  - For users in jurisdictions that recognize “Do Not Sell/Share” rights (e.g., California), we honor GPC signals to opt-out of targeted advertising and sale/sharing of personal data.
Exercising Your Rights:
- You can exercise these rights via:
  - Account Dashboard: Log into your Kosala account and navigate to “Privacy Settings” to review, edit, download, or delete data.
  - Email Request: Send a detailed request to support@kosala.com with subject lines indicating the right you wish to exercise (e.g., “Data Access Request,” “Data Erasure Request”).
  - Postal Mail: Write to our DPO at the address below specifying your rights request.
We will respond to verifiable requests within the timelines mandated by applicable law (e.g., 30 days under GDPR, 45 days under CCPA/CPRA, 30 days under India’s DPDP Act), and may request additional information to confirm your identity before processing.
8. Data Retention & Archiving
Kosala retains your personal data only for as long as necessary to fulfill the purposes outlined in Section 3, including:
- Transactional Records: Minimum 7 years for tax, audit, and anti-money laundering compliance.
- Account Information: Active account data retained until you close your account or request deletion, plus statutory retention buffers.
- Marketing Consents & Preferences: Retained until you withdraw consent or 2 years after your last interaction, whichever is earlier, unless otherwise required to defend or enforce legal rights.
- Support Communications: Retained for up to 3 years to resolve disputes, for continuous improvement, or as mandated by Hindalco’s corporate governance policies.
- Analytics & Logs: Aggregated or anonymized data may be retained indefinitely for trend analysis and business intelligence; raw logs and identifiable usage metrics retained for up to 24 months.
Upon expiry of the retention period, data will be securely deleted, anonymized, or archived in compliance with industry-standard security protocols, and as per legal requirements.
9. Security Measures and Data Protection
Kosala implements a multi-layered security framework to safeguard personal data:
- Technical Controls: Encryption of data in transit using TLS 1.2+; data at rest encrypted with AES-256; regular vulnerability assessments, intrusion detection systems (IDS), and patch management.
- Organizational Measures: Role-based access control (RBAC), least-privilege principle, strong password policies, mandatory two-factor authentication (2FA) for administrative access, periodic security awareness training for staff.
- Physical Security: Secure data centers (SOC 2 Type II compliant) for servers, restricted access facilities, CCTV monitoring, and disaster recovery protocols.
- Incident Response: Documented Incident Response Plan (IRP), with 72-hour breach notification procedures to affected individuals and relevant authorities, aligned to DPDP Act and GDPR requirements.
- Third-Party Audits: Annual penetration testing and independent SOC 2 audits for Shopify-hosted infrastructure and key service providers.
No security measure is entirely foolproof. While we strive to protect your personal data, absolute security cannot be guaranteed. We recommend that you do not transmit sensitive personal information via unencrypted email or other insecure channels.
10. Cross-Border Data Transfers
Since Kosala is hosted on Shopify and leverages global service providers, your personal data may be transferred to, processed, and stored in jurisdictions outside India, including:
- United States & Canada: Shopify IT infrastructure, Stripe, PayPal, Google Analytics servers, CRM vendors.
- European Union & UK: Potential processing by EU/UK-based marketing/analytics partners; transfers governed by Standard Contractual Clauses (SCCs) or adequacy decisions.
- Other Regions: Fulfillment centers, call centers, and customer support vendors in APAC or MEA regions.
Safeguards for Transfers:
- We employ recognized transfer mechanisms (e.g., EU Standard Contractual Clauses, UK Addendum to SCCs) for transfers out of the EEA/UK.
- For transfers from India, we rely on consent or approved cross-border data transfer mechanisms under Indian law and/or bilateral adequacy arrangements.
- All recipients are contractually bound to adhere to equivalent data protection standards as delineated in this Policy.
11. Third-Party Websites, Plugins, and Links
Our Site may contain links to external websites (e.g., social media platforms, partner sites) and embed third-party functionalities (e.g., “Log in with Facebook,” Instagram feeds). Kosala is not responsible for the content, data practices, or privacy policies of those external sites. We encourage you to review their privacy policies before disclosing any personal information.
12. Children’s Privacy
Kosala’s Services are strictly intended for individuals aged eighteen (18) years and above. We do not knowingly collect personal data from minors under 18. If we become aware that we have inadvertently collected data from a minor without verifiable parental consent, we will promptly delete the data and, where required, notify the parent or guardian.
If you believe a minor has provided personal data without consent, please contact our DPO immediately at the details provided below.
13. Your Obligations (“Data Principal Duties”)
By using the Services, you agree to:
- Provide accurate and complete information; do not impersonate others or supply false data.
- Keep your account credentials confidential; notify us immediately if you suspect unauthorized access.
- Use the Site in compliance with all applicable laws.
Non-compliance may result in suspension or termination of your Kosala account or legal action if required.
14. Updates to This Policy
Kosala reserves the right to modify or update this Policy at any time to:
- Reflect changes in business operations, legal/regulatory requirements, or privacy standards.
- Incorporate new services, features, or partnerships requiring updated data practices.
When we update the Policy, we will:
- Revise the “Last Updated” date at the top.
- Provide conspicuous notice of material changes (e.g., via banner on the Site, email notifications to registered users).
- For significant changes affecting your rights, where feasible, obtain your renewed consent.
Your continued use of the Site following the posting of changes constitutes your acceptance of such changes. We recommend that you review this Policy periodically to stay informed of modifications.
15. Grievance Redressal & Privacy Contacts
For any questions, concerns, or requests concerning this Policy or Kosala’s data practices, or to exercise your data subject rights, please contact:
Data Protection Officer (DPO)
Kosala (A Subsidiary of Hindalco Industries Limited)
Plot No. A218, Krishna Vihar Colony,
Near Mahindra Showroom,
Dimrapur Chowk, Raigarh, CG 496001, India
Email: Support@kosala.com
If you have concerns regarding how we handle your complaint, or if you are unsatisfied with our resolution, you may escalate to:
- Grievance Officer (Hindalco Group)
  Email: Geetika.anand@adityabirla.com
  (Applicable primarily for corporate governance issues or if your complaint pertains to Hindalco’s group-level policies.)
- Data Protection Board of India
  (For issues under India’s Digital Personal Data Protection Act, 2023, or other applicable Indian privacy laws.)
- Supervisory Authority in Your Jurisdiction
  (e.g., European Data Protection Board for GDPR matters, State/Provincial authority for CCPA/CPRA matters.)
16. Effective Date and Policy Governance
This Policy is effective as of June 2, 2025. It is governed by the data protection laws of India, and where applicable, by other jurisdictional regulations governing cross-border data flows (e.g., GDPR, UK GDPR, CCPA/CPRA). In the event of any conflict between this Policy and mandatory legal requirements, we will comply with the applicable law.
Kosala’s Privacy Committee (comprising representatives from Legal, IT Security, Compliance, and Operations) oversees periodic reviews, risk assessments, and compliance audits to ensure ongoing effectiveness and adherence to evolving privacy standards.
End of Privacy Policy
Kosala commits to maintaining the confidentiality, integrity, and availability of your personal data. By engaging with our Services, you place your trust in us to manage your information responsibly. We appreciate your patronage and are dedicated to fostering a secure, transparent, and respectful relationship.