Privacy Policy

Effective Date: 12 Mar 2026  |  Last Updated: 12 Mar 2026 

1. Introduction

Curiously positive (+IVE) ("we", "us", or "our") is committed to protecting your privacy and handling your personal data with transparency, fairness, and care. This Privacy Policy ("Policy") describes how we collect, process, use, disclose, and retain your personal data when you interact with our website, mobile applications, products, community events, and related services (the "Platform"). This Policy is compliant with the Digital Personal Data Protection Act, 2023 ("DPDPA") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules").

Please read this Policy carefully. By using our Platform, you acknowledge that you have read and understood this Policy. If you do not agree, please discontinue use.

2. Definitions

In this Policy, the following terms have the meanings ascribed to them:

"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDPA.
"Data Fiduciary" refers to curiously positive (+IVE), which determines the purpose and means of processing your personal data.
"Data Principal" refers to you, the individual whose personal data is being processed.
"Data Processor" means any third party that processes personal data on our behalf under a contractual arrangement.
"Processing" means any operation on personal data, including collection, storage, use, sharing, disclosure, or deletion.

3. What Personal Data We Collect

3.1 Data You Provide Directly

Identity & contact details: full name, email address, phone number, shipping and billing address.
Account credentials: username and password (stored in encrypted form).
Order & payment information: purchase history, payment confirmation details (we do not store full card numbers).
Community content: reviews, comments, user-generated content, photos submitted to our Platform.
Event registration data: name, contact details, dietary or accessibility requirements for events.
Communications: enquiries, support tickets, and responses to our surveys or feedback forms.

3.2 Data Collected Automatically

Device and technical data: IP address, browser type, operating system, device identifiers.
Usage data: pages visited, time spent, click paths, referral sources.
Cookies and similar technologies: session cookies, analytics cookies, preference cookies (see Section 9).

3.3 Data from Third Parties

Social login data: if you log in via Google, Facebook, or similar, we receive your name and email from that provider.
Referral data: information shared by existing users when you are referred to our Platform.
Payment processor data: transaction status from our authorised payment gateway.

4. Purposes & Legal Basis for Processing

Under the DPDPA, we process your personal data on the basis of your free, informed, specific, and unambiguous consent or for other legitimate uses as specified. The purposes for which we process your data are:

 

Order fulfilment: Processing purchases, managing deliveries, and handling returns.

Account management: Creating and administering your user account.

Customer communications: Responding to enquiries, sending transactional emails, and providing support.

Marketing & promotions: Sending newsletters, product updates, and promotional offers (with your consent).

Community & events: Managing event registrations, community participation, and loyalty programmes.

Analytics & improvement: Analysing usage patterns to improve our Platform, products, and services.

Legal compliance: Meeting our obligations under applicable Indian law, responding to lawful orders.

Fraud prevention: Detecting and preventing fraudulent transactions and security incidents.

 

We will not process your personal data for any purpose incompatible with those stated above without obtaining fresh consent.

5. Consent

Where processing is based on consent, you have the right to provide or refuse consent freely. Consent will be obtained via a clear affirmative action (e.g., checking a tick-box, clicking an accept button). We will maintain records of consent as required under the DPDP Rules 2025.

You may withdraw your consent at any time by:

Updating your preferences in your account settings.
Clicking the unsubscribe link in any marketing email.
Contacting our Data Protection Officer (see Section 13).

Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal. However, withdrawal may limit your ability to use certain features of the Platform.

6. How We Share Your Personal Data

We do not sell your personal data. We may share your data with:

6.1 Service Providers & Data Processors

Third-party vendors who provide services on our behalf, including payment processors, logistics and delivery partners, email service providers, analytics providers, and cloud hosting services. All data processors are bound by written agreements requiring them to process data only on our instructions and in compliance with the DPDPA.

6.2 Event Partners

For community events co-hosted with partners, we may share limited registration data (name, contact) with the relevant partner solely for event management purposes, subject to equivalent confidentiality obligations.

6.3 Legal & Regulatory Authorities

Where required by law, court order, or governmental authority, or where we reasonably believe disclosure is necessary to protect our rights or the safety of others.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such transfer and any consequent changes to this Policy.

7. Children's Data

We do not knowingly collect personal data from individuals under the age of 18 without verifiable parental or guardian consent, in compliance with Section 9 of the DPDPA and Rule 10 of the DPDP Rules 2025. If you believe a minor has provided personal data without appropriate consent, please contact us immediately and we will take prompt steps to delete such data.

We do not engage in targeted advertising, profiling, or behavioural monitoring directed at children.

8. Cross-Border Data Transfers

Your personal data is primarily stored and processed within India. Where we engage service providers located outside India, we ensure such transfers comply with applicable provisions of the DPDPA and any notifications issued by the Government of India restricting transfers to specific countries. We maintain contractual safeguards with all international data processors.

 

9. Cookies & Tracking Technologies

We use cookies and similar technologies to enhance your experience, understand usage patterns, and deliver relevant content. The categories of cookies we use include:

Strictly necessary cookies: required for the Platform to function (cannot be disabled).
Analytics cookies: help us understand how users interact with the Platform (e.g., Google Analytics).
Marketing/preference cookies: used to deliver relevant promotions and remember your preferences.

You may manage your cookie preferences through our Cookie Consent Manager available at www.curiouslypositive.co or through your browser settings. Disabling certain cookies may affect the functionality of the Platform.

10. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this Policy or as required by applicable law. Our general retention periods are:

Account & order data: retained for the duration of your account and 7 years thereafter (for tax and legal compliance).
Marketing preferences: retained until you withdraw consent.
Event data: retained for 2 years post-event.
Analytics data: retained in aggregated, anonymised form indefinitely.

Upon expiry of the applicable retention period, or upon your request for erasure, we will securely delete or anonymise your personal data.

11. Your Rights as a Data Principal

Under the DPDPA, you have the following rights with respect to your personal data:

 

Right to Access: Request a summary of the personal data we hold about you and how it is being processed.

Right to Correction: Request correction of inaccurate or incomplete personal data.

Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purpose for which it was collected or where you have withdrawn consent.

Right to Grievance Redressal: File a complaint with our Grievance Officer and, if unsatisfied, escalate to the Data Protection Board of India.

Right to Nominate: Nominate another individual to exercise your rights in the event of death or incapacity.

 

To exercise any of these rights, please submit a request to our Data Protection Officer (Section 13). We will respond within the timeframes stipulated under the DPDP Rules, and no later than 90 days from receipt of your request.

12. Data Security

We implement appropriate technical and organisational safeguards to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include encrypted data transmission (TLS/SSL), access controls and authentication protocols, regular security audits, and staff training on data protection.

In the event of a personal data breach that is likely to affect your rights, we will notify the Data Protection Board of India and affected Data Principals promptly as required under the DPDPA, with details sufficient for you to take protective action.

13. Data Protection Officer / Grievance Officer

We have appointed a Data Protection Officer / Grievance Officer to oversee our compliance with the DPDPA and to address your privacy-related queries and complaints:

 

Name: Parth Saxena

Designation: Data Protection Officer & Grievance Officer

Email: parth@curiouslypositive.co

Address: Innov8 Ras Vilas, Lower Ground Floor, Salcon Rasvilas, D-1, Saket District Center, Saket, New Delhi, India-110017

Response Timelines: Acknowledgement within 48 hours; resolution within 90 days.

 

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India at [www.dataprotectionboard.gov.in] once the Board is operational.

14. Third-Party Links

Our Platform may contain links to third-party websites or social media platforms. This Policy does not apply to those external sites. We encourage you to review the privacy policies of any third-party services you access through our Platform.

15. Updates to This Policy

We may update this Policy from time to time to reflect changes in our practices, services, or applicable law. We will notify you of material changes by email or a prominent notice on our Platform at least 15 days before they take effect. Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the changes.

16. Contact Us

For general privacy enquiries:

 

Email: info@curiouslypositive.co

Registered Office: Innov8 Ras Vilas, Lower Ground Floor, Salcon Rasvilas, D-1, Saket District Center, Saket, New Delhi, India-110017

CIN: U86909MP2025PTC074879