Privacy policy

 

Last updated: 2026-04-10

 

This Privacy Policy explains how Comikey India ("we", "our", "us") collects, uses, shares, and protects digital personal data when you use my Oshi store (the "Store"), including our website and related services. This Policy is issued in compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), the Information Technology Act, 2000 ("IT Act"), and the Consumer Protection (E-Commerce) Rules, 2020.

 

Companion Policies: This Privacy Policy is part of a set of Store policies. Please also refer to our Terms of Service, Refund Policy, and Shipping Policy for complete information.


1. Who We Are

Data Fiduciary: Comikey India

Address: Micro Technology #675, Sri Krishna Prowess, 4th floor, 14th Cross, 8th Main, 2nd Phase, JP Nagar, Bengaluru-560078, India

Website: https://myoshistore.in/

Customer Care: support@myoshistore.in

Privacy Contact Email: privacy@myoshistore.in


2. Scope

This Policy applies to digital personal data collected through the Store, including when you browse, create an account, log in, place orders, contact support, or otherwise interact with the Store.

This Policy does not cover non-digital personal data or data that has been fully anonymised.


3. Personal Data We Collect and How We Use It

We collect the minimum personal data needed to operate the Store, fulfill orders, provide support, and comply with law. The following table sets out the categories of data, the specific items collected, and the corresponding purposes of processing:

Account & login data

  • Data collected: Name (if provided), email address, phone number, login identifiers, OTP codes and verification status
  • Purpose: Provide the Store and user accounts; login and identity verification via email, SMS or WhatsApp OTP
  • Lawful ground: Consent; Performance of contract

Order & delivery data

  • Data collected: Shipping address, billing address, order items, order history, delivery instructions, returns and refund details
  • Purpose: Process and fulfill orders (confirmation, packing, shipping, delivery updates, returns, refunds)
  • Lawful ground: Performance of contract

Payment-related data

  • Data collected: Payment status, transaction references, payment method used, order amount, refund status (we do not store full card numbers, UPI PIN, or banking credentials)
  • Purpose: Order management, reconciliation, fraud prevention, customer support
  • Lawful ground: Performance of contract; Certain Legitimate Uses (§7 DPDPA)

Customer support data

  • Data collected: Messages, requests, and any information you choose to provide
  • Purpose: Respond to inquiries and resolve issues
  • Lawful ground: Performance of contract; Consent

Device & usage data

  • Data collected: IP address, device type, browser type, OS, language, pages viewed, links clicked, timestamps, referring URLs
  • Purpose: Operate, maintain and improve the Store; analytics, troubleshooting, performance monitoring
  • Lawful ground: Certain Legitimate Uses (§7 DPDPA)

Cookie & similar technology data

  • Data collected: Identifiers for core site functionality, preferences, performance measurement, security
  • Purpose: Enable core functions; remember preferences; measure performance; prevent fraud
  • Lawful ground: Consent (non-essential cookies); Certain Legitimate Uses (essential cookies)

We also use personal data to:

  • Prevent fraud and abuse — detecting suspicious activity, enforcing purchase limits, and protecting the security of the Store.
  • Comply with legal obligations — tax, accounting, regulatory compliance, and law enforcement requests.
  • Enforce our terms — including our Terms of Service and other applicable policies.

4. Lawful Grounds for Processing (DPDPA §4–§7)

Under the Digital Personal Data Protection Act, 2023, we process personal data based on one or more of the following lawful grounds:

  • Consent (§6) — We obtain your free, specific, informed and unambiguous consent before collecting and processing your personal data. You may withdraw consent at any time (see Section 9 below).
  • Performance of a contract (§7(a)) — Processing necessary to provide the Store, fulfill orders, and perform our contractual obligations to you.
  • Certain Legitimate Uses (§7) — Processing permitted under Section 7 of the DPDPA without consent, limited to:
    • Data voluntarily provided by you where the purpose is reasonably expected (§7(a))
    • Data provided by the State or any instrumentality for subsidies, services, licences etc. (§7(b))
    • Compliance with any judgment, order, or legal obligation (§7(c))
    • Responding to medical emergencies or threats to life/safety (§7(d))
    • Employment-related purposes (§7(e))
    • Public interest purposes as prescribed (§7(f))
  • Legal obligation — Tax, accounting, breach reporting, and other statutory compliance requirements under Indian law.

We do not rely on a general "legitimate interest" ground. All processing is based on the specific grounds listed above.


5. How We Share Personal Data

We share personal data only as needed for the purposes described above, and only with the following categories of recipients:

  • E-commerce platform and hosting providers that operate the Store infrastructure.
  • Payment processing providers (including for UPI, cards, and COD) to process payments, handle refunds, and manage fraud prevention.
  • Logistics and delivery partners to ship orders and handle returns.
  • Communication and authentication providers to send OTPs, account messages, and service notifications via email, SMS, or WhatsApp.
  • Analytics, security, and fraud-prevention providers to protect the Store and understand performance.
  • Professional advisors (e.g., auditors, legal advisors) and government authorities where required by law, regulation, or to protect rights and safety.

All third-party recipients who process personal data on our behalf act as Data Processors under the DPDPA and are bound by contractual obligations to process data only for specified purposes and to implement appropriate security safeguards.

No sale of personal data: We do not sell your personal data.

No unnecessary disclosure: We do not share personal data for purposes unrelated to those described above.


6. Cookies and Similar Technologies

We use cookies and similar technologies for:

  • Strictly necessary functions — cart, checkout, login sessions, security.
  • Preferences — language and display settings.
  • Analytics and performance — understanding how the Store is used.
  • Fraud prevention and security.

Your choices: You can control non-essential cookies through your browser settings or our cookie consent mechanism. Disabling certain cookies may affect Store functionality. Where consent is required for non-essential cookies, we will obtain it before placing those cookies.


7. International Transfers

Your personal data may be processed outside India depending on where our service providers operate or where our systems are hosted. When we transfer personal data internationally, we implement the following safeguards:

  • Contractual safeguards — Data processing agreements with all recipients requiring equivalent data protection.
  • Security controls — Encryption, access controls, monitoring, and other technical measures as specified in the DPDP Rules, 2025.
  • Legal compliance — We ensure transfers are consistent with the DPDPA and any applicable rules or directions issued by the Central Government.

We do not transfer personal data to any country or territory restricted by the Central Government of India under the DPDPA.


8. Data Retention

We retain personal data only for as long as necessary to fulfill the purpose for which it was collected, as required under DPDPA §8(7). Specifically:

  • Account data: Duration of active account + 30 days after deletion request (to allow for recovery)
  • Order and transaction data: As required by applicable tax and accounting law (minimum 8 years under Income Tax Act)
  • Customer support data: Up to 3 years from resolution of the inquiry
  • Device and usage data: Up to 24 months from collection
  • Cookie data: As specified per cookie; session cookies expire at session end

Upon expiry of the retention period, or upon a valid deletion request (where no legal retention obligation applies), we will delete or anonymise the data. This obligation extends to our Data Processors, whom we will instruct to delete the relevant data accordingly.


9. Your Rights (DPDPA §11–§14)

Under the Digital Personal Data Protection Act, 2023, you have the following rights:

  • Right to access (§11): Request a summary of the personal data we process about you and the processing activities undertaken.
  • Right to correction (§11): Request correction of inaccurate or incomplete personal data.
  • Right to erasure (§12): Request erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
  • Right to withdraw consent (§6(6)): Where processing is based on consent, you may withdraw it at any time. Upon withdrawal:
    • We will cease all processing of the relevant data.
    • We will delete the relevant data, and instruct all Data Processors to do the same, unless retention is required by law.
    • Withdrawal of consent may affect your ability to use certain features of the Store.
  • Right to nominate (§14): You may designate a nominee to exercise your rights in the event of your death or incapacity. To designate a nominee, contact us at: privacy@myoshistore.in.
  • Right to grievance redressal (§13): If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India. Details: [Board's official website URL when published].

How to exercise your rights: Contact us at privacy@myoshistore.in. We will verify your identity and respond within the timelines prescribed under the DPDP Rules, 2025.


10. Data Breach Notification (DPDPA §8(6))

In the event of a personal data breach, we will:

  1. Notify the Data Protection Board of India without unreasonable delay, in the form and manner prescribed under the DPDP Rules, 2025, including a description of the breach, data affected, likely consequences, and measures taken.
  2. Notify each affected Data Principal without unreasonable delay, providing the same information and guidance on protective steps.
  3. Report cybersecurity incidents to CERT-In within 6 hours of becoming aware of the incident, in accordance with CERT-In Directions dated 28 April 2022.

11. Children's Privacy (DPDPA §9)

The Store is intended for users aged 18 years and above. We do not knowingly collect or process personal data of children (persons under 18 years of age) without verifiable parental consent as required under DPDPA §9.

Specifically:

  • Before processing any personal data of a child, we will obtain verifiable consent from the child's parent or lawful guardian.
  • We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children (DPDPA §9(2)).
  • We do not process personal data of children in any manner likely to cause detrimental effect to the well-being of the child (DPDPA §9(3)).

If you believe that a child has provided personal data to us without appropriate parental consent, please contact us immediately at privacy@myoshistore.in so we can take appropriate steps, including deletion.


12. Marketing Communications

If we send marketing messages, you can opt out at any time using:

  • The unsubscribe link in email messages, or
  • The opt-out instructions provided in SMS/WhatsApp messages.

Even if you opt out of marketing, we may still send transactional or service-related messages (e.g., order updates, security alerts) that are necessary for the performance of our contract with you.


13. Grievance Officer

In accordance with the Consumer Protection (E-Commerce) Rules, 2020 (Rule 4) and the DPDPA, we have appointed a Grievance Officer to address your concerns:

Name: [Grievance Officer's full name]

Designation: [Title / Designation]

Email: privacy@myoshistore.in

Address: Micro Technology #675, Sri Krishna Prowess, 4th floor, 14th Cross, 8th Main, 2nd Phase, JP Nagar, Bengaluru-560078, India

The Grievance Officer will:

  • Acknowledge your complaint within 7 business days of receipt.
  • Endeavour to resolve it within one month from the date of receipt.

If you are not satisfied with the resolution, you may escalate to the Data Protection Board of India (under DPDPA) or the appropriate Consumer Disputes Redressal Commission (under the Consumer Protection Act, 2019).


14. Applicable Laws

This Privacy Policy is drafted in compliance with the following Indian legislation:

  • Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023)
  • Digital Personal Data Protection Rules, 2025
  • Information Technology Act, 2000 (Act No. 21 of 2000) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, to the extent they remain in force
  • Consumer Protection Act, 2019 (Act No. 35 of 2019)
  • Consumer Protection (E-Commerce) Rules, 2020
  • CERT-In Directions dated 28 April 2022

15. Changes to This Privacy Policy

We may update this Policy from time to time. We will:

  • Post the updated version on the Store and update the "Last updated" date above.
  • If changes are material, provide additional notice as required by applicable law (such as an email notification or a prominent notice on the Store).
  • Where required under the DPDPA, obtain fresh consent for any new purposes of processing.

16. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in [City], India.


17. Contact

Comikey India

Address: Micro Technology #675, Sri Krishna Prowess, 4th floor, 14th Cross, 8th Main, 2nd Phase, JP Nagar, Bengaluru-560078, India

Customer Care: support@myoshistore.in

Email: privacy@myoshistore.in

Website: https://myoshistore.in/