Last updated: June 8, 2026
Published by: CIVARA WORKSHOP
Applies to: All users of civaraworkshop.com and all customers of CIVARA WORKSHOP worldwide
Global Privacy Policy and Data Protection Notice
1. Who We Are and How to Contact Us
Data controller: CIVARA WORKSHOP is a sole proprietorship owned and operated by Hilal Ahmad Goona, registered at Abi Buchwars, Dalgate, Srinagar 190001, Jammu and Kashmir, India.
Primary privacy contact:
Email: hello@civaraworkshop.com
Phone: +91 889-937-4887
Post: Hilal Ahmad Goona, CIVARA WORKSHOP, Abi Buchwars, Dalgate, Srinagar 190001, Jammu and Kashmir, India
EU data rights contact:
Email: dsa@civaraworkshop.com
EU and UK residents may use this address for any data protection matter. We respond to data protection requests within one month.
2. Scope of This Policy
This Privacy Policy explains how CIVARA WORKSHOP collects, uses, stores, shares, and protects personal data in connection with:
- Your use of the civaraworkshop.com website
- Your placement of an order, request for a custom quote, or any other transaction with CIVARA WORKSHOP
- Your subscription to our email communications
- Your correspondence with us by email, phone, or WhatsApp
This policy applies to all customers, website visitors, and enquirers worldwide. Where your home country has specific data protection laws, including India’s Digital Personal Data Protection Act 2023, the EU and UK General Data Protection Regulations, Canada’s PIPEDA, the UAE’s Federal Decree Law No. 45 of 2021, or Australia’s Privacy Act 1988, this policy is written to satisfy those requirements. Jurisdiction-specific sections are included where the obligations differ materially.
3. Personal Data We Collect
We collect personal data in the following categories:
Identity and contact data:
- Full name
- Delivery address (street, city, region, postcode, country)
- Billing address (if different from delivery address)
- Email address
- Phone number
Order and production data:
- Products ordered and their specifications
- Custom measurements and dimensions confirmed for made-to-order items
- Colour, weight, and style preferences
- Embellishment or personalisation instructions
- Order history and correspondence related to production
Payment transaction data:
- Payment status (confirmed, pending, failed)
- Transaction reference numbers issued by Razorpay or PayPal
- Partial card details displayed in order records (last four digits, card type), provided by the payment processor for your reference only
We do not store, receive, or process your full card number, card verification value (CVV), or bank account credentials. All sensitive payment data is processed exclusively within the secure environments of our payment processors, Razorpay Payments Private Limited and PayPal Payments Private Limited, which are PCI DSS-certified. Please refer to their respective privacy policies for information on how they handle payment data.
Device and analytics data:
- IP address
- Browser type and version
- Operating system
- Pages visited on civaraworkshop.com, time spent, and navigation path
- Referring website or search term
- Device type (desktop, mobile, tablet)
This data is collected automatically when you visit our website, primarily via cookies and analytics tools. Please refer to our Cookie and Tracking Technologies Policy for full details.
Marketing and consent data:
- Email marketing subscription status
- Consent timestamp and consent version record
- Unsubscribe date and method (where applicable)
Communications data:
- Content of emails, WhatsApp messages, and Etsy messages exchanged with us in connection with an order, enquiry, or complaint
- Records of grievance submissions and their resolution
4. How and Why We Use Your Personal Data
The table below sets out each purpose for which we process personal data, the categories of data used, and, for EU and UK customers, the legal basis under the UK/EU GDPR.
| Purpose | Data Used | Legal Basis (GDPR/UK GDPR) | Applicable To |
|---|---|---|---|
| Processing and fulfilling your order, including production of your custom item | Identity, contact, order/production data | Performance of contract | All customers |
| Sending order confirmation, production updates, and dispatch notifications | Identity, contact, order data | Performance of contract | All customers |
| Preparing customs, export, and shipping documentation | Identity, contact, order data | Legal obligation (FEMA, GST, IEC, customs law) | All international customers |
| Processing payment and managing payment records | Transaction reference data | Performance of contract | All customers |
| Responding to your customer service queries, complaints, or grievances | Identity, contact, communications data | Legitimate interests (providing effective customer service) | All customers |
| Defending against chargebacks, payment disputes, and legal claims | Identity, contact, order, production, payment data | Legitimate interests (protecting the business from fraudulent claims) | All customers |
| Sending marketing emails and newsletters (only with your consent) | Identity, contact, marketing consent data | Consent | Subscribers only |
| Analysing website traffic and improving our website | Device and analytics data | Legitimate interests (improving site performance), or Consent where required by cookie law | All website visitors |
| Complying with tax, accounting, and regulatory obligations | Identity, contact, order, payment data | Legal obligation (Indian Income Tax Act, GST Act, FEMA) | All customers |
| Facilitating export compliance and EDPMS reconciliation with Axis Bank | Identity, contact, order, payment data | Legal obligation (RBI, FEMA, DGFT) | All international customers |
On legitimate interests: Where we rely on legitimate interests as our legal basis, we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to processing on legitimate interests grounds, see Section 9.
5. Who We Share Your Personal Data With
We do not sell your personal data. We do not share it with third parties for their own marketing purposes. We share data only with the following categories of recipients, and only to the extent necessary for each purpose:
Payment processors:
- Razorpay Payments Private Limited, processes card payment transactions; holds RBI Payment Aggregator (PA-CB) licence; PCI DSS Level 1 certified. Razorpay’s privacy policy is available at razorpay.com.
- PayPal Payments Private Limited, processes PayPal transactions for international buyers; operates under RBI’s PA-CB framework. PayPal’s privacy policy is available at paypal.com.
We share your name, email address, billing address, order amount, and currency with these processors to facilitate payment. They process this data under their own privacy frameworks and PCI DSS obligations.
Settlement bank:
- Axis Bank Limited (IFSC: UTIB0002480), receives export remittance proceeds and associated transaction references; processes FEMA-mandated disposal instructions and issues e-FIRC/FIRA export certificates. Axis Bank receives transaction reference data and export documentation details, not your payment card data.
Shipping and logistics carrier:
- DTDC and any sub-contracted last-mile carrier, receives your full name, delivery address, phone number, and order reference number for the purpose of delivering your parcel. The carrier’s own privacy policy governs how they handle your data.
E-commerce and website platform:
- WooCommerce and WordPress, our website and order management platform. Order data is stored on our hosted WooCommerce installation. Our hosting provider is Contabo, and the hosting servers are located in Frankfurt, Germany.
Email communications platform:
- Our marketing email list is managed on a self-hosted Mautic instance running on our own server (the hosting provider and location are stated above). We store only the email addresses and consent records of subscribers to our marketing list. Email delivery is carried out through Amazon Web Services (Amazon SES) under the AWS data processing terms; AWS’s privacy notice is available at aws.amazon.com/privacy.
Website analytics (self-hosted, no third party):
- We use Matomo, an open-source analytics application that we host and operate ourselves on our own server (Contabo, Frankfurt, Germany). Your analytics data is not sent to, shared with, or accessible by any third-party analytics company. IP addresses are anonymised, and analytics cookies are placed only with your prior consent via our cookie banner.
Fibre testing:
- Pashmina Testing Quality Certification Centre (PTQCC) / Craft Development Institute, Srinagar, receives fibre samples for testing where PTQCC certification is requested. No customer personal data is shared with PTQCC.
Professional advisers:
- Our legal, accounting, and tax advisers may receive personal data to the extent necessary to provide their professional services and are bound by professional confidentiality obligations.
Law enforcement and regulatory authorities:
- We may disclose personal data to law enforcement agencies, courts, regulators, or other public authorities where we are required to do so by law, court order, or regulatory direction.
6. International Data Transfers
CIVARA WORKSHOP is based in India. When you interact with our website or place an order, your personal data may be transferred to and processed in more than one country. Specifically: our website, order data, and self-hosted analytics are held in Frankfurt, Germany, within the European Economic Area; PayPal processes payments on its own infrastructure, which includes the United States; and email delivery through Amazon Web Services (Amazon SES) may involve processing in the United States or other AWS regions. As the data controller is based in India, your personal data may also be accessed from India.
For EU and UK customers: India does not currently hold an EU adequacy decision under GDPR Article 45. Where your personal data is transferred to India or other third countries without an adequacy decision, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs), adopted by the European Commission, are incorporated into our agreements with relevant third-party processors where required
- For transfers to processors such as PayPal and Amazon Web Services, those processors have their own GDPR-compliant transfer mechanisms in place
Your website and analytics data are held within the European Economic Area. You may request a copy of the relevant transfer safeguards by contacting us at hello@civaraworkshop.com.
For Indian customers: Your personal data is processed in accordance with the Digital Personal Data Protection Act 2023 (DPDPA). Where your data is processed by third-party processors based outside India, those processors are contractually required to handle your data securely and in accordance with applicable law.
7. How Long We Keep Your Personal Data
We retain personal data only for as long as necessary for the purpose for which it was collected, and in any event no longer than required by applicable law. Our standard retention periods are:
| Data Category | Retention Period | Reason |
|---|---|---|
| Order records (name, address, order details, invoices) | 7 years from date of order | Indian Income Tax Act, GST Act, FEMA audit obligations |
| Custom measurement and specification data | 2 years from date of delivery | In case of alteration requests, remake disputes, or legal claims |
| Payment transaction references | 7 years from date of transaction | GST, Income Tax, FEMA, RBI audit obligations |
| Communications and grievance records | 3 years from resolution of the matter | Legal claims limitation period |
| Marketing consent records and subscription data | Until consent is withdrawn, plus 1 year | Consent audit obligations under DPDPA and GDPR |
| Website analytics data | 14 months, or the platform’s default retention period, whichever is shorter | Analytics improvement purposes |
| Cookie consent records | 12 months from consent, or until consent is withdrawn | Consent compliance audit |
After the applicable retention period expires, personal data is securely deleted or irreversibly anonymised.
8. How We Protect Your Personal Data
We implement technical and organisational measures appropriate to the risk to protect your personal data from unauthorised access, disclosure, alteration, and destruction. These include:
- SSL/TLS encryption on all pages of civaraworkshop.com, including checkout, account, and contact form pages
- PCI DSS-compliant payment processing; all payment data handled exclusively by Razorpay and PayPal within their certified environments; no card data is stored on our servers
- Access controls; personal data stored on our WooCommerce installation is accessible only to authorised personnel
- Third-party processor agreements; all processors are contractually required to implement appropriate security measures
- Annual PCI DSS Self-Assessment Questionnaire (SAQ A) completed to confirm our compliance scope
Despite these measures, no internet transmission or electronic storage system is completely secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at hello@civaraworkshop.com.
Data breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within the timeframe required by applicable law (72 hours under GDPR where feasible) and will notify affected individuals without undue delay where the breach is likely to result in a high risk to those individuals.
9. Your Rights
Depending on your location and the applicable data protection law, you have some or all of the following rights in relation to your personal data:
Right of access: You have the right to request a copy of the personal data we hold about you and information about how we use it.
Right to correction: You have the right to request that we correct inaccurate personal data we hold about you, or complete incomplete data.
Right to erasure (right to be forgotten): You have the right to request deletion of your personal data where: it is no longer necessary for the purpose for which it was collected; you withdraw consent (where consent was the legal basis); you object to processing and we have no overriding legitimate grounds; or the data has been unlawfully processed. This right is subject to our legal obligation to retain certain records (see Section 7).
Right to restriction of processing: You have the right to request that we restrict our processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have contested.
Right to data portability: Where we process your data on the basis of your consent or a contract, and processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to object: You have the right to object at any time to processing of your personal data based on our legitimate interests. You also have an absolute right to object to processing of your personal data for direct marketing purposes, including profiling for direct marketing.
Right to withdraw consent: Where we rely on your consent as the legal basis for processing (for example, for marketing emails or non-essential cookies), you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw marketing consent, use the unsubscribe link in any marketing email or contact hello@civaraworkshop.com.
Right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority in your country. In India, complaints may be directed to the Data Protection Board of India once it is constituted under the DPDPA 2023. In the EU, contact your national data protection authority (a list is available at edpb.europa.eu). In the UK, contact the Information Commissioner’s Office at ico.org.uk.
To exercise any of the above rights, please contact us at hello@civaraworkshop.com with the subject line “Data Rights Request – [Your Name]”. We will respond within 30 days of receiving your request (extendable to 90 days for complex requests under GDPR, with notification to you).
We will not charge a fee for handling data rights requests except in cases of manifestly unfounded or excessive requests.
10. Indian Customers – DPDPA 2023 Notice
In accordance with the Digital Personal Data Protection Act 2023 (India), this section sets out the information required to be provided to data principals (individuals whose personal data we process) before or at the time of collection.
What data we collect: As set out in Section 3 above.
Purpose of processing: As set out in Section 4 above.
How to exercise your rights: As set out in Section 9 above.
Grievance contact: Hilal Ahmad Goona, Proprietor and Grievance Officer, CIVARA WORKSHOP, hello@civaraworkshop.com, +91 889-937-4887.
Consent: Where we rely on your consent to process your personal data, specifically for marketing communications and non-essential cookies, that consent is:
- Free, not a condition of purchasing from us
- Specific, given for a defined purpose
- Informed, provided after you have read this notice
- Unconditional, not bundled with other consents
- Revocable, you may withdraw it at any time as described in Section 9
We will not use your personal data for any purpose beyond what is described in this policy without seeking fresh consent.
11. EU and UK Customers – Additional GDPR Information
This section supplements the information above for residents of the European Union and the United Kingdom.
Legal bases summary: As set out in the table in Section 4. Where we rely on legitimate interests, those interests are: fulfilment of customer service obligations, defence against fraudulent payment disputes, and improvement of our website experience. We have conducted legitimate interests assessments and are satisfied that these interests do not override your rights and freedoms.
Automated decision-making and profiling: We do not make any automated decisions about you that produce legal or similarly significant effects. We do not profile you for the purposes of automated decision-making.
Data protection contact: For any GDPR-related matter, EU and UK residents may contact us directly at dsa@civaraworkshop.com. We respond to data protection requests within one month.
Supervisory authority complaint: You have the right to lodge a complaint with your national data protection authority at any time. A list of EU national data protection authorities is available at edpb.europa.eu. In the UK, contact the ICO at ico.org.uk.
12. Canadian Customers – PIPEDA
Personal information of Canadian customers is handled in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. This includes:
- Collecting only the personal information necessary for the identified purposes
- Obtaining consent before or at the time of collection (implied consent for information necessary to fulfil your order; express consent for marketing)
- Providing access to and correction of your personal information on request
- Retaining personal information only as long as required for the identified purposes or by law
To make a PIPEDA access or correction request, or to withdraw consent for marketing, contact hello@civaraworkshop.com.
13. UAE Customers
Personal data of customers in the United Arab Emirates is handled in accordance with UAE Federal Decree Law No. 45 of 2021 on the Protection of Personal Data. We process your personal data only for the purposes described in this policy, maintain appropriate security measures, and will not use your data for unauthorised marketing or share it with unauthorised third parties.
14. Australian Customers
CIVARA WORKSHOP handles the personal data of Australian customers in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This policy constitutes our APP Privacy Policy and covers the collection, use, disclosure, and storage of your personal data. You may request access to or correction of your personal data by contacting us at hello@civaraworkshop.com. You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
15. California Customers – CCPA/CPRA
CIVARA WORKSHOP is an Indian business with annual revenue below USD 25 million and does not currently meet the thresholds that would make the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) mandatory. Accordingly, we do not currently provide California-specific rights disclosures. However, we will always honour reasonable privacy requests from any person, regardless of location. If and when CCPA/CPRA thresholds are met as the business grows, this policy will be updated with the required California-specific provisions.
16. Cookies and Tracking Technologies
Our use of cookies and similar tracking technologies is explained in our separate Cookie and Tracking Technologies Policy, available at civaraworkshop.com/cookie-policy. Non-essential cookies are only placed with your prior consent via our cookie banner.
17. Children’s Data
civaraworkshop.com is not directed at children under the age of 16. We do not knowingly collect personal data from individuals under 16. If you believe that we have inadvertently collected personal data from a child under 16, please contact us immediately at hello@civaraworkshop.com and we will delete that data promptly.
18. Links to Third-Party Websites
Our website may contain links to the websites of third parties, including our payment processors, carriers, and platform partners. This Privacy Policy applies only to civaraworkshop.com. We are not responsible for the privacy practices of third-party websites and encourage you to read their privacy policies before providing them with any personal data.
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or our business operations. When we make material changes, we will update the “last updated” date at the top of this page. For significant changes, we will notify active customers by email. We encourage you to review this policy periodically.
The version of this policy in force at the time your data was collected governs how that data is handled, except where law requires us to apply updated standards retrospectively.
20. How to Contact Us
For all privacy enquiries, data rights requests, and complaints:
Email: hello@civaraworkshop.com
Subject line for data rights: “Data Rights Request – [Your Name]”
Subject line for privacy complaints: “Privacy Complaint – [Your Name]”
EU data protection contact: dsa@civaraworkshop.com
Post: Hilal Ahmad Goona, CIVARA WORKSHOP, Abi Buchwars, Dalgate, Srinagar 190001, Jammu and Kashmir, India
The Civara Dana Email List
We operate an opt-in email list under the project name Civara Dana. This list is currently operated by Civara Workshop (proprietor Hilal Goona) as the data controller, and this section explains how we handle the personal data you provide when you subscribe.
What we collect: Your email address, together with a record of your consent, including the date and time you submitted the form, the date and time you confirmed your subscription, and a copy of the consent wording you agreed to.
Legal basis: Your consent (GDPR Article 6(1)(a) and the equivalent provisions of other applicable laws). We use a double opt-in process: after you submit the form, we send a confirmation email, and we only add you to the list and send you the welcome email after you click the confirmation link. We do not store a confirmed subscription, or send list email, to any address that has not completed this confirmation step.
How we send it: List emails are delivered through our authenticated email infrastructure. We do not share your address with any third party for their own purposes, and we do not sell it.
Retention: Unconfirmed signups are automatically deleted after a short period if the confirmation link is not clicked. Confirmed subscriptions are kept until you unsubscribe, after which your address is removed from the active list and retained only as a suppression record where necessary to honour your unsubscribe request.
Your control: You can withdraw your consent and unsubscribe at any time using the link in any email we send you, or by contacting us at hello@civaraworkshop.com. Withdrawing consent is as easy as giving it, and does not affect the lawfulness of anything sent before you withdrew.
A temporary arrangement: Civara Dana is preparing to launch its own website at civaradana.org and a collective robe offering platform integrated into this website. When the Civara Dana website launches, this email list and the handling of the personal data associated with it will move to that website under its own privacy policy, and we will notify subscribers of the change. Until then, the list is operated by Civara Workshop and handled under this policy.
This policy was last reviewed and updated on June 8, 2026. The current version is always available at civaraworkshop.com/privacy-policy.
