Privacy Policy
What we collect, why we collect it, how we use it, and the choices you have. Plain English — no dark patterns.
Last updated: 27 April 2026 · Compliant with India's Digital Personal Data Protection Act, 2023.
1 Who we are
"Embrix" (we / us / our) operates the marketplace at embrix.in. We are the data fiduciary for personal data collected through the Platform under India's Digital Personal Data Protection Act, 2023 (DPDP Act).
2 What data we collect
2.1 Data you give us directly
- Account: name, mobile number (verified via OTP), email (optional), profile photo if uploaded.
- Seller details: bank account / UPI ID for payouts, GSTIN if you provide it, business name.
- Listings: design files, preview images, descriptions, prices, machine formats, tags. By default these are public to the marketplace once approved.
- Communications: support tickets, comments, claim evidence, job postings, job applications and resumes.
2.2 Data we collect automatically
- Device & usage: IP address, browser/user-agent, pages viewed, search queries, design interactions (views, likes, saves, purchases).
- Cookies: session cookie for login, CSRF token, cart contents (session-scoped). See Cookies & tracking.
- Visual search uploads: when you use the AI image search, the image you upload is sent to our vision provider for matching. We do not store the upload after the search completes.
2.3 Data from third parties
- Payment gateway: a transaction status and gateway-issued payment ID — never your full card number, UPI PIN, or net-banking password.
- Firebase Authentication: when you sign in with mobile OTP we receive a verified phone token from Google's Firebase service.
3 How we use your data
We use the data above only for these purposes:
- Run the marketplace: show you designs, process orders, deliver files, credit seller wallets, settle payouts.
- Communicate transactionally: email/SMS receipts, order confirmations, design-approved notices, withdrawal status, support replies.
- Personalise: show you trending designs, recently viewed items, AI-matched designs based on your uploaded image.
- Moderate: detect copyright violations, contact-info leaks in comments, fake reviews, abusive accounts.
- Improve the Platform: aggregated, de-identified analytics on which designs get bought, how visual search performs, what categories are most active.
- Comply with law: respond to legal requests, tax filings, fraud investigations.
We do not sell your personal data, ever. We do not run third-party advertising networks on the Platform.
4 Cookies & tracking
We use the minimum cookies needed to keep the site working:
- laravel_session — your logged-in state and CSRF token. Lifetime 2 hours.
- XSRF-TOKEN — security token for form submissions.
- cart.design_ids (server session) — items in your cart while you browse.
We do not use Google Analytics, Facebook Pixel, or any other cross-site tracker by default. If you've enabled an integration that does (e.g. our admin opting in to GA), we will list it here before activation.
5 Sharing with third parties
We share data only with service providers that help us operate, and only the data they need:
- Payment gateway (Razorpay / Cashfree / similar): order ID, amount, buyer name, mobile, email — to process the transaction.
- SMS / OTP provider (Firebase Authentication): your mobile number — to deliver login OTP.
- Email provider (SMTP / SES / Gmail SMTP): your email and the email body — to deliver transactional mail.
- OpenAI (vision & embeddings): images uploaded for visual search and design cover photos for indexing. OpenAI processes them per its API terms; uploads are not used to train OpenAI's models when sent via API.
- Cloud hosting: our hosting provider's servers (located in India) where the Platform runs.
- Law enforcement / regulators: when legally compelled by an Indian court order or government notice.
We never share your data with marketing affiliates, data brokers, or insurance/credit-scoring firms.
6 Where your data is stored
Account, transaction, and content data is stored on servers physically located in India. Some processor services (e.g. OpenAI, Firebase) may temporarily process data on servers outside India in transit; this is standard for these services and is bound by their Indian data-protection compliance commitments.
7 Security
- HTTPS-only delivery for every page and API call.
- Passwords (where used) hashed with bcrypt; mobile-OTP login does not require a password.
- API endpoints protected with Laravel Sanctum bearer tokens.
- Card numbers, UPI PINs and bank passwords are never stored on our servers — they're submitted directly to the payment gateway.
- Database backups are encrypted at rest. Access to admin panels is restricted to a small team and audit-logged.
No system is perfectly secure; if you suspect your account is compromised, change anything sensitive (e.g. UPI ID for withdrawals) and email security@embrix.in immediately.
8 Your rights under DPDP Act 2023
As an Indian data principal, you have the right to:
- Access a copy of your personal data we hold.
- Correct inaccurate or incomplete data — most fields are self-editable from your profile page.
- Erase your account and personal data, except where retention is required by law (e.g. tax records of past transactions).
- Withdraw consent for any processing that's based on your consent — though some functionality (e.g. payouts) may stop working as a result.
- Nominate another individual to exercise your rights in case of incapacity or death.
- Grievance redressal: if our response doesn't satisfy you, escalate to the Data Protection Board of India.
To exercise any of these rights, email our Data Protection Officer at dpo@embrix.in from the email address registered to your account. We respond within 30 days.
9 Data retention
- Active account data: kept while your account is active.
- Transaction records: 7 years (Indian tax and accounting requirements).
- Support tickets: 3 years from closure.
- Visual-search uploads: deleted as soon as the search completes (no retention).
- Deleted account residuals: within 30 days of account deletion, all personally identifying data is erased; aggregate, de-identified statistics may persist.
10 Children
The Platform is not intended for users under 18. We do not knowingly collect personal data from children. If you believe a minor has registered, contact us and we will remove the account and any data attached.
11 Changes to this policy
We will update this policy when our practices change. Material changes (e.g. a new third-party processor, expanded data collection) will be communicated by email and a banner on the Platform at least 14 days before they take effect. Continued use after that date constitutes acceptance.
12 Contact our DPO
For privacy questions, data-access requests, or grievance redressal:
Embrix — Data Protection Officer
Surat Textile Market, Ring Road
Surat, Gujarat 395002, India
Email: dpo@embrix.in
Security incidents: security@embrix.in
General support: support@embrix.in
This Privacy Policy should be read alongside our Terms & Conditions. If there is any conflict between the two, the Terms & Conditions prevail unless the conflict is on a privacy-specific matter, in which case this policy prevails.