Privacy Policy

Last updated: 19 May 2026

Beamdeal ("we", "us") explains here what personal data we collect when you visit the storefront or place an order, how we use it, who we share it with, and the rights you have over it. We ship worldwide; the rights section calls out the jurisdiction-specific protections that apply.

What we collect

  • Contact and shipping details you enter at checkout: name, email, phone, shipping address, billing address.
  • Order data: items purchased, currency, amount, the gateway that processed payment, the order status, tracking number once shipped.
  • Payment metadata from Razorpay, PayPal, or Dodo Payments. We never see or store your full card number, CVV, UPI PIN, or bank credentials. Those go directly to the gateway over a PCI-DSS-compliant channel and we only receive a tokenised reference plus the success or failure outcome.
  • Account credentials, if you create an account: email. We do not ask for or store passwords.
  • Support messages you send via the contact form: name, phone, email if provided, and the message body.
  • Technical and analytics data automatically captured by your browser when you visit: IP address, user-agent string, referring URL, pages viewed, and approximate location derived from IP (country and city granularity only).

Cookies and similar technologies

  • Session cookie issued by better-auth when you log in; expires on sign-out or after the session window.
  • attr cookie (90 days) stores the first-touch marketing source (the ?src= URL parameter and external referrer) so we can credit which campaign brought you in. This is first-touch only, so once set it is not overwritten.
  • currency cookie remembers your selected display currency (INR, USD, or EUR).
  • Third-party analytics cookies set by Microsoft Clarity (heatmap and session replay) and Meta Pixel (advertising measurement) when you load any public page. You can block these with any standard ad-blocker or browser tracking-protection setting and the storefront will continue to work normally.

How we use the data

  • To accept and process orders, ship the goods, and handle returns or refunds.
  • To send order-status notifications (email and, where you opted in, WhatsApp).
  • To respond to support requests and resolve disputes with payment gateways or shipping carriers.
  • To detect and prevent fraud, bot traffic, and abuse (Cloudflare Turnstile, rate-limiting, honeypot checks).
  • To improve the storefront: aggregate analytics on page performance and product discovery, never tied to your identity beyond the session.
  • To comply with Indian tax law (GST invoicing for shipments inside India) and accounting record-keeping obligations.

Who we share it with

  • Razorpay, PayPal, Dodo Payments: payment gateways. Receive only what is needed to charge the order (amount, currency, billing email, and a gateway-side order reference).
  • Delhivery: shipping carrier for orders inside India. Receives recipient name, full shipping address, phone, and order weight.
  • International carriers (varies per destination): same fields as Delhivery, plus a customs declaration listing the item description, HS code, and declared value.
  • Cloudflare: CDN, DNS, and Turnstile bot-protection.
  • Microsoft Clarity, Meta Pixel: analytics and advertising measurement on public pages.
  • Telegram: internal admin notifications for new orders. The notification contains order ID, total, and city; no payment details.
  • We do not sell or rent your personal data to anyone.

Where the data lives

Primary database is hosted in India. Payment-gateway data lives on the gateway's own infrastructure under their terms. Analytics providers (Cloudflare, Microsoft, Meta) operate globally; their processing may take place outside your country of residence under Standard Contractual Clauses or equivalent transfer mechanisms.

Retention

  • Order, invoice, and shipping records: 8 years (Indian tax record-keeping rule).
  • Account data: until you ask us to delete it, or 3 years of inactivity.
  • Support messages: 2 years.
  • Analytics cookies: per the third-party provider's own retention (typically up to 2 years).

Your rights

Submit data requests via /support from the email or phone on your order or account and we will action the request within 30 days. The specific rights you can invoke depend on where you live:

India: Digital Personal Data Protection Act, 2023

  • Right to access a summary of the personal data we hold about you.
  • Right to correct, complete, update, or erase your personal data.
  • Right to grievance redressal: escalate first to us, then to the Data Protection Board of India.
  • Right to nominate another person to exercise these rights in your incapacity or death.

European Union and United Kingdom: GDPR / UK GDPR

  • Right of access, rectification, erasure ("right to be forgotten"), restriction, portability, and objection.
  • Right to withdraw consent at any time for processing based on consent (analytics, marketing).
  • Right to lodge a complaint with your local supervisory authority.
  • Our lawful bases: contract (to fulfil your order), legal obligation (tax records), legitimate interest (fraud prevention, internal analytics), and consent (advertising cookies).

California: CCPA / CPRA

  • Right to know what categories of personal information we collect and the purpose.
  • Right to delete personal information we hold about you (subject to legal retention exceptions).
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information. We do not sell, but advertising-pixel data may qualify as "sharing" under CPRA; submit a request via /support to opt out and we will exclude your future sessions.
  • Right to non-discrimination for exercising any CCPA right.

Children

The storefront is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has placed an order without parental consent, contact us via /support and we will cancel and refund.

Security

TLS in transit, hashed passwords at rest, tokenised payment references, bot protection on every public form, no admin endpoints exposed to search engines, and principle-of-least-privilege access to the production database. No system is unbreakable; if a breach affects your data we will notify you and the relevant regulator within 72 hours as required.

Changes to this notice

We may update this notice when the law, the gateways we use, or the analytics we run change. Material changes will be flagged on the home page for at least 30 days; the "Last updated" date at the top always reflects the latest revision.

Contact

Privacy questions, data requests, and complaints route through /support. The contact form is Turnstile-gated to reduce spam and reaches the same inbox as general support.