Privacy policy

Last updated: August 20, 2025

1. Introduction

The Deco Story operates this store and website (the “Services”), providing a curated shopping experience powered by Shopify. This Privacy Policy outlines how we collect, use, disclose, and retain your personal information. Where applicable laws overlap, this policy takes precedence for privacy-related matters.

2. Information We Collect

  • Contact Details: Name, address (billing/shipping), email, phone.

  • Financial Data: Payment card info, transaction details, payment confirmations.

  • Account Info: Username, password, preferences, etc.

  • Transaction Data: Items viewed, cart activity, purchase history.

  • Communications: Support inquiries or other messages.

  • Device Info: IP, browser, network, unique identifiers.

  • Usage Data: Interactions with our Services.

3. How We Collect It

From:

  • You directly (e.g., account creation or communications).

  • Automatically (through cookies, devices, Shopify).

  • Third parties (service providers, partners).

4. How We Use Personal Information

We use your data to:

  • Deliver and improve Services (e.g., orders, shipping, recommendations).

  • Send promotional communications and personalized ads.

  • Prevent fraud and ensure security.

  • Provide customer support and respond to your needs.

  • Comply with legal obligations.

5. How We Share Information

We may share data with:

  • Shopify and service providers (e.g., shipping, analytics).

  • Marketing partners (subject to your privacy settings).

  • Third-party integrations (social logins, widgets).

  • Affiliates or during business transactions.

  • Law enforcement or legal proceedings.

6. Shopify Relationship

Shopify hosts our store and processes personal data. They may use this data for platform features and are responsible for processing under their privacy terms.

7. Third-Party Links

Links to external websites are not covered by our policy. Please review their respective privacy documents when navigating away from our Services.

8. Children’s Data

Our Services are not intended for users under the age of majority in your jurisdiction. If you believe we have collected children’s data without proper consent, please contact us for removal.

9. Security

While we strive for robust protection, no system is infallible. Please avoid sending sensitive information via insecure means.

10. Data Retention

We retain personal data only as necessary: for Services, legal compliance, dispute resolution, or as required by law. Certain e-commerce platforms in India may be bound by the three-year retention rule based on DPDP draft regulations.

11. Your Rights & Choices

Depending on your region, you may have the following rights:

  • Access, correction, deletion, portability of your data.

  • Withdraw consent.

  • Opt out of marketing, ad tracking, or data sale/sharing.

  • Non-discrimination protection (particularly in California).

Use site tools or contact us to exercise these rights. Shopify's privacy portal also assists with rights over data processed by Shopify.

Region-Specific Addendum

A. For Individuals in India

Legal Basis & Consent
Processing happens only with your free, specific, and informed consent, via affirmative action, following the DPDP Act standards.

Grievance / DPO Contact
We have appointed a Grievance Officer / Data Protection Officer (DPO) in India. They are the point of contact for any privacy concerns or data subject requests.

Consent Withdrawal
You may withdraw consent any time using the same mechanism by which you gave it. We will stop processing unless legally required to continue.

Data Retention & Erasure
Data is kept only as necessary for Services, legal needs, or disputes. We securely delete or anonymize data no longer needed. A maximum three-year retention may apply for large e-commerce providers.

Cross-Border Transfers
Transfers outside India will occur only via valid contracts or with your explicit consent where required.

B. For Individuals in the United Kingdom

Data Controller & Processor
The Deco Story is the Data Controller for UK residents; Shopify acts as our Data Processor.

Lawful Bases for Processing

  • Contract: For fulfilling orders and payments.

  • Consent: For marketing and cookies.

  • Legitimate Interests: For security and service improvement.

  • Legal Obligations: For tax, audit, etc.

Marketing & Consent
We only send marketing communications with opt-in consent per UK GDPR and PECR.

UK Representative
If we lack a UK presence, we will appoint a UK GDPR Representative and publish their contact details.

C. For California (CCPA / CPRA) Residents

Your Privacy Rights
If you're in California, you have rights to:

  • Know what data is collected, used, shared, or sold.

  • Access, delete, and correct your information.

  • Opt out of sale or sharing (via a “Do Not Sell or Share My Personal Information” link).

  • Limit use of sensitive data.

  • Be free from discrimination for exercising these rights.

Do Not Sell or Share Link
We will display a clear “Do Not Sell or Share My Personal Information” link on our website.

Sensitive Personal Information
We use sensitive data (like payment info) only as needed to deliver our Services.

Non-Discrimination
No service denial, price increases, or downgrade in quality for exercising your privacy rights.

12. Changes to This Policy

We may update this Privacy Policy as our practices or laws evolve—especially when launching services in new regions. The “Last updated” date will be revised accordingly.

13. Contact Information

For any questions or requests related to this Privacy Policy (including regional rights and requests), email us at: customersupport@thedecostory.com.