Privacy Policy

This privacy policy ("Policy") sets out how Crayonz, a brand operated by Aivolvix Private Limited ("we", "us", or "our"), uses and protects any information that you provide when you use this website or mobile application (individually and collectively, "Platform").

Crayonz is committed to ensuring that your privacy is protected. Should we ask you to provide any information by which you can be identified when using this Platform, be assured that it will only be used strictly in accordance with this Policy.

Please note that our Policy is subject to change at any time. To stay informed of updates, please review this page periodically. This Policy applies to current and former visitors and customers. By visiting and/or using our Platform, you accept and consent to the practices described in this Policy.

We collect, store, and use your personal information (that we consider necessary) when you use our Platform. We use this information to provide you with a safe, efficient, and customized experience, which includes displaying content such as recommended products and communicating with you about your orders, new products, and the latest promotional offers. This enables us to provide specific services and features tailored to your needs.

Account & profile data we collect:

• Email address and bcrypt-hashed password (or Google OAuth identifier if you sign in with Google)
• First name and last name
• Profile photo URL (only if you sign in with Google)
• Phone number (only if you choose to enter one during checkout)
• Shipping address (full name, address lines, city, state, pincode, country, phone) entered at checkout
• Designer Pass / subscription tier and credit balance

Order & payment data we collect:

• Order line items (garment type, colour, size, quantity, design preview URLs)
• Order amount in INR, discount applied, payment status, payment instrument category (UPI / card / wallet — never the card number itself)
• Cashfree merchant order ID and payment ID (returned by the payment processor)
• Order shipping status and tracking number (received from our fulfilment partner)

Studio & design data we collect:

• Text prompts you write to generate designs
• Reference images you upload to the studio or paste from URLs
• Generated design files, mockups, and version history
• Editor state (placements, scale, layer arrangement) tied to your draft
• Marketplace listing metadata (title, description, tags, price, like and remix counts) if you publish a design

Technical & usage data we collect:

• IP address (used for rate-limit enforcement and abuse prevention; not stored beyond 30 days)
• User-agent string and device type for layout switching
• Session cookies (`user_id`, `auth_session`) — required for authentication
• OAuth tokens and refresh tokens, only when you grant a third-party MCP client (such as Claude.ai or ChatGPT) access via our OAuth flow
• API request timestamps, tool names, and outcome status (used to detect abuse and improve reliability)

What we do NOT collect: we never receive or store your card number, CVV, UPI PIN, bank account number, or any other raw payment instrument data. All of that is collected and stored by Cashfree under PCI-DSS standards. We also do not run any third-party advertising or behavioural-tracking pixels on the Platform.

Respecting customer privacy is a core philosophy at Crayonz. We do not sell, rent, or trade your personal information. We share specific fields with specific vendors, only for the purpose each vendor serves:

• Cashfree Payments (payment processing) — receives your name, email, phone, shipping address, order amount, and merchant order ID to enable the transaction. Cashfree returns a payment ID and payment status. Card / UPI details are collected by Cashfree directly and never reach us.
• Print-and-fulfilment partners in India (and global print partner for international orders) — receive your shipping address, the print-ready design file you have approved, and the garment / size details for your order. They use this data only to print and ship your order.
• Cloud database and storage provider (Supabase, hosted in Singapore) — stores your account, designs, drafts, orders, and uploaded reference images on encrypted servers. Bound by a data processing agreement that prohibits any use beyond providing the service to us.
• Edge and CDN provider (Cloudflare) — terminates HTTPS, runs the Worker that serves crayonz.ai, caches static assets. Sees the IP address and request path of every visitor (transient — not stored by us beyond rate-limit windows).
• Compute and AI provider (Google Cloud Run + Vertex AI) — runs our design generation, mockup composition, and content APIs. Receives your design prompts and reference images while a request is being processed; outputs are stored back in Supabase.
• Transactional email provider (Resend) — receives your email address and the message body for order confirmations, password resets, and account notifications.
• Third-party MCP clients (Claude.ai, ChatGPT, etc.) — only when you authorise them — receive an OAuth access token scoped to your account so the client can call our MCP server (`mcp.crayonz.ai`) on your behalf. The client can list garments, create drafts, modify designs, and mint checkout URLs. Revoke access at any time from your account page.

We may also disclose information to comply with a court order, valid legal request, or to protect our rights and the safety of our users.

• Account profile: retained while your account is active. Deleted within 90 days of an account-closure request.
• Order records: retained for 7 years to comply with Indian GST and consumer protection record-keeping rules.
• Design files and drafts: retained while your account is active. Deletable on request from your account page.
• Uploaded reference images: auto-purged after 30 days if not attached to a saved draft.
• Payment records: not retained by us beyond the Cashfree payment ID; full transaction records remain with Cashfree per their retention policy.
• IP address and request logs: rotated out of edge caches within 30 days; aggregated counters kept up to 90 days for abuse prevention.
• OAuth tokens issued to MCP clients: revocable at any time; expire 90 days after last use.

Under the Digital Personal Data Protection Act, 2023 (DPDP) and, where applicable, the EU/UK General Data Protection Regulation (GDPR), you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data (subject to the order-record retention rules above)
• Withdraw consent for any optional processing
• Object to direct marketing communications
• Lodge a complaint with India's Data Protection Board (or your local data protection authority in the EU/UK)

To exercise any of these rights, email hello@crayonz.ai with the subject line "Data Rights Request". We acknowledge within 24 hours and respond substantively within the timelines required by applicable law.

The security of your information is a priority for us. We use appropriate security policies, rules, and technical measures to protect your information from unauthorised access, improper use or disclosure, and unlawful destruction. Passwords are hashed with bcrypt; payment instrument data is handled entirely by Cashfree and never touches our servers. However, no system is unbreachable; Crayonz is not responsible for any breach of security or actions of third parties beyond our control.

You can regularly add, correct, update, or review your personal information from your account. If you do not want to receive emails or messages from us, you may unsubscribe via the link in our marketing emails or by contacting hello@crayonz.ai. You can choose not to provide your personal information, withdraw your consent for usage, or request deletion of your account and associated information. However, this may limit your ability to fully utilise the Platform's features.

In accordance with the Information Technology Act, 2000 and the rules made thereunder (including the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021), the name and contact details of the Grievance Officer are provided below. You may write to us if you have any complaint or grievance regarding the use of the Platform, the content hosted on it, or the way your personal information has been handled.

Name: Arun Raghav
Designation: Grievance Officer, Aivolvix Private Limited
Email: hello@crayonz.ai
Address: Aivolvix Private Limited, Bhilai, Chhattisgarh 490006, India

We will acknowledge receipt of any complaint within 24 hours and resolve such complaint within 15 days from the date of receipt, in line with the timelines prescribed by Indian law.