Skip to content
Kosh India

Privacy policy

Effective 11 June 2026

Kosh India (“we”, “us”) provides portfolio websites for interior designers at kosh-india.com and on designer subdomains. This policy explains what personal data we collect, why we collect it, how long we keep it, and the rights you have over it under India’s Digital Personal Data Protection Act, 2023 (DPDPA).

What we collect, and why

  • Account and profile data — your name, email address, phone number, company name and size, city, and role. Purpose: creating and securing your account, verifying your phone number, and operating your dashboard.
  • Consent records — which consents you gave or withdrew, when, and the IP address and browser user-agent at the time. Purpose: the DPDPA requires us to be able to evidence your consent.
  • Portfolio content — the text and images you add to your site. Purpose: publishing your portfolio website, which is the service itself. Published sites are public by design.
  • Inquiries— when a visitor submits an inquiry on a designer’s site, we collect the message and the sender’s contact details for delivery to that designer, plus the sender’s IP address for abuse prevention (removed after 90 days).
  • Billing data — subscription state, payments, and GST invoices for Pro plans, processed through Razorpay. We never store your card or bank credentials.
  • Usage data — server logs and aggregate, privacy-preserving page analytics for published sites. Purpose: keeping the platform reliable and showing designers how their site performs.

Consent

At signup you give two separate, unbundled consents. Accepting the terms of service and this privacy policy is required to use the platform. Research consent is optional: if you grant it, we may contact you about product research (interviews, surveys) and use your responses to improve the platform. You can withdraw research consent at any time from your dashboard settings, with immediate effect and no impact on your account. If you later withdraw the required consent, that is processed as an account-deletion request, explained below.

Responses you give in research activities are anonymized rather than deleted when your account is removed — your identity is stripped and only aggregate findings are kept.

How long we keep data

  • Active account data: for the life of your account.
  • Inquiry sender IP addresses: removed after 90 days; the inquiry itself remains.
  • Audit logs: 2 years. Webhook delivery records: 90 days.
  • Unpublished sites you leave unpublished by choice are deleted 90 days after unpublishing, with advance notice.

Statutory exception for financial records. Indian tax law (Central Goods and Services Tax Act, 2017, §36) requires us to retain tax records — invoices and payment records — for at least 72 months. When you delete your account, these records are kept for that statutory period but are decoupled from your deleted profile: they carry only the identity details the law requires on a tax invoice, and they are no longer linked to a living account.

Your rights

  • Access and export. You can request a complete export of your data from your dashboard. We deliver it as a machine-readable JSON archive within 72 hours.
  • Correction. You can edit your profile and site content at any time.
  • Deletion. You can delete individual sites or your entire account from your dashboard. Account deletion permanently removes your profile, sites, drafts, published pages, media, inquiries, and consent records. Your subdomain becomes available again, and login is no longer possible. The only data that survives is the statutory financial records described above and anonymized research aggregates.
  • Consent withdrawal. Research consent is withdrawable in settings; withdrawing required consent triggers the account-deletion path.

Cookies and sessions

We use first-party cookies strictly for signing you in and keeping your session secure. We do not run third-party advertising or tracking scripts on the platform.

Who processes data for us

We use vetted infrastructure providers to run the service: Vercel (hosting), Neon (database and authentication), Cloudflare (image storage and delivery), Upstash (queues and caching), Razorpay (payments), Resend (transactional email), MSG91 (phone verification SMS), and Sentry (error monitoring). Each receives only what its function requires.

Contact and grievances

For any privacy question, data request, or grievance, write to support@kosh-india.com. We respond to grievances within the timelines the DPDPA prescribes.

Changes to this policy

If we make material changes, we will notify account holders by email and update the effective date above. This page is versioned with our codebase, so its history is preserved.