Privacy Policy

How we collect, use, and protect your data

Effective: December 1, 2025

v1.0

12 min read

Introduction

Welcome to Sketch2Shape ("we," "us," "our," or the "Company"). We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website at sketch2shape.com and our services (collectively, the "Services").

This Privacy Policy is drafted in compliance with:

The Digital Personal Data Protection Act, 2023 (DPDPA) and DPDP Rules, 2025 of India
Information Technology Act, 2000 and IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Consumer Protection Act, 2019 and Consumer Protection (E-Commerce) Rules, 2020
General Data Protection Regulation (GDPR) principles for users outside India

By using our Services, you consent to the collection and processing of your personal data as described in this Privacy Policy. If you do not agree with this Policy, please do not use our Services.

Data Controller Information

For the purposes of applicable data protection laws, the data controller is:

Sketch2Shape
Email: pgrudrakshi@gmail.com
Website: sketch2shape.com
Country of Operation: India

Personal Data We Collect

We collect personal data that you voluntarily provide to us and data that is automatically collected when you use our Services.

3.1 Information You Provide Directly

Account Information: Phone number, email address, name (when provided)
Authentication Data: Google OAuth credentials (we do not store your Google password)
Design Preferences: Responses to questionnaires including favorite animals, flowers, fruits, colors, activities, and other personalization choices for TrulyTheirs service
User-Uploaded Content: Drawings, images, and photographs you upload for conversion to 3D models
Shipping Information: Full name, delivery address, postal code, contact number
Order Information: Product selections, customization preferences, order history
Communication Data: Messages, feedback, and support requests you send to us

3.2 Information Collected Automatically

Device Information: Device type, operating system, browser type and version
Usage Data: Pages visited, time spent on pages, click patterns, features used
Log Data: IP address, access times, referring URLs
Cookies and Similar Technologies: Session cookies, preference cookies, and analytics cookies (see Section 10 for details)

3.3 Payment Information

Payment transactions are processed by our payment gateway partner, Zoho Payments. We do not store your credit card numbers, debit card numbers, UPI IDs, or bank account details on our servers. Zoho Payments processes this information in accordance with PCI-DSS standards and their own privacy policy. We only receive confirmation of successful payments and basic transaction identifiers.

Purpose and Legal Basis for Processing

We process your personal data for the following purposes:

Purpose	Legal Basis (DPDPA)
Account creation and authentication	Consent; Performance of contract
Processing and fulfilling orders	Performance of contract
Generating personalized designs using AI	Consent; Performance of contract
Converting uploaded images to 3D models	Consent; Performance of contract
Processing payments	Performance of contract
Shipping and delivery	Performance of contract
Customer support and communication	Legitimate interest; Performance of contract
Service improvement and analytics	Legitimate interest
Marketing communications (with consent)	Consent
Legal compliance and fraud prevention	Legal obligation; Legitimate interest

Sharing of Personal Data

We share your personal data only as necessary to provide our Services and as described below:

5.1 Third-Party Service Providers

Service Provider	Purpose	Data Shared
Supabase	Database hosting and authentication	Account data, order data
Google (OAuth)	Social login authentication	Authentication tokens only
Google Gemini API	AI-powered design generation	Design preferences, uploaded images
Cloudflare R2	Image and file storage	Uploaded images, generated designs
Zoho Payments	Payment processing	Payment details (processed directly)
Shipping Partners	Order delivery	Name, address, contact number

5.2 Other Disclosures

We may also disclose your personal data:

To comply with legal obligations, court orders, or government requests
To protect our rights, privacy, safety, or property
To investigate fraud or security issues
In connection with a merger, acquisition, or sale of assets (with prior notice to you)

We do not sell your personal data to third parties.

Data Retention

In compliance with the DPDP Rules 2025, we retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Account Data: Until you delete your account or request deletion
Order and Transaction Data: 7 years from the date of transaction (as required for tax and legal compliance in India)
Uploaded Images and Designs: 90 days after order completion (unless you request earlier deletion)
Design Preferences: Until you delete your account or request deletion
Communication Records: 3 years from the date of communication
Analytics Data: 26 months (anonymized after this period)

Inactivity Notice (DPDP Rules 2025)

As per the DPDP Rules 2025, if your account remains inactive for more than one year and there is no legal requirement for us to retain your data, we will send you a 48-hour advance notice before erasing your personal data. You may reactivate your account or request data export during this period.

After the retention period, your data will be securely deleted or anonymized using appropriate technical measures including encryption, masking, or tokenization as required under DPDP Rules 2025.

Your Rights as a Data Principal

Under the DPDPA and applicable data protection laws, you have the following rights:

Right to Access: You may request information about what personal data we hold about you and obtain a copy of such data.
Right to Correction: You may request correction of inaccurate or incomplete personal data.
Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements.
Right to Withdraw Consent: You may withdraw your consent for data processing at any time through your account settings or by contacting us. As per DPDP Rules 2025, we provide a dedicated consent withdrawal mechanism. Withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
Right to Nominate: You may nominate another individual to exercise your rights on your behalf in case of your death or incapacity.
Right to Grievance Redressal: You have the right to have any grievances addressed by us and, if unsatisfied, to approach the Data Protection Board of India.

To exercise any of these rights, please contact us at pgrudrakshi@gmail.com with the subject line "Data Subject Request." We will respond within 30 days of receiving your request.

Children's Privacy

Under the DPDPA and DPDP Rules 2025, a "child" is defined as an individual below 18 years of age. Sketch2Shape services are intended for users who are 18 years of age or older.

Age Requirement

You must be at least 18 years old to create an account on Sketch2Shape. By creating an account, you confirm that you are 18 years of age or older.

Our "Drawing to 3D" service allows adults to upload drawings (including those created by children in their care) for conversion to 3D models. In such cases:

Adult Account Holder: The parent or guardian is the account holder and Data Principal. We collect personal data from the adult, not from the child.
Content Responsibility: The adult account holder is responsible for any content they upload, including drawings created by minors in their care.
No Direct Data Collection from Children: We do not knowingly collect personal data directly from individuals under 18 years of age.
No Behavioral Tracking: We do not track, behaviorally monitor, or serve targeted advertisements to any users based on children's activities.

If we become aware that we have inadvertently collected personal data directly from an individual under 18 without a parent or guardian as the account holder, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal data directly, please contact us immediately at pgrudrakshi@gmail.com.

Data Security

In compliance with the DPDP Rules 2025, we implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit using TLS/SSL protocols
Encryption, masking, obfuscation, or tokenization of sensitive data at rest (as required by DPDP Rules 2025)
Strict access controls and continuous monitoring mechanisms
One-year log retention for security audit purposes (DPDP Rules 2025)
Verified backup systems and disaster recovery
Regular security assessments and updates
Secure data storage with reputable cloud service providers with mandatory security clauses in processor contracts
Employee training on data protection practices

While we strive to protect your personal data with measures compliant with DPDP Rules 2025, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our website.

10.1 Types of Cookies and Storage We Use

Essential Cookies: Required for the website to function properly, including authentication cookies set by Supabase to maintain your login session
Local Storage (Functional): We use browser local storage to temporarily save your questionnaire progress and design preferences so you don't lose your work
Analytics Cookies: We use Google Analytics to understand how visitors interact with our website, helping us improve our Services

10.2 Managing Cookies

You can control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website. You can also manage your cookie preferences through our cookie consent banner.

Cross-Border Data Transfers

Some of our third-party service providers are located outside India. When we transfer your personal data outside India, we ensure that:

The transfer complies with applicable data protection laws
Appropriate safeguards are in place (such as standard contractual clauses or adequacy decisions)
The receiving party maintains adequate security measures

Data may be transferred to and processed in countries where our service providers operate, including the United States. These countries may have different data protection laws than India.

Data Breach Notification

In compliance with the DPDP Rules 2025, in the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will:

Immediate User Notification: Notify affected individuals immediately via registered communication channel (email/SMS) in a clear, concise manner
Data Protection Board Notification: Provide initial intimation to the Data Protection Board of India without delay, followed by a detailed report within 72 hours (or extended period if formally permitted)
Breach Details: Include in notifications: nature of breach, extent, timing, likely consequences, mitigation measures taken, safety recommendations for you, and our contact details
Documentation: Document all breaches and remedial actions taken, maintaining logs for a minimum of one year as required under DPDP Rules 2025

Penalty Notice

Under DPDP Rules 2025, failure to report breaches can attract penalties up to ₹200 crore, while inadequate security safeguards may lead to penalties up to ₹250 crore. We take data security extremely seriously.

Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of these external sites. We encourage you to read the privacy policies of any third-party sites you visit.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

We will update the "Effective Date" at the top of this Policy
We will notify you via email or through a prominent notice on our website
For significant changes, we may seek your renewed consent where required

We encourage you to review this Privacy Policy periodically.

Grievance Officer

In accordance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and Consumer Protection (E-Commerce) Rules, 2020, we have appointed a Grievance Officer to address your concerns regarding data privacy and protection:

Grievance Officer

Sketch2Shape
Email: pgrudrakshi@gmail.com
Subject Line: "Grievance - Privacy"

The Grievance Officer will:

Acknowledge your complaint within 48 hours of receipt
Investigate and resolve complaints within 30 days
Provide you with updates on the status of your complaint

If you are not satisfied with the resolution, you may approach the Data Protection Board of India as established under the DPDPA.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Sketch2Shape
Email: pgrudrakshi@gmail.com
Website: sketch2shape.com