This Privacy Policy explains what personal data Yash Aggarwal, an individual sole proprietor based in New Delhi, India and operating the Lovlio service (“Lovlio”, “we”, “our”, “us”), collects when you use the Lovlio website, builder, and published keepsake sites (together, the “Service”), why we collect it, who we share it with, and your rights. For the purposes of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) we act as a Data Fiduciary. Questions: support@lovlio.in.
1. What we collect
- Account data — your name, email and profile picture as supplied by Google when you sign in. We never receive your Google password.
- Content you create — text and photos you put into the keepsake-site builder.
- Payment data — when you publish a paid Site, payment is processed by Razorpay; we never see your card / UPI / net-banking credentials. We do store the order ID, amount, status and template purchased.
- Technical and analytics data — server logs (IP, user-agent, request path, timestamp) for security and debugging; a session token held in your browser's local storage; and product-analytics events (page views, conversion events, anonymised session recordings and click heatmaps) collected by Google Analytics 4 and Microsoft Clarity. Clarity masks sensitive form inputs by default. We do not use any of this for advertising.
2. Why we collect it
- To run the Service (let you sign in, build, publish, share).
- To process payments and handle refunds or chargebacks.
- To detect abuse and keep the Service secure.
- To respond to you when you write in.
- To meet legal obligations (tax records, lawful requests).
Our lawful basis under the DPDP Act is your consent (given when you sign in and accept these policies), supplemented by the “legitimate uses” the Act allows for security, fraud prevention and statutory compliance.
3. Who we share it with
We never sell personal data and never share it for advertising. We rely on the following partners to run the Service:
| Partner | Purpose |
|---|---|
| Google (Sign-In) | Authentication. Receives whatever you authorise on Google's consent screen. |
| Razorpay | Payment processing. Receives the order amount and whatever you enter on its checkout. |
| Cloudinary | Hosts photos uploaded for paid templates. |
| MongoDB Atlas | Hosts our database (account, site, image and payment records). |
| Vercel | Serves the Lovlio website. Receives standard server logs. |
| Google Analytics 4 (Google LLC) | Anonymised usage analytics — page views, conversion events, IP-derived approximate location. |
| Microsoft Clarity (Microsoft Corp.) | Anonymised session recordings and click heatmaps; sensitive form inputs are masked. |
We may also disclose personal data to law-enforcement, regulators or courts when legally required.
4. Where it's stored and how long we keep it
Our database and image storage are hosted on infrastructure that may be physically located outside India. Account and Site data are kept while your account / Site exists; payment records are kept for at least 8 years to meet Indian tax requirements; server logs are rotated within 90 days; analytics data is retained per Google's and Microsoft's default settings. Photos for paid Sites that you delete are preserved internally during a soft-delete window and then permanently removed.
5. Your rights under the DPDP Act
You have the right to:
- access the personal data we hold about you;
- correct any inaccurate or incomplete data;
- have your data erased, subject to lawful retention obligations;
- withdraw consent (without affecting prior processing);
- nominate another individual to exercise these rights for you;
- raise a grievance with our Grievance Officer (§8) and, if unresolved, with the Data Protection Board of India.
To exercise any of these, write to support@lovlio.in from the email address on your account. We respond within the timelines required by law, and in any case within 30 days.
6. Security
We use HTTPS, signed direct uploads to our image partner, server-side validation, rate limits, scoped tokens and least-privilege controls. No system is perfectly secure; we will notify you and the Data Protection Board of any qualifying personal-data breach as required by law.
7. Children
The Service is not intended for anyone under 18 and we do not knowingly collect personal data from children. If you believe a child has given us personal data, write to support@lovlio.in and we will delete it.
8. Grievance Officer (DPDP Act + IT Rules, India)
- Name: Yash Aggarwal
- Email: support@lovlio.in
- Location: New Delhi, India
We acknowledge complaints within 24 hours and aim to resolve them within 15 days from the date of receipt.
9. Changes
We may update this policy. The “Last updated” date above reflects the most recent change; material changes will be highlighted on the website before they take effect. See our Contact page for anything else.