Skip to main content
joywave/digital
joywave/digital
SearchSign in

Privacy Policy

Last updated: 2026-05-28

This Privacy Policy explains what personal data JoyWaveDigital collects when you use joywavedigital.in (the "Site"), how we use it, who we share it with, how long we keep it, and what rights you have over it. We have written this policy to satisfy our obligations under the EU General Data Protection Regulation (GDPR Articles 13 and 14), the UK GDPR, and India's Digital Personal Data Protection Act 2023 (DPDP Act). Where the same right exists under more than one regime, we apply the most protective version globally.

If you have read our Terms of Service, this policy fills in the data side of the relationship. If anything is unclear or you want to exercise one of your rights, please email privacy@joywavedigital.in.

1. Who we are

JoyWaveDigital is a sole proprietorship operated from India by an individual seller. We are the data controller (under GDPR terminology) and the data fiduciary (under the DPDP Act) for the personal data processed through the Site.

We do not have a designated Data Protection Officer because our scale does not require one. For all data-protection questions and requests, contact privacy@joywavedigital.in.

2. What we collect

We collect personal data in three ways.

a. Data you give us directly

  • Email address when you sign in, place an order, request a download link, contact us, subscribe to our newsletter, or submit a review.
  • Order details when you buy a Product: the Products purchased, the amount paid, the currency, the order timestamp, and any coupon code applied. We do not see or store your payment card number or CVV (see Section 4 on processors).
  • Account profile data if you choose to sign in and create an account: a display name (if you set one) and any preferences you save.
  • Communications if you email us or use a contact form: the message contents and any attachments.

b. Data we collect automatically

  • Request metadata. The IP address, browser user-agent, approximate geographic region, and timestamp of each request to the Site. We use the region to display an approximate local-currency price and to comply with regional cookie-consent requirements.
  • Audit data. When you take an authenticated action (sign in, place an order, submit a review), we record the action type, the resource it affected, and the IP address for security and abuse prevention. This is stored in an internal audit log.
  • Analytics and performance data (consent-gated). With your consent, we collect anonymized product analytics (which pages you view, broad device categories, navigation paths) and performance telemetry (Core Web Vitals such as load time and layout stability). Without consent, these are not collected. See Section 6 on cookies for the exact mechanism.

c. Data we receive from third parties

  • Payment confirmation from Dodo Payments after a successful purchase. We receive the order amount, currency, payment status, the email address you provided at checkout, and a payment processor reference. We do not receive your full card number.
  • Email delivery status from Resend (our transactional email provider) for receipts and notifications we send to you: delivered, bounced, spam-flagged, or opened (if tracking is enabled).

3. Why we process your data (lawful basis)

Under GDPR Article 6 and DPDP Act Section 7, we must have a lawful basis for each category of processing. Ours are:

  • Performance of a contract with you (GDPR Art. 6(1)(b); DPDP Sec. 7(a)). We use your email, order details, and the resulting download links to deliver the Product you purchased and to provide post-purchase support. Without this data, we cannot fulfill the order.
  • Consent (GDPR Art. 6(1)(a); DPDP Sec. 7(a)). Analytics, performance telemetry, and marketing communications are processed only after you have explicitly opted in via our cookie banner (Section 6) or by subscribing to our newsletter. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legitimate interests (GDPR Art. 6(1)(f)). We rely on legitimate interests for fraud prevention, securing the Site against abuse, keeping audit logs of sensitive actions, and operating the business at a basic level (such as serving the Site itself and routing email). We have assessed that these interests are not overridden by your rights and freedoms, given the limited scope of the data and the protections in Sections 4 and 7.
  • Legal obligation (GDPR Art. 6(1)(c)). We retain certain order records (such as invoice data) to comply with tax law in the relevant jurisdiction.

4. Who we share your data with

We use a small number of carefully chosen processors (in GDPR terms) and data processors (in DPDP terms) to operate the Site. Each is contractually bound to act on our instructions, protect your data with appropriate safeguards, and use it only for the purposes described here.

  • Dodo Payments (Merchant of Record and payment processor): receives your email and order details to process payment, calculate and remit applicable taxes, and issue invoices. Dodo Payments is the seller of record for your transaction. Privacy details: dodopayments.com/legal/privacy.
  • Resend (transactional email): sends order receipts, account emails, and post-purchase communications. Resend receives your email address and the email content. Privacy details: resend.com/legal/privacy-policy.
  • Supabase (database, account authentication, file storage): stores your account record, orders, wishlist, and the digital Product files we deliver. Supabase operates regional infrastructure in the EU and US. Privacy details: supabase.com/privacy.
  • Vercel (hosting and request delivery, plus Speed Insights performance telemetry): serves the Site and the API endpoints. Speed Insights collects anonymized Core Web Vitals only with your consent. Privacy details: vercel.com/legal/privacy-policy.
  • PostHog (consent-gated product analytics): receives anonymized event data about page navigation and feature use only after you opt in to analytics cookies. PostHog does not capture session recordings or use auto-capture on this Site. Privacy details: posthog.com/privacy.
  • Upstash (Redis-backed rate limiting): receives request IP addresses temporarily to enforce rate limits on authentication, checkout, admin actions, and order recovery. Each IP is stored in a sliding-window counter that auto-expires within minutes. No long-term retention; we do not associate the IP with any account or order record at the Upstash layer. Privacy details: upstash.com/trust/privacy.
  • MailerLite (newsletter and marketing email, consent-gated and not yet active): we have provisioned a MailerLite account in preparation for a future newsletter signup and other marketing surfaces. As of the date at the top of this policy, no MailerLite endpoint is wired up to this Site, so no data is sent to MailerLite from your interactions here. When the first marketing surface ships (such as a Footer newsletter signup), it will respect the marketing-tier consent you have already set in the cookie banner, and we will update this section. Privacy details: mailerlite.com/legal/privacy-policy.
  • Cloudflare (DNS and email routing): resolves the joywavedigital.in domain and forwards email sent to our policy aliases (hello, privacy, accessibility) to our mailbox. Privacy details: cloudflare.com/privacypolicy.

We do not sell your personal data and we do not share it with advertising networks or data brokers. If we ever need to add a new processor, we will update this policy and (for material changes) notify you in advance.

We may also disclose data when required by law, court order, or valid government request, or where necessary to defend our legal rights or investigate suspected fraud or abuse. We will challenge requests we believe are unlawful or overbroad.

5. International transfers

The Site operates from India and uses processors based in the EU and the US. When your data moves between regions, we rely on the processor's safeguards. For transfers from the EEA, UK, or Switzerland to processors in other jurisdictions, our processors use Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent UK and Swiss safeguards. For transfers under the DPDP Act, we use processors that we have assessed as offering comparable protections under their own jurisdictions' laws.

If you would like more detail about the safeguards applied to a specific transfer, email privacy@joywavedigital.in.

6. Cookies and similar technologies

We use a small number of cookies and similar browser-side storage mechanisms (such as localStorage). On your first visit, our cookie banner asks you to make a choice in three categories. You can change your choice at any time by clearing the jwd-cookie-consent entry in your browser's localStorage; the banner will reappear. Your choice is also re-prompted automatically every 12 months and whenever this policy is materially updated.

a. Essential (always on)

These are required for the Site to function. They cannot be turned off. We use them to remember your cart, keep you signed in, protect against cross-site request forgery, and remember your preferred currency and locale. Examples: a session cookie set by Supabase Auth, a cart token in localStorage, a wishlist replay cookie set briefly during a sign-in flow.

b. Analytics (consent required)

When you opt in, we collect anonymized usage data through PostHog and performance telemetry through Vercel Speed Insights. PostHog uses a localStorage entry to remember your anonymized session. Speed Insights uses a first-party beacon that does not set cookies. You can opt out at any time via the cookie banner; on opt-out, PostHog stops collecting and Speed Insights stops mounting.

c. Marketing (consent required, not yet active)

Marketing cookies are currently inactive on the Site. The cookie banner exposes a Marketing toggle as a forward-compatible placeholder: when the first marketing surface ships (such as a newsletter signup in the Footer), it will respect the consent value you have already given. If you opted out today, no marketing cookie or pixel will ever fire. If you opted in today, you will remain opted in when the surface goes live, and we will update this section to describe what gets set. We do not run third-party advertising trackers or remarketing pixels on the Site.

7. How long we keep your data

  • Account data is kept while your account is active. To delete your account and the personal data associated with it, email privacy@joywavedigital.in from the address tied to your account. We confirm the request, then process the deletion within 30 days. Anonymized order records are retained per the row below for tax compliance; everything else (account profile, wishlist, audit log entries tied to your account) is hard-deleted. We are working on a self-service deletion endpoint; until it ships, the email-based flow is the path.
  • Order records are kept for 7 years from the date of purchase to comply with tax-law retention requirements. After that period, we anonymize the record (we keep the aggregate amount and Product for accounting continuity but remove your email and other identifiers).
  • Audit logs are kept for 2 years for security and abuse-investigation purposes, then deleted.
  • Analytics data is kept for up to 12 months by PostHog under our configuration, then deleted. Speed Insights data is aggregated and not personally identifying.
  • Newsletter subscriptions are kept until you unsubscribe. Unsubscribe is one click in any email we send, and we delete your subscriber record within 30 days of an unsubscribe request.
  • Support emails are kept for 3 years from the last message in the thread.

8. Your rights

Depending on where you live, you have some or all of the following rights over your personal data. We extend these rights to all users regardless of jurisdiction:

  • Right of access. You can ask for a copy of the personal data we hold about you.
  • Right to rectification. You can ask us to correct inaccurate or incomplete data.
  • Right to erasure. You can ask us to delete your data, subject to the retention requirements in Section 7.
  • Right to data portability. You can ask us to export your data in a machine-readable format (such as JSON).
  • Right to restrict processing. You can ask us to pause processing while we resolve an accuracy or objection question.
  • Right to object. You can object to processing based on legitimate interests; we will stop unless we can show compelling grounds that override your interests.
  • Right to withdraw consent. If we process data based on your consent (analytics, marketing), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint with a supervisory authority. If you are in the EEA, UK, or Switzerland, you can complain to your local Data Protection Authority. If you are in India, you can complain to the Data Protection Board of India once it is operational under the DPDP Act. We would prefer the chance to fix the issue first, so please contact us before escalating.

To exercise any of these rights, email privacy@joywavedigital.in from the email address associated with your account. We will respond within 30 days. If we need more time (for example, because the request is complex), we will tell you why within that window. We do not charge a fee for reasonable requests.

9. Children

The Site is directed at adults (parents, teachers, and other educators who buy printables for the children in their care). The Site is not directed at children, and we do not knowingly collect personal data from anyone under the age of 13 (under the US Children's Online Privacy Protection Act), under 16 (the GDPR digital-consent default), or under 18 (the DPDP Act's threshold for verifiable parental consent), as applicable in the relevant jurisdiction.

If you believe a child has provided us with personal data, please contact privacy@joywavedigital.in and we will delete the data promptly.

10. Security

We use industry-standard technical and organizational measures to protect your data, including encryption in transit (HTTPS everywhere), encryption at rest at our database provider, row-level security policies that scope account data to its owner, signed download URLs with short lifetimes, rate-limited authentication, and audit logging of sensitive actions. No system is perfectly secure, but we treat security as ongoing work, not a checklist.

If a breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify you without undue delay, in accordance with GDPR Article 34 and the equivalent DPDP Act provisions.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes (such as new categories of data, new processors, or new purposes of processing), we will give you reasonable advance notice and, where required by law, ask for fresh consent. The current version is always available at joywavedigital.in/policies/privacy.

12. Contact us

For data-protection questions and to exercise your rights, email privacy@joywavedigital.in. For general questions about the Site or your order, use hello@joywavedigital.in.

Your cart

Your cart is empty

Pick out a worksheet to get started.

Browse the shop