Privacy Policy

Last updated: May 2026

This Privacy Policy describes how Zonafi Ventures (OPC) Private Limited ("we", "us", "our", or the "Data Fiduciary"), operating the brand Moi Doughssier®, collects, uses, stores, and protects the personal data of individuals ("Data Principals") who visit our website (www.moidoughssier.com), place orders, contact us, or otherwise interact with us.

By using our website or services, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein, in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA) and other applicable laws of India.

1. Definitions

• Data Fiduciary: Zonafi Ventures (OPC) Private Limited, operating as Moi Doughssier®, which determines the purpose and means of processing your personal data.
• Data Principal: You — the individual whose personal data is being processed.
• Personal Data: Any data by which you can be identified, directly or indirectly.
• Data Processor: Any third party that processes personal data on our behalf.
• Processing: Any operation performed on personal data, including collection, storage, use, sharing, or deletion.

2. Data We Collect and Why

2.1 Data you provide directly

• Name and contact details (phone number, email address) — when you fill out our enquiry form, place an order via WhatsApp, enquire about custom cakes or corporate gifting, or subscribe to updates.
• Order information — items ordered, delivery address, special instructions, and payment confirmation (payment processing is handled by Ciferon; we do not store card details).
• Business details — company name and requirements, when you submit a wholesale or corporate gifting enquiry.
• Content you upload — photographs uploaded through the "Moi Moment" feature on our website for the purpose of creating a personalised digital postcard. These images are processed locally on your device and are not stored on our servers.
• Game data — your chosen display name and score when you play games on our website (Bombo's Bomboloni Bounce, Catch the Kouign). This data is stored in our database to operate the leaderboard.

2.2 Data collected automatically

• Visitor analytics — approximate city and country of origin (derived from your IP address via a third-party geolocation service), the section of the website you are viewing, the referral source (e.g. Instagram, Google, direct), and your device type (mobile or desktop). This data is stored in our backend database to help us understand how visitors interact with our website.
• CTA interaction data — whether you clicked the Order Now, Swiggy, Zomato, or Ciferon buttons, and which section of the website you were in when you clicked.
• Browser and device data — browser type, operating system, and session identifiers (stored temporarily in your browser's session storage, not a persistent cookie).

2.3 Data received from third parties

• When you place an order through Swiggy or Zomato, those platforms share your order details (name, items ordered, delivery address) with us for the sole purpose of preparing and fulfilling your order.
• When you order through Ciferon (our website-based ordering system), your order and contact information is shared with us in the same manner.
• When you contact us via WhatsApp, your phone number and message content are visible to us through WhatsApp Business, operated by Meta Platforms, Inc.
• Reelo, our customer engagement and loyalty platform, captures phone numbers at our point-of-sale terminal when you transact in-store. This is governed by Reelo's privacy policy and operates independently of this website.

3. Legal Basis for Processing

We process your personal data on the following grounds under the DPDPA and applicable Indian law:

• Consent: Where you have actively provided your information (e.g., filling a contact form, submitting a game entry, or messaging us on WhatsApp).
• Contractual necessity: To fulfil orders you have placed with us.
• Legitimate interest: To operate and improve our website, understand visitor behaviour, and prevent fraud.
• Legal obligation: To comply with applicable laws including GST, accounting, and consumer protection regulations.

4. Third-Party Services and Data Processors

We work with the following third-party services. Each processes personal data in accordance with their own privacy policies, which we encourage you to review:

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

5. Cookies and Tracking Technologies

Our website uses the following tracking mechanisms:

• Session storage: A temporary session identifier is stored in your browser's session storage (not a persistent cookie) to track your visit within a single browsing session. This data is cleared when you close your browser tab.
• Google Analytics cookies: GA4 places cookies to measure website traffic and usage patterns. You can opt out via Google's opt-out browser add-on.
• Microsoft Clarity: Places cookies to record session behaviour and generate heatmaps. Data is anonymised and aggregated.

You may adjust cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the website.

6. Cross-Border Data Transfers

Several of our third-party service providers are located outside India, including in the United States. Specifically, Supabase Inc., Google LLC, Microsoft Corporation, Meta Platforms Inc., Netlify Inc., and Abstract API LLC (ipapi.co) process certain data on servers located in the United States or other jurisdictions.

We take reasonable steps to ensure that such transfers are governed by appropriate contractual safeguards consistent with the requirements of the Digital Personal Data Protection Act, 2023 (DPDPA), including standard contractual clauses where applicable. By using our website and services, you consent to such transfers.

7. Data Retention

• Order records: Retained for a minimum of 7 years in accordance with Indian accounting, GST, and legal requirements.
• Enquiry and contact data: Retained for up to 2 years from the date of last contact, or until you request deletion.
• Game leaderboard data: Display names and scores are retained for the duration the leaderboard feature is active. You may request removal at any time.
• Visitor analytics data: Anonymous session data is retained for up to 6 months for analytical purposes.
• WhatsApp communications: Message history is retained on the WhatsApp Business platform. We do not export or archive these independently beyond our operational need.

8. Data Security

We implement reasonable technical and organisational measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These include:

• HTTPS encryption on all website traffic
• Access-controlled backend systems via Supabase's row-level security policies
• Restricted access to personal data — only authorised personnel
• Secure third-party platforms with their own security certifications

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your Rights Under the DPDPA, 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

• Right to information (Section 11): You may request a summary of personal data we hold about you and how it has been processed.
• Right to correction and erasure (Section 12): You may request correction of inaccurate or incomplete data, or erasure of data that is no longer necessary for the purpose for which it was collected, subject to legal retention obligations.
• Right to grievance redressal (Section 13): You may raise a grievance with our Grievance Officer (see Section 13 below). If not resolved satisfactorily, you may escalate to the Data Protection Board of India.
• Right to nominate (Section 14): You may nominate another individual to exercise your rights in the event of your death or incapacity.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact our Grievance Officer as detailed in Section 13.

10. Children's Data

In accordance with the Digital Personal Data Protection Act, 2023, we treat any person under the age of 18 years as a child. We do not knowingly collect or process personal data of children without verifiable parental or guardian consent. Our website's interactive features — including the game leaderboard — may collect a display name and score. If you are under 18, please ensure you have your parent's or guardian's permission before submitting any information.

If we discover that we have inadvertently collected personal data of a child without appropriate consent, we will delete such data promptly. Please contact our Grievance Officer to report such instances.

11. Data Breach Response

In the event of a personal data breach that is likely to result in harm to Data Principals, we will:

• Notify the Data Protection Board of India as required under the DPDPA
• Take immediate steps to contain and remediate the breach
• Inform affected Data Principals where required by law

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date at the top of this page will be revised accordingly. We encourage you to review this policy from time to time. Continued use of our website following any changes constitutes your acceptance of the revised policy.

13. Grievance Officer and Contact

In accordance with the Digital Personal Data Protection Act, 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have designated a Grievance Officer:

If your grievance is not resolved to your satisfaction, you may escalate the matter to the Data Protection Board of India once established under the DPDPA.