Privacy Policy

Last Updated: March 28, 2026

1. Introduction

Art by Joy ("we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website artbyjoy.shop (the "Website"), create an account, sign in via third-party authentication, and make purchases.

By using our Website, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our Website.

2. Information We Collect

2.1 Personal Information You Provide

We collect information that you voluntarily provide to us when you:

  • Create an account on our Website
  • Sign in using Google OAuth ("Sign in with Google")
  • Make a purchase or place an order
  • Subscribe to our newsletter
  • Contact us via email or contact forms
  • Request a commission or custom artwork
  • Participate in surveys or promotions

This information may include:

  • Name
  • Email address
  • Phone number
  • Shipping and billing address
  • Payment information (processed securely through third-party payment processors)
  • Order history and preferences

2.2 Information Collected via Google OAuth

If you choose to sign in or register using "Sign in with Google," we receive the following information from Google as part of the OAuth 2.0 authentication flow:

  • Google Account ID: A unique identifier associated with your Google account
  • Name: Your display name as set in your Google profile
  • Email address: The primary email address associated with your Google account
  • Profile picture URL: A link to your Google account profile photo (if available)

We request only the minimum scopes necessary for authentication. We do not request access to your Google Drive, Gmail, Contacts, Calendar, or any other Google services.

OAuth access tokens and refresh tokens are handled server-side and are never exposed to the browser. We store only what is necessary to maintain your authenticated session and link your Google identity to your Art by Joy account.

2.3 Automatically Collected Information

When you visit our Website, we automatically collect certain information about your device and browsing behavior, including:

  • IP address
  • Browser type and version
  • Operating system
  • Referring website
  • Pages viewed and time spent on pages
  • Geographic location (country/city level)
  • Device information (mobile, desktop, screen resolution)

2.4 Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to enhance your experience, maintain authenticated sessions (including those initiated via Google OAuth), analyze website traffic, and personalize content. You can control cookie preferences through your browser settings, though disabling cookies may prevent sign-in functionality from working correctly.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Authentication: To verify your identity when you sign in, including via Google OAuth, and to maintain secure sessions
  • Account Creation: To create and pre-populate your Art by Joy account with your Google profile name and email when you first sign in with Google
  • Order Processing: To process transactions, fulfill orders, arrange shipping, and send order confirmations
  • Customer Service: To respond to inquiries, provide support, and resolve issues
  • Account Management: To manage your account and login credentials
  • Communication: To send transactional emails (order updates, shipping notifications) and marketing communications (if you opt in)
  • Personalization: To customize your experience and show relevant artwork recommendations
  • Analytics: To understand how visitors use our Website and improve our services
  • Security: To detect and prevent fraud, unauthorized access, and other illegal activities
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes
  • Business Operations: To maintain records, conduct internal research, and improve our business

Information obtained via Google OAuth is used solely for authentication and account management. It is not used for advertising, sold to third parties, or shared with any party other than as described in Section 4.

4. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:

4.1 Service Providers

We share information with trusted third-party service providers who assist us in operating our Website and conducting our business, including:

  • Google LLC (OAuth Provider): When you use "Sign in with Google," your authentication is handled by Google's OAuth 2.0 service. Google's collection and use of your data during this process is governed by Google's Privacy Policy. We receive only the profile data described in Section 2.2.
  • Payment Processors: To process credit card and payment transactions securely
  • Shipping Companies: To fulfill and deliver orders
  • Email Service Providers: To send transactional and marketing emails
  • Analytics Providers: To analyze website usage (e.g., Google Analytics)
  • Cloud Storage Providers: To host our website and store data securely

These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

4.2 Legal Obligations

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to:

  • Comply with legal processes or enforce our Terms and Conditions
  • Protect the rights, property, or safety of Art by Joy, our users, or the public
  • Prevent fraud, security breaches, or illegal activities

4.3 Business Transfers

In the event of a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred to the successor entity. We will notify you via email or a prominent notice on our Website before your information becomes subject to a different privacy policy.

5. Data Security

We implement industry-standard security measures to protect your personal information, including:

  • SSL/TLS encryption for all data transmission
  • Secure, server-side handling of OAuth tokens — tokens are never stored in the browser or exposed to client-side scripts
  • Secure servers and encrypted databases
  • Regular security audits and dependency updates
  • Restricted access to personal information (limited to authorized personnel only)
  • Secure payment processing through PCI DSS-compliant providers

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay.

6. Your Rights and Choices

You have the following rights regarding your personal information:

6.1 Access and Update

You can access and update your account information by logging into your account on our Website.

6.2 Data Deletion

You may request deletion of your account and personal information by contacting us at artbyjoy.contact@gmail.com. We will process your request within 30 days. Please note that we may retain certain information as required by law or for legitimate business purposes (e.g., order history for tax records). If your account was created via Google OAuth, deleting your Art by Joy account removes all associated OAuth data from our systems; however, you should also separately revoke Art by Joy's access from your Google Account permissions page.

6.3 Revoke Google OAuth Access

You can revoke Art by Joy's access to your Google account at any time by visiting your Google Account permissions and removing Art by Joy from the list of connected apps. Revoking access will prevent future Google sign-in for your account but will not delete your Art by Joy account or order history. To fully delete your data, please contact us directly.

6.4 Marketing Communications

You can opt out of marketing emails at any time by clicking the "unsubscribe" link in any marketing email or by contacting us. Note that you will still receive transactional emails related to your orders.

6.5 Cookie Preferences

You can manage cookie preferences through your browser settings. Most browsers allow you to refuse or delete cookies. Note that session cookies are required for the Google OAuth sign-in flow to function correctly.

6.6 Data Portability

You may request a copy of your personal information in a structured, commonly used, machine-readable format by contacting us at artbyjoy.contact@gmail.com.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law:

  • Order information: Retained for 7 years for tax and accounting purposes
  • Account information: Retained for the duration of your account, plus 30 days following deletion to allow for recovery
  • Google OAuth tokens: OAuth access tokens and refresh tokens are invalidated and deleted upon account deletion or when you revoke access via your Google Account. Session data is cleared when you sign out.
  • Analytics data: Retained in anonymized or aggregated form for up to 26 months

8. Children's Privacy

Our Website is not directed to, and is not intended for use by, children under the age of 18. We do not knowingly collect, solicit, or store personal information from minors. The Google OAuth sign-in feature on our Website is likewise not intended for use by children under 18.

If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at artbyjoy.contact@gmail.com. We will take prompt steps to delete such information from our systems.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including India and the United States (where Google's infrastructure operates). These countries may have different data protection laws than your country of residence. By using our Website or signing in via Google OAuth, you consent to the transfer of your information as described in this policy. Where required, we implement appropriate safeguards to protect your data during such transfers.

10. Third-Party Links

Our Website may contain links to third-party websites (e.g., social media platforms, payment processors). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information. This includes Google's services — while we use Google OAuth for authentication, Google's own data practices are governed by Google's Privacy Policy.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post the updated policy on this page with a revised "Last Updated" date. For material changes — particularly those affecting how we process data obtained via Google OAuth — we will notify you by email or via a prominent notice on our Website at least 7 days before the change takes effect. Your continued use of the Website after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices — including requests to access, correct, or delete your data — please contact us:

We aim to respond to all privacy-related requests within 30 days.

13. Compliance with Applicable Laws

This Privacy Policy is designed to comply with the following applicable laws and regulations:

  • Digital Personal Data Protection Act, 2023 (DPDPA): India's primary data protection legislation, which governs the processing of digital personal data within India
  • Information Technology Act, 2000: Including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
  • Google API Services User Data Policy: Our use of Google OAuth complies with Google's API Services User Data Policy, including the Limited Use requirements

We are committed to protecting your personal information in accordance with Indian data protection laws and international best practices. As the DPDPA implementing rules are finalized, we will update our practices accordingly.

By using Art by Joy's Website — including signing in via Google OAuth — you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.