Privacy Policy
Effective Date: 23 May 2026
Last Updated: 23 May 2026
At Heartlisted, we turn your child's artwork into a keepsake book. To do that well, we need a small amount of personal information — your name, where to ship the book, and the artwork you upload. This policy explains what we collect, what we do with it, and the rights you have.
We've written it in plain language because we'd rather you actually read it. If anything is unclear, write to us at `support@heartlisted.com`.
This policy applies to our marketing site at `heartlisted.com`, our application at `app.heartlisted.com`, and the books we ship to you. Heartlisted is operated by Twinkledale Studio Private Limited, registered at No. 93/52, Poes Garden, Sathyanarayana Apartments, Teynampet, Chennai, Tamil Nadu - 600018.
1. What we collect
From you directly
- Your name, email, and phone number when you sign up or place an order.
- Your shipping address — used to deliver your book.
- Your GSTIN, only if you provide one for a GST invoice.
- The artwork and images you upload to be printed.
- The text you choose to print on your book — titles, your child's name, year.
Automatically when you use our site
- Your IP address, browser type, device, and similar technical details.
- Pages you visit, links you click, and the path you take through our site.
- Cookies and similar identifiers (see Section 5).
2. How we use it
We use this information to:
- Create and ship your photobook.
- Send order confirmations, payment receipts, and shipping updates.
- Help you when you write to support.
- Generate GST-compliant invoices, as required by Indian tax law.
- Understand how our site is used and improve it.
- Measure which advertising campaigns bring customers to us.
- Detect and prevent fraud.
- Meet legal and tax obligations.
We will not use your personal information for an unrelated purpose without notifying you and, where required by law, obtaining your consent.
3. About children's artwork
Heartlisted is a service for adults — typically parents or guardians creating a keepsake for their child. We do not market to children, and we do not knowingly collect personal information directly from them.
When you upload your child's artwork, you confirm that you are their legal parent or guardian and that you consent, on their behalf, to that artwork being used to create the book you ordered. If your child's name appears on a cover or caption, we treat it as personal information.
4. Payments and invoicing
Payments on Heartlisted are processed by Razorpay. Sensitive payment information — your full card number, CVV, UPI PIN, and banking credentials — is handled directly by Razorpay and does not pass through Heartlisted's servers. We only receive a payment confirmation along with limited details such as the payment method and the last four digits of your card.
For GST-compliant invoices, we may use Zoho Books or similar invoicing software. This involves sharing your name, address, and order details as required by Indian tax law.
5. Cookies, analytics, and advertising measurement
When you visit our site, small pieces of data are stored on your device so we can recognise you between visits and understand how the site is used.
- Essential cookies keep you signed in and preserve your checkout state. The site won't function without these.
- Analytics cookies help us understand how visitors use the site so we can improve it. We use Google Analytics for general site analytics and Microsoft Clarity for session-replay analysis.
- Advertising cookies help us measure whether our Instagram and Facebook ads are working. We also keep a small cookie of our own to remember which campaign first brought you to our site.
You can disable or delete cookies through your browser settings. The essential ones are required for sign-in and checkout.
Session replays
We use Microsoft Clarity to record masked session replays of how visitors interact with our site. This helps us spot usability issues — for example, where customers get stuck in checkout. Checkout and customer-detail fields are masked, so your name, email, phone, address, GSTIN, and pincode are not captured. Payment details are entered on Razorpay's own secure overlay and are not visible to Clarity.
Advertising measurement
To know whether our Instagram and Facebook ads bring people who actually place an order, we may share limited order and contact information with Meta (via its Pixel and Conversions API) in hashed form. Plaintext contact details are not sent. Meta may use the hashed information to match against its own records and attribute a purchase to an ad you saw or clicked.
Some advertising measurement may happen through our servers rather than only through browser cookies. You can control browser-side tracking through your browser settings, a tracking blocker, or your Meta account preferences. If you want us to delete personal information we no longer need to retain, you can exercise your erasure right under Section 8.
We do not sell your personal information to anyone.
6. Other service providers
We rely on third-party service providers to run Heartlisted. We work with service providers under terms that restrict how they may use the personal information we share with them. They fall into these categories:
- Payment and invoicing
- Website and app hosting
- Cloud storage and database
- Artwork and image processing
- Email delivery
- Analytics and advertising measurement
- Error monitoring and security
- Printing, packing, and delivery
Some providers process data outside India. When that happens, the transfer is governed by their applicable data-protection obligations and our contractual terms with them.
7. How long we keep your data
Account information
Retained while your account is active. Deleted within a reasonable period after a verified deletion request, subject to legal retention obligations.
Order records and tax invoices
Retained for the period required under applicable tax law, including GST record-retention requirements.
Uploaded artwork — inactive or incomplete projects
We may delete uploaded artwork from inactive or incomplete projects after an extended period.
Uploaded artwork — completed orders
Retained while your account remains active, unless you ask us to delete it, subject to legal, tax, fraud-prevention, and dispute-resolution requirements.
Analytics data and session replays
Retained according to our analytics providers’ settings and standard retention practices.
Customer support correspondence
Retained for a reasonable period, to handle follow-ups and disputes.
8. Your rights under the Digital Personal Data Protection Act, 2023
You have the right to:
- Access the personal information we hold about you.
- Correct or update information that is inaccurate.
- Erase personal information we no longer have a legitimate reason to keep — subject to legal retention requirements such as tax records.
- Withdraw consent for processing where consent is the basis. Withdrawal does not affect processing we lawfully carried out beforehand.
- Nominate another person to exercise your rights in the event of your incapacity or death.
- File a grievance with our Grievance Officer (Section 9).
To exercise any of these rights, write to `support@heartlisted.com` from the email registered with your Heartlisted account. We may ask you to verify your identity before acting on a request.
9. Grievance Officer
In line with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000, we have designated a Grievance Officer:
- Name: Vignesh Shankar
- Designation: Grievance Officer, Heartlisted
- Email: hello@heartlisted.com
- Address: No. 93/52, Poes Garden, Sathyanarayana Apartments, Teynampet, Chennai, Tamil Nadu - 600018
If you have a complaint about how we handle your data, write to the Grievance Officer. We will respond within the timelines required by law. If you are not satisfied with our response, you may escalate the matter to the Data Protection Board of India or any other authority designated under applicable law.
10. How we protect your information
We use industry-standard security measures, including encryption in transit, encryption at rest where supported by our providers, limited access within our team, and continuous error and security monitoring.
No security system is perfect. If a personal data breach were to materially affect you, we would notify you and the relevant authorities as required by law.
11. Changes and how to reach us
We will update this policy from time to time as our services or the law evolve. The "Last Updated" date above always reflects the most recent change. For material changes, we will notify you, typically by email or a notice on our site.
For any questions about this policy or how we handle your data, write to `support@heartlisted.com`. For data-protection grievances, see Section 9.
Thank you for trusting us with your child's artwork.