Privacy Policy
Last updated: August 14, 2025
Welcome to Stash. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site.
1.0 Introduction and Definitions
1.1 Preamble
This Privacy Policy ("Policy") is issued by Mystash Pvt Ltd, a company incorporated under the laws of India, with its registered office at B308, JP Nagar, Bangalore, Karnataka, India (hereinafter referred to as "Mystash", "We", "Us", or "Our"). This Policy outlines our practices and procedures regarding the collection, processing, use, storage, disclosure, and protection of your Personal Data when you use our online platform, including our website and mobile applications (collectively, the "Platform").
The purpose of this Policy is to provide you, the user ("User", "You", "Your"), with a clear and comprehensive understanding of how we handle your Personal Data in compliance with applicable Indian laws. By accessing or using our Platform, you signify your understanding of and agreement with the terms of this Privacy Policy.
1.2 Applicability
This Policy applies to all individuals and entities who access, register on, or use the services offered on the Mystash Platform, including but not limited to content creators ("Creators"), individuals or entities purchasing services ("Customers"), and brands engaging with Creators ("Brands").
In accordance with India's data protection framework, this Policy has an extraterritorial scope. It applies to the processing of digital personal data within the territory of India. Furthermore, it extends to the processing of digital personal data outside the territory of India if such processing is in connection with any activity related to the offering of goods or services to individuals within India.[1] Therefore, this Policy is applicable to all our users, regardless of their geographical location, as long as they are engaging with our services offered in India.
1.3 Definitions
Unless the context otherwise requires, the terms defined in this section shall have the meanings ascribed to them throughout this Policy. These definitions are aligned with the provisions of the Digital Personal Data Protection Act, 2023 ("DPDP Act") and other relevant Indian legislation.
- Personal Data: Means any data about an individual who is identifiable by or in relation to such data.[1]
- Digital Personal Data: Means Personal Data in digital form.[1]
- Data Fiduciary: Means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. For the purposes of this Policy, Mystash Pvt Ltd is the Data Fiduciary.[3]
- Data Processor: Means any person who processes personal data on behalf of a Data Fiduciary.[3]
- Data Principal: Means the individual to whom the personal data relates. In the context of this Policy, You, the User, are the Data Principal.[3]
- Processing: In relation to personal data, means a wholly or partially automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.[1]
- Consent: Means any freely given, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes by which they, by a clear affirmative action, signify agreement to the processing of their personal data for the specified purpose.[4]
- Data Breach: Means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
- Significant Data Fiduciary (SDF): Means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under Section 10 of the DPDP Act.[3]
2.0 Personal Data We Collect and Process
We collect and process Personal Data to provide and improve our services. The collection is guided by the principle of data minimisation, meaning we only collect data that is necessary for the specified purpose.[5] The types of data we collect are as follows:
2.1 Information You Provide to Us
This includes data you voluntarily submit when you interact with our Platform.
- For All Users: When you create an account, we collect basic registration data, which includes your full name, email address, a mobile phone number for verification, and a password to secure your account.
- For Creators: To facilitate your participation and enable commission payouts, we require additional information. This includes a public display name or alias, a biographical description, links to your social media profiles, and crucial financial information such as your bank account number, IFSC code, Unified Payments Interface (UPI) ID, and your Permanent Account Number (PAN) for taxation purposes.
- For Customers: When you purchase services from a Creator, we collect transaction data. This includes details of the services you have purchased and the payment method used. To ensure your financial security, we do not store full credit/debit card numbers or other sensitive payment credentials on our servers; this information is handled by our secure third-party payment gateway partners.
- For Brands: To enable campaign management and business transactions, we collect business-related information. This includes the registered company name, Goods and Services Tax Identification Number (GSTIN), and contact details of the authorised representative, such as their name, email, and phone number.
- Communications Data: We collect information when you communicate with us for user support, provide feedback, or participate in surveys. This may include the content of your messages, emails, and call recordings.
2.2 Information We Collect Automatically
As you navigate and interact with our Platform, we may use automatic data collection technologies to gather certain information about your equipment, browsing actions, and patterns. This includes:
- Device and Connection Information: We collect information about your computer, mobile device, and internet connection, including your IP address, operating system, browser type, and device identifiers.
- Usage Data: We collect details of your visits to our Platform, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Platform. This helps us understand user behaviour and improve service delivery.
- Cookies and Similar Technologies: We use cookies and other tracking technologies to recognise you and/or your device(s) and to enhance your user experience.
2.3 Information from Third Parties
We may receive Personal Data about you from other sources. For example, if you choose to link your Mystash account with a third-party service, such as a social media platform for login purposes, we may receive information from that service, such as your name and email address, in accordance with the authorisation procedures determined by such third-party service.
3.0 Lawful Basis and Purpose of Processing
Our processing of your Personal Data is always based on a lawful ground and for a specific, explicit, and legitimate purpose.
3.1 Our Lawful Basis
The primary legal basis for our processing of your Personal Data is the explicit Consent you provide to us before we commence processing.[1] We ensure that your consent is obtained in a manner that is free, specific, informed, and unambiguous.[4] In certain limited circumstances, we may also process your data for "Legitimate Uses" as defined under the DPDP Act, such as when you have voluntarily provided your data for a specified purpose and have not indicated that you do not consent to its use.[7]
3.2 Purpose of Processing (Purpose Limitation)
We adhere strictly to the principle of "purpose limitation," which means we process your Personal Data only for the purposes for which it was collected and for which you have given your consent.[5] These purposes include:
- Service Provision: To provide, operate, maintain, and improve the functionalities of the Mystash Platform.
- Transaction Facilitation: To enable and process transactions between Creators, Customers, and Brands, and to facilitate communications necessary for the fulfillment of services.
- Payment Processing: To process commission payments to Creators and other financial transactions on the Platform. This includes using your PAN for the deduction of Tax Deducted at Source (TDS) as required by Indian law.
- Legal and Regulatory Compliance: To comply with our legal obligations under applicable laws, including the Information Technology Act, 2000, the DPDP Act, 2023, and tax laws.
- Customer Support: To respond to your inquiries, provide support, and resolve any issues you may face while using the Platform.
- Platform Improvement: To analyse usage patterns, conduct research, and use the insights to enhance the user experience, security, and features of our Platform.
- Marketing and Communications: To send you updates, promotional materials, and other information related to our services. We will always provide you with a clear and simple way to opt-out of receiving such communications.
As our Platform grows, the volume and nature of the data we process may lead to our classification as a "Significant Data Fiduciary" under the DPDP Act, 2023.[8] This designation is based on factors including the volume and sensitivity of personal data processed and the potential risk to Data Principals. Should Mystash be notified as an SDF, we are committed to undertaking the additional compliance measures mandated by law. These measures include, but are not limited to, the appointment of a Data Protection Officer (DPO) based in India, conducting periodic Data Protection Impact Assessments (DPIAs), and undergoing independent data audits.[10] In such an event, this Privacy Policy will be updated to reflect these enhanced obligations and provide you with the necessary information regarding our DPO and other compliance mechanisms.
4.0 Consent
Your consent is the cornerstone of our data processing activities. We are committed to ensuring that your consent is obtained and managed in a transparent and lawful manner.
4.1 Obtaining Consent
We will obtain your consent through a clear affirmative action before or at the time of collecting your Personal Data.[4] This means you will be required to take a deliberate step, such as ticking a checkbox, to signify your agreement. Consent requests will be presented in a clear, plain language, and we will not bundle requests for consent for different purposes. Each purpose of processing will require a separate, specific consent from you.[7]
4.2 The Notice
Every request for consent will be preceded by or accompanied by a clear notice. This notice is designed to ensure your consent is fully informed. As mandated by the DPDP Act, the notice will provide you with the following information [6]:
- An itemised description of the Personal Data we seek to collect.
- The specific purpose(s) for which the data will be processed.
- A clear explanation of how you can exercise your rights as a Data Principal.
- The procedure for withdrawing your consent.
- The contact details of our Grievance Officer and the procedure for making a complaint to the Data Protection Board of India.
4.3 Withdrawal of Consent
You have the right to withdraw your consent at any time with ease.[1] The process for withdrawal will be as straightforward as the process for giving consent. You can withdraw your consent by contacting us through the channels specified in this Policy. Upon withdrawal of your consent, we will cease processing your Personal Data for the purpose(s) for which consent was withdrawn. Please note that the withdrawal of consent will not affect the lawfulness of any processing that occurred before the withdrawal. Furthermore, the consequence of withdrawal may be that we are unable to provide certain services to you, such as processing commission payments if you withdraw consent for processing your financial data.
5.0 Your Rights as a Data Principal
Under the DPDP Act, 2023, you are granted several rights to protect and control your Personal Data. We are committed to upholding these rights and have established processes to facilitate their exercise.
5.1 Exercising Your Rights
To exercise any of your rights as a Data Principal, please submit a formal request via email to privacy@mystash.co.in. Please include a clear description of your request in the subject line (e.g., "Data Access Request") to ensure timely processing. We will respond to your request within a reasonable timeframe and in accordance with the timelines prescribed by law.
The following table provides a summary of your key rights and how to exercise them:
Table: Your Data Protection Rights at a Glance
| Right | What it Means | How to Exercise It |
| --- | --- | --- |
| Right to Access | You can request a summary of your personal data that we process and the identities of third parties we have shared it with.[5] | Email your request to privacy@mystash.co.in with the subject "Data Access Request". |
| Right to Correction | You can ask us to correct any inaccurate or incomplete personal data we hold about you.[7] | You can update most information directly in your profile settings or email privacy@mystash.co.in for assistance. |
| Right to Erasure | You can request the deletion of your personal data once the purpose for which it was collected is no longer being served.[1] | Email your request to privacy@mystash.co.in with the subject "Data Erasure Request". Note that we may need to retain certain data for legal and compliance reasons. |
| Right to Grievance Redressal | You have the right to have your complaints regarding data processing addressed in a timely manner.[5] | Please contact our Grievance Officer, Rishabh Thakur, at the details provided in Section 9.0 of this policy. |
| Right to Nominate | You can nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.[1] | Email your nomination details to privacy@mystash.co.in with the subject "Nomination Request". |
6.0 Data Sharing and Disclosure
We do not sell your Personal Data. We may, however, share your Personal Data with third parties in the following circumstances, ensuring that such sharing is necessary and lawful:
- With Service Providers (Data Processors): We engage third-party companies and individuals to perform services on our behalf, such as payment processing, cloud hosting, data analytics, and customer support. We share your Personal Data with these Data Processors only to the extent necessary for them to perform these services. We have contractual agreements in place that obligate them to protect your data and process it only for the purposes we specify.
- Between Users: To facilitate the core function of the Platform, we share necessary information between users. For example, a Creator's public profile information will be visible to Customers and Brands, and a Brand's campaign details may be shared with Creators they wish to engage.
- For Legal and Compliance Reasons: We may disclose your Personal Data if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a legal obligation or a lawful request from government agencies or law enforcement [13]; (b) protect and defend the rights or property of Mystash; (c) prevent or investigate possible wrongdoing in connection with the Service; or (d) protect the personal safety of users of the Service or the public.
- In Connection with Business Transfers: If Mystash is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.
7.0 Data Security and Retention
We are committed to protecting your Personal Data and have implemented robust measures to ensure its security and appropriate retention.
7.1 Security Safeguards
We implement reasonable security safeguards to protect your Personal Data against unauthorised access, alteration, disclosure, or destruction.[5] These measures include technical and organisational controls such as:
- Encryption: Encrypting data both in transit and at rest.
- Access Controls: Implementing strict access control mechanisms to ensure that only authorised personnel have access to Personal Data on a need-to-know basis.
- Regular Reviews: Conducting periodic reviews of our information collection, storage, and processing practices, including physical security measures, to guard against unauthorised access to systems.[12]
7.2 Data Breach Notification
In the unfortunate event of a Personal Data breach, we have a clear response plan. In compliance with the DPDP Act, we will notify the Data Protection Board of India and the affected Data Principals of the breach in the manner and within the timelines prescribed by law.[5] The notification will describe the nature of the breach, the likely consequences, and the measures we have taken to mitigate its effects.
7.3 Data Retention
We adhere to the principle of "storage limitation".[5] We will retain your Personal Data only for as long as is necessary to fulfill the purposes for which it was collected, as outlined in this Policy.[1] We will erase your Personal Data when:
- The purpose for which it was processed is no longer being served.
- You withdraw your consent and there is no other lawful basis for its retention.
- The retention is no longer necessary for legal or business purposes.
Please note that we may be required to retain certain information for longer periods to comply with legal obligations (such as tax laws requiring the retention of financial records for a specified number of years), resolve disputes, and enforce our agreements.
8.0 International Data Transfers
We primarily store and process your Personal Data on servers located within the territory of India.[1] However, in certain circumstances, we may need to transfer your Personal Data to other countries. Such transfers will only occur to countries or territories that the Central Government of India has, by notification, deemed to have a robust and reliable data protection regime.[1] We will ensure that any such international transfer of your Personal Data is carried out in accordance with applicable Indian laws and that appropriate safeguards are in place to protect your data.
9.0 Grievance Redressal
If you have any concerns, questions, or complaints regarding the processing of your Personal Data or a potential breach of your privacy, we encourage you to first contact our Grievance Officer.
In accordance with the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer.[13]
You can contact our Grievance Officer at:
Name: Rishabh Thakur
Email: rishabh@mystash.co.in
The Grievance Officer will address your concern and endeavour to resolve it within a reasonable timeframe, not exceeding one (1) month from the date of receipt of the complaint.[13]
If you are not satisfied with the resolution provided by our Grievance Officer, you have the right to lodge a complaint with the Data Protection Board of India, once it is established and operational under the DPDP Act, 2023.[1]
10.0 Children's Privacy
Our Platform is not intended for use by individuals under the age of 18 ("Child" or "Children"). We do not knowingly collect Personal Data from Children. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from a Child without verification of parental consent, we will take steps to remove that information from our servers in accordance with the law.[1]
11.0 Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top. We will also endeavour to provide you with a notice, such as adding a statement to our website's homepage or sending you an email notification, for material changes.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
12.0 Contact Us
If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site, please contact us at:
Mystash Pvt Ltd
B308, JP Nagar, Bangalore, Karnataka, India
Email: privacy@mystash.co.in
Footnotes:
1. Digital Personal Data Protection Act, 2023, Section 3.
2. Digital Personal Data Protection Act, 2023, Section 4.
3. Digital Personal Data Protection Act, 2023, Section 2.
4. Digital Personal Data Protection Act, 2023, Section 6.
5. Digital Personal Data Protection Act, 2023, Section 8.
6. Digital Personal Data Protection Act, 2023, Section 5.
7. Digital Personal Data Protection Act, 2023, Section 7.
8. Digital Personal Data Protection Act, 2023, Section 10.
9. Digital Personal Data Protection Act, 2023, Section 10(2).
10. Digital Personal Data Protection Act, 2023, Section 10(2).
11. Information Technology Act, 2000, Section 43A.
12. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
13. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.