Featured in leading newspapers across the world
Privacy policy
Last updated: 29 June 2026
This Privacy Policy describes how Royalhub Products (OPC) Private Limited (CIN: U47912HR2024OPC121475, GSTIN: 06AANCR6322C1ZJ), operating the brand Vedic Crystals® through the website thevediccrystals.com (the "Site"), collects, uses, discloses, retains and protects your personal data when you visit the Site, make a purchase, book a consultation or puja, use any of our tools, or otherwise interact with us. In this Policy, "we", "us", "our" or "Vedic Crystals" refers to Royalhub Products (OPC) Private Limited as the Data Fiduciary; "you" or "your" refers to the individual whose personal data is being processed, referred to as the Data Principal under the Digital Personal Data Protection Act, 2023 ("DPDP Act").
This Policy is governed by the DPDP Act, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, with parallel provisions for customers in the European Union, the United Kingdom (GDPR) and California (CCPA) set out in Sections 13 and 14 below.
By using the Site and our services, you confirm that you have read and understood this Policy and consent to the collection, processing, sharing and retention of your personal data as described herein. If you do not agree to any part of this Policy, please do not use the Site or our services.
Quick Reference
- We are the Data Fiduciary — Royalhub Products (OPC) Private Limited, the owner of the Vedic Crystals® brand.
- Astrological data (birth details, gotra, kundli, family information) is treated as our most sensitive category. See Section 3.
- Your data is shared with named third parties only for the purposes described, including pandits, astrologers, payment gateways, analytics, courier partners and messaging platforms. See Section 5.
- You have rights as a Data Principal — to access, correct, delete, port and withdraw consent. See Section 9.
- For data-related grievances, write to our Data Grievance Officer at dpo@thevediccrystals.com. See Section 16.
- Customers in the EU, UK or California have additional rights under GDPR and CCPA respectively. See Sections 13 and 14.
1. Definitions
For the purposes of this Policy, the following terms have the meanings set out below:
- "Personal Data" means any data about an individual who is identifiable by or in relation to such data, including name, contact details, account information, order details, payment information, IP address, location data, device data, browsing behaviour, birth details, gotra and consultation content.
- "Sensitive Personal Data", in the context of this Policy, includes data we collect for astrological, spiritual and ritual services — specifically date of birth, exact time of birth, place of birth, gotra, family relationships, and the content of astrological consultations or puja sankalp (intentions). We treat this category with elevated protection (see Section 3).
- "Data Fiduciary" means Royalhub Products (OPC) Private Limited — the entity which determines the purpose and means of processing your personal data.
- "Data Principal" means you, the individual whose personal data is being processed.
- "Processing" means any operation performed on personal data, including collection, recording, organisation, storage, retrieval, use, disclosure, transfer or erasure.
- "Service Provider" or "Data Processor" means any third party that processes personal data on our behalf under our instructions and contractual safeguards.
2. Personal Data We Collect
2.1 Data you provide directly
When you interact with the Site or use our services, you provide us with the following categories of personal data:
- Contact details: Name, email address, phone number, billing address, shipping address.
- Account information: Username, password (stored in hashed form), security questions, account preferences.
- Order information: Items purchased, quantities, order history, payment confirmation, transaction IDs.
- Payment information: Card details and bank information are processed directly by our payment gateways (PhonePe and PayPal) and are not stored on our servers. We receive only confirmation of payment status and the last 4 digits of the card or instrument used.
- Customer support information: The content of your messages, emails, calls and WhatsApp communications with us, including any photographs, screenshots or documents you share.
- Astrological & spiritual data (sensitive — see Section 3): Date of birth, exact time of birth, place of birth, gotra, name of co-beneficiaries (spouse, children, parents), specific intention (sankalp) for pujas, and the content of your kundli analysis or consultation.
- User-generated content: Product reviews, ratings, photographs, testimonials and any other material you choose to submit through the Site.
2.2 Data collected automatically
When you use the Site, we and our service providers automatically collect:
- Usage data: Pages visited, time spent on pages, links clicked, search queries, products viewed, items added to cart or wishlist, referring website.
- Device and connection data: IP address, browser type and version, operating system, device identifiers, screen resolution, language preference.
- Location data: Approximate location derived from your IP address, used for currency conversion, language localisation and shipping rate calculation.
- Cookies and similar technologies: See Section 6.
2.3 Data we receive from third parties
We may receive personal data about you from:
- Our payment gateways (PhonePe, PayPal) confirming payment status, transaction reference and basic payer identity.
- Our analytics and advertising partners (Google Analytics, Meta Pixel) reporting your interaction with our advertisements or other websites.
- Our courier partners reporting delivery status, signature confirmation and any delivery exceptions.
- Public sources, such as social media platforms where you have made your profile public, only where you have engaged with us through those channels.
3. Sensitive Astrological & Spiritual Data — Special Protection
We recognise that the data we collect for astrological consultations, puja services and kundli generation is uniquely intimate. This includes your exact time and place of birth, your gotra, your family relationships, and the spiritual concerns you discuss with our astrologers or for which you request puja services. We treat this category with the highest level of protection and apply the following safeguards:
- Purpose limitation: This data is used solely to deliver the specific service you have purchased (e.g. kundli generation, consultation, puja performance). It is not used for marketing, behavioural advertising or any other commercial purpose.
- Restricted access: Within our organisation, access to this data is limited to the specific personnel required to deliver your service — typically the assigned astrologer, the pandit performing your puja, and the customer-support team handling your booking.
- Contractual safeguards with pandits and astrologers: All pandits and astrologers we engage are bound by written confidentiality undertakings requiring them to use customer data only for the assigned service, not to retain it beyond service delivery, and not to disclose it to any third party.
- No third-party marketing: Astrological and spiritual data is never shared with marketing partners, advertising platforms or any third party for promotional purposes.
- No automated profiling: We do not use this data to make automated decisions about you, to generate behavioural profiles for marketing, or for any purpose beyond service delivery.
- Retention: Astrological data is retained while your account remains active, in accordance with Section 8.
- Right to erasure: You may request deletion of your astrological data at any time by writing to our Data Grievance Officer, with such deletion to be effected within 30 days of receipt of a verified request (subject to statutory retention obligations for related order or tax records).
4. Why We Collect and Process Your Personal Data
We process your personal data for specific, defined purposes, each grounded in a lawful basis as required under the DPDP Act and applicable international data protection law:
- To provide products and services — fulfilling orders, processing payments, arranging shipping, delivering consultations and pujas, sending order confirmations and shipping updates. Lawful basis: performance of contract.
- To manage your account — creating, maintaining and securing your account, enabling login, storing order history and preferences. Lawful basis: performance of contract.
- To provide customer support — responding to your queries via email, phone, WhatsApp or live chat, investigating complaints, resolving disputes. Lawful basis: performance of contract and our legitimate interests.
- To send marketing and promotional communications — newsletters, offer announcements, product launches and personalised recommendations, where you have opted in. Lawful basis: consent.
- To improve the Site and our services — analysing how customers use the Site, identifying issues, optimising the user experience, developing new features. Lawful basis: our legitimate interests.
- To prevent fraud and ensure security — detecting suspicious transactions, verifying identity for high-value orders, securing the Site against unauthorised access. Lawful basis: our legitimate interests and legal obligations.
- To comply with legal and regulatory obligations — issuing GST tax invoices, maintaining tax records for the statutory period, responding to lawful requests from authorities, defending legal claims. Lawful basis: legal obligation.
5. How We Share Your Personal Data
We share your personal data only with specific third parties and only for the purposes described below. We do not sell your personal data to anyone.
5.1 Service providers and data processors
We share your personal data with the following service providers who process it on our behalf, under contractual safeguards requiring confidentiality and purpose limitation:
- Shopify Inc. — our e-commerce platform provider, hosting the Site infrastructure, processing orders and storing customer accounts.
- PhonePe — payment gateway for domestic Indian transactions, processing card, UPI, net banking and wallet payments.
- PayPal — payment gateway for international transactions, processing card and PayPal-account payments.
- Google Analytics — web analytics service provided by Google LLC, which processes pseudonymised data about Site usage including pages visited, traffic sources, device data and approximate location derived from IP address. We have enabled IP anonymisation where supported.
- Meta Pixel — advertising and conversion-tracking service provided by Meta Platforms Ireland Limited, which processes data about your interaction with our advertisements on Facebook and Instagram and your subsequent activity on the Site, for the purpose of measuring advertising effectiveness and showing you relevant advertisements.
- WhatsApp Business API — customer messaging service provided by Meta Platforms, used for order confirmations, customer support, stone-approval communication for custom jewelry, and puja and consultation coordination.
- Courier partners — including Blue Dart, DTDC, FedEx, DHL and India Post, processing shipping addresses, contact numbers and delivery instructions to deliver your orders.
- Gemological laboratories — including IGI, GIA, GJEPC and others, where you opt for a paid certification upgrade; they receive only the information necessary for certification processing.
5.2 Pandits and astrologers
For consultation and puja services, we share the personal data required to deliver the service with the assigned pandit or astrologer from our network. This includes your name, gotra, birth details and the specific intention or query for which the service is requested. All pandits and astrologers are bound by written confidentiality undertakings as described in Section 3. They are permitted to use your data only for the specific service requested and are required to securely delete or return any working copies after service delivery.
5.3 Legal and regulatory disclosures
We may disclose your personal data when required by law, court order, or lawful request from a government authority, including for tax, customs, financial-crime, consumer-protection and law-enforcement purposes. In such cases, we will disclose only the minimum data required and, where legally permitted, notify you of the request.
5.4 Business transitions
In the event of a merger, acquisition, sale of business assets, restructuring or insolvency proceedings, your personal data may be transferred to the successor entity, subject to the same protections set out in this Policy. We will notify you of any such transition.
5.5 No sale of personal data
We do not sell, rent, lease or otherwise commercially trade your personal data. We do not share your personal data with data brokers or any party that uses it for purposes unrelated to the services you have requested or the legitimate operation of our business.
6. Cookies and Tracking Technologies
The Site uses cookies and similar tracking technologies (web beacons, pixels, local storage) to operate the Site, remember your preferences, analyse usage and deliver advertising. Cookies fall into the following categories:
- Strictly necessary cookies — required for core functionality (cart, checkout, login, security). These cannot be disabled and do not require consent.
- Functional cookies — remember your preferences (language, currency, location, viewed items). Improve user experience.
- Analytics cookies — used by Google Analytics to understand how visitors interact with the Site, in pseudonymised form.
- Advertising and marketing cookies — used by Meta Pixel and similar tools to measure advertising effectiveness and deliver relevant advertisements on third-party platforms.
On your first visit, you will be presented with a cookie consent notice allowing you to accept all cookies, reject non-essential cookies, or manage individual cookie categories. You may change your preferences at any time via the cookie-settings link in the Site footer.
You may also control cookies through your browser settings — most browsers allow you to block or delete cookies. Note that blocking strictly necessary cookies will prevent core Site functions such as adding items to cart and completing checkout.
7. International Data Transfers
Our primary data processing is conducted in India. However, several of our service providers (such as Shopify, Google, Meta and PayPal) may store and process data outside India, including in the United States, the European Union, Ireland and other jurisdictions.
Where personal data is transferred outside India, we ensure such transfers comply with Section 16 of the DPDP Act, 2023, and are made only to countries that are either not restricted by the Central Government for such transfers, or where appropriate contractual or technical safeguards are in place. For transfers from the European Union or United Kingdom to India, we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent UK International Data Transfer Agreement provisions to ensure equivalent protection.
8. Data Retention
We retain your personal data for as long as it is necessary to fulfil the purposes for which it was collected, comply with our legal obligations, resolve disputes and enforce our policies. Our general retention principles are:
- Account data: Retained for as long as your account remains active. If your account has been inactive for more than 36 months, we may notify you and either delete the account or seek your confirmation to retain it.
- Astrological data (birth details, gotra, kundli, consultation content, puja sankalp): Retained while your account remains active, so that your kundli, past consultations and historical recommendations remain accessible to you. On account deletion request, this data is deleted within 30 days, subject to the statutory carve-outs below.
- Order and invoice records: Retained for a minimum of 8 years from the financial year of the transaction, as required under Section 36 of the Central Goods and Services Tax Act, 2017, and equivalent state GST laws. This applies even if you request account deletion.
- Payment transaction records: Retained as required under applicable financial-services regulations, typically 7 years for transaction audit purposes.
- Customer support communications: Retained for 24 months from last interaction, for service quality and dispute resolution.
- Marketing consent records: Retained until you withdraw consent; we retain a record of your withdrawal indefinitely to ensure we honour your preference.
- Cookies and analytics data: Retained per the expiry periods set on individual cookies (typically 24 months for analytics; 90 days for advertising).
- Puja video and photo proof: Stored on our servers for 90 days for your retrieval, after which the original recording is deleted while a hash-stamped completion certificate is retained as service-delivery evidence.
After the applicable retention period, your personal data is either securely deleted or irreversibly anonymised.
9. Your Rights as a Data Principal
Under the DPDP Act, 2023 and applicable international data protection laws, you have the following rights in respect of your personal data:
- Right to access: You may request a summary of the personal data we hold about you, the purposes for which it is processed and the third parties with whom it has been shared.
- Right to correction: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data, subject to statutory retention obligations (e.g. tax records under GST law).
- Right to nominate: Under Section 14 of the DPDP Act, you have the right to nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
- Right to withdraw consent: Where processing is based on your consent (e.g. marketing communications), you may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Right to data portability: You may request a copy of your personal data in a structured, commonly used and machine-readable format.
- Right to opt out of marketing: You may opt out of marketing emails using the unsubscribe link in every marketing email, or by writing to us. Transactional communications (order confirmations, shipping updates, consultation reminders) will continue regardless.
- Right to grievance redressal: If you believe your rights have been violated or your data has been mishandled, you may contact our Data Grievance Officer (Section 16). If unsatisfied with our response, you may escalate to the Data Protection Board of India under the DPDP Act.
To exercise any of these rights, please contact our Data Grievance Officer at dpo@thevediccrystals.com. We will acknowledge your request within 48 hours and respond substantively within 30 days. We may require you to verify your identity before processing certain requests, to prevent unauthorised access to your data.
10. Data Security
We implement reasonable security practices and procedures to protect your personal data from unauthorised access, disclosure, alteration or destruction, including:
- Encryption of data in transit using TLS 1.2 or higher across the Site and all customer-facing applications.
- Encryption of stored payment confirmations and account credentials in our database.
- Role-based access controls limiting employee and contractor access to personal data on a need-to-know basis.
- Regular security reviews of our infrastructure, including Shopify's underlying platform certifications (ISO 27001, SOC 2 Type II, PCI-DSS Level 1).
- Confidentiality undertakings binding all employees, pandits, astrologers and contractors who may access customer personal data.
- Secure deletion or anonymisation of data when retention periods expire.
Despite these measures, no security system is impenetrable, and the transmission of data over the internet carries inherent risk. We cannot guarantee absolute security, and you share data with us at your own risk in this respect.
In the event of a personal data breach that is likely to result in significant harm, we will notify the Data Protection Board of India and affected Data Principals as required under the DPDP Act, 2023.
11. Children's Privacy
The Site and our services are not directed at children under the age of 18. We do not knowingly collect personal data from children. In line with Section 9 of the DPDP Act, 2023, we do not engage in tracking, behavioural monitoring or targeted advertising directed at children, and we do not process children's data in any manner that may cause detrimental effects on their wellbeing.
If you are a parent or guardian and believe that we have inadvertently collected personal data from a child, please contact our Data Grievance Officer at dpo@thevediccrystals.com and we will delete such data promptly.
12. Marketing Communications
We may send you marketing emails, SMS messages or WhatsApp messages about our products, services, offers and content where you have opted in (or, in some jurisdictions, where we rely on legitimate interests for existing customers). You may opt out at any time by:
- Clicking the "Unsubscribe" link at the bottom of any marketing email;
- Replying "STOP" to any marketing SMS or WhatsApp message;
- Updating your communication preferences in your account settings;
- Writing to us at contactus@thevediccrystals.com.
We will honour your opt-out within 7 business days. Transactional and service-related communications (such as order confirmations, shipping updates, consultation appointment reminders and puja muhurat notifications) are operational in nature and will continue regardless of your marketing preferences.
13. GDPR — Additional Rights for EU and UK Customers
If you are located in the European Economic Area, the United Kingdom or Switzerland, the General Data Protection Regulation (GDPR) or UK GDPR applies in addition to the DPDP Act, 2023. Royalhub Products (OPC) Private Limited acts as the Data Controller for your personal data. In addition to the rights set out in Section 9, you have:
- Right to restrict processing — in certain circumstances (e.g. while a correction request is being processed).
- Right to object — to processing based on legitimate interests, including profiling, marketing and analytics.
- Right not to be subject to automated decision-making — including profiling, where such decisions produce legal or similarly significant effects on you. We do not currently make any such automated decisions.
- Right to lodge a complaint with your local data protection supervisory authority (e.g. the Information Commissioner's Office in the UK, or your national DPA in the EU). A list is available at edpb.europa.eu/about-edpb/about-edpb/members_en.
Personal data of EU/UK customers may be transferred to India for processing. As India is not currently the subject of an EU adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) (Decision 2021/914) and, for UK transfers, the UK International Data Transfer Agreement, to ensure that your data continues to receive a level of protection essentially equivalent to that under GDPR/UK GDPR.
For GDPR-related queries, please contact our Data Grievance Officer (Section 16). Where required by Article 27 of the GDPR, we will appoint an EU representative; in the interim, EU residents may contact us directly at dpo@thevediccrystals.com.
14. CCPA — Additional Rights for California Customers
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) may apply to your personal data. Royalhub Products (OPC) Private Limited acts as a "business" under the CCPA in respect of California residents' data we process. We extend the following rights to California residents regardless of whether the CCPA strictly applies to our business under its statutory thresholds:
- Right to know — what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it.
- Right to delete — your personal information, subject to statutory exceptions.
- Right to correct — inaccurate personal information.
- Right to opt out of "sale" or "sharing" — we do not sell personal information for monetary consideration. To the extent that our use of cookies for advertising purposes (via Meta Pixel) may be considered "sharing" under the CCPA, you may opt out by adjusting your cookie preferences or using the "Do Not Sell or Share My Personal Information" link in the Site footer.
- Right to limit use and disclosure of sensitive personal information — including birth date, religious beliefs (relevant to our astrological services) and other categories defined under CPRA.
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.
- Right to designate an authorised agent — to make CCPA requests on your behalf, subject to identity verification.
To exercise any CCPA right, please contact our Data Grievance Officer at dpo@thevediccrystals.com. We will verify your request and respond within 45 days (extendable by an additional 45 days where reasonably necessary).
We have not sold personal information of California consumers for monetary consideration in the preceding 12 months. We disclose personal information for business purposes as described in Section 5.
15. Third-Party Websites and Links
The Site may contain links to websites operated by third parties (e.g. social media platforms, partner websites, lab certificate verification portals). These third-party sites are not operated by us, and we are not responsible for their privacy practices. We recommend reviewing the privacy policies of any third-party site before sharing personal data with them.
16. Data Grievance Officer
In compliance with the DPDP Act, 2023, the Information Technology Act, 2000 and the Consumer Protection (E-Commerce) Rules, 2020, we have designated a Data Grievance Officer to address all queries, requests and complaints related to your personal data:
Company: Royalhub Products (OPC) Private Limited
CIN: U47912HR2024OPC121475
GSTIN: 06AANCR6322C1ZJ
Data Grievance Officer: Gaurav Bhushan Sharma
Designation: Director & Data Grievance Officer, Royalhub Products (OPC) Private Limited
Email: dpo@thevediccrystals.com
Backup Email: grievance@thevediccrystals.com
Phone: +91-9811809967
Registered Office: 153, Sector 45, Mathura Road, Faridabad, Haryana 121003, India
Corporate Office: 67, First Floor, Zone B, Highstreet, Shree Homes Sarvome, Sector 45, Faridabad, Haryana 121009, India
Working hours: Monday to Saturday, 10:00 AM to 6:00 PM IST
We will acknowledge your data-related grievance within 48 hours and respond substantively within 30 days. If you are not satisfied with our response, you may escalate the matter to:
- Data Protection Board of India — established under Section 18 of the DPDP Act, 2023, for unresolved complaints under Indian data protection law.
- Your local data protection supervisory authority — if you are a resident of the EU, UK or other jurisdiction with an applicable regulator.
- California Privacy Protection Agency — if you are a California resident and your complaint relates to CCPA/CPRA rights.
17. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this Policy;
- Post a notice on the Site for at least 30 days following the change;
- Notify registered account holders by email where the change is material and where reasonably practicable.
We recommend reviewing this Policy periodically to stay informed about how we protect your personal data.
18. Contact
For any questions about this Privacy Policy, our data practices, or to exercise any of your rights:
- Data Grievance Officer: dpo@thevediccrystals.com
- Customer Support: contactus@thevediccrystals.com
- Phone / WhatsApp: +91-9811809967
- Website: https://thevediccrystals.com
- Registered Office: 153, Sector 45, Mathura Road, Faridabad, Haryana 121003, India
Vedic Crystals® is a registered trademark of Royalhub Products (OPC) Private Limited under the Trade Marks Act, 1999 (Registration No. 6462882, Certificate No. 3954212 dated 11 March 2026, Class 14, valid until 3 June 2034).