Privacy policy

This Privacy Policy describes how Lonestar Hospitality Private Limited, operating under the brand name Khoya Mithai ("Khoya Mithai", "Company", "we", "us", or "our"), collects, uses, stores, shares, transfers, and otherwise processes personal data through the website https://khoyamithai.com, mobile or web interfaces connected to it, and related customer interactions including orders, gifting, customer support, promotions, and marketing communications.

This Privacy Policy is intended to comply with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and applicable consumer e-commerce requirements in India.

Khoya Mithai may update this Privacy Policy from time to time to reflect changes in law, technology, business operations, or data-processing practices.

Material changes shall be brought to the attention of users through a website notice. Users are expected to review this policy periodically to make sure that they are aware of any changes or updates.

All partner firms, vendors, logistics providers, payment partners, and any third party working with or for Us and having access to personal data shall be expected to read and comply with this Privacy Policy. No third party shall access or process personal data held by Us without first entering into appropriate confidentiality and data protection obligations.

1. Data Fiduciary / Body Corporate Details

Legal entity: Lonestar Hospitality Private Limited
Brand: Khoya Mithai
Website: https://khoyamithai.com
Registered / Principal Address: D-21, Second Floor, Okhla Phase 1, New Delhi - 110020
Customer Support Email: contact@khoyamithai.com
Grievance Officer: Utkarsh Sharma
Grievance Officer Email: contact@khoyamithai.com
Grievance Officer Phone: +91 9910096940

Khoya Mithai acts as a data fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act) in relation to personal data processed for identified purposes, and as a body corporate for purposes of the Information Technology Act and the SPDI Rules where applicable.

2. Scope

This Privacy Policy applies to personal data collected from or about customers, prospective customers, gift recipients, website visitors, account holders, corporate gifting contacts, job applicants where relevant forms are used on the website, and any person who otherwise interacts with Khoya Mithai through the website, forms, email, phone, WhatsApp, social channels, or related services.

This Privacy Policy does not apply to third-party websites, apps, social-media pages, or payment-gateway pages that may be linked through our website, as they are, or ought to be, governed by their own policies.

3. Personal Data Collected

Depending on how a person interacts with Khoya Mithai, we collect and process the following categories of personal data:

• Core Personal Information: Identity data, such as first name, last name, username, billing name, recipient name, and corporate contact name. Contact data, such as mobile number, email address, billing address, shipping address, city, state, postal code, and communication details.

• Transaction data: Order history, products purchased, order value, invoice details, payment status, refund status, coupon usage, and delivery records.

• Account data: Login credentials, saved addresses, preferences and account communications.

• Technical and usage data: IP address, browser type, device identifiers, operating system, website interactions, pages visited, date and time of access, clickstream data, and cookie or analytics data.

• Communication data: Customer-support messages, grievance submissions, feedback, survey responses, reviews, and call or chat records where lawfully recorded.

• Marketing preference data: Consent choices, opt-in records, and campaign engagement information.

Khoya Mithai does not intentionally collect or request sensitive personal data unless it is strictly necessary for a lawful purpose connected with the service and permitted by law.

4. Sensitive Personal Data / SPDI

Under the SPDI Rules, certain categories such as passwords, financial information, health information, biometric information, and similar data may qualify as sensitive personal data or information.

Khoya Mithai does not seek to collect sensitive personal data except where strictly required for a lawful, specific, and necessary purpose, and where such collection is supported by valid consent or another lawful basis under applicable law.

Payment information is processed directly by regulated third-party payment gateways. Khoya Mithai does not store full card numbers, CVV, PIN, or equivalent payment credentials on its own systems unless legally required and technically secured under applicable standards.

5. How Personal Data Is Collected

Personal data may be collected when a person:

• creates an account or places an order on the website;

• requests product information, catalogues, festive gifting assistance, or customer support;

• signs up for newsletters, promotional communications, waitlists, or campaigns;

• uses cookies, tracking technologies, or website analytics tools;

• submits reviews, feedback, testimonials, photos, or social-media content;

• participates in contests, referrals, surveys, or marketing events;

• provides recipient details for gifting, group orders, or corporate orders.

6. Purposes of Processing

Khoya Mithai processes personal data only for lawful purposes connected with its business and only to the extent necessary for those purposes.

Personal data may be processed for the following purposes:

• to create and manage user accounts;

• to process, confirm, pack, dispatch, deliver, replace, return, or refund orders;

• to coordinate gifting and delivery with customers and recipients;

• to send transactional communications such as order confirmations, invoices, shipping alerts, OTPs, and customer-service messages;

• to respond to customer queries, grievances, complaints, and legal claims;

• to verify identity, prevent fraud, maintain platform security, and investigate abuse or suspicious activity;

• to comply with legal, regulatory, tax, accounting, audit, and law-enforcement obligations;

• to improve website functionality, customer experience, product offerings, and service quality using analytics and feedback;

• to send promotional or marketing communications, offers, festive campaigns, product updates, and recommendations, but only where appropriate notice has been provided and consent has been obtained where required;

• to maintain internal records and support business operations, reporting, and dispute resolution.

7. Legal Basis and Consent

Khoya Mithai collects, processes, stores, and shares Personal Information only with free, specific, informed, unconditional, and unambiguous consent obtained through clear affirmative action from the Data Principal, as required under Sections 6(1) and 6(3) of the DPDPA. Khoya Mithai will provide a clear and standalone notice before or at the time of collection, setting out the personal data being collected and the specific purpose of processing, and will seek consent through a clear affirmative action.

Consent will not be presumed through silence, inactivity, or pre-ticked boxes where an explicit affirmative action is required.

Where applicable under law, certain personal data may also be processed for legitimate and necessary operational purposes such as order fulfilment, fraud prevention, customer service, legal compliance, and contract performance, provided such processing remains lawful and proportionate.

A person may withdraw consent previously given by contacting the Privacy Team / Data Protection Contacts of Khoya Mithai through the details set out in this Privacy Policy, subject to the consequences of such withdrawal where the data is necessary to continue a requested service.

8. Children and Persons Under Disability

Khoya Mithai does not knowingly process personal data of children in violation of applicable law. The Platforms and their Services are not directed towards minors and children in the absence of consent of a parent or lawful guardian. Parents or legal guardians who believe that a child has provided personal data without authorization should immediately contact the Grievance Officer. Upon verification, such information shall be deleted in accordance with applicable law.

Khoya Mithai should also establish appropriate procedures for obtaining consent from a lawful guardian where personal data relates to a person with disability for whom such support is legally required.

9. Cookies and Tracking Technologies

Khoya Mithai may use cookies, pixels, SDKs, tags, local storage objects, and similar technologies for website functionality, security, analytics, and marketing.

These technologies may be categorised as:

• strictly necessary cookies for login, cart, checkout, security, and website operation;

• analytics cookies to understand traffic, user journeys, product interest, and website performance;

• advertising or marketing cookies to measure campaign performance and personalise promotions where permitted.

Non-essential cookies are deployed only after obtaining valid consent through a cookie banner or preference centre.

10. Sharing of Personal Data

Khoya Mithai may share personal data only on a need-to-know basis, with specific categories of Data Processors bound by contractual confidentiality and data protection obligations and only for lawful purposes.

Personal data may be shared with:

• website hosting, commerce-platform, cloud-storage, CRM, and IT service providers;

• payment gateways, payment processors, banks, and fraud-detection providers;

• logistics partners, courier companies, fulfilment teams, and delivery service providers;

• marketing, analytics, communication, and customer-engagement vendors, subject to appropriate consent where required;

• professional advisors, auditors, insurers, legal counsel, and compliance partners;

• government agencies, courts, regulators, or law-enforcement bodies where disclosure is required by law.

Khoya Mithai does not sell personal data to third parties in a manner contrary to applicable law.

11. Cross-Border Transfers

Khoya Mithai primarily stores and processes personal data on servers located within India in compliance with applicable laws. 

Where personal data is processed or stored outside India, including through cloud, SaaS, payment, analytics, or e-commerce infrastructure providers, Khoya Mithai will ensure that such transfers are made in accordance with Section 16 of the DPDP Act and other applicable Indian law and subject to contractual, technical, and organisational safeguards reasonably designed to protect the data.

Where required, Khoya Mithai will disclose the categories of overseas recipients and implement contractual commitments to ensure a comparable level of protection.

12. Retention of Personal Data

Khoya Mithai will retain personal data only for as long as necessary for the purpose for which it was collected, or for as long as required under applicable law, tax, accounting, dispute-resolution, or enforcement requirements.

Illustratively:

• account and profile data may be retained while the account remains active and for a reasonable period thereafter;

• order, invoice, tax, and financial records may be retained for the period required under tax, company, accounting, or limitation laws;

• customer-support and grievance records may be retained for as long as required to address complaints, defend claims, or comply with law;

• marketing preferences and opt-out records may be retained to ensure continued suppression where a person has unsubscribed.

Where retention is no longer necessary, personal data is deleted, anonymised, or securely disposed of in accordance with internal retention schedules and security procedures.

13. Data Principal / User Rights

Subject to applicable law and verification requirements, an individual has the right to:

• request a summary of personal data being processed;

• request correction, completion, or updating of inaccurate or incomplete personal data;

• request erasure of personal data where retention is no longer necessary or where consent has been withdrawn, subject to legal exceptions;

• withdraw consent for future processing based on consent;

• register a grievance with Khoya Mithai's Grievance Officer;

• nominate another person to exercise rights where permitted by applicable law.

Requests may be submitted using the contact details stated in this Privacy Policy. Khoya Mithai may take reasonable steps to verify identity before acting on a request.

Where personal data is essential for order processing or Service delivery, failure to provide such data may prevent access to certain Services or Platform features.

14. Grievance Redressal

Khoya Mithai maintains an adequate grievance redressal mechanism and ensures that the grievances of users are dealt with on priority. To that end, the name, designation, and contact details of its grievance officer are provided hereinbelow.

We attempt to acknowledge consumer complaints within 48 hours from receipt and address them within one month. Privacy grievances are handled within the timeline prescribed by applicable law or, where no specific timeline applies, within a reasonable period documented internally.

Grievances may be submitted to:
Grievance Officer: Utkarsh Sharma / General Manager of Operations
Email: contact@khoyamithai.com
Phone: +91 9910096940
Postal Address: D-21, 2nd Floor, Okhla Phase 1, New Delhi - 110020

15. Security Practices and Procedures

Khoya Mithai implements reasonable security practices and procedures appropriate to the nature of the personal data processed, including administrative, technical, physical, and organisational safeguards designed to protect against unauthorised access, disclosure, alteration, loss, misuse, or destruction.

Such safeguards may include role-based access controls, encryption, password controls, secure development and configuration practices, vendor due diligence, backups, incident logging, vulnerability management, and periodic audits or reviews.

Where sensitive personal data is processed, Khoya Mithai should ensure that its information security programme is documented and aligned with recognised standards and good industry practice.

16. Data Accuracy and User Responsibilities

A person providing personal data should ensure that the information submitted is true, complete, and accurate, and should promptly notify Khoya Mithai of any updates or corrections required.

Where a person shares recipient information, employee lists, or any other third-party personal data, that person must ensure it has the authority to share such data for the identified purpose.

17. Third-Party Services

The website may integrate or interact with third-party providers such as payment gateways, social-media services, analytics providers, review tools, maps, logistics providers, or embedded content vendors. Such providers may collect or process personal data independently in accordance with their own privacy policies.

Khoya Mithai bears no responsibility for the content, privacy practices, security, or data processing activities of third-party platforms. Users are advised to review the respective privacy policies before sharing personal data.

Khoya Mithai conducts vendor due diligence and ensures that processing contracts or equivalent safeguards are in place where required.

18. Data Breach Response

If Khoya Mithai becomes aware of a personal data breach, it shall assess the nature and scope of the incident, take immediate containment and remediation measures, document the event, and issue notifications to affected individuals and relevant authorities where required by applicable law.

19. Contact

For questions, complaints, consent withdrawal, unsubscribe requests, correction or deletion requests, or other privacy-related concerns, contact:

Privacy Team / Data Protection Contact: Digital Marketing Team
Email: contact@khoyamithai.com
Phone: +91 9910096940
Address: D-21, 2nd Floor, Okhla Phase 1, New Delhi - 110020

Last Updated: 28-05-2026