Add Your Business

Privacy Policy

Last updated: November 29, 2025

This Privacy Policy describes how Firststudio (“we”, “us”, “our”) collects, uses, discloses, stores and protects personal data when you use our website, mobile applications and related services (collectively, the “Services”).

Table of Contents

  1. 1. Introduction & Scope
  2. 2. Definitions
  3. 3. Controller & Contact Details
  4. 4. Information We Collect (detailed)
  5. 5. How We Use Personal Data (purposes & examples)
  6. 6. Lawful Basis for Processing (GDPR Mapping)
  7. 7. Data Subject Rights & How to Exercise Them
  8. 8. Verification & Response Times
  9. 9. Automated Decision Making, Profiling & Recommendations
  10. 10. Cookies & Tracking Technologies (detailed)
  11. 11. Payments & Financial Data (Razorpay & PCI-DSS)
  12. 12. Data Security Measures (technical & organizational)
  13. 13. Data Retention, Archival & Deletion Schedules
  14. 14. Cross-Border Transfers & Safeguards (SCCs/BCRs)
  15. 15. Processors, Subprocessors & Third Parties
  16. 16. Children & COPPA / Age Restrictions
  17. 17. Data Protection Impact Assessments (DPIA) & ROPA
  18. 18. Breach Response Plan & Notification (72-hour rule)
  19. 19. Third-Party Links, Embedded Content & Social Logins
  20. 20. Legal Disclosures, Law Enforcement & Legal Holds
  21. 21. International & Regional Compliance (GDPR / CCPA / DPDPA)
  22. 22. Updates to This Policy
  23. 23. Contact, Grievance Officer & Supervisory Authority
  24. 24. Appendix: Retention Table & Technical Controls (summary)

1. Introduction & Scope

Firststudio is a marketplace and discovery platform connecting users with creative studios, artists and service providers (photography, music, tattoo, dance, art and related services). This Privacy Policy applies to all processing of personal data carried out by Firststudio in its capacity as a Controller or Processor in relation to the Services.

The policy covers data collected via our website, mobile applications, APIs, forms, email communications, events, phone, and any other channel where you provide data to Firststudio. The policy also describes the rights available to data subjects, the legal bases for processing, and the security measures we use to protect personal data.

2. Definitions

Personal Data
Any information that identifies, or can be used to identify, an individual directly or indirectly (name, email, IP address, location, etc.).
Processing
Any operation or set of operations performed on personal data (collection, storage, use, disclosure, erasure, analysis).
Controller
The entity which determines the purposes and means of processing personal data.
Processor
A service provider processing data on behalf of the Controller under contract (e.g., payment gateways, hosting providers).
DPIA
Data Protection Impact Assessment — a risk assessment for high-risk processing.

3. Controller & Contact Details

Controller: Firststudio (the legal company operating the Service).

Grievance / Privacy Officer:

Email: hello@firststudio.in

Phone: +91 9004040712

Address: 6th Floor, Building No. 3, Mindspace Airoli West, Mumbai, Maharashtra 400708, India

If you are in the EU and require an EU representative, we will provide contact details on request where applicable.

4. Information We Collect (detailed)

4.1 Account & Profile Data

  • Full name, username, display name
  • Email address and verified phone number
  • Profile photograph, bio, portfolio items (if you upload them)
  • Business/studio information for owners: business name, address, services, pricing

4.2 Transaction & Booking Data

  • Bookings, session times, booking history
  • Payment transaction metadata (amount, timestamp, invoice id)
  • Refund and dispute records

4.3 Authentication & Security Data

  • Hashed passwords and multi-factor authentication tokens
  • Login timestamps, IP addresses, device fingerprints
  • Fraud detection signals and abuse reports

4.4 Device, Usage & Analytics

We collect telemetry to diagnose problems, optimize performance and understand user behaviour:

  • IP address, device model, OS version, app version
  • Pages visited, features used, clickstream data
  • Crash logs, performance metrics

4.5 Location Data

With your explicit consent we collect precise GPS location on mobile devices. Website users may be located via IP address (approximate).

4.6 KYC, Identity & Verification Data

For owners and where required, we may collect government ID, business registration, tax ID and other documents to verify identity or eligibility to operate.

4.7 User-Generated Content

Reviews, ratings, messages, images and videos you voluntarily upload. Such content may be public depending on your settings.

4.8 Cookies & Third-Party Data

We receive information from third-party sources (social login providers, analytics vendors, advertising partners) and combine it with our own data.

5. How We Use Personal Data (purposes & examples)

  • To provide core platform functionality: account creation, searching studios, displaying listings, booking flows and messaging between users and studios.
  • Payments & billing: authorise transactions, generate invoices, process refunds and manage payout flows for studios (via Razorpay or other processors).
  • Safety & fraud prevention: detect abusive behaviour, verify identity for trust and safety, block fraudulent transactions.
  • Personalization & recommendations: suggest studios, services, and search results based on preferences and historical interactions.
  • Customer support & dispute resolution: handle complaints, cancellations, refunds and investigations.
  • Legal & compliance: comply with laws, respond to lawful requests, enforce our Terms and prevent misuse.
  • Analytics & product improvement: analyze usage to improve features, run A/B tests (where permitted), and produce aggregated operational metrics.
  • Marketing & communications: with your consent (where required), send promotional emails, offers and newsletters; enable opt-out functionality.

Examples: We use location data to show studios near you; we use booking history to surface preferred studios at the top of search results; we use payment metadata for refunds and tax reporting.

6. Lawful Basis for Processing (GDPR mapping)

For users in the European Economic Area (EEA), we rely on one or more lawful bases:

  • Contractual necessity: processing necessary to perform the service you requested (e.g., bookings).
  • Legal obligation: processing required to comply with law (e.g., tax, KYC).
  • Legitimate interests: fraud prevention, platform security, analytics — balanced against your rights.
  • Consent: where required for marketing, profiling and non-essential cookies — you may withdraw consent at any time.

Where we rely on legitimate interests, we perform balancing tests and document the justification in our ROPA.

7. Data Subject Rights & How to Exercise Them

Depending on applicable law, you may have the following rights:

  • Right of access: receive a copy of personal data we hold about you.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”): request deletion where legal grounds allow.
  • Right to restriction: ask that processing be limited.
  • Right to data portability: obtain a machine-readable copy of your data.
  • Right to object: object to processing based on legitimate interests or to direct marketing.
  • Right to withdraw consent: where processing is based on consent.
  • Right to lodge a complaint: contact your supervisory authority if you believe your rights are violated.

How to exercise: Email hello@firststudio.in with the subject “Data Subject Request” and provide: (a) your name, (b) account email, (c) description of request. We will verify your identity before fulfilling requests to protect privacy.

8. Verification & Response Times

We will acknowledge receipt of verifiable requests within statutory timeframes and provide a substantive response within 30 days for GDPR requests (may extend by 2 additional months for complex requests). For CCPA requests, we will comply with the statutory timeframes (usually 45 days with possible extension).

We may request proof of identity (government ID, recent utility bill). Unverified requests will be rejected for security reasons.

9. Automated Decision Making, Profiling & Recommendations

We use algorithms for personalization and recommendations (e.g., ordering search results). These processes are designed to improve user experience and are not the sole basis for legal decisions. Where automated decisions have legal or similarly significant effects, you have the right to request human review.

You may contact our Privacy Officer to request explanations of how decisions are made, and to request human intervention where applicable.

10. Cookies, Tracking & Analytics (detailed)

10.1 Cookie types

  • Essential: required for login, sessions and security.
  • Functional: store language or display preferences.
  • Analytics: Google Analytics or similar, used to measure and improve our Services.
  • Advertising / remarketing: third-party providers may deliver targeted ads.

10.2 Managing cookies

You can manage cookies via your browser settings or our cookie consent UI. Disabling non-essential cookies may reduce functionality.

10.3 Third-party trackers

Third parties (analytics, ad partners) operate under their own privacy policies. We do not control their cookie practices; review their policies for details.

11. Payments & Financial Data (Razorpay & PCI-DSS)

Payments are processed by certified third-party payment processors (e.g., Razorpay). We only store minimal transaction metadata necessary for receipts and refunds. We do not store full card numbers, CVV codes, or other sensitive payment details on our servers.

Payment processors are responsible for their own PCI-DSS compliance. Consult the payment provider’s privacy policy for specifics. We will use contractual and technical measures to ensure secure data flows to processors.

12. Data Security Measures (technical & organizational)

We implement reasonable and industry-standard security controls, including:

  • Encryption in transit (TLS) for all data transfers
  • Encryption at rest for sensitive personal data where appropriate
  • Role-based access control and least-privilege principles
  • Regular vulnerability scanning and penetration testing
  • Audit logs and monitoring for suspicious activity
  • Secure development lifecycle, code reviews and dependency checks
  • Data minimization, pseudonymization and hashing for sensitive fields

While we strive to protect personal data, no system is absolutely secure. You play a role in protecting your account (strong passwords, device security, avoid sharing credentials).

13. Data Retention, Archival & Deletion Schedules

We retain data only as long as necessary for legal, operational and business needs. This includes retention for tax, accounting, fraud prevention, and dispute resolution.

Retention summary (indicative)

Data categoryRetention periodReason
Account profileWhile account is active + 2 yearsService provision, support
Bookings & transactions7 years (varies by jurisdiction)Tax, audit, disputes
Analytics (raw)18 months (then aggregated)Product improvement
Logs & security events1–3 years depending on riskSecurity monitoring

Specific retention may vary by jurisdiction and legal requirement. Deleted accounts will have data erased or anonymized except where retention is required by law or for legitimate business reasons (e.g., to defend legal claims).

14. Cross-Border Transfers & Safeguards

We may transfer personal data to countries outside your jurisdiction (including India or the United States) to deliver the Services. Where transfers occur, we use appropriate safeguards such as EU Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other mechanisms recognized by data protection authorities.

Contact our Privacy Officer for details of specific transfers and safeguards.

15. Processors, Subprocessors & Third Parties

We engage processors to provide services such as payments, hosting, analytics, email, SMS, and customer support. We evaluate providers, enter into written contracts with appropriate data protection clauses, and require subprocessors to maintain security standards. A non-exhaustive list of categories of third-party partners include:

  • Payment processors (e.g., Razorpay)
  • Cloud & hosting providers (e.g., AWS, Vercel)
  • Analytics & performance (e.g., Google Analytics)
  • Notification providers (email/SMS)
  • Legal & professional advisors

If we change subprocessors we will update our documentation and provide notice where required.

16. Children & COPPA / Age Restrictions

Our Services are intended for persons aged 18 or older. We do not knowingly collect personal data from children under 18. If you believe we have collected personal data from a minor without parental consent, contact us immediately and we will take steps to remove that data.

17. Data Protection Impact Assessments (DPIA) & ROPA

For high-risk processing (large-scale profiling, precise location processing, sensitive data), we perform DPIAs to identify and mitigate risks. We maintain Records of Processing Activities (ROPA) documenting purposes, categories of data, recipients, and retention.

18. Data Breach Response Plan & Notification

We have an incident response plan. In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law and notify affected users without undue delay. Notifications will include the nature of the breach, categories of data affected, likely consequences, and mitigation steps.

19. Third-Party Links, Embedded Content & Social Logins

Our Services may contain links or embedded content (widgets) to third-party sites (e.g., maps, social logins). These third parties collect data under their own policies. We are not responsible for third-party content or privacy practices.

20. Legal Disclosures & Law Enforcement Requests

We may disclose personal data in response to lawful requests by public authorities, court orders, search warrants, or to comply with legal obligations. We will object to overbroad or unclear requests and require legal process where appropriate.

In some cases we may notify affected users unless prohibited by law or legal process.

21. International & Regional Compliance (GDPR, CCPA, DPDPA)

We strive to comply with major data protection frameworks:

  • GDPR (EU): We provide data subject rights, lawful bases, safeguards for transfers.
  • CCPA/CPRA (California): California residents may request access, deletion and opt-out of sales (we do not sell personal data).
  • DPDPA / India: Where applicable, we follow local requirements for lawful processing, purpose limitation and notice.

This does not create contractual obligations beyond applicable laws. Contact us for jurisdiction-specific inquiries.

22. Updates to This Policy

We may update this Privacy Policy to reflect changes to our practices, legal requirements or our Services. We will post the updated policy with a new “Last updated” date. For material changes we will provide additional notice (email or in-app) as required by law.

23. Contact, Grievance Officer & Supervisory Authority

Data Protection / Grievance Officer: hello@firststudio.in

Phone: +91 836 987 6234

Address: 6th Floor, Building No. 3, Mindspace Airoli West, Mumbai, Maharashtra 400708, India

If you are based in the EU, you may also lodge a complaint with your local supervisory authority.

24. Appendix — Retention Table & Technical Controls (summary)

A. Technical Controls Summary

  • Authentication: OAuth 2.0 / JWT for API access, MFA support.
  • Encryption: TLS 1.2+ minimum for data in transit; AES-256 for sensitive data at rest.
  • Hosting: Certified cloud provider with geographical segregation (where required).
  • Monitoring: Continuous security monitoring and alerting integration.

*See Section 13 for the full retention table.