Privacy Policy

1. Introduction

This Privacy Policy ("Policy") is published by Namma Ashram Private Limited, a company incorporated under the Companies Act, 2013, having its registered office at Brigade Lakefront, Mahadevapura, Bangalore, 560048, India (CIN: U11049KA2024PTC186562) (the "Company", "we", "us", "our"), which owns and operates the website thecuriotable.in, any associated mobile-optimised platforms, booking widgets, WhatsApp/SMS booking channels, and point-of-sale systems (collectively, the "Platform"), and which carries on the business of dining, events, workshops, games, and experiential hospitality under the brand name "The Curio Table & Namma Ashram" ("Brand") at its venue located at Curiouscity Science Center, Kachamaranahalli, Thigala Chowdadenahalli, Sarjapur Road, Bengaluru, Karnataka 562125, and at any other venue it may operate from time to time (the "Venue").

This Policy explains how we collect, use, store, share, and protect personal data of individuals who browse the Platform, visit the Venue, or transact with us for table reservations, event or workshop tickets, games or activity bookings, memberships, gift vouchers, or any other product or service we offer from time to time (collectively, the "Services"). This Policy is published in compliance with, among other applicable laws, Section 43A of the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 (together, the "DPDP Law"), and Rule 4 of the Consumer Protection (E-Commerce) Rules, 2020.

A note on timing: the DPDP Law is being brought into force in phases notified by the Central Government, with consent-manager provisions effective from November 2026 and the core operational obligations (consent architecture, security safeguards, breach notification, retention, and erasure) effective from May 2027. Pending full applicability of those provisions, the Company continues to be bound by, and this Policy continues to reflect, the SPDI Rules. We have nonetheless drafted this Policy to align with the DPDP Law in advance, so that our practices remain consistent as each phase comes into force.

By accessing the Platform, visiting the Venue, making a Booking, or otherwise providing personal data to us, you confirm that you have read and understood this Policy. If you do not agree with this Policy, please refrain from using the Platform or providing personal data to us.

2. Definitions

"Booking" means any reservation, ticket purchase, registration, or order placed through the Platform or at the Venue.

"Data Principal" means the individual to whom the personal data relates (referred to as "you", "User", "Guest", or "Participant" in this Policy).

"Personal Data" means any data about an individual who is identifiable by or in relation to such data.

"Processing" means any operation performed on personal data, including collection, storage, use, sharing, and erasure.

"Sensitive Personal Data" means personal data revealing health conditions, allergies, biometric data, or similar categories that warrant heightened protection.

"Payment Partner" means any RBI-authorised payment aggregator, payment gateway, or banking partner engaged by the Company to process payments on the Platform.

3. Who We Are (Data Fiduciary Details)

4. Personal Data We Collect

This Section reflects the categories of personal data actually collected through the Platform's reservation, events, and contact flows, and is updated as those flows evolve (for example, as ticketing and payment features are added).

4.1 Identity and contact data: full name, mobile number, email address, and, where relevant to age-restricted Services such as alcohol service or age-gated events, date of birth or age confirmation.

4.2 Booking and reservation data: when you use our "Book / Reserve" flow, we collect the experience you select (such as Regular Dining, ticketed events, or, as these are introduced, Immersive Dining, Mystery Dining, or Curio Workshop sessions), your preferred date and time, party size, and, at the confirmation step, your name, mobile number, and email address. Where you choose to add a special request, dietary note, or allergy information (for example, in connection with our Mystery Dining experience, which expressly invites guests to flag allergies), we collect that information as well.

4.3 Sensitive personal data: dietary restrictions, food allergies, and any health, fitness, or medical information you choose to disclose in connection with a Booking, a workshop, or a physical game or activity. We collect this category of data only where you voluntarily provide it, treat it as sensitive personal data, and use it solely to personalise your experience and protect your safety, including by sharing it internally with kitchen or facilitation staff on a need-to-know basis.

4.4 Payment data: as we introduce online payment for table reservations, event and workshop tickets, games bookings, and memberships, payments will be processed by an RBI-authorised Payment Partner. We do not collect or store full card numbers, CVV, or UPI PINs; we receive only a tokenised transaction reference, the last four digits of the payment instrument (where applicable), payment status, and transaction identifiers.

4.5 Communications data: the content of messages and call records when you contact us through the channels we publish on the Platform, including WhatsApp (via our published WhatsApp number), phone calls to our listed number, and email to our published addresses, whether for a Booking query, support, or grievance redressal.

4.6 Device, usage, and technical data: when you browse the Platform, we and our hosting, content-delivery, and analytics infrastructure providers automatically collect IP address, browser and device type, operating system, pages visited, referral source, and, where you permit it, approximate location. The Platform is built and delivered using third-party website, hosting, and content-delivery infrastructure, which independently log standard technical request data as part of providing that infrastructure to us.

4.7 Social media and third-party platform interactions: links on the Platform to our Instagram page and to WhatsApp will take you to a third-party platform governed by that platform's own privacy policy, over which we have no control. We are not responsible for the data practices of those third-party platforms.

4.8 Venue surveillance data: for the safety and security of guests, staff, and property, CCTV recording operates in common and dining areas of the Venue (never in restrooms or similarly private areas). Footage is retained in accordance with Section 10.

4.9 Marketing preferences: where we introduce newsletter sign-up or other opt-in marketing features, we will collect and retain a record of your consent to, or opt-out from, such communications.

5. How We Collect Personal Data

We collect personal data: (a) directly from you, when you create an account, make a Booking, fill a form, or speak with our staff; (b) automatically, through cookies, analytics tools, and server logs when you use the Platform; and (c) from third parties, such as our Payment Partner confirming a successful transaction, a social-login provider if you choose to sign in via a third-party account, or a corporate or group organiser booking on your behalf.

6. Purposes for Which We Process Personal Data

We process personal data to: process and confirm Bookings; verify age where required by law (including for alcohol service and age-restricted events); process payments and prevent fraud; send Booking confirmations, reminders, and operational updates via email, SMS, or WhatsApp; provide customer support and respond to grievances; personalise your experience, including flagging allergens or accessibility needs internally to kitchen or facilitation staff; operate Venue safety and security systems, including CCTV; send marketing communications where you have opted in (and allow you to opt out at any time); comply with tax, FSSAI, excise, and other regulatory obligations and maintain statutory records; and establish, exercise, or defend legal claims.

We process personal data on the basis of your consent, for the performance of a contract with you (e.g., fulfilling a Booking), or as otherwise permitted as a legitimate use under the DPDP Law, such as compliance with a legal obligation.

7. Cookies and Tracking Technologies

The Platform uses essential cookies (required for the Platform to function, such as maintaining your Booking session), and, as we introduce them, performance and analytics cookies (to understand usage patterns), functional cookies (to remember your preferences), and marketing cookies (to measure the effectiveness of campaigns), the last of which will be set only with your consent. Where non-essential cookies are used, we will display a cookie consent banner on your first visit, allowing you to accept or manage them. You may also control cookies through your browser settings; disabling certain cookies may affect Platform functionality, including your ability to complete a Booking.

8. Disclosure of Personal Data to Third Parties

8.1 Service providers: our Payment Partner; SMS, WhatsApp, and email communication providers; the third-party platform, hosting, and content-delivery providers used to build and operate the Platform; analytics providers; and accounting, CRM, and ticketing software providers — each engaged under contractual confidentiality and data-protection obligations, and permitted to use personal data solely to provide the relevant service to us.

8.2 Event and workshop facilitators: where you book a session led by a third-party facilitator, we may share your name, contact details, and any relevant health or dietary information solely for the purpose of conducting that specific session.

8.3 Legal and regulatory authorities: courts, law-enforcement agencies, tax authorities, FSSAI, excise authorities, and the Data Protection Board of India, where required by applicable law or to establish, exercise, or defend our legal rights.

8.4 Business transfers: in connection with a merger, acquisition, restructuring, or sale of business assets, subject to the recipient being bound by protections at least equivalent to this Policy.

8.5 With your consent: for any other purpose for which you have given explicit consent.

We do not sell personal data to third parties for their independent marketing purposes.

9. Cross-Border Transfer of Data

Personal data may be processed on servers located in India or in other jurisdictions used by our cloud infrastructure or Payment Partner. Where personal data is transferred outside India, we take reasonable steps to ensure such transfer is permitted under the DPDP Law and is subject to contractual safeguards. Should the Central Government notify any restriction on transfer of personal data to specific countries or territories under the DPDP Law, we will comply with such restriction.

10. Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. As a general guide: Booking, invoice, and transaction records are retained for the period required under the Income Tax Act, 1961, the Central Goods and Services Tax Act, 2017, and the Companies Act, 2013 (currently up to eight years for certain financial records); CCTV footage is ordinarily retained for 30 to 90 days unless required for longer in connection with an ongoing investigation, dispute, or legal proceeding; marketing consent records are retained until you withdraw consent; and account data is retained until you request deletion or until three years of account inactivity, whichever is earlier, subject always to our legal retention obligations.

11. Data Security

We implement reasonable security practices and procedures, including encryption of data in transit, access controls limiting personal data access to authorised personnel on a need-to-know basis, periodic security reviews, confidentiality undertakings from employees and contractors who handle personal data, and an internal incident-response process. No method of electronic transmission or storage is completely secure, and while we take reasonable steps to protect your personal data, we cannot guarantee its absolute security. In the event of a personal data breach, we will take reasonable steps to assess and contain it and will notify the Data Protection Board of India and affected Data Principals in accordance with applicable law, including the breach-notification obligations under the DPDP Law as and when they come into force. Our liability in connection with the processing of personal data is, in any event, subject to the limitation of liability set out in Section 13 of our Website Terms of Use.

12. Minors

Alcohol is served only to individuals who are 21 years of age or older, the legal drinking age in Karnataka, and we may request valid government-issued photo identification from any guest who appears to be under that age. Certain games, workshops, or events may be designed for or open to children. Where a Booking involves a minor, we collect personal data of the minor only with the consent of, and through, a parent or lawful guardian, who will be treated as the primary point of contact for that Booking, in accordance with Section 9 of the Digital Personal Data Protection Act, 2023.

13. Your Rights

Subject to applicable law and its phased implementation, you have the right to: obtain a summary of the personal data we hold about you and the processing activities undertaken; request correction or completion of inaccurate or incomplete personal data; request erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to our legal retention obligations; withdraw consent at any time, without affecting the lawfulness of processing carried out before such withdrawal; nominate another individual to exercise these rights in the event of your death or incapacity; and raise a grievance regarding our processing of your personal data.

14. How to Exercise Your Rights / Grievance Redressal

To exercise any right described in Section 13, or to raise a grievance regarding the processing of your personal data, please write to admin@thecuriotable.in with the subject line "Privacy Request" or "Data Grievance," along with sufficient information for us to verify your identity. We will acknowledge your request within 48 hours and respond or resolve it within 30 days, consistent with the grievance-redressal timelines under the Consumer Protection (E-Commerce) Rules, 2020. If you remain dissatisfied, you may approach the Data Protection Board of India once its complaint-handling mechanism is operationalised, or any other competent authority or forum.

15. Marketing Communications

We send marketing communications only where you have opted in, and every marketing email and SMS includes a clear means to unsubscribe or reply "STOP." We do not make promotional calls to numbers registered on the National Customer Preference Register (NDNC) except where you have specifically consented to such communication, in line with TRAI's Telecom Commercial Communications Customer Preference Regulations.

16. Third-Party Links

The Platform may contain links to third-party websites or services, including our Payment Partner's hosted checkout page, social media platforms, and map services. We are not responsible for the privacy practices of such third parties, and we encourage you to review their respective privacy policies.

17. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices or applicable law. We will post the revised Policy on the Platform with an updated "Last Updated" date, and where changes are material, we will provide additional notice, such as a banner on the Platform or an email notification. Your continued use of the Platform after such changes take effect constitutes acceptance of the revised Policy.

18. Governing Law and Jurisdiction

This Policy is governed by the laws of India. Subject to Section 14 above and without prejudice to any statutory right you may have to approach the Data Protection Board of India, a consumer forum, or any other competent authority, the courts at Bengaluru, Karnataka shall have exclusive jurisdiction over any dispute arising out of or in connection with this Policy.

19. Contact Us

For general queries about this Policy or our data practices, write to community@thecuriotable.in. For grievances, escalations, or to exercise your rights as a Data Principal, write to admin@thecuriotable.in.

Namma Ashram Private Limited, operating "The Curio Table & Namma Ashram." Registered office: Brigade Lakefront, Mahadevapura, Bangalore, 560048.