Trust, Security & Privacy

Customer accounts use email/password or Google sign-in. Sessions are managed by our authentication provider and stored only in your browser.

Admin features are gated by server-side role checks — client-side flags alone never grant access.

Online payments are processed by Razorpay. We never see or store full card numbers, UPI PINs, or net-banking credentials on our servers.

Every payment is verified server-side by validating Razorpay's signed response before an order is marked paid.

To fulfil orders we collect your name, shipping address, phone, email and order history. Guest checkout is supported — an account is not required to place an order.

Order data is stored in our managed backend with row-level access policies so signed-in customers see only their own orders.

Guest customers track orders by entering their order number together with the email or phone used at checkout. The lookup runs server-side and returns masked contact details only — it never exposes another customer's information.

• Razorpay — payment processing
• Shiprocket — shipping & tracking
• Supabase (Lovable Cloud) — database, auth & storage

We share with each provider only the data needed to deliver your order.

To request a copy or deletion of your data, or to report a security concern, email support@joytoys.in. We respond to verified requests within a reasonable timeframe.