Privacy Policy.

01 Who we are

Kura is a specialty coffee café operating in Indiranagar, Bangalore. The website at www.kuracafe.in and the café itself are operated by Gem Cap Synergy ("Kura," "we," "us," or "our").

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have. It is written in accordance with the Information Technology Act, 2000 and the rules made under it, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023.

02 What we collect

We collect only the data we need to run the café and serve you well.

When you visit our website

• Pages visited, time spent, and approximate location (city-level) from your IP address.
• Device type, browser, and operating system.
• Referrer and search terms used to reach us.

When you apply for a job

• Your full name, email, and phone number.
• The role you are applying for and your years of experience.
• Your résumé or CV (PDF or Word document).
• Your cover note, if you choose to write one.

When you visit the café

• Reservation details (name, phone, party size, special requests) if you make a booking.
• Payment information processed by our payment gateway. We do not store full card numbers; only the last four digits and a transaction reference are kept.
• CCTV footage of public areas, for safety and security only.

When you contact us

• The contents of your email, message, or feedback, and any contact details you choose to share.

03 Why we collect it

• To operate the café and serve you. Reservations, orders, payments, feedback.
• To consider you for a job. If you apply, your data is used solely to evaluate your application, communicate with you about the role, and — if hired — to onboard you.
• To improve the website and the experience. Anonymous, aggregated analytics tell us which pages are useful and where we are losing visitors.
• To meet legal and regulatory obligations. Tax invoices under GST, FSSAI hygiene compliance, employment law for hired staff, and record-keeping required by the Companies Act and the Income-tax Act.
• To protect the café and our guests. Limited CCTV and incident logs.

04 Lawful basis

We process your personal data under one of the following lawful bases recognised by Indian law:

• Your consent. Given freely when you submit a form, make a reservation, or email us.
• The performance of a contract. When you order from us or apply for a role you have offered to take up.
• Compliance with a legal obligation. Tax records, hygiene records, employment compliance.
• Our legitimate interests. Such as keeping the café safe, preventing fraud, and improving our service — balanced against your rights.

05 Who we share it with

We share your data only with the small number of service providers we need to operate.

• Notion (notion.so) — where we keep our recruitment records.
• Vercel (vercel.com) — where this website is hosted.
• Our email provider — for transactional emails such as the application acknowledgement.
• Our payment gateway and bank — to process card and UPI transactions in the café.
• Government authorities — only when required by Indian law (for example, tax filings, FSSAI inspections, or a lawful court order).

Each of these providers is contractually required, or required by law, to protect your data and use it only for the purposes we have set.

Cross-border transfers. Some of our service providers (such as Notion and Vercel) may store data on servers outside India. When this happens, we rely on the protections those providers offer under their own data-protection commitments and, where applicable, on standard contractual safeguards.

06 How long we keep it

• Job applications — up to 24 months from the date of application, after which records are deleted, unless you are hired (in which case employment-record retention applies).
• Reservation records — up to 12 months.
• Payment and tax records — at least 8 years, as required by the Companies Act and the Income-tax Act.
• CCTV footage — up to 30 days, unless extended for an incident under investigation.
• Email and contact correspondence — up to 36 months.
• Anonymous analytics — up to 26 months.

You may ask us to delete your data earlier, subject to legal retention obligations. See your rights below.

07 How we keep it safe

We follow the reasonable security practices required by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

• Data in transit is encrypted using TLS.
• Access to personal data is restricted to a small number of authorised staff on a need-to-know basis.
• Service providers we use are reputable companies with their own published security commitments.
• We review our practices periodically and on any reported security incident.

No system is perfect. If we ever become aware of a personal data breach that affects you, we will notify you and the Data Protection Board of India in accordance with the law.

08 Your rights

You have the following rights in relation to your personal data:

• Access. Ask for a summary of the personal data we hold about you.
• Correction. Ask us to correct any data that is wrong, incomplete, or out of date.
• Erasure. Ask us to delete your data, subject to the retention obligations above.
• Withdraw consent. Withdraw the consent you gave us for any purpose, at any time. Withdrawing consent does not affect the lawfulness of past processing.
• Nominate. Nominate another person to exercise your rights on your behalf in the event of your death or incapacity.
• Grievance redressal. Raise any concern with our Grievance Officer (see section 12).

To exercise any of these rights, email us at kiran@gemcapsynergy.com with the subject line "Privacy request". We respond within thirty days.

09 Cookies & analytics

Our website uses a small number of cookies and similar technologies:

• Strictly necessary — to remember where you are in a form or page and to keep the site working. These cannot be turned off.
• Analytics — anonymous traffic measurement (Vercel Analytics) that tells us which pages are useful. No personal data is collected through this.

We do not use cookies for advertising. You can clear cookies at any time in your browser settings.

10 Children's data

Our website and recruitment service are not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has submitted data to us, please write to our Grievance Officer and we will delete it.

11 Updates to this policy

We may update this Privacy Policy from time to time — for example, when we add a new service or when the law changes. The "Last updated" date at the top of this page reflects the most recent change. For material changes, we will draw your attention to them on the website. Continued use of the website or the café after a change means you accept the updated policy.

12 Grievance officer & contact

If you have any question about this policy, or any complaint about how we have handled your personal data, please contact our Grievance Officer.

If you are not satisfied with our response, you may complain to the Data Protection Board of India once it has been constituted under the Digital Personal Data Protection Act, 2023.