Ragi.design
Legal — Compliance

Global Compliance
Standards we operate under.

A single-page reference to the payment, data-protection and international-remittance standards Ragi.design operates under. Prepared to support due diligence by clients, auditors, banks and payment partners.

Effective[Add effective date]
EntityRagi Media Pvt Ltd
JurisdictionBengaluru, India
01Payment card security — PCI DSS

All card payments to Ragi.design are processed by Razorpay Software Pvt Ltd, which is certified as a PCI DSS Level 1 service provider — the highest level of payment card security assessment under the Payment Card Industry Data Security Standard. Ragi.design does not itself store, process or transmit cardholder data on its own servers; the payment page is hosted and secured entirely by Razorpay's compliant environment.

02Reserve Bank of India (RBI) — payment aggregator regulation

Razorpay operates as an authorised Payment Aggregator under the RBI's Guidelines on Regulation of Payment Aggregators and Payment Gateways (originally issued March 2020, as periodically amended). Our merchant onboarding, transaction reconciliation and settlement follow these guidelines, including nodal-account settlement and prescribed transaction reporting.

03Strong Customer Authentication — 3DS2 / PSD2

Card payments are authenticated using 3D Secure 2.0 (3DS2) protocols where issued by the cardholder's bank. For payments originating from the European Economic Area and the United Kingdom, we apply Strong Customer Authentication as required by the revised Payment Services Directive (PSD2) — meaning a two-factor challenge combining something the customer knows, has or is, unless a valid regulatory exemption applies.

04Foreign Exchange Management Act (FEMA)

Cross-border payments received by Ragi Media Pvt Ltd for services rendered are handled in accordance with the Foreign Exchange Management Act, 1999 and directions issued by the RBI thereunder. Foreign inward remittances are received through authorised banking channels and reported under the appropriate purpose codes, with FIRC (Foreign Inward Remittance Certificate) or eBRC available to clients on request.

05GST and cross-border services

Ragi Media Pvt Ltd is registered under the Goods and Services Tax Act (GSTIN: [Add GSTIN]). Services delivered to clients in India attract GST at the applicable rate. Services delivered to clients outside India and paid for in convertible foreign exchange are treated as export of services and are zero-rated where the conditions of the IGST Act are satisfied.

06Data protection — DPDP Act (India)

Personal data collected from clients is processed under the Digital Personal Data Protection Act, 2023 (DPDP Act). Ragi Media Pvt Ltd acts as a Data Fiduciary and adheres to the principles of lawful purpose, notice, informed consent, purpose limitation, data minimisation, accuracy, storage limitation and reasonable security safeguards.

07Data protection — GDPR (European Economic Area & UK)

For clients based in the EEA or the United Kingdom, we process personal data under the EU General Data Protection Regulation (GDPR) and the UK GDPR. We rely on the lawful bases of consent, contract performance and legitimate interest, as appropriate. Standard Contractual Clauses are executed with any sub-processor that transfers EEA data outside the EEA.

08Data protection — CCPA / CPRA (California)

For clients resident in California, we recognise the rights to know, delete, correct, opt out of sale (we do not sell personal data), and limit use of sensitive personal information under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

09AML / KYC

Razorpay conducts KYC on Ragi.design as a merchant under RBI norms. For high-value engagements or unusual transaction patterns, Razorpay may seek additional information from the payer. We cooperate fully with any legitimate anti-money-laundering enquiry from a regulated financial institution.

10Security practices

Baseline security controls we operate:

  • TLS 1.2+ enforced across the site and all API endpoints
  • HTTPS-only cookies and secure headers (HSTS, X-Content-Type-Options, Referrer-Policy)
  • Least-privilege access to internal tools; MFA on all administrative accounts
  • Encrypted backups with retention consistent with tax and contractual obligations
  • Documented incident response process with defined breach-notification timelines
11Retention and deletion

Personal data is retained only as long as required for the purpose collected and to meet statutory obligations (typically eight years for tax records in India). On expiry, data is either securely deleted or irreversibly anonymised. Deletion requests are actioned within thirty days, subject to legal-hold exceptions.

12Contact — data protection & compliance

Data protection queries: privacy@ragimedia.com

Compliance and audit queries: compliance@ragimedia.com

Payment-related queries: accounts@ragimedia.com

This page is provided for reference and is updated as regulations evolve. It does not constitute legal advice.

Start a project

A brief. An idea.
A problem worth solving.

One-day reply. 15-minute intro call.