Privacy Policy
Storepecker by Tech101 Informatics Private Limited
CIN: U62090KL2023PTC084901
Last Updated: May 2025 | Effective Date: May 2025
1. Introduction & Scope
This Privacy Policy (“Policy”) is published by Tech101 Informatics Private Limited, a company incorporated under the Companies Act, 2013 (hereinafter referred to as “Storepecker”, “Company”, “we”, “our”, or “us”).
Storepecker is a multi-tenant Software-as-a-Service (SaaS) e-commerce platform that enables brands and direct-to-consumer (D2C) sellers to create, manage, and operate their own branded online stores. Our services include website building, domain hosting, payment gateway integrations, shipping partner integrations, inventory management, and order management. We are not a marketplace and do not operate as one.
Our services are available globally. While our primary operations are based in India, merchants and their customers from around the world may use the Platform.
This Policy describes how we collect, use, store, process, and protect personal data in compliance with:
The Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)
The Digital Personal Data Protection Act, 2023 (DPDP Act)
The Consumer Protection Act, 2019
Any other applicable laws and regulations in force
By accessing or using the Platform in any capacity — whether as a Merchant, End Customer, or visitor — you confirm that you have read, understood, and agree to be bound by this Policy. If you do not agree, please discontinue use of the Platform immediately.
This Policy does not govern the independent privacy practices of Merchants operating stores on the Platform. Merchants are independent data fiduciaries with respect to personal data they collect from their End Customers and are solely responsible for their own compliance with applicable data protection laws.
2. Definitions
For the purposes of this Policy, the following terms shall have the meanings ascribed to them below:
Data Fiduciary: Any person who alone or in conjunction with others determines the purpose and means of processing of personal data, as defined under the DPDP Act, 2023.
Data Principal: The individual to whom the personal data relates, as defined under the DPDP Act, 2023.
Data Processor: Any person who processes personal data on behalf of a Data Fiduciary, as defined under the DPDP Act, 2023.
Merchant / Store Owner: An individual or business entity that registers on the Platform to create and operate an online store, manage inventory, process orders, and conduct e-commerce activities.
End Customer / Buyer / Shopper: An individual who browses, purchases products from, or otherwise interacts with a store hosted on the Platform.
Merchant Data: All personal data and information provided by or generated in relation to a Merchant, including account registration details, business information, store configuration data, transaction records, analytics data, and communications.
End Customer Data: All personal data and information provided by or generated in relation to an End Customer, including order information, shipping addresses, payment references, and browsing activity on Merchant stores.
Personal Data: Any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023.
Processing: Includes collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction of data.
Sensitive Personal Data or Information (SPDI): Such personal information as defined under the SPDI Rules, 2011, including passwords, financial information, health data, biometric data, and sexual orientation.
Platform Data: Aggregated, anonymised, or de-identified data derived from the use of the Platform that does not identify any individual.
3. Data We Collect
3.1 Data Collected from Merchants
When you register and use Storepecker, we collect the following categories of data:
| Category | Specific Data Points | Purpose |
|---|---|---|
| Identity Data | Full name, email address, phone number, country code | Account creation, authentication, communication |
| Business Data | Business/store name, address, GSTIN/PAN (if provided), store category | Store setup, tax compliance, platform operation |
| Authentication Data | Email-password credentials (hashed), OTP records, session tokens, push notification tokens | Secure access, notifications |
| Store Configuration Data | Store themes, customisations, templates, domain preferences, shipping and tax configurations | Service delivery |
| Financial Data | Subscription plan details, billing records, payment gateway merchant credentials (Razorpay/Stripe/PhonePe merchant IDs) | Subscription management, payment processing |
| Activity Data | Login timestamps, last activity records, platform usage across web/iOS/Android, onboarding status | Service improvement, support |
| Communication Data | WhatsApp Business account details, notification preferences, support interactions | Order notifications, customer communication |
3.2 Data Collected from End Customers (Buyers)
When buyers transact on stores built on Storepecker’s infrastructure, the following data is stored on our servers on behalf of the Merchant:
| Category | Specific Data Points | Purpose |
|---|---|---|
| Identity Data | Name, email address, phone number, country code | Account creation on Merchant stores, order processing |
| Address Data | Shipping address, billing address, city, state, country, PIN code | Order fulfilment, delivery |
| Order Data | Order details, product selections, order status, order history, applied coupons | Order processing and fulfilment |
| Payment Reference Data | Payment transaction IDs, payment status, payment method references (full card numbers and CVV are never stored) | Payment verification, refund processing |
| Browsing Data | Store pages visited, products viewed, cart activity | Internal platform analytics |
| Review Data | Product reviews and ratings | Display on Merchant stores |
Storepecker uses End Customer data solely for internal platform analytics to improve performance and features. We do not use buyer data for advertising, profiling, or any commercial purpose. Buyer data is never sold and never shared with external parties.
3.3 Data Collected Automatically
From all users interacting with the Platform, we may automatically collect:
Device Information: Device type, operating system, browser type and version, screen resolution
Log Data: IP addresses, access timestamps, referring URLs, pages viewed, actions taken, error logs
Cookie and Tracking Data: Session identifiers, authentication tokens, and preferences (see Section 13)
3.4 Data We Do NOT Collect
We do not knowingly or intentionally collect:
Full payment card numbers, CVV/CVC codes, or complete bank account details — these are processed directly by third-party payment gateways and never touch our servers in unmasked form
Government-issued identity documents unless specifically required for regulatory compliance and separately consented to
Biometric data of any kind
Data relating to caste, tribe, religious or political beliefs, unless voluntarily provided and not solicited by the Platform
4. Lawful Basis for Processing
We process personal data on the following lawful bases under the DPDP Act, 2023 and applicable Indian law:
Consent: Where you have given clear, informed consent for specific processing activities, including at the time of account registration and when using Platform features. Consent is obtained through affirmative action.
Contractual Necessity: Processing necessary for the performance of a contract to which you are a party — including providing Platform services, processing orders, managing subscriptions, and fulfilling service obligations.
Legitimate Uses: Processing for legitimate uses as prescribed under Section 7 of the DPDP Act, 2023, including compliance with law, court orders, government directives, and safety-related purposes.
Legal Obligation: Processing necessary for compliance with applicable laws, including the IT Act, tax laws, the Companies Act, and directions from regulatory authorities.
The Company reserves the right, at its sole and absolute discretion, to determine the manner, methods, and purposes of internal data processing — including the selection of analytical tools, machine learning models, and processing workflows — within the bounds of applicable law and this Policy.
5. How We Use Your Data
5.1 Primary Service Delivery
Operating and maintaining the Platform and all associated services
Creating, managing, and authenticating user accounts
Processing and fulfilling orders placed through Merchant stores
Facilitating communication between Merchants and their End Customers via WhatsApp, SMS, and email
Processing subscription payments and managing Merchant billing
Providing customer support and resolving disputes
5.2 Internal Processing & Platform Improvement
The Company processes data internally for the following purposes:
Analytics & Insights: Generating aggregated analytics, dashboards, and reports for Merchants regarding store performance, sales trends, customer behaviour, and inventory.
System Improvement: Improving Platform features, performance, reliability, scalability, and user experience based on usage patterns and feedback.
Machine Learning & AI: Training and improving machine learning models, recommendation engines, fraud detection algorithms, and automated systems. This processing is conducted on aggregated or anonymised data wherever feasible, and on identifiable data only where strictly necessary.
Security & Fraud Prevention: Detecting, preventing, and responding to fraud, security incidents, technical issues, and violations of our Terms of Service.
Research & Development: Conducting internal research, testing, and development of new features and products.
Compliance & Audit: Maintaining records for internal auditing, regulatory compliance, and legal proceedings.
All internal processing described above is conducted exclusively by the Company and its authorised personnel. No personal data is shared with external parties for these purposes.
5.3 Communications
Transactional communications (order confirmations, shipping updates, payment receipts) — essential to service delivery and cannot be opted out of while using the Platform.
Service announcements (maintenance schedules, policy updates, security alerts).
Promotional communications — only with explicit opt-in consent, and subject to opt-out at any time.
6. Payment Gateway & Shipping Partner Integrations
Storepecker provides technology integrations with the following third-party providers to enable Merchants to accept payments and manage deliveries:
6.1 Payment Gateways
Razorpay
PhonePe Payment Gateway
Stripe
Tabby
Storepecker provides technology integration only. We do not process, store, or control payment transactions. All payment data is handled directly by the respective payment gateway under their own terms, privacy policies, and PCI-DSS compliance obligations. Payment gateway transaction fees are determined and collected solely by the respective providers and are entirely outside Storepecker’s control.
6.2 Shipping Partners
Shiprocket
Delhivery
iCarry
Shipping and logistics data shared with these partners is governed by their respective privacy policies. Storepecker facilitates the integration but is not responsible for how these partners handle data transmitted to them. We encourage Merchants to review the terms and privacy policies of all integrated partners.
7. Data Sharing & Disclosure — Strict No External Sharing Policy
The Company maintains a strict policy of NOT sharing, selling, renting, leasing, or otherwise disclosing personal data to any external third party for their independent use, marketing, or commercial purposes.
No Sale of Data: We do not sell personal data under any circumstances.
No Third-Party Marketing: We do not share personal data with third parties for their marketing or advertising purposes.
7.1 Authorised Data Processors (Not Data Sharing)
The following do not constitute data sharing but rather processing by authorised service providers acting strictly under our instructions and contractual obligations:
Payment Gateway Providers (Razorpay, PhonePe, Stripe, Tabby): Payment data is transmitted to these providers solely for processing transactions. We do not transmit more data than is strictly necessary.
Cloud Infrastructure (Amazon Web Services — AWS): Our Platform is hosted on AWS infrastructure. AWS acts as a data processor providing hosting, storage, and content delivery services only.
Communication Service Providers: SMS gateway, WhatsApp Business API (Meta Platforms), and email delivery services — used solely for sending transactional and, where consented, promotional communications.
Error Monitoring (Rollbar): Used solely for detecting and resolving technical errors. Only minimal technical error data — never full personal data payloads — is transmitted.
All data processors are bound by written contractual agreements specifying the scope and limitations of processing, obligations of confidentiality, requirements to implement appropriate technical and organisational security measures, and prohibitions on using data for any purpose other than providing services to the Company. These agreements are consistent with the requirements of the DPDP Act, 2023 and applicable Indian law.
7.2 Mandatory Legal Disclosure
The Company may disclose personal data to governmental authorities, law enforcement agencies, or courts ONLY when required by a valid and enforceable legal obligation, including court orders, subpoenas, warrants, or statutory directions under the IT Act, DPDP Act, or other applicable law; or when necessary to prevent, detect, or investigate fraud or crimes.
Every instance of legal disclosure shall be documented in a written record maintained by the Company, including: the identity of the requesting authority, the legal basis for the request, the date and time of disclosure, the nature and scope of data disclosed, and the Company officer who authorised the disclosure. These records shall be maintained for a minimum of eight (8) years.
7.3 Merchant-to-End Customer Data Flow
When an End Customer places an order on a Merchant’s store, the Merchant receives the customer’s name, phone number, email (if provided), and shipping address as necessary for order fulfilment. Merchants are independent data fiduciaries with respect to their End Customer data and are solely responsible for its protection and lawful processing. Merchants are prohibited from using End Customer data for any purpose other than order fulfilment and legitimate store operations.
7.4 Cross-Border Transfers
While our primary infrastructure is based in India, data may be transferred outside India in certain limited circumstances — where third-party service providers (such as Stripe) process data in other jurisdictions, where required for content delivery via global CDN nodes, or where required by law. Any cross-border transfer shall comply with Section 16 of the DPDP Act, 2023, and shall not be made to any country restricted by the Central Government of India. Appropriate contractual safeguards will be in place for all such transfers.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide our services. Specific retention periods are as follows:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account registration data | Duration of account + 90 days after deletion | Service delivery |
| Transaction and order records | 8 years from date of transaction | Tax laws, Companies Act, IT Act |
| Payment and billing records | 8 years from date of transaction | Financial regulatory requirements |
| Server and access logs | 180 days from creation | Security, debugging, CERT-In directives |
| Communication records | 3 years from date of communication | Dispute resolution |
| Support tickets | 3 years from resolution | Quality assurance |
| Buyer analytics data | Retained in anonymised form indefinitely | Platform research and improvement |
Data required to be retained under applicable law, data subject to ongoing disputes or legal proceedings, and anonymised or aggregated data that no longer identifies any individual are exempt from deletion requests. Anonymised data may be retained and used for analytics and research without restriction.
You may request deletion of your account at any time through your profile settings or by writing to us. Upon deletion, your personal data will be removed within ninety (90) days, subject to the exceptions above.
9. Data Security
The Company implements reasonable security practices and procedures as required under Section 8 of the DPDP Act, 2023 and Rule 8 of the SPDI Rules, 2011.
9.1 Technical Measures
Encryption of data in transit using TLS/SSL protocols
Encryption of data at rest using AES-256 or equivalent industry-standard algorithms for sensitive data
Secure cloud hosting on AWS infrastructure with ISO 27001, SOC 2, and PCI-DSS certifications
Multi-tenant data isolation — each Merchant store’s data is logically segregated and access-controlled, preventing cross-tenant data leakage
Secure authentication mechanisms including password hashing, OTP verification, and session token management
Database architecture with access controls restricting write operations
Regular security patching and updates
9.2 Organisational Measures
Role-based access controls limiting data access to authorised personnel on a need-to-know basis
Confidentiality obligations for all employees and contractors
Security incident response procedures
Periodic review of security practices
Despite reasonable security measures, no method of electronic transmission or storage is completely secure. The Company cannot guarantee absolute security of data transmitted to or stored on the Platform. Users acknowledge the inherent risks of internet-based data transmission and are responsible for maintaining the confidentiality of their login credentials, API keys, and authentication tokens.
Storepecker will never ask for your password, payment PIN, or banking credentials via email, phone, or any other channel. If you receive such a request claiming to be from Storepecker, do not respond and report it to us and to the appropriate law enforcement authority immediately.
10. Data Breach Notification
In the event of a personal data breach that is likely to cause harm to Data Principals, the Company will:
Notify the Data Protection Board of India (or such authority as may be constituted under the DPDP Act) in the manner and within the timeframe prescribed by applicable law.
Notify CERT-In within six (6) hours of becoming aware of the breach, as required under the CERT-In Directions of April 2022, where the breach constitutes a cybersecurity incident.
Notify affected Data Principals without unreasonable delay, providing: a description of the nature of the breach, the categories and extent of data affected, measures taken to address the breach, and recommendations for affected users.
The Company maintains an internal data breach register documenting all confirmed and suspected breaches, including the facts, effects, and remedial actions taken.
10.2 Merchant Obligations on Breach
Merchants who become aware of any actual or suspected data breach affecting their store’s End Customer data — which is stored on Storepecker’s infrastructure — must notify Storepecker immediately and in any event within twenty-four (24) hours of becoming aware of the breach, by contacting the Grievance Officer at amisha@storepecker.me. The notification must include: a description of the nature of the breach, the categories and approximate number of End Customers affected, and any steps already taken or proposed to address the breach.
Failure by a Merchant to notify Storepecker of a breach in a timely manner may constitute a material violation of these Terms and applicable law, and the Merchant shall bear full liability for any resulting harm to End Customers or regulatory penalties.
11. Your Rights
In accordance with the DPDP Act, 2023, Data Principals have the following rights:
Right of Access: Obtain confirmation of whether the Company is processing your personal data, and if so, access a summary of such data and processing activities.
Right to Correction & Erasure: Request correction of inaccurate, incomplete, or outdated data, and erasure of data that is no longer necessary for the purpose for which it was collected.
Right to Grievance Redressal: Have grievances addressed by our Grievance Officer and, if unresolved, approach the Data Protection Board of India.
Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.
Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of the above rights, please submit a written request to our Grievance Officer at the contact details in Section 17. We will verify your identity before processing the request and respond within thirty (30) days. The exercise of rights may be limited where compliance requires disproportionate effort, where data retention is required by law, or where a request is manifestly unfounded or excessive.
12. Consent
Merchants provide consent at the time of account registration and by agreeing to this Policy and the Terms of Service (available at https://www.storepecker.com/terms-of-service). End Customers provide consent when creating accounts on Merchant stores or placing orders. Merchants are solely responsible for ensuring they have obtained adequate, informed, and documented consent from their End Customers for all data processing activities related to their store operations, in compliance with applicable law.
Consent may be withdrawn at any time by submitting a written request to the Grievance Officer or by using the account deletion functionality on the Platform. Withdrawal of consent shall be as easy as the giving of consent, and the Company will cease consent-based processing within thirty (30) days. Withdrawal may result in the inability to use certain or all Platform features.
Withdrawal of consent does not affect: the lawfulness of processing carried out prior to withdrawal; processing carried out on other lawful bases such as legal obligation or contractual necessity; or the Company’s right to retain data required under applicable law.
13. Cookies & Tracking Technologies
The Platform uses cookies and similar technologies for the following purposes:
Essential Cookies: Session management, authentication, security tokens, CSRF protection. These are strictly necessary for the Platform to function and cannot be disabled.
Functional Cookies: Remembering user preferences, language settings, and store customisation choices.
Analytics Cookies: Collecting aggregated usage data to understand how users interact with the Platform and improve user experience. This data is processed internally and is not shared with third-party analytics providers for their independent use.
By using the Platform, you consent to the use of essential and functional cookies. You may manage or disable non-essential cookies through your browser settings, though this may impair certain functionalities. The Company does not use third-party advertising cookies or tracking pixels for behavioural advertising.
14. Children’s Privacy
The Platform is not directed at children under the age of eighteen (18) years. We do not knowingly collect personal data from children under 18.
In compliance with Section 9 of the DPDP Act, 2023, before processing personal data of a child, the Company requires verifiable consent of the parent or lawful guardian. The Company shall not undertake processing of personal data that is likely to cause any detrimental effect on the well-being of a child, and shall not engage in tracking, behavioural monitoring, or targeted advertising directed at children.
If we become aware that we have collected personal data from a child under 18 without verifiable parental consent, we will take steps to delete such data promptly. Parents or guardians who believe their child’s data has been collected without consent should contact the Grievance Officer immediately.
15. Aggregated & Anonymised Data
The Company may create aggregated, anonymised, or de-identified datasets from personal data collected through the Platform. Once data has been irreversibly anonymised such that it cannot, directly or indirectly, identify any individual — either alone or in combination with other data — it ceases to be personal data within the meaning of the DPDP Act and this Policy.
The Company retains full, unrestricted rights to use, process, analyse, publish, and derive commercial value from anonymised and aggregated data, including for benchmarking, industry reports, and research publications. This right is not affected by account deletion, consent withdrawal, or termination of a Merchant’s subscription.
Merchants expressly acknowledge and agree, through their acceptance of the Terms of Service and this Policy, that Storepecker may use anonymised and aggregated data derived from their store activity for the purposes described above.
16. Changes to This Policy
The Company reserves the right to update or modify this Policy at any time. For material changes that significantly alter how we process personal data, we will provide notice through a prominent notice on the Platform, email notification to registered users where feasible, and in-app notification for active users. The “Last Updated” date at the top of this document will always reflect the most recent version.
Continued use of the Platform after the posting of changes constitutes acceptance of the revised Policy.
17. Grievance Redressal & Contact
In accordance with Rule 5(9) of the SPDI Rules, 2011 and the DPDP Act, 2023, the Company has appointed the following Grievance Officer:
Amisha VS
Growth Manager — Tech101 Informatics Private Limited
First Floor, Oasis Arcade, Edachira, Kakkanad, Kerala — 682030
Email: amisha@storepecker.me
Phone: +91 9995548521
Available: Monday to Friday, 10:00 AM – 6:00 PM IST
The Grievance Officer shall acknowledge receipt of a grievance within forty-eight (48) hours and endeavour to resolve it within thirty (30) days from the date of receipt. If the grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India under the DPDP Act, 2023, or such other authority as may be appropriate under applicable law.
18. Governing Law
This Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts at Ernakulam, Kerala, India.