Privacy Policy

Shopoly is operated by [Red Fig TechnologiesPvt. Ltd.] (“Shopoly”, “we”, “us”), an entity registered in India. We provide a software-as-a-service e-commerce platform that lets vendors host an online storefront, manage orders, process payments, arrange shipping, and issue GST-compliant invoices.

This policy explains what personal data we collect from you when you use Shopoly as a vendor, and from people who buy from your storefront as customers. It is published in line with the Information Technology Act, 2000 (and its Rules), the Digital Personal Data Protection Act, 2023, and applicable Indian law.

From vendors (you)

• Account details: name, phone number, email, password (hashed), business name.
• Business details: GSTIN, PAN, business address, bank account details (for payouts via Razorpay).
• Storefront content: product information, images, prices, inventory, banners, store branding.
• Billing data: subscription plan, billing cycle, invoices, payment status. Card or UPI details are handled by our payment processor, not stored on our servers.
• Communications: support messages, WhatsApp conversations with our team, emails.

From your customers

• Order details: name, phone, email, shipping address, order items, total amount.
• Payment metadata: transaction ID, payment method, success/failure status (not card numbers).
• Shipment data: AWB number, courier, tracking updates (shared with Shiprocket).

When customers buy from your store, you are the data fiduciary (the business responsible for that customer's data). Shopoly processes that data on your behalf as a data processor.

Collected automatically

• Usage analytics: pages visited, features used, timestamps, IP address, browser, device.
• Cookies: session cookies for login, preference cookies, analytics cookies (see Section 6).

• To create and operate your account and storefront.
• To process payments, generate invoices, and arrange shipping for your orders.
• To send transactional messages (order confirmations, invoices, renewal reminders) by email, SMS, or WhatsApp.
• To send product updates, tips, and (with consent) marketing messages. You can opt out at any time.
• To provide customer support and respond to grievances.
• To improve Shopoly through analytics, debugging, and product research. Where possible we use aggregated or anonymised data.
• To comply with legal and regulatory obligations.
• To detect fraud, abuse, and security incidents, and to protect our platform and users.

We do not sell personal data. We share it only with service providers who help us run Shopoly:

• Razorpay — payment processing. Card, UPI, netbanking and wallet details are handled directly by Razorpay under their privacy policy.
• Shiprocket — shipping. Customer name, address, phone and order details are shared to generate shipments.
• Email and SMS providers — to deliver transactional and support messages.
• Cloud hosting — our servers, databases, and image storage are hosted with reputed cloud providers operating data centres in India and/or other jurisdictions.
• Analytics tools — to understand product usage. We do not share data with advertising networks.

We may disclose data when required by law, court order, or a lawful request from a government authority, and to enforce our terms or protect rights, safety, and property.

If Shopoly is acquired or merges with another company, your data may be transferred to the successor entity. We will notify you before any such transfer that materially affects how your data is handled.

We store data on cloud infrastructure with industry-standard safeguards: encryption in transit (HTTPS), encryption at rest for sensitive fields, role-based access controls, audit logs, and regular backups. Passwords are stored as one-way hashes.

No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you and the Data Protection Board of India as required under the Digital Personal Data Protection Act, 2023.

We use cookies for:

• Essential cookies: keeping you logged in, storing cart state. These cannot be turned off.
• Preference cookies: remembering your dashboard layout, language, etc.
• Analytics cookies: understanding aggregate usage patterns. You can disable these in your browser.

We do not use third-party advertising cookies and do not allow retargeting on Shopoly.

Storefront visit analytics

When you visit a vendor's storefront on Shopoly, our analytics tracker records page visits, product views, searches, add-to-cart actions, and checkout starts so the vendor can see how their store is performing. The tracker is designed to be privacy-respecting by default:

• No direct identifiers. We do not store your IP address or User-Agent string in our analytics database. Instead, we derive a one-way visitor fingerprint by hashing both with a daily rotating key. The same visitor on different shops, or on different days within the same shop, produces a different fingerprint — there is no cross-shop or cross-day tracking.
• No advertising or third-party trackers. The tracker only sends events to Shopoly. We do not embed any third-party analytics, advertising, or social-media beacons on storefronts.
• Do Not Track is honoured. If your browser sends a Do Not Track (DNT) header or has Global Privacy Control (GPC) enabled, the tracker installs a silent no-op shim and sends nothing. We do not record that you visited.
• Short retention. Raw storefront events are retained for at most 90 days, then automatically deleted. After roll-up, only daily aggregates remain — no per-visitor records.
• Session cookie. A short random ID (cookie name sf_session, 30-day expiry, HttpOnly, SameSite=Lax) is used to group page views from the same browser session. It is not linked to any logged-in customer account.

Subject to applicable law, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Request deletion of your data (subject to legal retention requirements).
• Withdraw consent you have given previously.
• Export your data in a portable format.
• Lodge a grievance with our grievance officer (Section 11).
• Lodge a complaint with the Data Protection Board of India if you believe your rights have been violated.

To exercise any of these rights, email privacy@shopoly.in from the address registered with your account. We aim to respond within 30 days.

We keep your account and storefront data for as long as your Shopoly account is active. After cancellation or non-renewal, we keep it for 90 days in case you reactivate, then delete or anonymise it — except where law requires longer retention (for example, GST invoices and tax records, which are retained for the period prescribed by Indian tax law).

Logs, backups, and analytics records may persist for up to 12 months beyond deletion of the primary record.

Shopoly is not directed to anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has signed up, contact us and we will delete the account.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of Shopoly after a change means you accept the updated policy.

In accordance with the Information Technology Act, 2000 and rules made thereunder, and the Digital Personal Data Protection Act, 2023, the contact details of our Grievance Officer are:

For any privacy questions or requests, email privacy@shopoly.in.