Back to Home

Privacy Policy

This policy explains how ShopMate collects, uses, and protects your personal data.

ShopMate ("[COMPANY NAME]", "we", "us", or "our") is committed to protecting the privacy and security of the personal data you share with us. This Privacy Policy describes what personal data we collect from merchants who register and use the ShopMate platform, how we use it, and the rights you have over it.

This policy is governed by and must be read in conjunction with the following applicable Indian laws:

  • The Digital Personal Data Protection Act, 2023 ("DPDP Act")
  • The Information Technology Act, 2000 and the IT (Amendment) Act, 2008
  • The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
  • The Consumer Protection Act, 2019
  • Any other applicable central or state laws of India

By registering on, accessing, or using the ShopMate platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and processing of your personal data as described herein.

1. Who We Are

[COMPANY NAME], a company incorporated under the laws of India and having its registered office at [REGISTERED ADDRESS], operates the ShopMate platform accessible at www.theshopmate.com.

For the purposes of the DPDP Act, 2023, ShopMate is the Data Fiduciary in respect of merchant personal data. Where ShopMate processes personal data of a merchant's end-customers on behalf of the merchant, ShopMate acts solely as a Data Processor and the merchant is the Data Fiduciary for that data (see Section 9).

2. Information We Collect

We collect personal data only to the extent necessary to operate and improve the ShopMate platform. The categories of information we collect are:

2.1 Account & Identity Information

  • Full name, email address, and mobile number (provided at registration)
  • Password (stored only in encrypted/hashed form — never in plain text)
  • Profile photograph (if voluntarily provided)

2.2 Business Information

  • Business/store name and registered business address
  • GST Identification Number (GSTIN), PAN, or other applicable tax registration details
  • Nature of business and product/service categories
  • Store domain name and brand assets (logo, favicon) uploaded to the platform

2.3 Financial Information

  • Bank account details for settlement/payouts (processed via Razorpay — not stored directly on ShopMate servers)
  • Transaction records and payout history
  • One-time setup fee payment confirmation

Note on payment card data: ShopMate does not store, process, or transmit cardholder data directly. All payment processing is handled exclusively by Razorpay, which is PCI-DSS compliant. We never have access to your full card number, CVV, or net banking credentials.

2.4 Store & Operations Data

  • Product listings, inventory, and pricing data entered by you
  • Order records, shipment details, and transaction logs
  • Supplier/vendor details (where entered for purchase orders)
  • Store configuration settings and theme preferences

2.5 Technical & Usage Data

  • IP address, device type, browser type, and operating system
  • Pages visited, features used, and session duration on the platform
  • Login timestamps and session identifiers
  • Error logs and crash reports

2.6 Communications Data

  • Messages, queries, and feedback submitted via the contact form or support channels
  • Email correspondence with our support team

2.7 Sensitive Personal Data or Information (SPDI)

Under the SPDI Rules, 2011, the following data we collect qualifies as sensitive: bank account and payment settlement information. This data is collected only with your explicit consent, solely for the purpose of processing merchant payouts through Razorpay, and is not shared with any party beyond those strictly necessary to execute the payment.

3. How We Use Your Information

We use your personal data only for the specified, clear, and lawful purposes for which it was collected:

  • Account creation and authentication: To create and manage your merchant account and verify your identity.
  • Platform operations: To provide access to the ShopMate dashboard, storefront, order management, inventory, and all other features you have subscribed to.
  • Payment processing and settlements: To process the one-time setup fee and to facilitate order settlement payouts to your bank account via Razorpay.
  • Shipping and logistics: To share necessary order and delivery information with Shiprocket and other logistics partners to fulfil your customers' orders.
  • Customer support: To respond to your queries, resolve disputes, and provide technical assistance.
  • Platform improvement and analytics: To understand how merchants use the platform and improve features, fix bugs, and enhance user experience — using aggregated or anonymised data wherever possible.
  • Legal and regulatory compliance: To comply with applicable Indian laws, GST obligations, court orders, or requests from law enforcement authorities.
  • Security and fraud prevention: To detect, investigate, and prevent fraudulent transactions, abuse, or security incidents.
  • Communications: To send transactional emails (account notifications, order alerts, platform updates) and, with your separate consent, promotional communications about new features or offerings.

We will not use your personal data for any purpose other than those stated above without informing you and, where required, obtaining fresh consent.

Under the DPDP Act, 2023, we process your personal data on the following legal bases:

  • Consent: You provide free, specific, informed, and unambiguous consent at registration and when using specific features. You may withdraw consent at any time (see Section 10); however, withdrawal for essential processing will result in account closure.
  • Contractual necessity: Processing necessary to perform the Merchant Agreement / Terms of Service you entered into with ShopMate — such as account management, payout processing, and platform access.
  • Legitimate uses under the DPDP Act: Certain processing is permitted without consent for specified legitimate purposes including compliance with legal obligations, responding to court orders, national security, and fraud prevention.
  • Legal obligation: Processing required to comply with applicable Indian law including tax laws (GST Act, Income Tax Act), the IT Act, RBI regulations, and applicable sector regulations.
5. Sharing Your Information with Third Parties

We do not sell, rent, or trade your personal data to third parties. We share data only on a need-to-know basis as follows:

Third Party Purpose Data Shared
Razorpay Financial Solutions Pvt. Ltd. Payment processing & merchant settlement Name, email, mobile, bank account details, transaction records
Shiprocket (Bigfoot Retail Solutions Pvt. Ltd.) Shipping & logistics for merchant orders Order details; customer delivery address & contact (shared on your behalf as merchant)
Amazon Web Services (AWS) Cloud hosting, compute & storage infrastructure All platform data hosted on AWS infrastructure
Cloudinary Ltd. Image and media CDN for product images, logos, and media Images and media files you upload to the platform
Google Analytics / Google Tag Manager Website usage analytics Anonymised/aggregated usage data, IP (anonymised), browser & device type

Each third party operates under its own privacy policies and data processing agreements. We ensure they are bound by appropriate confidentiality and data protection obligations.

We may also disclose your information to: (a) law enforcement, courts, or government authorities as required by applicable Indian law; (b) professional advisors (lawyers, auditors) under strict confidentiality obligations; or (c) a successor entity in the event of a merger, acquisition, or sale — in which case you will be notified in advance.

6. Cookies & Tracking Technologies

ShopMate uses cookies and similar tracking technologies on the marketing website and the merchant dashboard:

  • Strictly necessary cookies: Required for the platform to function — session cookies, CSRF protection tokens, and authentication tokens. These cannot be disabled without preventing the platform from working.
  • Analytics cookies (Google Analytics): Used to understand how visitors use the ShopMate website — pages visited, time spent, and navigation paths. Data is anonymised and aggregated. You can opt out via the Google Analytics Opt-out Add-on.
  • Preference cookies: Store UI preferences (e.g., dark/light mode) to improve your experience.

By continuing to use the ShopMate platform, you consent to our use of cookies as described. You may manage or disable non-essential cookies through your browser settings; however, disabling necessary cookies will impair your ability to use the platform.

7. Data Storage, Security & Retention

7.1 Storage Location

Your personal data is stored on servers hosted by Amazon Web Services (AWS), primarily in the Asia Pacific (Mumbai) — ap-south-1 region, located within India. Certain third-party services (Google Analytics, Cloudinary) may process data outside India — see Section 8.

7.2 Security Measures

We implement reasonable security practices as mandated by the SPDI Rules, 2011 and the DPDP Act, 2023, including:

  • HTTPS/TLS encryption for all data in transit
  • Passwords hashed using industry-standard algorithms; sensitive data encrypted at rest
  • Role-based access controls — staff access only data required for their function
  • Regular security audits and vulnerability assessments
  • AWS security infrastructure including firewalls, DDoS protection, and access logging

In the event of a personal data breach that is likely to cause harm to you, we will notify the Data Protection Board of India and affected data principals as required under the DPDP Act, 2023.

7.3 Data Retention

We retain your personal data for as long as your merchant account is active and as required by applicable Indian law:

  • Account & identity data: Duration of active account + 3 years after account closure (for legal dispute resolution and regulatory audit).
  • Financial & transaction data: 7 years from the relevant financial year-end, as required under the GST Act, 2017 and Income Tax Act, 1961.
  • Support communications: 2 years from the date of last communication.
  • Technical logs (IP, access logs): 90 days, unless required for an ongoing security investigation.
  • Backup copies: May be retained for up to 30 additional days on encrypted backup systems before permanent deletion.

Upon expiry of the applicable retention period, your data will be securely deleted or anonymised such that it can no longer be linked to you.

8. Cross-Border Data Transfers

Certain third-party service providers we use may process or store data outside India:

  • Google Analytics / Google Tag Manager: Usage analytics data may be processed on Google's servers, which may be located in the United States or other countries. You can opt out as described in Section 6.
  • Cloudinary: Media files uploaded to the platform may be distributed on Cloudinary's globally distributed CDN infrastructure.

ShopMate ensures that any cross-border transfer of personal data is subject to safeguards consistent with the DPDP Act, 2023 and applicable Indian law, including contractually requiring third parties to maintain equivalent data protection standards.

9. Merchant Obligations for End-Customer Data

When you use ShopMate to run your store, you collect and process personal data belonging to your end-customers — their names, delivery addresses, phone numbers, email addresses, and order histories. In this context:

  • You (the merchant) are the Data Fiduciary for your customers' personal data under the DPDP Act, 2023.
  • ShopMate acts solely as a Data Processor, processing such data only on your instructions and only for the purpose of operating your store (order processing, payments, shipping).
  • You are solely responsible for: (a) obtaining valid consent from your customers before collecting their data; (b) publishing a compliant privacy policy on your ShopMate storefront; (c) responding to your customers' data rights requests; and (d) notifying your customers of any data breach affecting their data.
  • ShopMate will process your customers' data only as instructed and will not use it for any independent purpose.

Important: Failure to comply with your data protection obligations as a merchant and Data Fiduciary may constitute a violation of the DPDP Act, 2023 and could result in significant penalties under Indian law. We strongly recommend obtaining independent legal advice about your compliance obligations.

10. Your Rights as a Data Principal

Under the DPDP Act, 2023 and IT (SPDI) Rules, 2011, you have the following rights. To exercise any right, contact us at support@theshopmate.com. We will respond within 30 days.

  • Right to access: Request a summary of the personal data we hold about you and how it is being processed.
  • Right to correction and updating: Request correction of inaccurate, incomplete, or outdated personal data. You can also update most information directly from your merchant dashboard.
  • Right to erasure: Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent. Certain data may be retained to comply with legal obligations (e.g., GST records) even after other data is erased.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal for essential processing (e.g., account operation) will result in account closure. Withdrawal for non-essential processing (e.g., marketing emails) will not affect your account.
  • Right to grievance redressal: Raise a complaint with our Grievance Officer (Section 13). If unresolved to your satisfaction, approach the Data Protection Board of India once operationalised.
  • Right to nominate: Under the DPDP Act, you have the right to nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. Contact our Grievance Officer to register a nominee.
11. Children's Data

The ShopMate merchant platform is intended exclusively for individuals 18 years of age or older. We do not knowingly collect personal data from minors (persons below 18 years). If you are under 18, you must not register on or use the ShopMate platform.

If we become aware that we have inadvertently collected personal data from a person below 18 years without verifiable parental consent, we will take immediate steps to delete such data. If you believe we have collected a minor's data in error, please contact us immediately at support@theshopmate.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or platform features. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send a notification to your registered email address at least 15 days before the changes take effect
  • Display a prominent notice on the ShopMate merchant dashboard

Continued use of the platform after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree, you must stop using the platform and may request account closure.

13. Grievance Redressal

In accordance with the IT Act, 2000, SPDI Rules, 2011, and the DPDP Act, 2023, a Grievance Officer has been designated to address complaints and concerns relating to the processing of personal data by ShopMate.

Grievance Officer Details

To raise a complaint, email us at the address above with the subject line "Privacy Grievance — [your registered email]". We will acknowledge your complaint within 72 hours and resolve it within 30 days.

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India (once operationalised under the DPDP Act, 2023) or seek other legal remedies available under Indian law.