Privacy Policy
Last updated May 2026 · DPDP 2023 compliant
1. Data fiduciary
Sheriax Solutions (OPC) Private Limited is the Data Fiduciary for personal data processed through ShopQR. For any questions about your personal data, or to exercise your rights under the Digital Personal Data Protection Act 2023 ("DPDP"), contact:
Sheriax Solutions (OPC) Private Limited
Chennai, Tamil Nadu, India
privacy@shopqr.org
2. Whose data, in what role
ShopQR has three distinct users, and our role with respect to their personal data differs:
- Merchant admins (shop owners, managers, staff) — Sheriax is the Data Fiduciary directly.
- Customers placing orders through a Merchant's storefront — the Merchant is the Data Fiduciary; Sheriax is a Data Processor processing personal data on the Merchant's behalf to deliver the Service.
- Visitors to shopqr.org marketing pages — Sheriax collects only minimal technical logs.
3. What we collect
We collect the minimum data needed to run the Service:
- Customers placing orders: name (optional), WhatsApp phone number (required), delivery address (only for delivery orders), latitude/longitude (only if the Customer shares location for delivery), notes to the kitchen (optional), the items + quantities + total in your cart, your loyalty point balance (if the Merchant runs a loyalty program), and the timestamp at which you ticked the consent checkbox at checkout.
- Merchant admins: email address, name, mobile phone number, Firebase user id (for sign-in), role (owner / manager / staff), and an audit log of administrative actions taken on the shop.
- Shop content: business name, location address, GST number, menu items, prices, item photos, branding (logo, colours), printer pairing details. This is business data of the Merchant rather than personal data, but it is described here for transparency.
- Payment data: we do not store full card numbers or UPI PINs. Payment processing is handled by Razorpay; ShopQR records only the order id, payment status, and a Razorpay reference id for reconciliation.
- Technical data: server logs (timestamps, paths, IP-derived approximate region, error signals) used to operate, debug, and secure the Service. We do not run cross-site tracking cookies, third-party advertising pixels, or analytics SDKs at this time.
4. Purposes & legal basis
We use personal data only for the following specified purposes:
- Order fulfilment — to display the order to the Merchant, capture payment via Razorpay, and let the Merchant contact the Customer about that order. (Legal basis: contract / DPDP §6 consent at checkout.)
- Account administration — to authenticate Merchant admins, enforce roles, and produce audit trails. (Legal basis: contract.)
- Service operation — to host, debug, secure, and improve the platform. (Legal basis: legitimate use under DPDP §7.)
- Legal compliance — to meet tax, audit, GST invoicing, and law-enforcement obligations. (Legal basis: legal obligation.)
- Communications with Merchants — invoice emails, security alerts, and material changes to these Terms. (Legal basis: contract.)
We do not use personal data for marketing to Customers, nor for automated decision-making that has a legal or similarly significant effect.
5. Sub-processors
We do not sell or rent personal data. We share it only with the following sub-processors, each engaged under contract and only to the extent strictly required to deliver the Service:
- Convex (USA) — primary database hosting, serverless function execution, file storage for images.
- Cloudflare (USA) — DNS, edge TLS, DDoS protection.
- Hostinger (cloud VPS, India region) — Next.js application server hosting.
- Firebase Authentication (Google, USA) — admin sign-in (Google SSO, phone OTP, email + password).
- Razorpay (India) — payment processing for online card, UPI, and netbanking transactions.
- Resend (USA) — transactional email (invite links, invoice emails, security alerts).
- Twilio (USA) — WhatsApp Business and SMS delivery for Merchants that select Twilio as their provider.
- AiSensy (India) — WhatsApp Business Solution Provider for Merchants that select AiSensy.
- Interakt (India) — WhatsApp Business Solution Provider for Merchants that select Interakt.
- Meta Cloud API (Meta, USA / Ireland) — WhatsApp Cloud API direct for Merchants that select Meta.
- Msg91 (India) — SMS / OTP delivery for Merchants that select Msg91.
- TextLocal (India) — SMS delivery for Merchants that select TextLocal.
- SendGrid (Twilio, USA) — email delivery for Merchants that select SendGrid.
- Amazon SES (AWS, multi-region) — email delivery for Merchants that select SES.
We also share personal data with the Merchant whose shop you ordered from (so they can fulfil the order and contact you), and with legal authorities when we receive a valid court order or statutory demand under Indian law.
6. Cross-border transfers
Several sub-processors listed above (Convex, Firebase, Resend, Twilio, Meta, SendGrid, Cloudflare) operate or replicate data outside India. We rely on the contractual safeguards offered by these providers and process only the data strictly required for each provider's function. If the Central Government restricts any country under DPDP §16, we will assess affected processing and adjust accordingly.
7. Retention
- Customer order records are retained for up to 24 months from the last order placed at a given Merchant, after which the personal-data fields (WhatsApp, name, address, notes) are scrubbed. Aggregate counts (number of orders, total spent) are retained because they no longer identify the Customer.
- Merchant admin records are retained for the life of the account plus three years after closure, primarily to maintain an audit trail of admin actions.
- Tax and invoice records are retained for eight years to meet Indian statutory record-keeping requirements.
- Erasure on request may shorten any of the above; see the Data Erasure & DPDP Rights page for how to ask.
8. Your rights under DPDP 2023
- Right to access — request a copy of the personal data we hold about you.
- Right to correction — ask us to correct inaccurate or out-of-date data.
- Right to erasure — ask us to delete your data when it is no longer needed for the purpose collected. See the DPDP page for the two erasure paths (Customer self-service via the Merchant; or email to the grievance officer).
- Right to withdraw consent — if processing relies on your consent, you may withdraw it at any time; this does not affect prior lawful processing.
- Right to nominate — you may nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
- Right to grievance redressal — write to our grievance officer at privacy@shopqr.org (named on the DPDP page). If you are not satisfied with our response, you may complain to the Data Protection Board of India.
9. Security
We take the security of personal data seriously. Concretely:
- All traffic is served over TLS; certificates are managed by Caddy on the application edge.
- Per-shop API secrets (Razorpay key secret, WhatsApp tokens, email provider keys) are encrypted at the application layer using AES-GCM before being written to the database; the master key lives only on the application server.
- Convex stores data at rest with provider-managed encryption.
- Access to production data by Sheriax personnel is restricted by role and audited.
- We do not have a formal SOC 2 / ISO 27001 certification at this stage; if our security posture changes we will update this section.
10. Security incidents
If we become aware of a personal-data breach affecting your data, we will notify you and the Data Protection Board of India within the timelines required by DPDP 2023 and applicable rules.
11. Children
ShopQR is not intended for children under 18. We do not knowingly collect personal data from minors. Merchants must not knowingly accept orders that require the sale of age-restricted goods to minors.
12. Cookies
ShopQR uses a small number of first-party cookies and localStorage entries strictly to remember your sign-in session, your cart contents, your selected dine-in table, your preferred language, and similar functional preferences. We do not set third-party advertising or cross-site tracking cookies.
13. Changes
We will post updates to this Policy on this page and notify active Merchants by email when the changes are material. The "Last updated" date at the top of this page always reflects the current version.