Privacy Policy

This Privacy Policy explains how Shubham Garg (Sole Proprietor) ("Apna Store", "we", "us") collects, uses, stores, and shares personal information when you use the Apna Store software platform (the "Service"). It is published in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Digital Personal Data Protection Act, 2023, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

1. Information we collect

From sellers (business owners)

• Account data: name, email address, phone number, password (hashed), profile picture.
• Business data: store name, slug, category, description, logo, address, WhatsApp number, Instagram handle, GST number.
• Product data: product names, descriptions, prices, images, stock levels, variants, categories.
• Payment gateway keys: Razorpay Key ID and Secret, UPI ID, Setu API key — stored encrypted at rest.
• LLM provider keys: Anthropic, OpenAI, or Gemini API keys if provided for AI order parsing.
• WhatsApp session data: authentication state for the Baileys library if you connect your WhatsApp account.

From buyers (customers of sellers)

• Order data: name, phone number, email (optional), shipping address.
• Order history: items purchased, total spent, order status.
• Messages: content of WhatsApp messages sent to the seller's number, used by the AI to parse order intent.

Automatically collected

• Usage data: IP address, browser type, device type, pages visited, time spent, referrer. Used for analytics and abuse prevention.
• Cookies: session cookies for authentication and remembering your cart. See Section 5.

2. How we use your information

• To operate, maintain, and improve the Service.
• To authenticate you and secure your account.
• To process subscription payments via Razorpay.
• To enable sellers to manage their stores and fulfil customer orders.
• To respond to support requests sent via WhatsApp or the Contact page.
• To send transactional emails (order receipts, password resets).
• To comply with legal obligations including tax filings, law enforcement requests, and court orders.

3. Who we share information with

We do not sell your personal information. We share it only with the following third parties, strictly as necessary to operate the Service:

• Supabase — hosts our database, authentication, and file storage. Data is stored in their India-region data centres where available.
• Vercel — hosts the web application and routes HTTPS traffic.
• Razorpay — processes subscription payments. Razorpay receives your billing details as part of the payment flow. See Razorpay's own privacy policy at razorpay.com/privacy.
• Anthropic / OpenAI / Google — if you or your sellers configure an LLM for WhatsApp order parsing, customer message text is sent to the chosen provider for parsing. These providers have their own data-handling policies.
• Meta Platforms (WhatsApp) — if a seller connects their WhatsApp Business account via Baileys, messages to and from customers pass through WhatsApp's infrastructure.
• Law enforcement — when compelled by valid legal process under Indian law.

4. Data retention

We retain personal information for as long as your account is active or as needed to provide the Service. If you close your account, we will delete or anonymise your personal data within 90 days, except where we are required to retain it for longer under applicable law (for example, tax records which must be retained for eight years under the GST Act).

5. Cookies

We use first-party cookies strictly necessary for authentication, session management, and remembering cart contents. We do not use third-party advertising or tracking cookies. You can disable cookies in your browser but some features of the Service will stop working.

6. Security

We use industry-standard measures to protect your data, including TLS encryption in transit, encryption at rest for sensitive fields, PostgreSQL row-level security policies to isolate each seller's data, and hashed passwords. However, no system is 100% secure. You are responsible for keeping your password confidential.

7. Your rights

Under the Digital Personal Data Protection Act, 2023, you have the right to:

• Access and obtain a copy of your personal data.
• Correct or update inaccurate data.
• Erase your personal data (subject to legal retention requirements).
• Withdraw consent where processing is based on consent.
• Nominate another person to exercise these rights on your behalf.
• File a grievance with our Grievance Officer or the Data Protection Board of India.

To exercise these rights, contact us via WhatsApp at +91 98188 89072 or see the Contact page.

8. Children

The Service is not directed to individuals under 18. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from a minor, we will delete it.

9. Grievance Officer

In accordance with the Information Technology Act, 2000 and the rules made thereunder, the name and contact of the Grievance Officer are:

• Name: Shubham Garg
• Email: ShubhamGargCth@gmail.com
• WhatsApp: +91 98188 89072
• Address: SG-5/3501, Saya Gold Avenue, Indirapuram, Ghaziabad, Uttar Pradesh 201014, India

We will acknowledge any complaint within 24 hours and resolve it within 15 days of receipt, as required by the Intermediary Guidelines 2021.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified via the Service or by email. Continued use after an update constitutes acceptance.