Privacy Policy
Last updated: February 2026
simplestores ("we", "us", "the platform") is a software-as-a-service e-commerce platform operated from India. This Privacy Policy explains what personal data we collect from merchants and their customers, how we use it, and the rights you have under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable global regulations.
1. Data we collect
From merchants: Email address, mobile number, name, store details, GSTIN (optional), payment-gateway credentials (encrypted), domain configuration, uploaded product images and content.
From shoppers visiting merchant storefronts: Name, delivery address, mobile number, email (if provided), order history, payment method (we never see card numbers — Razorpay/Stripe handle that), IP-derived location for fraud prevention, browser fingerprint for cart recovery.
Automatically: Server logs, error reports, anonymous usage analytics via PostHog (you can opt out).
2. How we use it
- Operating your store: products, orders, payments, shipping.
- Sending transactional emails / WhatsApp / SMS to your customers (order confirmation, status updates, abandoned-cart recovery).
- Improving the platform — diagnostics, error fixes, fraud detection.
- Compliance with Indian tax / DPDP obligations.
We never sell your data, your customer list, or your order data to anyone.
3. Who we share with
- Sub-processors (each under a Data Processing Agreement): Razorpay (payments), MSG91 (SMS/WhatsApp/OTP), Cloudinary (images), MongoDB Atlas (database), SendGrid (email), Cloudflare (CDN/DDoS), Domainee (custom domains).
- Law enforcement — only on a valid Indian legal order.
- Nobody else.
4. Your rights under the DPDP Act
- Access — request a copy of your data.
- Correction / Erasure — email privacy@simplestores.in.
- Withdraw consent — close your account at any time via Settings → Account → Delete.
- Lodge a complaint with the Data Protection Board of India.
5. Data security
Encryption in transit (TLS 1.2+). Passwords bcrypt-hashed. Payment credentials encrypted at rest. Daily backups, restricted-access engineering team, security incident response in < 72 hours per DPDP requirements.
6. Retention
Merchant data: retained while your account is active and for 90 days after deletion (for legal / accounting purposes). Shopper data within a merchant's store: governed by the merchant's own privacy notice.
7. Contact
Grievance Officer (DPDP Act §10): privacy@simplestores.in · Security: security@simplestores.in.