1. Introduction and Scope
Skyora Solutions Private Limited ("we", "us", "our", or "Company") operates Checkoutify, a mobile self-checkout application ("App") for physical retail stores in India. Checkoutify enables consumers to scan product barcodes, build a shopping cart, pay via UPI, and receive a digital e-bill — without the need for a cashier.
This Privacy Policy explains how we collect, use, store, share, and protect the personal data of users of the Checkoutify consumer mobile application. It applies to both the Android and iOS versions of the App.
This Policy is published in compliance with:
- The Digital Personal Data Protection Act, 2023 ("DPDP Act")
- The Information Technology Act, 2000 ("IT Act") and the SPDI Rules, 2011
- The Consumer Protection Act, 2019
- Google Play Store and Apple App Store privacy disclosure requirements
By downloading, installing, or using the App, you agree to the collection and use of your information as described in this Policy. If you do not agree, please do not use the App.
2. Identity of the Data Fiduciary
Under the DPDP Act, 2023, Skyora Solutions Private Limited is the Data Fiduciary responsible for processing your personal data collected through the Checkoutify App.
| Field | Details |
|---|---|
| Company Name | Skyora Solutions Private Limited |
| App Name | Checkoutify |
| Android Package | com.checkoutify.app |
| iOS Bundle ID | com.checkoutify.app |
| Platforms | Android and iOS |
| Registered Address | Sunrise Mall, Office No. 4, First Floor, Sector-11, Vasundhara, Ghaziabad - 201012, Uttar Pradesh, India |
| Country | India |
| Grievance Officer | Bhavya Sethi |
| Contact | [email protected] |
3. Information We Collect
We collect personal data only to the extent necessary to provide the Checkoutify service.
3.1 Information You Provide Directly
| Data | When Collected | Purpose | Required? |
|---|---|---|---|
| Mobile phone number | Sign-up / Login | Phone-based OTP authentication via Firebase | Required |
| OTP via SMS | At login | Verify your phone number. Processed transiently, never stored. | Required |
| Full name | Profile completion | Personalise your account and digital receipts | Required |
| Email address | Profile completion | Account identification, receipts, support | Required |
| Support ticket details | When raising a request | Route and resolve your support query | For support |
| Support chat messages | During conversations | Provide ongoing customer support | For support |
Google Sign-In users: If you log in using your Google account, we receive your Google account email address and display name. You will also be required to add and verify an Indian mobile number during profile completion.
3.2 Information Collected Automatically
| Data | When Collected | Purpose |
|---|---|---|
| Device GPS location | Store Selection screen, after permission | Find nearby stores. GPS coordinates are never transmitted to our servers. |
| City name (from GPS) | After GPS obtained | Display your city. Saved locally on your device only. |
| Camera feed (transient) | During barcode scanning | Scan barcodes. On-device only. No images ever transmitted or stored. |
| Scanned barcode values | When you scan a product | Look up the product in the store catalogue |
| Device root/jailbreak status | At App launch (release only) | Security check. Logged to crash monitoring only. |
| Crash data and stack traces | On any crash | Bug fixing via Firebase Crashlytics. No PII attached. |
| Consumer ID (UUID v4) | First authentication | Unique identifier linking your account across our systems |
Firebase Analytics automatically collects default usage events (app open, session duration, screen views, device model, OS version, country). No custom tracking events have been added by Checkoutify.
3.3 Transaction and Usage Data
- Shopping cart contents: product IDs, barcodes, names, quantities, prices, tax rates, tax amounts, line totals, MRP values
- Payment records: Razorpay order ID, payment ID, reference, amount, currency, timestamp
- Digital e-bill: e-bill ID, GST invoice reference, security QR token, item list, totals, tax breakdown, payment reference, store details, expiry
- Purchase history: order ID, date, store name, item count, total, payment method, status, item details
- Notifications: notification ID, title, message, type, read status, timestamp
3.4 What We Do Not Collect
4. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Authentication | Phone number, OTP, OAuth tokens, JWT | Consent at sign-up |
| Checkout service | Barcode data, cart, payments, e-bill | Contract / consent |
| Store discovery | GPS (on-device), city name | Consent (location permission) |
| Customer support | Name, email, messages | Consent / legitimate use |
| Transaction records | E-bills, payments, order history | GST law (6-year retention) |
| Security | Root status, JWT, payment verification | Legitimate use / security |
| Crash monitoring | Crash logs (no PII) | Legitimate use |
| Purchase history | Order records | Contract |
5. How We Share Your Information
5.1 With the Merchant (Store Owner)
When you complete a purchase, the following is shared with the merchant: your name, phone number, email; items purchased (name, barcode, quantity, price, tax, discount, line total); payment amount, method, and reference; transaction status.
5.2 With Third-Party Service Providers
| Provider | Data Shared | Purpose |
|---|---|---|
| Firebase Auth | Phone, OTP, OAuth tokens | Authentication |
| Firebase Crashlytics | Crash logs, device info (no PII) | Crash monitoring |
| Firebase Analytics | Default usage events | App analytics |
| Google Sign-In | Email, display name | OAuth authentication |
| Razorpay | Payment amount, Order ID | UPI payment processing |
| MongoDB Atlas (GCP Mumbai) | Server-side user/transaction data | Database hosting (India) |
| Google Cloud Run (asia-south1) | API traffic | Backend hosting (India) |
| Google Fonts CDN | No user data | Typography |
5.3 With Authorities
We may disclose data to law enforcement, regulatory authorities, or courts if required by Indian law.
5.4 Business Transfers
In the event of a merger or acquisition, your data may be transferred to the successor entity with equivalent privacy protections.
5.5 What We Do Not Share
- We do not sell your personal data
- We do not share data with advertisers
- Camera data never leaves your device
- GPS coordinates are never shared — only city name, stored locally
- UPI PIN and bank credentials are handled entirely by Razorpay
6. Data Storage and Security
6.1 Where Your Data Is Stored
All primary infrastructure is in India: Google Cloud Run (Mumbai), MongoDB Atlas (GCP Mumbai). Firebase services are operated by Google LLC and may use global infrastructure.
6.2 On-Device Security
Sensitive credentials are encrypted at rest: JWT via Android EncryptedSharedPreferences (AES-256) and iOS Keychain Services.
6.3 Network Security
All communications use HTTPS (TLS). No unencrypted HTTP connections.
6.4 Payment Security
- Server-side price calculation — client amounts are discarded
- Razorpay cryptographic signature verification on every payment
- Server recomputes all cart totals from product database
- Your UPI PIN is entered directly into Razorpay's secure interface — Checkoutify never sees it
6.5 Session Management
On logout, all local data is permanently deleted. Store sessions expire after 3 hours. Auth tokens expire automatically.
7. Device Permissions
| Permission | Platform | Why | If Denied |
|---|---|---|---|
| Camera | Both | Barcode scanning (on-device only) | Cannot scan products |
| Location (Fine) | Both | City detection, nearby stores. GPS never sent to servers. | Manual city selection |
| Location (Coarse) | Android | Fallback city detection | Manual selection |
| Vibration | Android | Haptic feedback | No impact |
| Face ID | iOS | System-level Keychain protection | Different keychain protection |
| Internet | Android | API calls, auth, payments | App cannot function |
8. Data Retention
8.1 On-Device
| Data | Retention |
|---|---|
| JWT token | Until expiry or logout |
| Consumer ID | Until logout |
| Product catalogue cache | Until logout or new store session |
| City, recent stores, onboarding | Until logout |
8.2 Server-Side
| Data | Retention | Reason |
|---|---|---|
| Consumer profile | Until account deletion | Service provision |
| Transaction records & e-bills | Minimum 6 years | GST law requirement |
| Payment records | 6-year GST obligation | Legal obligation |
| Cart data | Active cart only | Service provision |
| Support tickets | Up to 2 years post-resolution | Dispute resolution |
9. Your Rights as a Data Principal
Under the DPDP Act, 2023:
| Right | What It Means | How to Exercise |
|---|---|---|
| Access | Request a summary of data we hold about you | Email [email protected] — "Data Access Request" |
| Correction | Request correction of inaccurate data | Update in-app or email us |
| Erasure | Request account deletion (subject to GST retention) | Email — "Account Deletion Request" |
| Grievance | File a complaint about data handling | Email us. Acknowledged within 48 hours, resolved within 30 days. |
| Nomination | Nominate someone to exercise rights on your behalf | Email — "Nomination Request" |
10. Children's Privacy
Checkoutify is not intended for individuals below 18 years. The App facilitates real financial transactions via UPI, requiring a valid bank account linked to a verified adult identity.
We do not knowingly collect data from persons below 18. If you believe a child has used the App, contact us at [email protected].
11. Cookies and Tracking
Checkoutify is a native mobile application and does not use browser cookies. The only identifier is your Consumer ID (UUID v4), used solely to link your account data. No third-party advertising SDKs. No cross-app tracking.
12. Third-Party Services
| Service | Provider | Privacy Policy |
|---|---|---|
| Firebase (Auth, Crashlytics, Analytics) | Google LLC | firebase.google.com/support/privacy |
| Google Sign-In | Google LLC | policies.google.com/privacy |
| Razorpay Payment Gateway | Razorpay Software Pvt. Ltd. | razorpay.com/privacy |
| MongoDB Atlas | MongoDB, Inc. | mongodb.com/legal/privacy-policy |
| Google Cloud Run | Google LLC | cloud.google.com/terms/cloud-privacy-notice |
| Google Fonts | Google LLC | developers.google.com/fonts/faq/privacy |
13. International Data Transfers
Primary infrastructure is hosted in India (MongoDB Atlas GCP Mumbai, Google Cloud Run asia-south1). Firebase services may process data on Google's global infrastructure. Google Fonts uses a global CDN. By using the App, you acknowledge data may be processed outside India as described.
14. Security and Data Breach Notification
We implement reasonable technical and organisational security measures including encrypted storage, HTTPS, server-side payment verification, and JWT-based access controls.
In the event of a breach, we will:
- Report to CERT-In within 6 hours
- Notify affected users as required under the DPDP Act
- Take immediate steps to contain and remediate
15. Changes to This Privacy Policy
We may update this Policy to reflect changes in practices, technology, or legal requirements. Material changes will update the "Last Updated" date and notify you through the App or email. Continued use after changes constitutes acceptance.
16. Contact Us and Grievance Redressal
| Field | Details |
|---|---|
| Grievance Officer | Bhavya Sethi |
| Company | Skyora Solutions Private Limited |
| [email protected] | |
| Address | Sunrise Mall, Office No. 4, First Floor, Sector-11, Vasundhara, Ghaziabad - 201012, UP, India |
| +91 98916 97888 |
We will acknowledge within 48 hours and resolve within 30 days. Unresolved complaints may be escalated to the Data Protection Board of India.