1. About This Policy
This Privacy Policy ("Policy") is published by Skyora Solutions Private Limited ("Skyora", "we", "us", or "our"), a company incorporated under the Companies Act, 2013, with its registered office at Sunrise Mall, Office No. 4, First Floor, Sector-11, Vasundhara, Ghaziabad - 201012, Uttar Pradesh, India.
This Policy governs how Skyora collects, uses, stores, and protects personal data in connection with the Checkoutify Storefront Platform ("Platform"), which consists of:
- The Checkoutify Storefront Web Panel — a browser-based merchant management portal; and
- The Checkoutify Storefront Mobile Application (Android and iOS) — a mobile application that delivers the Storefront Web Panel inside an embedded browser (WebView). The mobile app contains no independent business logic or database. It is a thin-client wrapper that securely loads the web panel over HTTPS.
Because the mobile application simply loads the web panel inside a mobile browser shell, there is one Platform and therefore one Privacy Policy. This document covers both access methods — browser and mobile app — in full.
This Policy complies with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and all other applicable Indian laws.
By accessing or using the Platform in any form, you acknowledge that you have read and understood this Policy.
2. Who This Policy Applies To
This Policy applies to:
- Merchants, retail store owners, and business entities onboarded onto the Checkoutify platform ("Merchants"); and
- Authorised employees, managers, and store personnel who access the Platform on behalf of an onboarded Merchant.
The Platform is not intended for use by end consumers. Consumer-facing data practices are governed separately under the Checkoutify Consumer App Privacy Policy.
3. How the Platform Works — Architecture
Understanding the architecture is important for interpreting this Policy accurately.
3.1 Storefront Web Panel
The Storefront Web Panel is the core application. It is a web-based portal hosted on Google Cloud Run (region: asia-south1, Mumbai). When a merchant logs in — whether via a desktop browser or the mobile app — they are interacting with this web panel. The web panel connects to a MongoDB database backend hosted on MongoDB Atlas (GCP Mumbai). All business logic, data storage, and API communication occurs at this layer.
3.2 Storefront Mobile Application
The mobile application is a WebView wrapper. It opens a secure, full-screen browser session that loads the Storefront Web Panel. The native mobile app layer:
- Does not have its own database or local data store.
- Does not contain independent API calls.
- Does not intercept, modify, or redirect data entered by the merchant.
- Requests only the device permissions necessary to support the web panel's functionality (camera for barcode scanning, internet access, and vibration for scan feedback).
All merchant data entered through the mobile app travels directly over HTTPS to the same backend as the web panel. The data practices are therefore identical regardless of access method.
4. What Data We Collect
The Platform collects the following categories of data when merchants register and use the Storefront Platform.
4.1 Merchant Account and Personal Information
- Full name, email address, phone number, and physical address.
- Profile photo or avatar.
- Social media or professional profile links (Google, Facebook, X/Twitter, LinkedIn) where provided.
- Password — stored as a one-way bcrypt hash. We never store your password in readable form.
4.2 Business and KYC Information
As part of merchant onboarding and compliance verification, we collect:
- Legal business name, trade name, business type and category, years in operation.
- Store address, operating hours, and geolocation coordinates (latitude and longitude) for store mapping.
- GST number, PAN number, and FSSAI licence number (where applicable).
- Bank account number, IFSC code, and account holder name for settlement purposes.
- Identity verification details: ID type (Aadhaar, Passport, or equivalent) and ID number.
- Uploaded KYC documents: GST certificate, PAN card, business registration documents, bank statement, and identity proof files.
4.3 Consumer Transaction Data
When merchants process transactions through the Platform, the following end-consumer data is recorded and stored on behalf of the merchant:
- Consumer name, phone number, email address, and a platform-assigned consumer identifier (UUID).
- Purchase history: product line items, barcodes, unit prices, tax amounts (CGST/SGST), applied discounts or coupons, and transaction totals.
- Outreach logs: a record of when a merchant initiates contact with a consumer (via WhatsApp, SMS, or phone), including a partial phone reference and timestamp.
4.4 Technical and Usage Data
- Standard server logs including IP addresses and browser or device type, processed by backend middleware for security and performance monitoring.
- Session tokens (JWT) used to maintain authenticated sessions. These are not persistent tracking cookies.
- Temporary WebView cache maintained by the mobile device's operating system to improve page load performance. This cache contains web assets, not personal data, and is managed by the device OS.
5. Device Permissions — Mobile Application
The Storefront Mobile App requests the following device permissions. These permissions exist solely to support the functionality of the Storefront Web Panel within the mobile browser shell.
5.1 Camera
| Platform | Permission |
|---|---|
| Android | android.permission.CAMERA |
| iOS | NSCameraUsageDescription |
Purpose: To allow merchants to scan product barcodes and QR codes through the web panel interface for inventory management and transaction processing.
The camera feed is processed in real time by the web panel. The native app layer does not record, capture, store, or transmit photographs or video. No biometric data is collected.
5.2 Internet and Network Access
| Platform | Permission |
|---|---|
| Android | android.permission.INTERNET, android.permission.ACCESS_NETWORK_STATE |
| iOS | Implicit HTTPS access |
Purpose: Required to load the Storefront Web Panel and to check device connectivity before initiating a session.
5.3 Vibration / Haptic Feedback
| Platform | Permission |
|---|---|
| Android | android.permission.VIBRATE |
Purpose: To provide tactile feedback to the merchant upon a successful barcode scan. No data is collected through this permission.
6. How We Use Your Data
We use the data collected for the following purposes:
- Account creation, authentication, and management.
- Merchant onboarding, KYC verification, and compliance with applicable Indian laws and regulations.
- Processing and recording retail transactions on behalf of merchants.
- Calculating, processing, and disbursing merchant settlements.
- Generating GST-compliant invoices and transaction records.
- Providing technical support, resolving disputes, and responding to grievances.
- Sending operational communications including onboarding updates, settlement notifications, and system alerts via email.
- Maintaining platform security, detecting fraud, and preventing unauthorised access.
- Complying with our legal obligations under applicable Indian law.
7. Third-Party Services and Data Sharing
The Platform uses the following third-party service providers in the course of its operations. We share only the minimum data necessary for each provider to perform their function.
7.1 Cloud Infrastructure — Google Cloud Platform
The Storefront Web Panel and its backend are hosted on Google Cloud Run in the asia-south1 (Mumbai) region. Merchant data processed by the platform resides within GCP infrastructure.
7.2 Database — MongoDB Atlas
All merchant and transaction data is stored in a MongoDB Atlas Flex cluster hosted on GCP Mumbai, operated within Skyora's own Atlas organisation.
7.3 Document Storage — AWS S3
Uploaded KYC documents, store profile images, and generated GST invoice PDFs are stored securely on Amazon Web Services S3. These files are accessible only to authorised Skyora personnel and are not publicly accessible.
7.4 Email — Nodemailer
Transactional emails (password resets, onboarding confirmations, system notifications) are sent using Nodemailer via a configured email service. Recipient email addresses are shared with this service solely for message delivery.
7.5 Payment Processing — Razorpay
Consumer payments processed through the Checkoutify ecosystem are handled by Razorpay Software Private Limited, a duly licensed Payment Aggregator under the Reserve Bank of India. Skyora does not directly hold or process consumer payment funds. Payment data is governed by Razorpay's privacy policy.
8. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Merchant account & KYC data | Duration of relationship + minimum 5 years | Indian financial & tax record-keeping |
| Transaction records | Minimum 8 years | GST record-keeping obligations |
| KYC documents (rejected applications) | Deleted within 90 days of rejection | No longer necessary |
| Server logs (IP addresses) | Up to 180 days | Security monitoring |
| Mobile app WebView cache | Managed by device OS | Can be cleared by merchant via device settings |
9. Security
Skyora implements reasonable technical and organisational security measures to protect your data, including:
- All communication between the Platform and backend servers is encrypted using HTTPS/TLS.
- Passwords are stored as one-way bcrypt hashes and are never accessible in readable form.
- Authenticated sessions are managed using JSON Web Tokens (JWT).
- Rate limiting is applied to authentication endpoints to prevent brute-force attacks.
- KYC documents are stored in access-controlled cloud storage, not accessible publicly.
- The mobile app enforces secure HTTPS connections and does not permit loading of non-HTTPS content.
10. Your Rights Under the DPDP Act, 2023
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights with respect to personal data we hold about you:
| Right | What It Means | How to Exercise |
|---|---|---|
| Access | Request information about the personal data we process about you and the purposes for which it is processed. | Email [email protected] |
| Correction & Erasure | Request correction of inaccurate or incomplete data, or erasure of data no longer necessary, subject to legal retention obligations. | Email [email protected] |
| Grievance Redressal | Raise a grievance with our Grievance Officer. | See Section 12 below |
| Nomination | Nominate a person to exercise your data rights in the event of your death or incapacity. | Email [email protected] |
We will acknowledge your request within 48 hours and respond within 30 days.
11. Changes to This Policy
Skyora reserves the right to update this Privacy Policy at any time to reflect changes in our practices, the Platform, or applicable law. We will notify you of material changes via an in-app notice or email to your registered address. The updated Policy will carry a revised effective date at the top of this document. Continued use of the Platform following notification constitutes your acceptance of the updated Policy.
12. Grievance Officer
In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the details of our Grievance Officer are as follows:
| Field | Details |
|---|---|
| Name | Bhavya Sethi |
| Designation | Director, Skyora Solutions Private Limited |
| [email protected] | |
| Address | Sunrise Mall, Office No. 4, First Floor, Sector-11, Vasundhara, Ghaziabad - 201012, Uttar Pradesh, India |
All grievances will be acknowledged within 48 hours of receipt and resolved within 30 days.