Privacy Policy

Retail Commerce OS ("we", "us", "our") is a retail management software-as-a-service platform. Our platform helps merchants manage point-of-sale, inventory, orders, staff, and analytics — including through a Shopify integration.

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform at retailcommerceos.com and related services.

2.1 Information you provide

• Account data: Name, email address, phone number, business name, and billing address collected during signup and onboarding.
• Business data: Products, inventory levels, orders, customers, staff records, and transaction data you enter or import into the platform.
• Payment data: Billing information processed via our payment provider. We do not store full card numbers — the provider handles all PCI-DSS compliance.
• Support communications: Messages, attachments, and context you share when contacting our support team.

2.2 Data collected automatically

• Usage data: Pages visited, features used, timestamps, and session duration to improve the platform.
• Device and browser data: IP address, browser type, operating system, and device identifiers for security and analytics.
• Shopify integration data: When you connect your Shopify store, we receive product, order, inventory, and customer data as authorised by your Shopify access token scope.
• Audit events: All actions within the platform are logged with user ID, IP address, and timestamp for security and compliance.

• To provide, maintain, and improve the Retail Commerce OS platform and its features.
• To process transactions, send invoices, and manage subscription billing.
• To sync data with Shopify and other connected services on your behalf.
• To send transactional emails (order confirmations, low-stock alerts, system notifications).
• To respond to support requests and troubleshoot issues.
• To detect fraud, abuse, and security threats.
• To comply with legal obligations applicable in India and other jurisdictions where we operate.
• To generate anonymised, aggregated analytics that help us improve our product — your identifiable business data is never included in these aggregates.

We do not sell your data to third parties, use it for advertising, or share it with data brokers.

4.1 Sub-processors

We share data with the following sub-processors to deliver our services:

• Shopify — e-commerce platform integration (data shared only with your Shopify store)
• Stripe / Razorpay — subscription billing and payment processing
• Cloudflare — edge hosting, CDN, and DDoS protection
• Email delivery providers — transactional email delivery
• Telephony providers (optional) — Twilio, Exotel, Knowlarity, or Aircall; engaged only if your workspace enables the Calling module. Processes call routing, IVR, and call recording metadata (duration, participant phone numbers, recordings).
• Deepgram (optional) — speech-to-text transcription of call recordings; engaged only when AI transcription is enabled in your workspace.
• Anthropic (optional) — AI call analysis (summaries, sentiment, quality scoring); engaged only when AI features are configured.
• Product analytics — anonymised events only
• Error monitoring — sanitised stack traces, no PII

4.1a Voice data and call recordings

When you enable the Calling module, voice call recordings are personal data. You control whether recording is enabled, which calls are recorded, and how long recordings are retained (configurable from 30 days to indefinitely). Recordings are stored in your configured cloud storage bucket. You may delete individual recordings or all recording data at any time. We process recordings only to deliver transcription, AI analysis, and quality-scoring features you have enabled.

4.2 Legal disclosures

We may disclose your information if required by law, court order, or government request under applicable Indian law (IT Act 2000, DPDP Act 2023) or other jurisdiction requirements.

4.3 Business transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you via email at least 30 days before any such transfer.

• Data is stored on global cloud infrastructure with primary nodes in the Asia-Pacific region.
• All data in transit is encrypted via TLS 1.3. Data at rest is encrypted with AES-256.
• Access to production data is restricted to authorised personnel only, governed by role-based access controls.
• We conduct periodic security reviews and penetration testing.
• Backups are taken daily and retained for 30 days.

• Active accounts: Data is retained for the duration of your subscription.
• Post-cancellation: Data is retained for 90 days after cancellation to allow recovery, then permanently deleted.
• Audit logs: Security audit logs are retained for 12 months for compliance purposes.
• Backups: Backup snapshots are purged on a rolling 30-day cycle.

Under applicable law (including India's DPDP Act 2023 and GDPR for EU users), you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
• Portability: Request your business data in a machine-readable format (CSV/JSON export available from the platform directly).
• Objection: Object to processing of your data for specific purposes.
• Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email privacy@retailcommerceos.com. We will respond within 30 days.

• Session cookies: Strictly necessary for authentication and maintaining your logged-in state.
• Analytics cookies: First-party cookies for anonymised usage analytics. No cross-site tracking.
• No advertising cookies: We do not use Facebook Pixel, Google Ads, or any retargeting technology.

You can disable non-essential cookies in your browser settings without affecting core platform functionality.

Retail Commerce OS is a business platform not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us immediately and we will delete it.

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice on the platform at least 14 days before the change takes effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

For privacy-related questions, data requests, or concerns:

• Email: privacy@retailcommerceos.com
• Website: retailcommerceos.com
• Address: Retail Commerce OS, Mumbai, Maharashtra, India