Last updated · [DD Month 2026] · Placeholder

Privacy Policy

This page is a template. Afflow Technologies Pvt Ltd ("Afflow", "we", "us") will replace each placeholder section with final, legally-reviewed text before launch.

⚠ PLACEHOLDER CONTENT — Every section below is structural copy to be replaced with your final policy text, reviewed by your counsel. The headings, order, and disclosure topics follow the Shopify BFS, DPDPA (India), and GDPR (EU) requirements Afflow is bound by.

1 · Introduction

[Placeholder] — Summary paragraph: what this policy covers, who it applies to, and the legal jurisdictions it complies with (Digital Personal Data Protection Act, 2023; GDPR where applicable; Shopify partner program).

2 · Data we collect

From merchants

Shop domain, owner name, email, billing details (via Shopify)
Shopify access token (encrypted at rest)
App configuration: commission rates, GST rate, TDS threshold, portal branding
Subscription status

From affiliates

Name, email, phone, password (bcrypt hashed)
Optional: PAN, GSTIN, address, bank account or UPI VPA (AES-256-GCM encrypted)
Referral / click metadata: IP address, user agent, device fingerprint hash

From shoppers (indirectly)

[Placeholder] — Order metadata received via Shopify's orders/create webhook when an affiliate's discount code is used. We do not store shopper PII beyond what Shopify forwards.

3 · How we use data

[Placeholder] To operate the affiliate program you configure
[Placeholder] To compute commissions, GST, and TDS accurately
[Placeholder] To issue payouts via Razorpay X
[Placeholder] To detect fraud and protect merchants
[Placeholder] To send transactional emails (via Resend)
[Placeholder] To comply with tax, accounting, and legal obligations

[Placeholder] — We share data only with vendors required to run the service:

Shopify — hosting, billing, OAuth, webhooks
Razorpay X — payout execution (Pro plan only)
Resend — transactional email
PostgreSQL cloud hosting provider (to be confirmed before launch) — encrypted PostgreSQL hosting
Error and performance monitoring provider (to be confirmed before launch) — error and performance telemetry

[Placeholder] — No data is sold. No data is used for advertising. We will never train an ML model on customer data.

5 · Security measures

AES-256-GCM field-level encryption with unique IV for PAN, GSTIN, bank details, legal name, address
Shopify access tokens encrypted at rest using the same scheme
bcrypt password hashing for affiliates
JWT auth with 7-day expiry for the affiliate portal
TLS 1.2+ for all traffic
Principle of least privilege — three Shopify scopes only: read_orders, write_discounts, write_app_proxy
[Placeholder] Annual penetration testing
[Placeholder] Incident response: 72-hour breach notification window

6 · Retention

[Placeholder] — Affiliate records are retained while the merchant's app installation is active. On uninstall or on a verified shop/redact GDPR webhook, all shop-scoped data is destroyed within 30 days. Financial records required for tax filing (GST invoices, TDS certificates) may be retained for up to 8 years per Indian tax law.

7 · Your rights

[Placeholder] — Under the DPDPA (India) and GDPR (EU), you can: access your data, correct it, delete it, export it, and withdraw consent. Merchants exercise these through their Shopify admin. Affiliates exercise these from the portal or by email.

Afflow honours these Shopify GDPR webhooks automatically:

customers/data_request
customers/redact
shop/redact

8 · Cookies

[Placeholder] — afflow.in (this marketing site) uses no tracking cookies. The Shopify-embedded admin uses only session cookies required for Shopify auth. The affiliate portal uses a single JWT stored in an httpOnly cookie for login.

9 · Contact

Data Protection Officer · hello@afflow.in

Postal · [Placeholder registered address], Bengaluru, Karnataka, India.

This is placeholder text. Review with counsel before publishing.