This Privacy Policy applies to the Brand Stacc application (the “App”) made available by CUSTCAP Solutions Private Limited (“Custcap”, “Customer Capital”, “we”, “us” or “our”) through the Shopify App Store. This Privacy Policy (the “Privacy Policy”) sets out how Customer Capital collects, uses and discloses information in relation to the Shopify merchant who installs the App (the “Merchant”, “you” or “your”) and the personal data processed through the App, including the personal data of the Merchant’s customers that is necessary to relay and fulfil orders. The purpose of this Policy is to ensure the protection of personal data in compliance with the Information Technology Act, 2000 (as amended from time to time), the Digital Personal Data Protection Act, 2023 and other applicable laws relating to data protection.

All Merchants must read and understand this Privacy Policy, as it has been formulated to safeguard privacy. You must accept the contents of this Privacy Policy to install or continue using the App.

The App is intended for use by businesses. To install and use the App, you must be 18 years of age or older and authorised to act for the Shopify store on which the App is installed.

We may update this Privacy Policy periodically, and we encourage you to revisit this page to stay informed about our current stance on privacy.

1. Personal Data Collection

When you install and use the App, we may collect: store and account information made available through the Shopify APIs, such as your store name, domain, contact details and store settings; product and inventory data that you choose to synchronise, such as listings, descriptions, images, pricing, variants and stock levels; order and fulfilment data generated for your products, which may include the personal data of your customers, such as name, contact details and shipping address, where this is necessary to relay an order to you for fulfilment; and usage and technical data, such as log data, IP addresses and records of how the App is used. This data and information shared by you and/or collected by us is hereinafter referred to as “Personal Data”.

2. Use of Personal Data

Customer Capital processes Personal Data in its capacity as a Data Fiduciary in respect of the store and account information, usage data, and technical data collected directly from Merchants. In respect of the personal data of a Merchant's end customers accessed through the Shopify API solely for the purpose of relaying and fulfilling an order ('Customer Fulfilment Data'), Customer Capital acts as a Data Processor on the instructions of the Merchant, who is the Data Fiduciary in respect of such data.
"In either case, Customer Capital processes Personal Data on the following legal grounds:
"(a) Performance of contract or pre-contractual steps: processing necessary to provide the App and to fulfil orders placed through it;
"(b) Legitimate uses: processing necessary for compliance with a legal obligation applicable to Customer Capital, and processing to detect and prevent fraud and security threats to the App;
"(c) Consent: where Customer Capital seeks to use Personal Data for a purpose beyond those described above (for example, for research or analytics not directly related to App provision), Customer Capital will obtain the Merchant's prior consent.

We use Personal Data to deliver and improve the App and to support your use of it. The key purposes are:

Operation and Provision of the App: To operate the App and synchronise your catalogue, pricing and inventory to Customer Capital’s connected surfaces, and to relay the resulting orders back to you for fulfilment.
Security and Verification: To verify access, protect against fraudulent activity and ensure the integrity and safety of the service.
Support: To provide effective support and to address any query or issue you may encounter while using the App.
Legal and Regulatory Compliance: To comply with legal and regulatory obligations that apply to us.
We may also use Personal Data to: (i) resolve disputes; (ii) troubleshoot problems; (iii) maintain a safe service; (iv) detect and protect against error, fraud and other criminal activity; (v) enforce these terms and our policies; (vi) conduct research and analysis to improve the App; (vii) conduct periodic audits; and (viii) send important information or notices, and as otherwise described to you at the time of collection.

3. Data Sharing with Third Parties

To deliver the App and meet our obligations, we share Personal Data with Customer Capital’s connected retail surfaces and the partner institutions through which your catalogue is presented and orders are generated, only to the extent necessary to provide the service. We may also engage external service providers, such as hosting and infrastructure providers, who act on our instructions and under confidentiality obligations. Where required by law, or by a legal or judicial authority, we may be required to share data with governmental or other authorities. When sharing Personal Data, we make every reasonable effort to ensure that third parties maintain its security and use it only for the purposes for which it is shared. We do not sell your Personal Data or your customers’ Personal Data.
3A. Cross-Border Data Transfers. Customer Capital may transfer Personal Data to countries outside India where Customer Capital's infrastructure or sub-processors are located, including countries where cloud computing, hosting, analytics or support services are provided. Customer Capital ensures that such transfers are made in accordance with the Digital Personal Data Protection Act, 2023 and are subject to appropriate safeguards including contractual clauses, data processing agreements and, where required, transfers only to countries or territories identified as permissible under the applicable rules. Where you would like further information about the safeguards applicable to cross-border transfers of your Personal Data, please contact our Grievance Officer at the address provided in Clause 8."

4. Security and Data Retention Procedures

We have established reasonable physical, administrative, technical and electronic safeguards to protect Personal Data against loss, misuse and unauthorised alteration. While we observe reasonable procedures to prevent unauthorised access to and misuse of Personal Data, no security measures are perfect or impenetrable. In the event that you believe your privacy has been breached, please contact us immediately at aashish.walia@customer-capital.com or call us at +91 98198 92542.

5. Personal Data Retention

Customer Capital retains different categories of Personal Data for the periods described below.
"Store and account data (store name, domain, settings): Retained for the duration of the App installation and for a period of ninety (90) days following uninstallation, after which it is deleted or de-identified, except to the extent required for accounting or tax purposes.
"Order and fulfilment data, including Customer Fulfilment Data: Retained for the period necessary to complete the fulfilment transaction and, following completion, for such further period as is required to comply with applicable tax and accounting obligations under the Income Tax Act, 1961 and the Companies Act, 2013 (ordinarily not exceeding eight (8) years from the relevant financial year).
"Usage and technical data (logs, IP addresses, activity records): Retained for a rolling period not exceeding twelve (12) months, except where specific data is required for an ongoing security investigation, fraud prevention proceeding, or dispute.
"Notwithstanding the above, if you make a valid erasure request, Customer Capital will delete or de-identify the relevant Personal Data within the timeframe required by applicable law, except where retention is required by law or regulation or necessary to defend a legal claim.
"When you uninstall the App, Customer Capital will process deletion or de-identification of your Merchant account data within thirty (30) days of uninstallation, consistent with the Shopify API Terms.

You may request the withdrawal, erasure or modification of your Personal Data at any time by writing to us at aashish.walia@customer-capital.com with the specific details of your request.

6. Access to Personal Data
As a Merchant, you may access, correct or modify the Personal Data held in connection with your account through your Shopify admin, or by writing to us at aashish.walia@customer-capital.com.
6A. Your Rights as a Data Principal. To the extent applicable under the Digital Personal Data Protection Act, 2023 and rules made thereunder, you have the following rights in respect of Personal Data that Customer Capital holds about you:
"(a) Right to Access: You may request confirmation of whether Customer Capital processes Personal Data about you and, if so, a summary of the Personal Data and the purposes for which it is processed.
"(b) Right to Correction and Erasure: You may request that Customer Capital correct inaccurate or incomplete Personal Data about you, or erase Personal Data where the purpose for which it was collected has been fulfilled or where you have withdrawn your consent (where consent was the basis for processing).
"(c) Right to Grievance Redressal: You may raise a complaint with Customer Capital's Grievance Officer (details in Clause 8) and, if not resolved to your satisfaction, with the Data Protection Board of India.
"(d) Right to Withdraw Consent: Where Customer Capital processes your Personal Data on the basis of your consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
"(e) Right of Nomination: You may nominate another individual to exercise your data rights in the event of your death or incapacity, in accordance with the Digital Personal Data Protection Act, 2023.
"To exercise any of these rights, please contact our Grievance Officer at the details set out in Clause 8.

7. Cookie Statement

Where the App or its administrative interface uses cookies or similar technologies, these are used to remember your preferences and to provide a more efficient and secure service. By using the App’s interface, you consent to the use of such cookies. You can manage your cookie preferences through your browser settings, although disabling certain cookies may affect functionality.
8. Grievance Redressal and Data Principal Rights
If you have an enquiry or complaint about the way we handle your Personal Data, or wish to exercise your privacy rights in relation to the Personal Data that we hold about you — including the right to access, correct, complete or erase your Personal Data — you may contact our Grievance Officer:
Name: Aashish Walia
Email: aashish.walia@customer-capital.com
Phone: +91 98198 92542
"Customer Capital will acknowledge and endeavour to resolve it within 30 (thirty) business days. Where a request concerns the erasure or correction of Personal Data, Customer Capital will respond within the timeframe required by applicable law, including the Digital Personal Data Protection Act, 2023 and the DPDP Rules thereunder. Where a grievance relates to a decision taken by an automated system, you may request a human review of that decision.

If you are not satisfied with the resolution of your grievance, you may approach the Data Protection Board of India established under the Digital Personal Data Protection Act, 2023.

9. Links

The App or its interface may link you to other websites or services that may request your personal information. Customer Capital is not responsible for the privacy practices or content of those websites or services. We take responsibility only for the policies and content that we control.

10. Disclaimer

Accuracy of this Policy. Customer Capital makes reasonable efforts to ensure that this Privacy Policy accurately reflects its data practices. However, data practices may evolve as Customer Capital's services develop. Customer Capital will notify Merchants of material changes to this Privacy Policy in accordance with Clause 1 of this Policy [or cross-reference the T&C notification clause]. Nothing in this Policy is intended to limit Customer Capital's liability or exclude rights that cannot be excluded under applicable law.

11. Overriding Effect

Notwithstanding anything contained in this Policy, to the extent that there is any inconsistency or discrepancy between this Policy and any applicable law, including the Information Technology Act, 2000 (as amended from time to time) and the Digital Personal Data Protection Act, 2023, the statutory provisions will prevail and supersede this Policy. Any matter related to this Policy that is not covered herein will be dealt with in the manner prescribed under the applicable laws.