Privacy Policy

This Privacy Policy describes how Appify Retail Private Limited collects, uses, shares, retains, and protects personal data when you use our services. We have written it to comply with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000, and to be readable in plain language.

This policy applies to:

• Merchants who sign up for Appify to operate AI-generated storefronts;
• Customers who purchase products from those storefronts;
• Visitors to appi-fy.ai who do not have an account.

It should be read alongside our Terms & Conditions and Refund Policy.

1. Who is responsible for your data

Appify acts in two distinct roles depending on the context:

• As a Data Fiduciary: For Merchant account data (sign-up information, billing details, KYC documents, account preferences) and for visitor data on appi-fy.ai, Appify determines the purposes and means of processing and is the Data Fiduciary under the DPDP Act.
• As a Data Processor:For Customer Data collected through a Merchant's storefront (the names, contact details, and order histories of people who shop at a merchant's store), the Merchant is the Data Fiduciary— they decide what to sell, who to contact, and what marketing to send. Appify processes that data on the Merchant's behalf and under their instructions.

Throughout this policy, "you" refers to whoever is interacting with us — Merchant, Customer, or Visitor — and the section context clarifies which.

2. What data we collect

2.1 Merchant account data

When you sign up as a Merchant, we collect:

• Name, email address, and phone number
• Business name and GSTIN (where applicable)
• Bank account details for payout processing
• KYC documents required for payment-gateway compliance (typically PAN, address proof, business registration documents)
• Account credentials (hashed password)

2.2 Storefront generation inputs

When you use Appify's AI to generate a storefront, we collect:

• Business inputs you provide (brand description, product information, target audience, design preferences, etc.)
• AI-generated outputs (storefront copy, design choices, product descriptions)
• Subsequent edits, regenerations, and configuration changes

2.3 Customer (end-shopper) data

When a Customer makes a purchase from a Merchant's storefront, we process on the Merchant's behalf:

• Name, email address, and phone number
• Shipping address(es)
• Order history (products purchased, dates, amounts)
• Payment metadata returned by the payment partner (last 4 digits of card, payment method type, transaction ID — but notfull card numbers, CVVs, or banking credentials, which are handled directly by our payment partners and never reach Appify's systems)

2.4 Automatically collected data

When you use our services, our infrastructure automatically logs:

• IP address, device type, browser, and operating system
• Referrer URL, pages visited, and timestamps
• Standard request/response data needed for security, debugging, and abuse prevention

2.5 Cookies and similar technologies

Appify uses cookies and similar technologies that are strictly necessary for the operation of our services — authentication, session management, security, and preferences. We do not currently use third-party analytics, behavioral tracking, advertising pixels, or session-recording tools on appi-fy.ai or on Merchant Storefronts that Appify itself deploys.

Merchants who wish to add their own third-party trackers (for example, Meta Pixel or Google Analytics for their own storefront analytics) may do so through their storefront configuration. Where a Merchant deploys such tools, the Merchant is responsible for disclosing them and obtaining any required consent from their Customers, and the third party's own terms and privacy policy apply.

2.6 Children's data

Appify does not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected personal data from a person under 18 without verifiable parental consent, we will delete that data promptly. Parents or guardians who believe their child has provided personal data to us may contact support@appi-fy.ai to request deletion.

Merchants who sell products that are legally restricted by age (such as alcohol or tobacco) are responsible for verifying Customer age in accordance with applicable law.

3. How we use your data

We use data for the following purposes:

Service delivery:

• Providing, maintaining, and operating the Appify platform
• Generating storefronts using AI based on Merchant inputs
• Processing payments through our payment partners
• Sending order notifications, account alerts, and other transactional/service communications
• Providing customer support and responding to enquiries

Service improvement:

• Diagnosing errors, monitoring performance, and improving security
• Using aggregate, anonymized, and de-identified datato improve our AI models and platform features. This anonymized data does not identify any individual Merchant or Customer and is described in our Terms & Conditions, Section 7.3.

Communications:

• Sending transactional and service emails (order receipts, account notices, billing reminders, security alerts) — these are necessary for operating your account and cannot be opted out of while your account is active
• Sending marketing communications to Merchants (product updates, new feature announcements, surveys) — these are opt-out; every marketing email contains an unsubscribe link, and Merchants can update preferences at any time by contacting support@appi-fy.ai
• Appify does not send its own marketing communications to Customers of Merchant Storefronts. We only send operational notifications (order updates, shipping notifications) on behalf of Merchants.

Legal and compliance:

• Complying with applicable law, including tax, anti-money-laundering, and consumer-protection regulations
• Detecting, investigating, and preventing fraud, security incidents, and abuse
• Enforcing our Terms & Conditions

4. Legal basis for processing

Under the DPDP Act, we process personal data on the following bases:

• Consent: For most processing of Merchant data and Customer Data, including marketing communications and optional features, processing is based on the consent collected at sign-up or when you provide the data.
• Legitimate uses recognized by the DPDP Act: Including processing for the performance of a contract, compliance with legal obligations, and the maintenance of platform security.

You may withdraw your consent at any time (see Section 8). Withdrawing consent for processing that is essential to delivering the services will typically result in your account being closed, because we cannot continue to operate the platform for you without that data.

5. Who we share data with

We share personal data only with the following categories of recipients, and only as needed for the purposes described above:

5.1 Service providers (Data Processors acting for Appify)

We rely on the following third-party services to operate the platform. Each is bound by a written agreement to process data only on our instructions and only for the purposes for which we engaged them.

5.2 Sharing at the Merchant's direction

A Merchant may explicitly direct Appify to share specific data with a designated third party — for example, exporting a customer list to a marketing tool the Merchant uses, or integrating a shipping partner. Such sharing happens only with the Merchant's explicit instruction and is documented in the Merchant's account.

5.3 Sharing required by law

We may disclose personal data when required by law, court order, or other legal process, including in response to lawful requests from government authorities (regulators, law enforcement, tax authorities). Where legally permitted, we will notify the affected Merchant or Data Principal of such a request before responding.

5.4 Business transfers

If Appify is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will provide notice (typically by email and a prominent notice on appi-fy.ai) before personal data is transferred and becomes subject to a different privacy policy.

5.5 No sale of data

Appify does not sell personal data to third parties.We do not share personal data with advertising networks, data brokers, or any party for the purpose of targeted advertising outside of the Merchant's own storefront.

6. Cross-border data transfers

Most personal data collected by Appify is stored and processed in India — specifically, in the Mumbai (ap-south-1 / bom1) regions of our hosting and database providers.

Limited cross-border transfers to the United States occur for the following purposes:

• AI processing (Anthropic):When generating storefronts, the Merchant's business inputs (the brief, brand description, product information) are sent to Anthropic's API, which is hosted in the United States. Anthropic processes the inputs to generate the storefront content and returns the result; Anthropic is contractually obligated not to retain or use the inputs to train its models.
• Communications (Twilio):SMS and push notification delivery is routed through Twilio's infrastructure, which is primarily based in the United States.

These cross-border transfers are necessary to provide the services. Personal data transferred outside India remains subject to confidentiality and security obligations under our agreements with the relevant provider.

The Government of India may, under the DPDP Act, restrict transfers of personal data to specific countries from time to time. If such a restriction affects our service providers, we will adapt our data flows to comply.

7. How long we retain data

We retain personal data for the following periods:

• Active Merchant accounts: Data is retained throughout the subscription period.
• Closed/churned Merchant accounts: Data is retained for 1 year after account closure, then deleted, except where longer retention is required by law (see below).
• Active Customer accounts: Data is retained for as long as the Customer has an active relationship with a Merchant. Customer accounts that show no purchase or interaction for 12 monthsare considered inactive; we provide notice and then delete inactive Customer data, subject to the Merchant's own retention requirements and applicable law.
• Tax, financial, and accounting records: Retained for 7 years as required by Indian tax law, regardless of account closure.
• Backups: Routine backups may retain copies of data for up to 90 days after deletion from primary storage, after which the backup data is overwritten.
• Legal holds: If a dispute, investigation, or legal proceeding requires us to preserve data, retention is extended for the duration of that matter.

When retention periods expire, we delete personal data or, where deletion is not technically feasible, we de-identify it so that it can no longer be associated with any specific individual.

8. Your rights

Under the DPDP Act, you have the following rights with respect to your personal data:

• Right to access: You may request a summary of the personal data we hold about you and how it is being processed.
• Right to correction: You may request correction of inaccurate, incomplete, or outdated data.
• Right to deletion: You may request deletion of your data, subject to our right to retain data required by law (such as tax records).
• Right to data portability: Where technically feasible, you may request a copy of your data in a structured, commonly used format.
• Right to withdraw consent: You may withdraw consent for processing at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right to nomination: You may designate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
• Right to grievance redressal: You may file a grievance with us at any time using the contact details in Section 11. If unsatisfied with our response, you may approach the Data Protection Board of India.

8.1 How to exercise your rights

To exercise any of the rights above, email support@appi-fy.ai with:

• Your name and the account email associated with the request (for verification)
• A clear description of the right you are exercising and what you are requesting

We will respond within 30 days of receiving a complete request. If we need more time for a complex request, we will let you know and explain why.

There is no fee for reasonable requests. We may charge a reasonable fee for repeated, manifestly unfounded, or excessive requests, or refuse to act on them.

8.2 Identity verification

To protect your data, we may need to verify your identity before responding to a request. We will ask for the minimum information necessary to confirm you are who you say you are.

8.3 Customer data requests

A Customer of a Merchant's storefront should typically contact the Merchant directly to exercise rights with respect to their data, because the Merchant is the Data Fiduciary for that data. If the Customer cannot reach the Merchant, or if Appify holds the relevant data independently (for example, payment metadata processed for fraud prevention), Customers may contact Appify directly at support@appi-fy.ai and we will assist within our role as Data Processor.

9. Security

We take reasonable technical and organizational measures to protect personal data, including:

• Encryption in transit (HTTPS/TLS) for all data sent to and from our services
• Encryption at rest for data stored in our databases
• Access controls limiting employee and contractor access to personal data to those who need it for their role
• Logging and monitoring of access to sensitive systems
• Regular security review of our infrastructure and third-party providers

No system is perfectly secure. While we work to protect your data, we cannot guarantee absolute security.

9.1 Data breach notification

In the event of a personal data breach that is likely to result in risk to affected Data Principals, Appify will:

• Notify the Data Protection Board of India within 72 hours of becoming aware of the breach, in accordance with the DPDP Act
• Notify affected Merchants and (where Appify acts as Data Fiduciary) affected Customers without undue delay, with information about what happened, what data was affected, what we are doing to mitigate, and what steps the affected person can take
• Where Appify acts as Data Processor on behalf of a Merchant, we will notify the Merchant promptly so the Merchant can fulfill its own notification obligations to its Customers under the DPDP Act

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our service providers, the law, or our business. Material changes will be communicated to active Merchants by email at least 14 daysbefore they take effect, and the "Last updated" date at the top of this page will be updated.

Continued use of the services after the effective date of an updated policy constitutes acceptance of the changes. If you do not agree to a change, you may close your account.

11. Contact

For any privacy-related question, request, or complaint:

Appify Retail Private Limited
Hyderabad, Telangana, India
Email: support@appi-fy.ai

The founder currently serves as the Data Protection contact at Appify. As we grow, we will appoint a dedicated Data Protection Officer where required by law and update this policy accordingly.

If you are not satisfied with our response to a privacy request, you may file a complaint with the Data Protection Board of India under the procedures established by the DPDP Act.