Privacy Policy | Cashier Logic

1. Introduction

CashierLogic ("we", "us", or "our") is a checkout optimization platform for Shopify merchants operating in India. We provide an inline checkout experience, cart drawer replacement, COD management, and payment processing integration to help merchants increase conversion rates and reduce return-to-origin (RTO) rates.

This Privacy Policy explains how we collect, use, store, and protect information when shoppers interact with our checkout on merchant stores, and when merchants use our dashboard and services. We are committed to protecting your privacy and handling your data transparently.

By using any store powered by CashierLogic (as a shopper) or by installing CashierLogic on your Shopify store (as a merchant), you agree to the practices described in this policy.

2. Data We Collect

From Shoppers

Contact information: Phone number, full name, and email address provided during checkout.
Shipping address: Street address, city, state, PIN code, and any delivery instructions.
Payment method tokens: Tokenized payment references only. We never store raw credit or debit card numbers.
Order history: Items purchased, order values, payment methods used, and order status.
Device and browser information: Browser type, operating system, screen resolution, and device identifiers used for fraud prevention.

From Merchants

Business details: Store name, business contact information, and Shopify store URL.
Shopify API credentials: Access tokens required to integrate with your store. These are encrypted at rest using AES-256-GCM and are never exposed in logs or dashboards.
Dashboard account information: Login credentials (passwords are hashed, never stored in plain text), team member details, and role assignments.

Collected Automatically

IP address: Used for fraud detection and geographic analytics.
Cookies and session data: Essential for maintaining checkout state and authentication. See the Cookies section below.
Checkout interaction events: Button clicks, form field interactions, payment method selections, and time-on-step metrics used to generate conversion analytics for merchants.

3. How We Use Data

Process checkout transactions: We use shopper information to complete orders, calculate shipping, apply discounts, and route payments through our payment gateway partner.
OTP verification: Phone numbers are used to send one-time passwords for Cash on Delivery (COD) order verification. This reduces fraudulent and undeliverable COD orders. Phone numbers collected for OTP are never used for marketing purposes.
Address autofill: When a returning shopper is recognized (via phone number), we pre-fill their previously used shipping address to speed up checkout. This works across different merchant stores within the CashierLogic network. See the Cross-Store Shopper Network section for details.
Merchant analytics: We aggregate checkout data to provide merchants with conversion rate insights, payment method usage breakdowns, average order values, and abandonment analytics through the CashierLogic dashboard.
Risk scoring for COD orders: We analyze order patterns, address history, and shopper behavior to assign risk scores to COD orders, helping merchants reduce losses from undelivered shipments.

4. Cross-Store Shopper Network

CashierLogic operates a shopper recognition network across all merchant stores that use our platform. When you check out on one CashierLogic-powered store, we may recognize you on a different store using the same phone number.

What the cross-store network is used for: Address autofill (so you do not need to re-type your shipping details), faster checkout completion, and fraud prevention (identifying suspicious patterns across stores).

The cross-store network is not used for:

Marketing or promotional communications
Selling or sharing your personal data with third parties
Sharing your purchase history between merchants
Building advertising profiles

Merchants do not see data from other stores. Each merchant only has access to orders and customer data from their own store.

Opting out: If you would like to opt out of the cross-store shopper network, email support@cashierlogic.com with your phone number and we will remove your data from the network within 7 business days. You can still check out on CashierLogic-powered stores after opting out, but you will need to enter your address manually each time.

5. Shopify Data Access

When a merchant installs CashierLogic on their Shopify store, we request specific API scopes. We follow the principle of least privilege and only request scopes necessary for checkout optimization.

Scope	Why We Need It
`read_products`	Display product information (name, price, images, variants) inside the CashierLogic checkout and cart drawer.
`read_orders`	Sync order data for merchant analytics, conversion tracking, and reconciliation with payment gateway records.
`write_orders`	Create and update orders when shoppers complete checkout through CashierLogic, including applying discounts and attaching payment metadata.
`read_customers`	Retrieve existing customer records to enable address autofill and provide a seamless returning-customer experience.
`write_script_tags`	Inject the CashierLogic checkout widget script into the merchant's storefront so the inline checkout experience loads on the store.

We do not access Shopify data beyond these scopes. We do not read or modify store themes, blog posts, pages, shipping settings, or any other Shopify resources outside of what is listed above.

6. Payment Processing

CashierLogic integrates with CyberPay, a PCI DSS compliant payment gateway, to process online payments (UPI, credit/debit cards, net banking, and wallets).

We do not store raw credit card numbers, debit card numbers, CVVs, or bank account details on our servers.
All card data is collected and processed directly by CyberPay in their PCI-compliant environment.
We store only tokenized payment references (transaction IDs, payment status, and masked card identifiers like "ending in 4242") for order tracking and reconciliation.
For UPI payments, we store only the transaction reference ID, not the UPI handle or PIN.

7. Data Sharing

We share personal data only with the following categories of service providers, and only to the extent necessary to operate the CashierLogic platform:

Payment processors (CyberPay): To process and settle payment transactions. CyberPay receives transaction amounts, tokenized payment details, and order identifiers.
SMS and messaging providers: To deliver OTP verification codes during COD checkout. These providers receive only the phone number and the OTP message content. They do not receive order details, addresses, or any other personal data.
Cloud infrastructure providers: Our servers and databases are hosted on infrastructure that may process data as part of providing hosting services.

We do not sell personal data to third parties. We do not share personal data with advertisers, data brokers, or any entity for marketing purposes.

8. Data Retention

Shopper data: Retained for as long as the merchant's CashierLogic account is active. When a merchant uninstalls CashierLogic from their Shopify store, all associated shopper personal data (names, phone numbers, email addresses, and shipping addresses) is deleted from our systems within 48 hours, in compliance with Shopify's GDPR and data protection requirements.
Transaction records: Order transaction records (amounts, dates, payment method types, and anonymized identifiers) are retained for a minimum of 8 years as required by Indian tax and financial regulations under the Income Tax Act and GST laws.
Analytics data: Checkout interaction data and conversion metrics are aggregated and anonymized after 24 months. After anonymization, individual shoppers cannot be identified from the analytics data.
Merchant account data: Retained for the duration of the merchant's account, plus 30 days after account closure to allow for reactivation.

9. Your Rights

Under the EU General Data Protection Regulation (GDPR), India's Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023, you have the following rights regarding your personal data:

Right to access: You can request a copy of all personal data we hold about you.
Right to correction: You can request that we correct any inaccurate or incomplete personal data.
Right to deletion: You can request that we delete your personal data. We will comply unless we are legally required to retain it (for example, transaction records required under Indian tax law).
Right to data portability: You can request your data in a structured, machine-readable format (JSON or CSV).
Right to withdraw consent: You can withdraw consent for data processing at any time, though this may affect your ability to use certain features (such as address autofill).
Right to lodge a complaint: You have the right to file a complaint with the relevant data protection authority.

How to exercise your rights: Send an email to support@cashierlogic.com with the subject line "Data Rights Request" and include your phone number or email address so we can locate your records. We will respond within 30 days.

10. Cookies

CashierLogic uses a limited number of cookies, all directly related to checkout functionality:

Session cookies (required): These maintain your checkout state as you move through the purchase flow -- cart contents, selected payment method, and shipping address. These cookies expire when you close your browser or after 24 hours, whichever comes first.
Authentication cookies (required): For merchants logged into the CashierLogic dashboard, these cookies maintain your login session. They expire after 7 days of inactivity.
Analytics cookies (optional): These help us measure checkout performance (conversion rates, drop-off points) and are used to generate the analytics merchants see in their dashboard. No personally identifiable information is stored in analytics cookies.

We do not use third-party advertising cookies. We do not use cookies for retargeting, behavioral advertising, or cross-site tracking beyond our own checkout network.

11. Security

We take the security of your data seriously and employ multiple layers of protection:

Encryption at rest: All sensitive data (API credentials, personal information, session tokens) is encrypted using AES-256-GCM before being written to our database.
Encryption in transit: All data transmitted between your browser, our servers, and third-party services is protected by HTTPS/TLS.
Webhook verification: All incoming webhooks from Shopify and payment providers are verified using HMAC signatures to prevent tampering and spoofing.
Access controls: Our platform implements role-based access control (RBAC). Merchant team members can only access data appropriate to their assigned role.
Password security: All passwords are hashed using bcrypt with appropriate salt rounds. We support multi-factor authentication (MFA) via TOTP for merchant accounts.
Regular security audits: We perform regular security reviews and vulnerability assessments of our codebase and infrastructure.
Environment isolation: Production secrets are encrypted at rest using age encryption and are never stored in plain text on disk.

12. Children's Privacy

CashierLogic is a business-to-business service for Shopify merchants and a checkout tool for online shoppers. Our service is not directed at children under the age of 18.

We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have inadvertently collected data from a minor, we will take immediate steps to delete that data from our systems. If you believe a minor has provided us with personal data, please contact us at support@cashierlogic.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

The "Last updated" date at the top of this page will always reflect the most recent revision.
For material changes (such as new categories of data collection, new third-party sharing, or changes to retention periods), we will notify merchants through a prominent notice in the CashierLogic dashboard.
Continued use of our service after changes are posted constitutes acceptance of the updated policy.

We encourage you to review this page periodically to stay informed about how we protect your data.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:

Email: support@cashierlogic.com
Website: cashierlogic.com

CashierLogic is a product of CashierLogic.