Legal

Terms of Service & Data Processing Agreement

Your rights, our obligations, and how we handle data on your behalf as a Shopify merchant.

Last updated: 28 June 2026

By installing or using the Tattva Fulfilment Portal Shopify app, you ("the Merchant") agree to these Terms of Service and the Data Processing Agreement set out below.

Part A — Terms of Service

1. The Service

Tattva Fulfilment Portal provides a web and mobile application that allows merchant staff to manage in-store and fulfilment-centre pickup orders synced from a Shopify store. Features include: order management, inventory snapshots, dispatch creation, and QR-based order confirmation.

2. Merchant responsibilities

You are responsible for ensuring your staff are authorised to access the App and for revoking access when staff leave.
You must not use the App to process orders outside your Shopify store's lawful scope.
You are responsible for informing your customers that their order data is processed by the App for fulfilment purposes.

3. Availability

The App is provided on a best-effort basis. We aim for high availability but do not guarantee uninterrupted service. Planned maintenance will be announced where possible.

4. Intellectual property

The App and its source code remain the property of the operator. Your order and product data remains your property at all times.

5. Limitation of liability

To the maximum extent permitted by law, the operator's liability for any claim arising from use of the App is limited to the fees paid by you in the preceding 12 months. The operator is not liable for indirect, incidental, or consequential losses.

6. Termination

Either party may terminate this agreement at any time by uninstalling the App. Upon termination, your data will be deleted within 30 days per the Data Processing Agreement below.

7. Governing law

These terms are governed by the laws of India. Disputes shall be subject to the exclusive jurisdiction of the courts of Bangalore, Karnataka.

Part B — Data Processing Agreement (DPA)

This DPA forms part of the Terms of Service and sets out the obligations of Dinesh Kashikar ("Processor") when processing personal data on behalf of the Merchant ("Controller"). It is intended to meet the requirements of GDPR Article 28 and equivalent regulations.

8. Scope and subject matter

The Processor processes personal data as described below, for the duration of the Merchant's use of the App, on the Merchant's documented instructions.

Subject matter	Detail
Nature	Storage, retrieval, and display of order data to authorised staff
Purpose	Fulfilment-centre pickup order management
Types of personal data	Customer name, customer email, order number, order line items (product, SKU, quantity)
Categories of data subjects	The Merchant's customers who have placed pickup orders
Duration	For as long as the App is installed; deleted within 30 days of uninstall

9. Processor obligations

The Processor will:

Process personal data only on documented instructions from the Merchant (i.e., only for the fulfilment workflow).
Ensure persons authorised to process the personal data are bound by confidentiality.
Implement the technical and organisational measures described in Section 10.
Not engage sub-processors without informing the Merchant (see Section 11).
Assist the Merchant in responding to data subject access, correction, and deletion requests.
Delete or return all personal data upon termination of the agreement.
Provide the Merchant with all information necessary to demonstrate compliance with this DPA.
Notify the Merchant within 72 hours of becoming aware of a personal data breach.

10. Technical & organisational security measures

Measure	Implementation
Encryption in transit	TLS 1.3 enforced by Cloudflare Workers on all API endpoints
Encryption at rest	Cloudflare D1 — AES-256 at rest; backups encrypted by Cloudflare
Access control	OTP-only staff authentication; role-based access enforced at API level (staff see only their assigned FC's orders)
Session management	Short-lived signed JWTs (1-hour expiry); device tokens stored in encrypted device secure storage
Audit logging	Every API access logged by Cloudflare Workers (timestamp, endpoint, status, device); retained 30 days
Test / production separation	Isolated databases and mock credentials for development; no real customer data in test environments
Incident response	72-hour merchant notification; immediate token rotation; 7-day written report

11. Sub-processors

The Processor uses the following sub-processors:

Sub-processor	Purpose	Location
Cloudflare, Inc.	API hosting (Workers), database (D1), web hosting (Pages)	APAC (Singapore) region

The Merchant will be notified by email at least 14 days before any new sub-processor is added.

12. International transfers

Data is stored in Cloudflare's APAC region (Singapore). Cloudflare, Inc. is certified under the EU-U.S. Data Privacy Framework and provides Standard Contractual Clauses for international data transfers where required.

13. Data subject rights

The Processor will assist the Merchant in fulfilling data subject requests (access, rectification, erasure, portability) within 5 business days of receiving an instruction. Requests should be sent to [email protected].

14. Contact & DPA enquiries

For any questions about this DPA or to exercise your rights as a Merchant:
[email protected]