Privacy Policy

1. Who we are

This Privacy Policy describes how Zemuria Technologies Private Limited ("Mercemur", "we", "us") collects, uses, stores, and protects personal data in connection with the Mercemur commerce platform (the "Service"). We comply with the Digital Personal Data Protection Act, 2023 (DPDPA) and, where applicable, the EU General Data Protection Regulation (GDPR).

Our registered office is at [Registered office -- please update with full address].

2. Data we collect

2.1 From merchants (account holders)

• Account data: name, email, password hash, phone number.
• Business data: store name, subdomain, business description, GST/tax identifiers (where provided).
• Billing data: subscription plan, payment status, invoices. We do not store full card numbers -- payment details are processed by our payment provider (Stripe).
• Usage data: login timestamps, IP address, pages visited, features used, error logs.

2.2 From customers (shoppers on merchant stores)

When a merchant's customer places an order, we process personal data (name, email, shipping address, order details) on behalf of the merchant. The merchant is the data controller; Mercemur is the data processor. Our handling of this data is governed by our Data Processing Agreement with merchants.

2.3 From website visitors

When you visit mercemur.com, we collect basic analytics (page views, referrer, browser type) and, where you consent, cookies for analytics.

3. How we use your data

• To provide and operate the Service.
• To authenticate you and secure your account.
• To process subscription payments and issue invoices.
• To communicate service updates, security notices, and (with your consent) marketing emails.
• To diagnose technical issues and improve the Service.
• To comply with legal obligations (tax, accounting, law enforcement).
• To detect and prevent fraud, abuse, or security incidents.

We do not sell your personal data. We do not use your business data to train machine learning models without your explicit consent.

4. Legal basis for processing

Under DPDPA and GDPR, we process personal data on the following bases:

• Contract: to provide the Service you requested.
• Consent: for marketing emails and optional analytics cookies.
• Legitimate interests: to secure the Service, prevent fraud, and improve features.
• Legal obligation: to comply with tax, accounting, and law-enforcement requirements.

5. Data sharing

We share personal data only with:

• Service providers (processors) who help us operate the Service -- cloud hosting (AWS / self-hosted VPS), email delivery (AWS SES / SendGrid), payment processing (Stripe), shipping calculation (ShipEngine), error monitoring, and analytics. All are bound by data processing agreements.
• Legal authorities when required by law, court order, or to protect our rights.
• Business transfers: in the event of a merger, acquisition, or sale of assets, subject to the acquirer honoring this Privacy Policy.

6. International transfers

Some of our service providers (e.g. AWS, Stripe, ShipEngine) operate outside India. When we transfer personal data internationally, we rely on standard contractual clauses or equivalent safeguards to ensure your data remains protected under standards comparable to Indian law.

7. Data retention

• Account data: retained while your account is active, plus 6 months after cancellation for dispute resolution and legal obligations.
• Financial records: retained for 8 years as required by Indian tax law.
• Logs and analytics: retained for up to 13 months.
• Customer data processed on behalf of merchants:deleted in accordance with the merchant's instructions and their own retention policies.

8. Your rights

Under DPDPA and GDPR you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Request deletion of your data (subject to our legal retention obligations).
• Withdraw consent for marketing communications.
• Port your data to another provider.
• Lodge a complaint with the Data Protection Board of India (DPB) or your local data protection authority.

To exercise these rights, email [email protected]. We respond within 30 days.

9. Security

We protect your data with industry-standard safeguards, including:

• TLS encryption for data in transit.
• AES-256-GCM encryption for sensitive credentials at rest (e.g. payment provider API keys).
• Row-level security (RLS) in our database to ensure merchants only access their own data.
• Regular security reviews and vulnerability patching.
• Access controls limiting employee data access to what is necessary for their role.

No security system is perfectly impenetrable. If you suspect your account has been compromised, notify us immediately at [email protected].

10. Cookies

We use cookies for essential functionality (authentication, session management) and, with your consent, for analytics. You can disable non-essential cookies through your browser settings or our cookie consent banner.

11. Children

Mercemur is not intended for individuals under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be notified to account holders by email. The "Last updated" date at the top reflects the most recent revision.

13. Contact

For privacy questions or to exercise your rights, contact our Data Protection Officer: