Legal

EcomLinx Solutions Private Limited ("EcomLinx", "we", "us", or "our") is a company registered in India. We operate the EcomLinx SaaS platform and managed ecommerce services available at app.ecomlinx.com and ecomlinx.com. For the purposes of the UK GDPR and EU GDPR, EcomLinx Solutions Private Limited is the data controller for personal data processed through our services. Contact: info@ecomlinx.com

We collect the following categories of personal data: Account data: name, email address, business name, country, phone number (WhatsApp), tax ID (GSTIN/VAT/EIN). Business data: marketplace credentials (stored AES-256 encrypted), product catalogs, order data, inventory levels, P&L figures. This data belongs to you and is processed on your behalf. Usage data: pages visited, features used, session duration, device type, browser, IP address. Payment data: transaction IDs from Razorpay (India) and Stripe (UK/US). We do not store raw card numbers - payment processing is handled directly by Razorpay and Stripe under their own PCI DSS compliance. Communications: emails and support ticket messages you send to us.

We use your personal data to: - Provide, operate, and improve the EcomLinx platform and services - Process payments and manage billing - Send transactional emails (account verification, payment receipts, SLA alerts) - Send service communications (downtime notices, feature updates) - you cannot opt out of these - Send marketing emails - you can opt out at any time via the unsubscribe link - Comply with legal obligations (tax, accounting, anti-fraud) - Respond to support requests Legal bases (UK/EU GDPR): performance of contract (service delivery), legitimate interests (fraud prevention, platform improvement), legal obligation, and consent (marketing).

When you connect a marketplace (Amazon, Flipkart, Shopify, etc.) to EcomLinx, you provide API credentials (keys, tokens, or OAuth authorisation). These credentials are: - Encrypted at rest using AES-256 - Transmitted over TLS 1.2+ - Never shared with third parties except the marketplace API itself - Deletable at any time from your Settings → Integrations page We use these credentials solely to fetch and push data on your behalf - orders, inventory, listings, and reports - as directed by your use of the platform.

We share your data with: Infrastructure: AWS (ap-south-1, us-east-1, eu-west-2), Railway.app - for hosting and database services. Auth: EcomLinx in-house authentication (bcrypt + JWT, no third-party auth provider). Payments: Razorpay (India transactions), Stripe (UK/US transactions). Email: Resend.com - for transactional and marketing emails. Analytics: We use anonymised, aggregated platform analytics and do not sell individual user data to any third party. All sub-processors are bound by data processing agreements. We do not sell your personal data.

Account data: retained for the duration of your account plus 90 days after closure, then deleted. Order and P&L data: retained for 7 years to comply with Indian Companies Act and UK HMRC requirements. Support tickets: retained for 2 years. Usage logs: retained for 90 days. You may request earlier deletion of certain data - see Section 8.

EcomLinx is incorporated in India. Your data may be processed in India (ap-south-1), the United States (us-east-1), and the United Kingdom (eu-west-2). For UK and EU users: transfers to India are made under appropriate safeguards. We are working toward Standard Contractual Clauses (SCCs) with all sub-processors for cross-border transfers.

Under UK GDPR, EU GDPR, and applicable Indian data protection law, you have the right to: - Access the personal data we hold about you - Correct inaccurate data - Request deletion ("right to be forgotten") - subject to legal retention obligations - Restrict or object to processing - Data portability - receive your data in a structured, machine-readable format - Withdraw consent (where processing is based on consent) To exercise any right, email info@ecomlinx.com. We will respond within 30 days.

We use the following cookies: Essential cookies: authentication session (HTTP-only JWT cookie), CSRF protection. Cannot be disabled. Analytics cookies: anonymised usage tracking (no cross-site tracking). You can opt out via your browser settings. Marketing cookies: we do not use advertising or retargeting cookies. You can manage cookie preferences in your browser settings at any time.

We implement appropriate technical and organisational measures to protect your data: - TLS 1.2+ for all data in transit - AES-256 encryption for stored marketplace credentials - Role-based access control - EcomLinx staff cannot access your marketplace data without your authorisation - Regular security reviews and penetration testing - SOC 2 Type II certification in progress In the event of a data breach affecting your rights, we will notify you within 72 hours as required by UK GDPR.

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice on the platform at least 14 days before the change takes effect. Your continued use of the platform after the effective date constitutes acceptance.

For privacy questions: info@ecomlinx.com For general enquiries: info@ecomlinx.com If you are a UK user and are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are an EU user, you may contact your local supervisory authority.