Privacy Policy
This policy explains what personal data SR Innovations collects, why we collect it, how we use and protect it, and what rights you have over it. It applies to all SR Innovations products, including the SmartSubscription app and this website.
Effective date: January 1, 2026 · Last updated: January 1, 2026
1. Introduction & Scope
SR Innovations (“we,” “us,” or “our”) is committed to protecting the privacy and security of personal data entrusted to us by merchants, their customers, and visitors to our website. This Privacy Policy describes our practices in accordance with the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), India's Information Technology Act and applicable rules, and other privacy laws that may apply to your jurisdiction.
This policy covers personal data collected through (a) the SR Innovations website at srinnovations.dev and its subdomains, (b) our Shopify apps, including SmartSubscription, and (c) communications between you and SR Innovations via email, chat, or support channels. It does not cover third-party websites, services, or applications that our platforms may link to, even if those links are provided for convenience.
By accessing or using our services, you acknowledge that you have read and understood this policy. If you are a Shopify merchant installing one of our apps, your acceptance of our Terms of Service at the time of installation constitutes agreement with this policy. If you do not agree with any part of this policy, please discontinue use of our services immediately and contact us at legal@srinnovations.dev to request deletion of any data we hold about you.
We review and update this policy periodically. Material changes will be communicated via email to registered account holders and posted prominently on this page with an updated effective date. Continued use of our services after the effective date of a revised policy constitutes your acceptance of the revised terms.
2. Data Controller Information
For the purposes of GDPR and equivalent data protection legislation, the data controller — the entity that determines the purposes and means of processing your personal data — is SR Innovations, a company registered and operating in India. Our registered address is [Company Address], India. We can be reached for all data protection matters at legal@srinnovations.dev.
Because SR Innovations is incorporated in India and serves merchants and users globally, we operate under both Indian data protection law and, where applicable, the GDPR. Merchants or users located in the European Economic Area (EEA) or the United Kingdom may direct data protection enquiries and formal complaints to legal@srinnovations.dev. We will respond to all data subject requests within the timeframes required by applicable law — in no case exceeding 30 days for GDPR requests.
If you are a Shopify merchant, please note that SR Innovations is the data controller for the merchant account and app configuration data we hold. With respect to the personal data of your end customers processed through our apps (such as subscription records and order history), SR Innovations acts as a data processor on your behalf, and you remain the controller. We process such customer data only to provide the services you have contracted for, in accordance with the Data Processing Agreement incorporated into our Terms of Service.
3. Personal Data We Collect
We collect personal data only to the extent necessary to provide our services, comply with legal obligations, and improve our products. The categories below describe what we collect, organised by the context in which it arises.
Account and identity data: When you install our Shopify app or create an account, we collect your name, business email address, Shopify store URL, and the OAuth access token issued by Shopify that authorises our app to read and write data on your store. We also record the date and time of installation, your subscription plan, and billing status. This information is required to provide the service and cannot be avoided through privacy settings.
Order and subscription data: To manage subscription plans on your behalf, we access and store records of subscription-linked orders from your Shopify store, including order identifiers, product information, subscription schedule, and the fulfilment status of recurring orders. We also store subscriber-level data — first name, last name, email address, and shipping address — as provided by Shopify, to the extent necessary to process renewals and handle disputes.
Payment data: SR Innovations does not store full payment card numbers, CVV codes, or banking credentials. Billing for your subscription to our app is handled exclusively by Shopify Billing. Where payment processing for your store's customers is handled via Razorpay integration, payment tokens and transaction identifiers are stored by Razorpay under their own privacy policy; we retain only a transaction reference ID and status for reconciliation purposes.
Usage and analytics data: We collect anonymised and aggregated usage data about how merchants interact with our dashboard — such as feature adoption rates, session durations, and error events — to improve product quality. This data is not linked to individual identifiable users. We may also log IP addresses and browser user-agent strings in server access logs for security monitoring purposes; these logs are retained for 90 days and then automatically deleted.
4. How We Use Your Data
Service delivery: The primary purpose for which we process your data is to provide, operate, and maintain the services you have subscribed to. This includes creating and managing subscription plans, processing renewal orders via the Shopify API, handling cancellations and pauses, generating subscription analytics and reports, and providing the merchant dashboard through which you configure all of the above.
Product improvement: We use aggregated, de-identified usage analytics to understand which features are most valuable, identify usability problems, prioritise engineering work, and make decisions about the direction of our product roadmap. No individual user is identified in this analysis. Where we wish to contact you directly for product feedback, we will do so only with your explicit consent.
Transactional and service communications: We send emails necessary to the delivery of the service: account setup confirmations, billing receipts, important product and policy updates, and security notifications. These communications are not marketing — they are operational and cannot be unsubscribed from while your account is active, because they are required to fulfil our contractual obligations to you.
Legal compliance and security: We may process personal data where required to comply with applicable laws, regulations, or binding court or government orders — including tax, accounting, and anti-money-laundering obligations. We also process data to detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms of Service. In all such cases, we apply a principle of minimum necessary access and retain data only for as long as required by the relevant legal obligation.
5. Legal Basis for Processing
Where GDPR applies, every processing activity we undertake must rest on one of the lawful bases defined in Article 6 of the GDPR. The bases we rely on are as follows.
Contract performance (Article 6(1)(b)): Most of our core data processing — account management, subscription plan configuration, order processing, and transactional communications — is necessary to perform the contract between SR Innovations and the merchant. Without this processing, we cannot deliver the service. This basis applies from the moment you install our app and accept our Terms of Service.
Legitimate interests (Article 6(1)(f)): We process certain data on the basis of our legitimate business interests, where those interests are not overridden by your rights and freedoms. Specifically: we log server access data for security monitoring and fraud prevention; we use aggregated analytics to improve our product; and we retain records of terminated accounts for a limited period to handle any post-termination disputes. We have conducted legitimate interest assessments for each such activity and are satisfied that our interests are proportionate and do not override the interests of data subjects.
Legal obligation (Article 6(1)(c)): Where we are required by law to retain certain records — for example, invoices and financial records under Indian tax law, or data subject to a court order — we process that data to fulfil our legal obligations.
We do not rely on consent as a lawful basis for routine processing. Where we do request consent — for example, for optional marketing communications — we will make clear that consent is freely given, specific, and withdrawable at any time without affecting the service.
6. Data Sharing & Third Parties
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We share data only where necessary to deliver our services, and exclusively with processors who have signed a Data Processing Agreement that meets the requirements of GDPR Article 28.
Shopify Inc.: Our apps operate as Shopify partners within the Shopify ecosystem. We exchange data with Shopify's APIs to read store configurations and write subscription and order data. Shopify is itself a data controller for the data on its platform; its privacy practices are governed by Shopify's Privacy Policy. Our use of Shopify's APIs is restricted to the minimum scopes necessary for app functionality.
Razorpay: Where merchants use Razorpay integration for payment processing, billing-related data (including customer identifiers and transaction references) is transmitted to Razorpay's systems. Razorpay is an independent data controller for the payment data it processes; SR Innovations receives only a transaction reference and status in return. We have entered into a Data Processing Agreement with Razorpay covering any personal data shared in the course of this integration.
Amazon Web Services (AWS): Our infrastructure is hosted on AWS in data centres located in India and, for redundancy, Singapore. AWS processes personal data only on our instructions, as set out in the AWS Data Processing Addendum. All data at rest on AWS is encrypted using AES-256; all data in transit uses TLS 1.3 minimum. We do not permit AWS to use the data we store for any purpose other than providing us with cloud infrastructure services.
7. International Data Transfers
SR Innovations is based in India and our primary data processing infrastructure is located there. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data may be transferred to and processed in India, which is a third country under GDPR. We ensure that such transfers are made with appropriate safeguards in place.
Where India does not have an adequacy decision from the European Commission, we rely on the European Commission's Standard Contractual Clauses (SCCs) — the version adopted by Commission Implementing Decision (EU) 2021/914 — as the legal mechanism for transfers of personal data from the EEA to SR Innovations in India. A copy of the applicable SCCs is available upon request at legal@srinnovations.dev.
For transfers to AWS infrastructure located in Singapore, we rely on AWS's standard SCCs as documented in the AWS Data Processing Addendum. We conduct periodic reviews of our transfer mechanisms to ensure they remain adequate under current data protection law. If the legal framework governing any transfer changes materially, we will update our safeguards and notify affected data subjects as required by law.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. We do not keep data beyond the point at which it is no longer needed.
Active accounts: Personal data associated with an active merchant account is retained for the duration of the subscription. This includes account data, app configuration, subscription records, and associated customer data processed on the merchant's behalf. We do not delete this data while the account is in active use, as doing so would disrupt the service.
After account closure or app uninstall: When a merchant uninstalls our app or their account is closed, we initiate a data deletion process. All personal data — including merchant account data and end-customer subscription records — is deleted from our production systems within 30 days of account closure. Anonymised, aggregated analytics derived from that data may be retained indefinitely, as they cannot be used to identify individuals.
Legal retention obligations: Notwithstanding the above, certain categories of data must be retained for longer periods to comply with legal obligations. Specifically, financial records, invoices, and billing data are retained for a minimum of 7 years from the date of transaction, as required by Indian tax law. Where a legal obligation requires us to retain data beyond the periods described above, we will store that data in a restricted archive, accessible only to personnel with a specific need to access it for legal or compliance purposes.
9. Your Rights
Depending on your location, you may have a number of rights with respect to the personal data we hold about you. These rights are not absolute — each is subject to conditions and limitations set by applicable law — but we take them seriously and will respond to all valid requests promptly.
GDPR rights (EEA, UK, Switzerland): If you are located in a GDPR jurisdiction, you have the right to access the personal data we hold about you (Article 15); the right to rectification of inaccurate data (Article 16); the right to erasure (“right to be forgotten”) where no overriding legal basis for retention exists (Article 17); the right to restriction of processing in certain circumstances (Article 18); the right to data portability in a machine-readable format (Article 20); and the right to object to processing based on legitimate interests (Article 21). You also have the right to lodge a complaint with your national supervisory authority if you believe we have processed your data in violation of the GDPR.
CCPA rights (California residents): If you are a California resident, you have the right to know what personal information we have collected about you and how it is used and shared; the right to delete personal information we have collected, subject to certain exceptions; the right to opt out of the sale of personal information (we do not sell personal information); the right to non-discrimination for exercising your privacy rights; and, where applicable, the right to correct inaccurate personal information.
To exercise any of these rights, submit a written request to legal@srinnovations.dev with “Data Rights Request” in the subject line. Include sufficient information to identify your account (such as your registered email address and Shopify store URL). We will verify your identity before processing any request and will respond within 30 days. In complex cases, we may extend this by a further 30 days, providing notice and reasons for the extension.
10. Cookies
SR Innovations uses cookies and similar tracking technologies on our website and within our app dashboard to maintain session state, remember preferences, and gather aggregated analytics. We use only the cookies necessary to operate the service and a limited set of analytics cookies to understand aggregate usage patterns.
For a full description of the cookies we use, their purposes, and how to control them, please see our Cookie Policy. You may adjust your cookie preferences at any time through your browser settings or our cookie preference centre. Please note that disabling strictly necessary cookies will affect the functionality of our app dashboard.
11. Data Breach Notification
Despite our technical and organisational security measures, no system can be guaranteed immune to breach. In the event of a personal data breach — meaning a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data we hold — we have a documented incident response procedure that activates immediately.
Where a breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Article 33. The notification will include the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences of the breach, and the measures taken or proposed to address it.
Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals directly without undue delay, as required by GDPR Article 34. Such notifications will describe the nature of the breach in clear, plain language, the name and contact details of our data protection point of contact, the likely consequences, and the steps you can take to protect yourself. We will never ask you to provide passwords or payment information in a breach notification.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, applicable law, or regulatory guidance. When we do so, we will revise the “Last updated” date at the top of this page. If the changes are material — meaning they significantly affect how we handle your personal data or your rights — we will provide a more prominent notice, including email notification to registered account holders at least 14 days before the changes take effect.
We encourage you to review this policy periodically to stay informed about how we protect your data. If you have questions about any changes, please contact us at legal@srinnovations.dev before the effective date of the revised policy.
13. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or our handling of your personal data, please contact us:
We aim to respond to all privacy-related enquiries within 5 business days. For formal data subject access requests, the statutory response window is 30 days from receipt of a verified request.