1. Who we are
Tvora (“Tvora”, “we”, “us”, or “our”) is a post-order operations and workflow management application for Shopify, operated by Hikedeal Digital Media Private Limited, India. This Privacy Policy describes how we handle personal data when a merchant installs and uses the Tvora app (the “App”) on their Shopify store.
For the order and customer data we process on a merchant’s behalf, the merchant is the data controller and Tvora acts as a data processor. For the merchant’s own account and team-member data, Tvora is the controller.
2. Scope
This policy applies to the Tvora App and the website at baton.tvora.co. It does not apply to Shopify itself or to any third-party service you connect separately. Your use of Shopify is governed by Shopify’s own privacy policy.
3. Data we collect
When you install and use Tvora, we access and store the following, strictly to provide the service:
Store & account data
- Your Shopify store domain, shop name, store owner email, and installation timestamp.
- Your subscription plan and billing status (managed through Shopify Billing).
Order data (Shopify scope: read_orders, read_fulfillments)
- Order number, status, financial and fulfillment status, totals, currency, payment gateway and tags.
- Line items: product title, quantity, SKU, variant, price, and product image.
- Order and fulfillment timestamps.
Customer personal data (Shopify scope: read_customers)
- Customer name, email address, phone number, and shipping address attached to an order.
This is treated as Shopify Protected Customer Data and handled under the additional safeguards in Section 6.
Team member account data
- The name, email address, role, and a securely hashed password for each team member a merchant invites.
Technical & usage data
- IP address and request metadata, used for login rate-limiting, abuse prevention and security logging.
- Application logs needed to operate, debug and secure the service.
We do not use advertising cookies or third-party tracking, and we do not build advertising profiles.
4. How we use data
- To sync orders from your store and move them through your operational pipeline (routing, assignment, hand-offs).
- To run SLA timers and notify your team of approaching or breached deadlines.
- To display order, customer and fulfillment details to authorised members of your team.
- To send transactional emails (team invitations, SLA breach alerts) to your team members.
- To provide analytics and reporting about your own store’s operations.
- To manage your subscription and process billing through Shopify.
- To secure the service, prevent abuse, and comply with legal obligations.
We never sell personal data, and we never use your customers’ personal data for our own marketing.
5. Legal bases (GDPR)
- Performance of a contract — to provide the App you signed up for.
- Legitimate interests — to secure, maintain and improve the service, where not overridden by your rights.
- Legal obligation — to comply with applicable law and Shopify’s requirements.
- Consent — where specifically required; you may withdraw consent at any time.
6. Protected Customer Data
For customer personal data received through Shopify, we comply with Shopify’s Protected Customer Data requirements:
- Data minimisation — we request only the fields required to operate the pipeline and display orders.
- Purpose limitation — customer data is used only to provide the App’s features to the merchant, never for our own purposes.
- No sale or sharing — we never sell customer data or share it with third parties for their own use.
- Encryption — data is encrypted in transit (TLS) and access is restricted.
- Retention & deletion — we honour Shopify’s mandatory data-request and redaction webhooks (Section 9).
- Access control — within a merchant’s workspace, only authorised team members can view customer data, scoped to their role.
- Tenant isolation — each store’s data is isolated; one merchant can never access another merchant’s data.
7. Sharing & sub-processors
We do not sell your data. We share data only with the service providers required to run Tvora:
| Sub-processor | Purpose |
|---|---|
| Shopify Inc. | Source platform; provides order, customer and store data and processes billing. |
| Hostinger International Ltd. | Cloud hosting and database infrastructure where data is stored. |
| Resend (resend.com) | Delivery of transactional emails (invites and alerts). |
Each sub-processor is bound to handle data only on our instructions. We may also disclose data where required by law, or to protect the rights, safety and security of Tvora and its users.
8. Data retention
- We retain your store and order data for as long as the App is installed and you have an active workspace.
- If you uninstall the App, we delete or anonymise your store’s data within 90 days, unless a longer period is required by law.
- Customer redaction and shop redaction requests are processed as described in Section 9.
9. Deletion & Shopify compliance webhooks
Tvora implements Shopify’s mandatory GDPR/privacy webhooks:
- customers/data_request — when a customer requests their data, we make available the data we hold for that customer.
- customers/redact — when a customer requests deletion, we erase that customer’s personal data from our records.
- shop/redact — 48 hours after a store uninstalls Tvora, Shopify sends this request and we erase the store’s data.
You can also email us (Section 15) to request access to, or deletion of, your data at any time.
10. Your rights
Depending on your location (including under the GDPR and CCPA), you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data or complete incomplete data.
- Request erasure of your data.
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Lodge a complaint with your data-protection authority.
Because Tvora usually acts as a processor for customer data, requests from a store’s customers are normally directed to the merchant (the controller); we assist merchants in fulfilling them.
11. Security
- All traffic is encrypted in transit using TLS/HTTPS.
- Passwords are stored only as salted bcrypt hashes — never in plain text.
- Multi-tenant isolation keeps every store’s data separate at the data layer.
- Access is role-based; team members only see what their role permits.
- We apply rate-limiting, security headers and structured audit logging.
No method of transmission or storage is 100% secure, but we work to protect your data using industry-standard measures.
12. International transfers
Tvora is operated from India and uses cloud infrastructure that may process data in other countries. Where personal data is transferred internationally, we rely on appropriate safeguards as required by applicable law.
13. Children’s privacy
Tvora is a business tool not directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, please contact us and we will delete it.
14. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by the “Last updated” date above and, where appropriate, communicated to merchants. Continued use of the App after an update constitutes acceptance.
15. Contact us
For any privacy question or request, contact Hikedeal Digital Media Private Limited at info@hikedeal.in. We aim to respond within 30 days.