Privacy Policy
📅 Last updated: 17 May 2026
🏢 MVR IT Services Ltd
This Privacy Policy explains how XLeShop (operated by MVR IT Services Ltd) collects, uses, and protects personal data for both merchants (businesses using the XLeShop platform) and end customers (individuals shopping on stores built with XLeShop). Please read it carefully.
1. Who we are
XLeShop is a software-as-a-service (SaaS) e-commerce platform operated by MVR IT Services Ltd. We provide businesses with the tools to create, manage, and operate online stores.
Contact: contact@xleshop.com
For purposes of the UK GDPR and the Indian Information Technology Act, 2000 (as amended by the IT Amendment Act, 2008) and the Digital Personal Data Protection Act, 2023, MVR IT Services Ltd is the data controller for merchant data and processes end-customer data as a data processor on behalf of merchants.
2. Information we collect
2.1 Merchant data (businesses using XLeShop)
- Account information: name, email address, phone number, business name, business address
- Billing information: payment method details (processed securely through payment processors; we do not store raw card numbers)
- Store configuration: product listings, pricing, brand assets, page content
- Usage data: login times, features used, dashboard activity, support interactions
2.2 End-customer data (customers shopping on XLeShop stores)
- Order information: name, email address, delivery address, phone number, items ordered, payment confirmation
- Order tracking: order status, delivery updates
- Technical data: IP address, browser type, device type (for fraud prevention and service operation)
2.3 Data we do not collect
We do not collect sensitive personal data such as biometric data, religious beliefs, health information, or financial account numbers beyond what is required for payment processing. We do not sell personal data to third parties.
3. How we use your information
Merchant data is used to:
- Provide, operate, and improve the XLeShop platform
- Process subscription payments and manage billing
- Provide customer support and technical assistance
- Send service-related communications (account notices, security alerts, product updates)
- Comply with legal obligations
- Prevent fraud and ensure platform security
End-customer data is used to:
- Process and fulfil orders placed on merchant stores
- Enable order tracking and status updates
- Communicate with customers about their specific orders
- Prevent fraud and comply with legal obligations
End-customer data is processed on behalf of the merchant (the business operating the store). Merchants are responsible for ensuring they have appropriate lawful grounds to process their customers' data.
4. Legal basis for processing
We rely on the following legal bases to process personal data:
- Contract performance: processing necessary to deliver the XLeShop service to merchants and to fulfil orders for end customers
- Legitimate interests: fraud prevention, platform security, and service improvement
- Legal obligation: where we are required to process data to comply with applicable law
- Consent: for any marketing communications (you may withdraw consent at any time)
5. Data sharing and disclosure
We do not sell, rent, or trade personal data. We share data only in the following circumstances:
- Service providers: we use trusted third-party services for hosting, payment processing, email delivery, and analytics. These providers are contractually bound to process data only as directed by us and in accordance with applicable data protection law
- Merchant–customer relationship: end-customer data is shared with the merchant whose store the order was placed on, for order fulfilment purposes
- Legal requirements: we may disclose data where required by court order, regulatory authority, or applicable law (Indian IT Act, UK GDPR, or other applicable legislation)
- Business transfers: in the event of a merger, acquisition, or sale of assets, data may be transferred as part of that transaction, subject to equivalent privacy protections
6. Data retention
- Merchant account data: retained for the duration of the subscription and for up to 7 years after account closure for legal and tax compliance purposes
- Order data: retained for up to 7 years for tax, accounting, and legal compliance
- Support interactions: retained for up to 3 years
- Technical/log data: retained for up to 90 days
You may request deletion of your personal data subject to our legal retention obligations. See Section 7 for how to make a request.
7. Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): request deletion of your data, subject to legal retention requirements
- Right to restriction: request that we limit processing of your data in certain circumstances
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at contact@xleshop.com. We will respond within 30 days. We may need to verify your identity before acting on your request.
If you are in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are in India, you may raise a grievance with our Grievance Officer (contact details in Section 13).
8. Cookies
XLeShop uses cookies and similar technologies to operate the platform and improve your experience. Types of cookies used:
- Essential cookies: required for the platform to function (login sessions, shopping cart, security). Cannot be disabled.
- Analytics cookies: help us understand how the platform is used so we can improve it. These do not identify you personally.
- Preference cookies: remember your settings and preferences.
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include:
- HTTPS/TLS encryption for all data in transit
- Encryption of sensitive data at rest
- Access controls limiting data access to authorised personnel only
- Regular security reviews and monitoring
No system is 100% secure. If you believe your account has been compromised, contact us immediately at contact@xleshop.com.
10. International data transfers
XLeShop serves customers in India, the United Kingdom, and internationally. Your data may be stored and processed in countries other than where you reside. Where we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses or adequacy decisions as applicable under UK GDPR and India's DPDPA.
11. Children's privacy
The XLeShop platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it.
12. Changes to this policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will notify merchants of material changes via email or a notice in the dashboard. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of XLeShop after changes are posted constitutes acceptance of the updated policy.
13. Contact us & Grievance Officer
For any privacy-related queries, requests, or complaints:
For users in India, in accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, our Grievance Officer can be contacted at contact@xleshop.com. We will acknowledge grievances within 48 hours and resolve them within 30 days.
Note for merchants: As the operator of an XLeShop-powered store, you are the data controller for your customers' personal data. You are responsible for having your own privacy policy and for ensuring you have a lawful basis to collect and process your customers' data. XLeShop processes this data as your data processor.