inback
Get a Demo
Install on Shopify

Privacy Policy

Privacy Policy

Effective Date: 19/02/2026

INRAYS TECH PRIVATE LIMITED (“Company”, “we”, “us”, or “our”) operates the inback loyalty management application (“inback” or the “App”) for Shopify merchants.

This Privacy Policy explains how we collect, use, process, and protect personal data in connection with the use of the inback application.

1. Scope

This Privacy Policy applies to:

  • Shopify merchants who install and use the inback application
  • Customer data processed through Shopify stores using the App

inback operates within the Shopify ecosystem and processes data solely to provide loyalty and rewards functionality to merchants.

2. Our Role: Data Processor

inback acts as a Data Processor on behalf of Shopify merchants.

  • Shopify merchants are the Data Controllers of their customers’ personal data.
  • We process customer data strictly according to merchant instructions and solely

for providing loyalty program functionality.
We do not independently control how merchant customer data is used.

3. Information We Collect

3.1 Merchant Information

To operate the App, we collect and store the following merchant-related data through Shopify APIs:

  • Shopify Shop ID
  • Store domain (shop_domain)
  • Store name
  • Account owner name
  • Merchant email address
  • Store currency code
  • Partner development status (development store indicator)
  • Secure Shopify access token (used solely for authenticated API communication)

The access token is securely stored and used only to enable authorized communication between inback and Shopify APIs.
We do not collect merchant contact numbers or use merchant data for marketing.

3.2 Customer Information (Processed on Behalf of Merchants)

Through Shopify APIs, we process the following customer data:

  • Shopify Customer ID
  • First name
  • Last name
  • Full name
  • Email address
  • Phone number (if provided by merchant through Shopify)
  • Purchase history
  • Loyalty points balance
  • VIP tier status

This data is accessed and processed only to enable loyalty program functionality.

We do not collect:

  • IP addresses
  • Browser information
  • Behavioral tracking data
  • Cookies
  • Third-party tracking data

4. How Information Is Collected

All data processed by inback is obtained:

  • Directly from Shopify APIs
  • Based on merchant authorization during app installation

We do not collect data directly from customers via forms.
We do not use cookies or tracking technologies.

5. Purpose of Processing

We process data solely for the following purposes:

  • Providing loyalty and rewards program functionality
  • Managing earning and redemption rules
  • Managing VIP tier configurations
  • Generating loyalty-related reports and metrics
  • Billing and subscription management
  • Customer support and troubleshooting

We do not use personal data for advertising or marketing purposes.

6. Data Sharing

We do not sell, rent, or trade personal data.
Data may be shared only in the following cases:

  • With Shopify, as required for API operations
  • With trusted service providers (such as secure hosting providers) strictly for operating the App

These service providers are contractually obligated to process data only on our instructions and maintain appropriate security standards.We do not share data for marketing or advertising purposes.

7. Data Retention

We retain merchant and customer data:

  • For as long as the merchant maintains an active installation of the App
  • Until the merchant uninstalls the App

Upon uninstall, associated data is deleted within a reasonable timeframe unless retention is required for legitimate operational or security purposes.

8. Data Security

We implement reasonable administrative, technical, and organizational safeguards to protect data against unauthorized access, alteration, disclosure, or destruction.
Sensitive credentials such as Shopify access tokens are securely stored and protected using appropriate security practices.
Access to data is restricted to authorized personnel only.

9. End-User (Customer) Rights

Because inback acts as a Data Processor:

  • Customers seeking access, correction, or deletion of their data should contact the relevant merchant (Data Controller).
  • Merchants may contact us to assist in fulfilling such requests. We cooperate with merchants to support compliance with applicable data protection laws.

10. International Data Protection Rights (GDPR & CCPA)

10.1 European Economic Area (EEA), United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you may have rights under the General Data Protection Regulation (GDPR), including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction or objection
  • Right to data portability

Since inback acts as a Data Processor, data subject requests must be directed to the merchant (Data Controller). We assist merchants in responding to such requests where required.

10.2 California Residents (CCPA / CPRA)

If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

  • The right to know what personal information is collected
  • The right to request deletion of personal information
  • The right to correct inaccurate personal information
  • The right to non-discrimination for exercising privacy rights

inback does not sell personal information.
As a Data Processor, we process personal information solely on behalf of merchants. Requests should be directed to the relevant merchant.

10.3 Lawful Basis for Processing

When processing personal data under GDPR, inback relies on:

  • Performance of a contract (to provide app functionality to merchants), and
  • Legitimate interests of merchants in operating loyalty programs,

as instructed by the merchant (Data Controller).

10.4 Cross-Border Data Transfers

Where service providers process data internationally, we ensure appropriate safeguards are implemented to protect personal data in accordance with applicable data protection laws.

11. Children’s Privacy

The App is not directed to individuals under the age of 18. We do not knowingly process children’s data outside the scope of merchant-controlled Shopify operations.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted with a revised effective date.

13. Contact Information

INRAYS TECH PRIVATE LIMITED
Mani Tower, Annapurna Road
Indore, Madhya Pradesh, India
Email: connect@inback.in

pop-up