1. Who we are
Aeon Technologies is an India-based company building Aeonzap — a platform for running modern ecommerce stores. We are the data fiduciary (controller) for personal data we collect about visitors to aeonzap.com and about merchants who sign up to use the Service. For data that merchants upload about their own customers, we act as a data processor under the merchant’s instructions.
In this policy, “we”, “us” and “our” mean Aeon Technologies; “you” means either a visitor to our website or a merchant using the Service, depending on the context.
2. What data we collect
2.1 Account data. When you sign up we collect your name, work email address, phone number, business name, and (if you provide one) your GSTIN. We store a securely hashed version of your password — never the password itself.
2.2 Usage data. As you use the dashboard, we record the pages you visit, the actions you take (creating products, editing settings, publishing themes), timestamps, your browser and operating system, and your approximate location derived from IP address. IP addresses are anonymised before they hit our analytics store.
2.3 Content you submit. Anything you put into your Aeonzap store — products, prices, inventory, themes, page copy, customer records, orders, invoices, plugin configuration — is processed by us on your behalf so the Service works. This includes personal data about your customers (their names, addresses, contact details, order history), for which you are the data fiduciary.
2.4 Support correspondence. When you email support, chat with us, or file a ticket, we keep the conversation and any screenshots or files you attach, so we can keep helping you and improve our docs.
2.5 Cookies and similar technologies. See section 11.
3. Why we collect it
- To provide and operate the Service — sign-in, billing (when paid plans exist), order processing, dashboards.
- To prevent fraud, abuse, and security incidents.
- To improve the product — fix bugs, understand which features matter, decide what to build next.
- To send transactional and security email (order receipts, password resets, breach notifications).
- To send product updates and tips, only if you’ve opted in.
- To comply with our legal and tax obligations in India and in other jurisdictions where applicable.
4. Legal basis
We rely on the following legal grounds, which map to the Digital Personal Data Protection Act, 2023 (DPDP Act) in India and to the GDPR for visitors based in the EU/UK:
- Contract — we need this data to provide the Service you’ve signed up for.
- Consent — for things like marketing email or non-essential cookies, which you can withdraw at any time.
- Legitimate interest — for fraud prevention, security, and basic product analytics with anonymised identifiers.
- Legal obligation — for tax records, responses to lawful demands, and statutory retention periods.
5. Who we share it with
We don’t sell personal data. We share it with a small number of vetted service providers (sub-processors) so that Aeonzap can actually run:
- Payment processors — Razorpay and Cashfree (and, depending on your store’s configuration, other providers you connect) to process payments on your behalf.
- Our infrastructure providers — for hosting, managed databases, object storage, CDN, and DDoS protection. These providers process data on our instructions under data processing agreements.
- Transactional email — for password resets, receipts, and security notifications.
- Analytics — a privacy-friendly analytics product (PostHog or equivalent) with IP anonymisation enabled. No third-party advertising or retargeting pixels are set by default.
- Legal and regulatory authorities — when we’re compelled by a valid court order, statutory notice, or to protect the safety of users or the public.
The current sub-processor list is available from the trust centre on request: email privacy@aeonzap.com.
6. International transfers
Aeonzap is hosted on Hostinger Cloud servers located in India by default, and merchant databases, object storage, and backups stay within Indian data centres. Some of our sub-processors (for example, transactional email and error monitoring) operate from regions outside India. When personal data leaves India, we rely on Standard Contractual Clauses (or the equivalent under the DPDP Act once the schedule of restricted countries is notified) and appropriate technical measures — encryption in transit and at rest, access controls, and audit logging — to make sure the data stays protected to the same standard.
7. Retention
We keep account and store data for as long as your account is active. After termination we retain personal data for a further seven years in line with Indian tax and corporate-law record-keeping requirements (notably the Income-tax Act and the Companies Act, 2013). After that period, personal data is deleted or fully anonymised.
Support email is kept for three years. Web-server access logs are kept for 30 days. Backups roll off on a 30-day window.
8. Your rights
Under the DPDP Act (and, where applicable, the GDPR), you have the right to:
- Access the personal data we hold about you.
- Correct data that’s wrong or incomplete.
- Delete data we no longer need to hold.
- Portability — receive a copy of your data in a machine-readable format.
- Withdraw consent for processing you previously agreed to, without affecting what was done before.
- Object to processing based on legitimate interest.
- Nominate another individual to exercise your rights in the event of death or incapacity, as the DPDP Act allows.
- Grievance redressal — escalate to our Data Protection Officer (section 13) and, if you’re still not satisfied, to the Data Protection Board of India.
To exercise any of these rights, email privacy@aeonzap.com. We’ll respond within the timelines required by law (and usually a lot sooner).
9. Children
Aeonzap is a business tool. It’s not directed to anyone under the age of 18, and we don’t knowingly collect personal data from children. If you believe a child has signed up or had their data submitted to us, please email privacy@aeonzap.com and we’ll remove it.
10. Security
We treat the data merchants trust us with seriously. Our baseline controls include:
- TLS 1.2+ for all data in transit; HSTS on every domain.
- AES-256 encryption at rest for managed databases and object storage.
- Per-tenant key derivation for sensitive payloads.
- Passwords stored only as Argon2id hashes — never in plaintext.
- Least-privilege access controls, with all admin actions recorded in immutable audit logs.
- Mandatory two-factor authentication for our own engineers on every production system.
- Regular dependency scanning and a clear vulnerability disclosure path (security@aeonzap.com).
11. Cookies
We use as few cookies as we can get away with, and we group them into three buckets:
- Strictly necessary — session cookie to keep you signed in, CSRF token, and a preference cookie that remembers your theme. These cannot be turned off because the Service won’t work without them.
- Analytics — set only after you agree to the cookie banner, used to understand which pages and features are useful. IP addresses are anonymised before storage.
- Third-party tracking — none by default. We do not set advertising, retargeting, or social media tracking pixels. Individual merchant storefronts may set their own — those are governed by that merchant’s privacy policy, not this one.
12. Changes to this policy
We may update this policy from time to time. When the change is material we’ll give you at least 30 days’ notice by email and by a notice in the dashboard. The “Last updated” date at the top of this page always reflects the current version.
13. Data Protection Officer
Our Data Protection Officer is reachable at dpo@aeonzap.com. The DPO is the point of contact for the Data Protection Board of India and for any request relating to the DPDP Act, the GDPR, or equivalent regulation in your jurisdiction.
14. Contact
For anything privacy-related, the fastest path is privacy@aeonzap.com. For general questions about Aeonzap, write to support@aeonzap.com.
Aeon Technologies
GSTIN: 27LPCPK3216C1Z5
Mumbai, Maharashtra, India
support@aeonzap.com