Privacy Policy

ShipWorks is a software service for Indian e-commerce sellers — we help you crop and sort shipping labels for Meesho, Flipkart, and Amazon, and analyse product imagery to surface lower-shipping-cost variants. This policy covers everything you do on the ShipWorks website and inside the signed-in product.

In data protection terms, ShipWorks is the controller of the personal information described below. You can reach us at [email protected] for any privacy question.

We deliberately keep data collection narrow. The categories below are the only personal information that touches our systems.

• Account details — email address (required), name, phone number (both optional, edited from your profile page), and a hashed password. We never see your password in clear text.
• Google sign-in data — if you choose "Continue with Google" instead of email/password, Google sends us a signed ID token from which we extract your email, your Google profile picture URL, and a stable per-user Google identifier (the sub claim). We use these to create or link your account; we never receive your Google password.
• Billing & payment metadata — when you buy credits or a plan, Razorpay collects your card / UPI / netbanking details on their PCI-compliant infrastructure and shares back to us only an order id, payment id, amount, status, and a payment method label. We never store full card numbers, CVVs, or UPI PINs.
• Files you upload — PDF shipping labels and product images you submit for processing. These files are kept only as long as needed to render the output and are then deleted on a rolling basis (see §6 below).
• Usage data — basic event logs (which features you used, how many labels you processed, error traces). We use this to keep the service reliable, calculate plan usage, and debug issues. A small amount of product-analytics telemetry is also sent to our analytics provider (see §5).
• Technical metadata — IP address, browser user-agent string, and a coarse timestamp are recorded on security-sensitive events (signup, login, password reset, contact-form submissions). This is used to detect abuse and preserve an audit trail; it is not used for marketing.
• Communications — emails you send us, and the transactional emails we send you (signup confirmation, receipts, password resets, plan-lifecycle notices). When you submit our contact form, we store your name, email, message, and the technical metadata above so we can respond and triage the request.

We do not collect sensitive personal data (biometrics, health, financial account credentials) and do not run third-party advertising trackers or session-recording tools.

• To create and operate your account, including signing you in.
• To process payments through Razorpay, send payment receipts, and enforce plan limits.
• To render label outputs and AI analysis results back to you, and to maintain a short-lived history of your jobs.
• To send transactional emails — there is no marketing list. If we ever add one, it will be strictly opt-in.
• To prevent abuse and fraud (rate-limits, multiple-session enforcement, refund-window checks).
• To improve the product. Usage data is aggregated and anonymised before any internal analysis.

We process your personal information either because it is necessary to deliver the service you signed up for (contract performance), to comply with Indian tax and consumer-protection law (legal obligation), or because we have a legitimate interest in running ShipWorks safely and reliably. We do not rely on consent except for optional things, and you can always withdraw that consent.

We don't sell your data. The only third parties who ever see any part of it are the service providers we use to run ShipWorks:

• Razorpay — payments, plan-pass mandates, and refunds. Razorpay handles all card/UPI/netbanking data directly; we never see it.
• Google — used only when you choose to sign in with Google. Google verifies your identity and returns an ID token (email, profile picture URL, and a stable user identifier) to ShipWorks. Once you're signed in, no further Google traffic is initiated by us.
• Cloud hosting — our database, file storage, and application servers run on commercial cloud infrastructure (currently Supabase, with database nodes in the Asia-Pacific region) and meet standard industry security baselines.
• Transactional email provider — Resend, used to deliver receipts, password resets, lifecycle notices, and contact-form alerts. Recipient email addresses + the email body we send pass through Resend's infrastructure.
• Product analytics — Google Analytics 4 (GA4), operated by Google, used to record anonymised product-usage events (which feature you clicked, when, on what device class) so we can understand which workflows need fixing. We do not send your name, email, uploaded files, or message contents to Google. Google receives the IP address your browser attaches to every web request; GA4 uses it only to derive a coarse location and does not store it. You can opt out with an analytics-blocker extension in your browser.
• Law enforcement — only when compelled by a valid legal order, and only the minimum the order requires.

• Account data — for as long as your account is active. After you delete the account, basic records (email, user id, payment history) are kept for up to 7 years to meet Indian tax and accounting requirements, then purged.
• Uploaded label and image files — retained for the history window of your active plan: 7 days on the Free trial, 20 days on Starter, 30 days on Growth, and 60 days on Yearly. After the window, files are deleted on a rolling sweep — the metadata row may remain so the historical job is still listed, but the binary file itself is gone.
• Contact-form submissions — kept for up to 2 years from the date of submission so we can refer back to the original message during support follow-ups, then purged.
• Payment and tax records — retained for the period required by Indian law (currently 7 years).
• Webhook and audit logs — up to 1 year for security and debugging.

Low-Shipping AI, shipping-cost scans, variant uploads, and the admin category-sync flow rely on an optional browser extension. The extension runs only on the supplier.meesho.com tab you are already signed into, and only in response to a click you make on ShipWorks or inside its in-page panel on Meesho.

Key points:

• Your Meesho login stays in your browser. The extension never reads, transmits, or stores your Meesho username, password, cookies, or session tokens. Authentication remains entirely between your browser and Meesho.
• Calls run from your own session. Every Meesho API call happens inside your own logged-in tab — ShipWorks does not act as a proxy or relay for those calls.
• What we receive. The numeric pricing, shipping, commission, and GST fields returned by Meesho for your chosen category; for the admin "connect Meesho" flow, your supplier_id and supplier_slug. We do not receive customer orders, settlement data, or your contact list through the extension.
• Uninstall anytime. Removing the extension has no effect on your ShipWorks account or saved scan history; it just stops new scans until you reinstall.

The full data flow for the extension — including what it stores locally on your device, which Meesho endpoints it touches, and its Chrome permission justifications — is documented in our dedicated Browser Extension Privacy Policy.

We use a small set of cookies and browser-storage entries, all functional:

• Access + refresh tokens (httpOnly cookies) — keep you signed in across page loads.
• Sidebar collapse state (cookie) — remembers whether you collapsed the in-app sidebar.
• Theme preference and a "dismissed for today" banner flag (browser localStorage, not cookies) — keep your chosen light/dark theme and stop the plan-expiring banner from re-appearing the same day after you dismiss it.
• Razorpay cookies — set by Razorpay on their checkout iframe during payment flows; governed by Razorpay's own cookie policy.

We do not use advertising cookies, cross-site tracking pixels, or session-recording tools.

You have the right to:

• Access the personal data we hold about you.
• Correct it — most details are editable directly from your profile page. For anything that isn't, write to us.
• Delete your account and the personal data associated with it (subject to the retention rules above for financial records).
• Export a copy of your data in a portable format.
• Withdraw consent for any processing that relies on consent, at any time.

Email [email protected] to exercise any of these. We aim to respond within 7 working days.

We use TLS for every connection, hash passwords with bcrypt, scope access tokens with short-lived JWTs, and verify Razorpay webhooks with HMAC-SHA256 signatures. Production access is restricted, and we run regular dependency and security reviews. No system can be made entirely breach-proof, but we work hard to keep yours safe and will notify you promptly if a security incident affects your data.

ShipWorks is intended for use by Indian sellers aged 18 and older. We do not knowingly collect data from anyone under 18 — if you believe a minor has created an account, please write to us and we will remove it.

Our infrastructure is located in India. Where a service provider (for example a transactional email vendor) processes data outside India, we ensure they apply equivalent safeguards. International payment top-ups in USD / EUR / GBP are processed via Razorpay's international acquiring partners and are subject to their privacy terms in addition to ours.

In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, any complaints regarding your data can be sent to the ShipWorks grievance contact at [email protected]. We will acknowledge within 24 hours and resolve within 15 days.

We may update this policy as the product evolves or the law changes. When we do, we'll update the "Last updated" date above and — for material changes — notify signed-in users by email or in-app banner. Continued use of ShipWorks after changes take effect means you accept the revised policy.

Questions, requests, or complaints — write to [email protected]. For commercial questions, the same address works. See also our Terms of Service and Refund Policy.