Legal

Privacy

Last updated:

We're a small team. Here's what we collect, why, and what we promise to do with it.

This policy explains how Folded (“we”, “our”, “us”) handles personal data of shop owners, their staff and drivers, and the end-customers who use the apps shops build with us. We aim for plain language; if anything below is unclear, email hello@folded.app.

What we collect

We collect only what we need to run the product:

  • Account data — name, email, phone (for OTP), shop details (legal name, GSTIN where applicable), country and currency settings.
  • Operational data — orders, garments, customers, payments, drivers, deliveries. This is your shop's data; we process it on your behalf as a data processor.
  • Usage data — pages visited, errors, page performance. Used to improve the product. Anonymized where possible.
  • Device data — browser, OS, IP-derived country. Used for security, analytics, and country-aware pricing.

How we use it

  • To run your shop's POS, customer app, and delivery flows.
  • To deliver notifications you and your customers expect (order ready, payment receipt, etc.).
  • To generate compliant invoices (e.g. GST e-invoicing in India).
  • To prevent fraud and abuse.
  • To improve the product based on aggregated, anonymized usage.

Who we share it with

Service providers we depend on, only to the extent necessary: Clerk (auth), Supabase (database hosting), Vercel (web hosting), Inngest (background jobs), Ably (realtime), Stripe / Razorpay / Cashfree (payments — only if you connect them), ClearTax (e-invoicing — only if you connect it), Twilio / MSG91 / Resend (notifications), Sentry / PostHog (errors and analytics).

We never sell your data. We never share customer PII with marketing partners. We never use your operational data to train AI models.

Security

  • All connections are TLS 1.2+.
  • Per-shop credentials (gateway and GSP API keys) are envelope-encrypted at rest.
  • Database access is row-level-security-isolated per tenant.
  • Operator accounts can enforce TOTP MFA.
  • 2-year audit log of every state-changing action.

Your rights

You can request a copy of all personal data we hold about you, or ask us to delete it. We respond within 30 days. Email privacy@folded.app with “DSAR” in the subject.

Retention

  • Account data: retained for the life of your account, then 30 days post-cancellation for export.
  • Operational data: retained per the shop's settings, with hard-delete cascading after the cancellation grace period.
  • Audit log: 2 years.
  • Anonymized usage data: indefinitely.

Cookies

We use a small number of essential cookies to keep you signed in and to remember your active shop. We do not use third-party advertising cookies. Analytics events are first-party.

Changes

If we change this policy materially, we'll email you at least 30 days before the changes take effect.

Contact

Questions? Email privacy@folded.app. For DPDP / GDPR data-subject requests, mention “DSAR” in the subject line.