Privacy Policy
Last updated: 2026-05-17
1. Who we are
UddoktaPay Shopify Connector ("the connector", "we") is a Shopify app that lets merchants accept BDT payments via UddoktaPay's hosted checkout. The connector is operated by the publisher of this app. Contact: support@uddoktapay.com.
2. What data we collect
- Merchant credentials: the UddoktaPay Base URL and UddoktaPay API Key that the merchant enters in the connector's Settings page. The API Key is encrypted at rest using AES-256-GCM.
- Shopify OAuth session token for each merchant shop, required to tag orders as paid after a successful UddoktaPay payment.
- Order metadata (Shopify order ID, total amount, currency) — required to bind a UddoktaPay invoice to a Shopify order.
- Buyer name, email, phone — only collected when the merchant's Shopify app has been granted Protected Customer Data access. Used solely to fulfil UddoktaPay's create-charge requirements and to bind the transaction to a buyer for refund/dispute handling.
- UddoktaPay invoice ID and status returned by UddoktaPay's verify endpoint, stored to reconcile the Shopify order with the actual payment outcome.
3. What we do not collect
- Buyer payment card or wallet credentials (handled entirely by UddoktaPay's hosted page).
- Browsing history, cart contents, or behavioural analytics.
- Any data from buyers not associated with a payment attempt.
4. How we use the data
- Create a payment invoice on UddoktaPay against a Shopify order.
- Re-verify webhook notifications by calling UddoktaPay's verify-payment endpoint.
- Tag the Shopify order with
uddoktapay_paidon confirmed payment so the merchant can reconcile.
We do not use any data for marketing, analytics, profiling, or sale to third parties.
5. Third-party sharing
Buyer name, email and phone are sent only to the merchant's own self-hosted UddoktaPay instance — the merchant configures the base URL and API key through the connector's Settings page. UddoktaPay (uddoktapay.com) is payment orchestration software operated by the merchant; it does not hold funds. Underlying payment gateways (bKash, Nagad, Rocket, Upay, Bank) settle funds directly to the merchant's accounts under the merchant's own contracts with those providers. We do not share data with any other third party.
6. Storage and security
- Database: encrypted-at-rest disk volume.
- Merchant API keys: AES-256-GCM encrypted at the application layer.
- Transport: HTTPS (TLS 1.2+) for all inbound and outbound traffic.
- Server access: restricted to operations staff.
7. Retention
Payment mapping records (Shopify order ID ↔ UddoktaPay invoice ID, status, and any buyer PII supplied to UddoktaPay's create-charge endpoint) are retained on shopify.uddoktapay.com for 72 hours after creation, then permanently deleted by an automated purge job. The merchant's UddoktaPay dashboard remains the long-term record of the transaction; this connector retains data only long enough to handle late IPN callbacks and buyer return redirects. Buyers may also trigger immediate deletion via Shopify's GDPR customers/redact webhook, and merchants via shop/redact on uninstall.
8. Deletion requests
Buyers may request deletion of their personal data by contacting the merchant; Shopify forwards the request to us via the customers/redact webhook, which we handle automatically. Merchants may request deletion of all their shop's data; Shopify sends the shop/redact webhook 48 hours after uninstall, which we also handle automatically.
For direct requests, contact support@uddoktapay.com.
9. Children's privacy
The connector is not directed at anyone under 16. We do not knowingly process data from minors.
10. Changes
Material changes to this policy will be published at this URL and notified to active merchants via in-app banner before taking effect.
11. Contact
Questions or concerns: support@uddoktapay.com.