Privacy Policy
Contents
1. Overview
๐ The short version: Truwth never stores your phone number in plain text. We convert it into a one-way hash the moment it enters our system. Your identity is anonymous โ merchants only ever see a Truwth ID and score, never your name or number.
Truwth is a buyer trust network for Indian D2C merchants built on Shopify. We create a privacy-preserving trust score for every buyer based on their order behavior across participating merchants. This policy explains what data we collect, why, and how we protect it.
Truwth is operated by Truwth (India). By using our services โ whether as a merchant installing our Shopify app, or as a buyer checking your score โ you agree to this policy.
2. What data we collect
From merchants (via Shopify):
- Order data โ order ID, order value, payment mode (COD or prepaid), fulfillment status, delivery outcome (delivered, returned, RTO)
- Buyer phone number from orders โ immediately hashed, never stored as plain text
- Shipping pincode from orders
- Merchant store domain and access token (to sync orders via Shopify API)
From buyers (via score portal):
- Phone number entered to look up score โ hashed in the browser request, never logged in plain text
- Truwth ID if entered directly
We do NOT collect:
- Full name
- Email address
- Home address or location beyond pincode
- Bank account or payment details
- Device fingerprints, cookies, or tracking pixels on the buyer portal
3. How we use it
- To generate buyer trust scores โ Order history is used to compute a score (300โ900) reflecting delivery acceptance rate, RTO rate, prepaid ratio, and cross-merchant behavior.
- To enable COD screening โ Merchants use scores to decide whether to offer Cash on Delivery at checkout.
- To allow buyers to check their own score โ Buyers can look up their Truwth ID and score by entering their phone number.
- To improve scoring accuracy โ Aggregate, anonymized patterns are used to refine the scoring algorithm. No individual is identified in this process.
We do not use your data for advertising, profiling beyond trust scoring, or sale to third parties.
4. How phone numbers are protected
โ One-way SHA-256 hashing: Your phone number is normalized and passed through a SHA-256 cryptographic hash function. The output (a 64-character hex string) is what we store. It is mathematically impossible to reverse a SHA-256 hash back to the original number.
Here is the process:
- Phone number is received (e.g., from a Shopify order or buyer portal)
- It is normalized to E.164 format (e.g., +919876500000)
- SHA-256 hash is computed immediately
- Only the hash is stored โ the original number is discarded
We store the last 4 digits of the phone number (e.g., 7601) alongside the hash. This is used only to help merchants confirm they are looking at the right buyer โ it cannot be used to reconstruct the full number.
โ ๏ธ Because phone hashing is one-way, we cannot retrieve or disclose your phone number, even upon request. This is by design to protect your privacy.
5. Data sharing
Between Truwth merchants: Buyer scores (Truwth ID, numeric score, tier) are shared across all participating merchants. This is the core function of the network โ a buyer's score at one store is visible to all Truwth merchants. No personal identifiers (name, phone, address) are ever shared between merchants. Only the anonymous Truwth ID and score.
Third parties: We do not sell, rent, or share buyer or merchant data with any third party for marketing, advertising, or commercial purposes.
Service providers: We use Supabase (database) and Railway (hosting). Both are GDPR-compliant infrastructure providers. Data is processed within their secure cloud environments.
Legal requests: We may disclose data if required by law, court order, or regulatory authority in India.
6. Information for merchants
When you install Truwth on your Shopify store:
- We access your store's order history and customer phone numbers via Shopify's API with your explicit permission
- Your store's access token is stored securely and used only to sync orders and receive webhooks
- You can request deletion of all your store's data by emailing us โ we will delete all synced orders and associated scores derived solely from your store within 30 days
- Uninstalling the app from Shopify stops all future data collection immediately
As a merchant using Truwth, you are responsible for informing your customers that their order behavior contributes to a cross-merchant trust score. We recommend adding a short disclosure to your privacy policy.
7. Information for buyers
If you have placed an order at a Truwth-connected merchant, a Truwth ID and score have been created for you based on that order history.
- Check your score: Visit truwth.in/buyer and enter your phone number to see your Truwth ID, score, and tier
- Your score is based on: Order acceptance rate, RTO/return rate, payment mode (COD vs prepaid), and cross-merchant delivery history
- Score improvement: Accepting deliveries and choosing prepaid improves your score over time
- Opt-out / deletion: Email us at privacy@truwth.in to request deletion of your Truwth profile. Because we only store your phone hash (not the number itself), we will require you to provide your Truwth ID to process the request
8. Data retention
- Order records: Retained for as long as the originating merchant's store is connected to Truwth, plus 90 days after disconnection
- Buyer scores and Truwth IDs: Retained indefinitely to maintain score continuity across the network, unless a deletion request is received
- Merchant access tokens: Deleted immediately upon app uninstall
- Score history logs: Retained for 12 months, then automatically purged
9. Your rights
You have the right to:
- Access โ Request a summary of what data Truwth holds about you
- Correction โ Request correction of inaccurate score data if you believe there is an error
- Deletion โ Request deletion of your Truwth profile (subject to verification via Truwth ID)
- Portability โ Request a machine-readable export of your score history
- Objection โ Object to your data being used for cross-merchant scoring
To exercise any of these rights, email privacy@truwth.in with your Truwth ID (found at truwth.in/buyer). We respond within 30 days.
10. DPDPA compliance
Truwth is built to comply with India's Digital Personal Data Protection Act, 2023 (DPDPA).
- Purpose limitation: Data is collected only for trust scoring โ not for advertising, profiling, or resale
- Data minimisation: We collect only what is necessary โ phone hash, order outcome, pincode. No unnecessary PII
- Privacy by design: One-way phone hashing is built into the core architecture โ the system is technically incapable of storing plain-text phone numbers
- Consent: Merchants install Truwth with explicit Shopify permission grants. Buyers are informed of the scoring system via merchant disclosures and this policy
- Data localisation: All data is stored on Supabase infrastructure. We are committed to India-region storage as soon as Supabase makes it available in Mumbai/India regions
- Grievance officer: For privacy grievances, contact privacy@truwth.in. We acknowledge within 48 hours and resolve within 30 days
Contact & Privacy Requests
For any privacy questions, data requests, or complaints:
privacy@truwth.in
We respond to all privacy requests within 30 days.
For urgent grievances, please include "URGENT" in the subject line.
This policy may be updated from time to time. Material changes will be communicated to merchants via email. Continued use of Truwth after changes constitutes acceptance of the updated policy. The version date at the top of this page reflects the most recent update.