Privacy policy
Data Handling Policy
Last Updated: 26 March 2026
This Data Handling Policy describes how Synqqo, a product of Gopal Partani & Co, collects, processes, stores, and disposes of data obtained from marketplace APIs (Amazon SP-API, Flipkart API, Shopify API) and Zoho Books. This policy is designed to meet the data protection requirements of all connected platforms.
1. Data Collection
1.1 What We Collect
| Data Category | Specific Fields | Source |
|---|---|---|
| Order Data | Order ID, order date, order status, item SKU, item name, quantity, unit price, total amount, tax amounts, marketplace fees | Amazon SP-API, Flipkart API, Shopify API |
| Buyer PII | Buyer name, shipping address (street, city, state, postal code, country), phone number (if provided by marketplace) | Amazon SP-API, Flipkart API, Shopify API |
| Seller Account Data | Seller/merchant ID, marketplace region | Amazon SP-API, Flipkart API, Shopify API |
| Zoho Books Data | Organisation ID, item catalogue, customer list, tax configuration | Zoho Books API |
| Authentication Data | OAuth access tokens, refresh tokens, API keys (encrypted) | All connected platforms |
| User Account Data | Google account email, name (via Google OAuth) | Google OAuth 2.0 |
1.2 What We Do NOT Collect
- Marketplace or Zoho Books passwords
- Payment/credit card information of sellers or buyers
- Bank account details
- Buyer email addresses (not provided by Amazon SP-API for order data)
- Product reviews, seller feedback, or advertising data
- Any data beyond what is required to create Sales Orders
2. Data Processing
2.1 Purpose
All marketplace data is processed for a single purpose: to create Sales Orders in the seller's Zoho Books organisation. The processing flow is:
- Synqqo fetches new orders from connected marketplace APIs
- Order data is mapped to Zoho Books Sales Order format (items, customer, tax, amounts)
- A Sales Order is created in the seller's Zoho Books organisation via the Zoho Books API
- Sync status (success/failure) is logged on the Synqqo dashboard
2.2 Usage Restrictions
- Marketing, advertising, or promotional purposes
- Direct communication with buyers/customers
- Selling, renting, or sharing with third parties
- Competitive intelligence, data mining, or market research
- Training machine learning models or AI systems
- Any purpose beyond creating Sales Orders in Zoho Books
2.3 Automated Processing
Synqqo processes orders automatically via a Cloud Function triggered every 15 minutes by Google Cloud Scheduler. No manual human intervention is required for routine order syncing. Human access to data occurs only for troubleshooting failed syncs, upon the seller's request.
3. Data Storage
| Aspect | Detail |
|---|---|
| Cloud Provider | Google Cloud Platform (GCP) |
| Region | asia-south1 (Mumbai, India) |
| Database | Google Cloud Firestore (NoSQL, fully managed) |
| Compute | Google Cloud Run (serverless containers) |
| Encryption at Rest | AES-256, managed by Google Cloud (default encryption) |
| Encryption in Transit | TLS 1.2+ (HTTPS) for all API calls and user access |
| Backups | Google Cloud Firestore automatic replication (multi-zone within asia-south1) |
| Data Residency | All data stored and processed within India |
4. Multi-Tenant Data Isolation
Synqqo is a multi-tenant application. Each seller's data is isolated through:
- Separate document paths: Each client's data is stored under a unique client document in Firestore (e.g.,
/clients/{client_id}/...). No shared collections for order data. - Application-level access controls: API endpoints validate the authenticated user's session against their client ID before returning any data. A user can only access their own data.
- No cross-account queries: Database queries are always scoped to a single client. There are no admin interfaces that display data from multiple clients simultaneously.
- Separate API credentials: Each client's marketplace and Zoho tokens are stored independently and are never shared or reused across accounts.
5. Access Controls
5.1 User Access
- Users authenticate via Google OAuth 2.0 — no passwords are stored by Synqqo
- Each user session is tied to their Google account and mapped to their client record
- Users can only view their own orders, sync history, and connection status
5.2 Administrative Access
- Access to GCP infrastructure is restricted to authorised personnel of Gopal Partani & Co
- GCP access is protected by Google account authentication with 2-factor authentication (2FA) enabled
- Admin access to Firestore data is used only for troubleshooting and support, not routine operations
- All GCP admin actions are logged via Google Cloud Audit Logs
5.3 Third-Party Access
No third parties have access to seller data stored in Synqqo. The only data transmissions are:
- Inbound: From marketplace APIs to Synqqo (fetching orders)
- Outbound: From Synqqo to Zoho Books API (creating Sales Orders)
No data is transmitted to analytics services, advertising networks, or any other third party.
6. Data Retention and Disposal
| Data Type | Retention Period | Disposal Method |
|---|---|---|
| Order sync records (Order ID, status, timestamp) | Active subscription + 90 days | Automated deletion from Firestore |
| Buyer PII (names, addresses) | Processed transiently during sync; retained in sync logs up to 90 days | Automated deletion from Firestore |
| API tokens (OAuth access/refresh tokens) | Duration of active connection | Immediate deletion on disconnect or cancellation |
| Sync error logs | 90 days | Automated deletion |
| Client account data | Active subscription + 90 days | Deletion upon request or after grace period |
- All API tokens (Amazon, Flipkart, Shopify, Zoho) are deleted immediately
- Order data and sync logs are retained for 90 days for dispute resolution
- After 90 days, all data is permanently deleted from Firestore
- Sellers may request immediate deletion at any time by emailing admin@gopalpartani.co
7. Incident Response
In the event of a data security incident:
- Detection: Google Cloud monitoring and alerting for unusual access patterns or errors
- Containment: Affected API tokens revoked immediately; affected services isolated
- Assessment: Scope of affected data identified within 24 hours
- Notification: Affected sellers notified within 72 hours of confirmed breach, with details of data involved and remediation steps
- Remediation: Root cause analysis, security patches, and process improvements implemented
- Platform Notification: Amazon, Flipkart, Shopify, and/or Zoho notified as required by their data protection policies
8. Compliance
Synqqo's data handling practices are designed to comply with:
- Amazon SP-API Data Protection Policy (DPP) — including Acceptable Use Policy and data handling requirements
- Information Technology Act, 2000 (India) — including IT Rules on Reasonable Security Practices
- Digital Personal Data Protection Act, 2023 (India)
- Zoho Books API Terms of Service
- Flipkart Marketplace API Terms
- Shopify API Terms of Service
9. Vulnerability Management
- Application dependencies are monitored for known vulnerabilities
- Google Cloud Platform managed services (Cloud Run, Firestore) receive automatic security patches
- Application code is reviewed before deployment
- No production data is used in testing environments — test environments use synthetic/mock data
10. Changes to This Policy
We may update this Data Handling Policy from time to time to reflect changes in our practices or legal requirements. Updates will be posted on this page with a revised "Last Updated" date. Continued use of Synqqo after changes constitutes acceptance of the updated policy.
11. Contact
For questions about this Data Handling Policy, data access requests, or to report a security concern:
Also see: Privacy Policy
Synqqo is a product of Gopal Partani & Co. © 2026 Gopal Partani & Co. All rights reserved.
