No. Rafto works from your phone.

Do customers need an app?

No. They just open your store link.

Is there any monthly fee?

No. Rafto charges ₹3 per order.

Can I choose my own store name?

Yes. You'll get your own link like yourname.rafto.app

Is this only for big sellers?

No. Rafto is built for small sellers.

Is online payment available?

At launch, orders come through WhatsApp and you collect payment your way. Online payments are coming soon.

Privacy Policy

1. Who We Are

Rafto ("we," "us," or "our") operates the website rafto.app and its subdomains. Rafto is a technology platform that enables sellers ("Merchants") to create online storefronts. Visitors who browse and purchase from merchant storefronts are referred to as "Customers."

We are a SaaS (Software as a Service) provider — we do not sell products, process payments, or ship goods ourselves. This Privacy Policy applies to all users worldwide, regardless of location.

2. Our Values

Trust is the foundation of our platform. Three principles guide how we handle your information:

Your information belongs to you. We only collect what we need to provide our services, and we aim to use your information solely to your benefit. We do not sell your Personal Data.
We protect your information from others. If a third party requests your Personal Data, we will refuse to share it unless you give us permission or we are legally required. When legally required, we will notify you in advance unless prohibited by law.
We help merchants meet their obligations. We build our platform so it can be used in a privacy-friendly way and provide guidance to help merchants protect their customers' data.

3. What Data We Collect

3.1 Waitlist Visitors

If you join our waitlist, we collect your email address solely to notify you when Rafto launches.

3.2 Merchants (Sellers)

When you create a Rafto account, we collect:

Email address and/or phone number (for authentication)
Store name, subdomain, and logo
Business information you choose to provide (business name, address, tax identification number)
Product catalog data (names, descriptions, prices, images)
Communication language preferences

3.3 Customers (Buyers on Merchant Storefronts)

When you place an order on a merchant's Rafto-powered store, the following data is collected on behalf of the merchant:

Name and phone number (required for WhatsApp order delivery)
Email address (optional)
Delivery address

Important: This customer data belongs to the merchant, not to Rafto. The merchant is the data controller for their customers — Rafto acts as a data processor. If you have questions about how a merchant uses your data, please contact the merchant directly or review their privacy policy.

For merchants who require a formal Data Processing Addendum (DPA) to comply with GDPR or other data protection regulations, please contact us at support@rafto.app.

3.4 Automatically Collected Data

Analytics: We use Vercel Analytics and Vercel Speed Insights to collect anonymized page views, device type, browser, country, and performance metrics. These services do not use cookies and do not collect personally identifiable information.
Cookies: We use strictly necessary authentication cookies managed by Supabase to keep you signed in. We do not use advertising, analytics, or tracking cookies. Because we only use cookies that are strictly necessary for the service to function, no cookie consent banner is required under the ePrivacy Directive or similar laws.
Local storage: Your shopping cart data is stored in your browser's local storage. This data never leaves your device unless you place an order.

4. Why We Process Your Data

We process your Personal Data based on the following legal grounds:

Performance of a contract: To set up your account, provide the storefront service, and process your orders
Legitimate interest: To monitor platform performance, prevent fraud, and improve our services
Consent: To send you marketing messages or launch notifications (you can withdraw consent at any time)
Legal obligation: To comply with applicable laws, regulations, or lawful government requests

We do not sell, rent, or trade your Personal Data to third parties for marketing or advertising purposes.

5. Third-Party Services

We use the following services to operate Rafto:

Supabase — Database, authentication, and file storage. Your data is stored in Supabase-managed PostgreSQL databases with encryption at rest.
Vercel — Hosting and content delivery (global edge network). Processes standard web request data (IP addresses, request logs).
Google Fonts — Font delivery. Standard CDN requests that include your IP address.
WhatsApp (Meta) — Order messages are sent via WhatsApp links. Message content is subject to WhatsApp's Privacy Policy.

In future phases, we may integrate with payment processors (e.g., Razorpay) and shipping providers (e.g., Shiprocket, Delhivery). These third parties have their own privacy policies. We will update this policy when such integrations go live.

We will notify merchants of any material changes to our sub-processors (the third-party services listed above) via email or dashboard notification with reasonable advance notice. If you object to a new sub-processor, you may terminate your account before the change takes effect.

6. Where We Send Your Data

Rafto is based in India but operates globally. To provide our services, your Personal Data may be transferred to and processed in countries other than your own, including the United States and Singapore (where our infrastructure providers operate).

When we transfer data across borders, we take steps to ensure your information is protected in accordance with this policy and applicable law, including using standard contractual clauses or equivalent safeguards where required.

7. Data Security

All data in transit is encrypted via SSL/TLS
Database encryption at rest (Supabase-managed)
Row-Level Security (RLS) ensures merchants can only access their own data
Authentication tokens are securely managed and rotated
We do not store credit card, debit card, or bank account information — all payment processing is handled by certified third-party providers

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

Data Breach Notification

In the event of a data breach that affects your Personal Data, we will notify affected users and relevant data protection authorities as required by applicable law. We aim to provide notification within 72 hours of becoming aware of a qualifying breach (as required by GDPR), and without unreasonable delay for other jurisdictions (including under India's DPDP Act and US state breach notification laws). Our notification will describe the nature of the breach, the categories of data affected, the measures we have taken or propose to take, and steps you can take to protect yourself.

8. Data Retention

Account data: Retained while your account is active. After account closure, we retain store information for up to 90 days before beginning permanent deletion.
Deleted products: Moved to trash for 30 days, then permanently deleted.
Analytics events: Automatically deleted after 90 days.
Waitlist emails: Retained until launch notification is sent, then deleted unless you create an account.
Customer order data: Retained by the merchant as long as the merchant's store is active. When a merchant closes their store, associated customer data is deleted as part of the store deletion process.

We may also retain certain information beyond these periods where required by law (e.g., tax records, transaction logs required by financial regulations), to resolve ongoing disputes, or to enforce our agreements. In such cases, we retain only the minimum data necessary and delete it as soon as the legal obligation is fulfilled.

9. Your Rights

We believe you should be able to access and control your Personal Data no matter where you live. Depending on your location and applicable law, you may have the right to:

Access the Personal Data we hold about you
Request correction of inaccurate data
Request deletion of your data
Withdraw consent for data processing
Request a copy of your data in a portable format (data portability)
Object to or restrict certain processing of your data

To exercise any of these rights, contact us at the email address below. We will respond within 30 days (or sooner if required by your local law). We will not charge you more or provide a different level of service for exercising these rights.

How to withdraw consent: You can withdraw consent for marketing emails by clicking the "unsubscribe" link in any email we send. For other consent-based processing, contact us at support@rafto.app. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.

If you are a customer of a merchant's store: Please contact the merchant directly regarding your data. The merchant controls how your data is used. If you submit a request to us, we will forward it to the relevant merchant.

9.1 For Users in the European Economic Area (EEA) and UK

Under the GDPR, you have additional rights including the right to lodge a complaint with your local data protection authority. When transferring data outside the EEA/UK, we use standard contractual clauses or other approved mechanisms.

9.2 For Users in the United States

Under applicable US state privacy laws (such as CCPA, CPRA, and similar laws), you may have rights to know, delete, and opt out of the sale of your Personal Data. We do not sell your Personal Data. You may designate an authorized agent to make requests on your behalf. Under California's Shine the Light law (Civil Code §1798.83), California residents may request information about data shared with third parties for direct marketing purposes. We do not share your Personal Data with third parties for their own marketing purposes.

9.3 For Users in India

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), you have the right to access, correct, and erase your Personal Data, as well as the right to nominate another person to exercise your rights.

10. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. Any decisions about your account (such as suspension for policy violations) are made by humans.

11. Do Not Track

Because there is no common standard for interpreting "Do Not Track" browser signals, we do not currently respond to DNT signals.

12. Children's Privacy

Rafto is not intended for use by individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect Personal Data from minors. If you believe a minor has provided us with their data, please contact us so we can delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If any changes are significant, we will notify you (for example, via email or through a notice on our platform). Changes will be posted on this page with an updated date. Continued use of Rafto after changes constitutes acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or want to file a complaint about how we handle your data, contact us at:

Email: support@rafto.app

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.