Privacy Policy — Munshi Trust Network

Munshi Trust Network ("Munshi", "we", "us") is a Shopify app that helps Pakistani e-commerce merchants detect and reduce Cash-on-Delivery (COD) fraud. This Privacy Policy explains exactly what data we collect, how we use it, and the rights you have over it. We have deliberately designed Munshi to collect the minimum possible data — raw phone numbers are never stored.

1. What We Collect

When a merchant installs Munshi and a COD order is placed in their store, we collect:

🏪

Merchant store domain

Your .myshopify.com domain and an encrypted Shopify access token so Munshi can tag orders on your behalf. No payment information is accessed.

📦

Order metadata

Order ID, order name (e.g. #1001), order value (PKR), payment gateway (e.g. "COD" / "manual"), and fulfillment status. No line-item product data is collected.

📱

Phone number hash only

When a COD order arrives, the customer's phone number is immediately normalised to international format (923XXXXXXXXX) and converted to a one-way HMAC-SHA256 cryptographic hash. The original number is discarded and never stored anywhere.

📍

Address quality score

A single numeric quality score derived from the shipping address (e.g. does it contain a landmark, is it unusually short). The full address text is not stored.

📊

Delivery outcome

Whether an order was delivered successfully or returned to origin (RTO). This outcome updates the buyer's anonymous trust score in our network.

✅ We do NOT collect: customer names, full shipping addresses, email addresses, product data, payment card details, or any biometric information.

2. How We Use Your Data

To calculate a fraud-risk trust score for each incoming COD order
To tag Shopify orders with a risk level (Trusted / Neutral / High Risk) using the GraphQL Admin API
To build and maintain a network-level anonymous trust database, shared across all Munshi merchants using only irreversible phone hashes — no personal data is shared
To display analytics and order history to the merchant inside the Munshi dashboard
To allow merchants to manually blacklist specific buyers at their store

We do not sell your data. We do not use it for advertising or any purpose beyond fraud prevention.

3. Shopify Permissions We Use

Munshi requests the following Shopify API scopes and uses each exclusively for the stated purpose:

read_orders / read_all_orders To receive and score incoming COD orders and import historical order data for trust scoring

write_orders To tag Shopify orders with Munshi risk labels (e.g. "Munshi: High Risk")

read_customers To match an order's phone number to a buyer profile for scoring

4. Data Storage & Security

All data is stored on DigitalOcean cloud infrastructure using encrypted PostgreSQL databases
Shopify access tokens are stored using AES-256 encryption at rest
Phone numbers are hashed using HMAC-SHA256 with a secret salt before any storage — the hash cannot be reversed to recover the original number
All connections between your store, Shopify, and our servers use HTTPS/TLS
Webhook payloads are verified using Shopify's HMAC signature before processing

5. Merchant Consent

On first install, every merchant must review and explicitly accept three consent checkboxes before accessing the app:

Understanding that phone numbers are hashed and never stored in plain text
Agreement to contribute anonymised delivery outcomes to the shared trust network
Acceptance of these Terms of Service and this Privacy Policy

Consent is recorded with a timestamp. Merchants may withdraw consent at any time by uninstalling the app.

6. Your Rights

As a merchant, you have the following rights:

ACCESS

Request a copy of all data Munshi holds for your store by emailing us.

DELETION

Delete all your order logs and blacklist entries at any time from the Settings page inside the app. Uninstalling Munshi permanently deletes all your data within 48 hours.

PORTABILITY

Request your store's data in a machine-readable format by contacting us.

WITHDRAWAL

Withdraw consent and stop all data processing at any time by uninstalling the app.

CORRECTION

Request correction of inaccurate trust scores for specific buyers by contacting us.

Regarding your customers: Customer phone numbers cannot be reversed from our database. If a customer requests data deletion under applicable privacy law, Shopify will notify us via our GDPR compliance webhook and we will delete the associated order logs within 30 days.

7. Data Retention

Data is retained for as long as Munshi is installed on your store
Upon uninstall, all merchant and order data is permanently deleted within 48 hours
Order logs contribute to the network trust database and may be retained in anonymised, hashed form for up to 24 months to maintain network integrity
Merchants can also delete their order logs and blacklist entries at any time from Settings → Reset Data inside the app

8. Third-Party Services

Shopify — Order and customer data is received from Shopify via authenticated webhooks and the GraphQL Admin API
Resend — Used to send transactional emails (e.g. feedback notifications). No customer data is passed to Resend
DigitalOcean — Cloud hosting provider for our servers and database

No buyer data (including hashed phone numbers or trust scores) is shared with any third party.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active merchants via a notice inside the Munshi dashboard. The "Last updated" date at the top of this page always reflects the most recent version. Continued use of the app after changes constitutes acceptance of the updated policy.

10. Contact Us

For privacy requests, data deletion requests, or any questions about this policy:

✉️ hello@lyallpurtech.com

We aim to respond to all privacy requests within 5 business days.

How Munshi Protects Your Data