QuantaRoute logo
QuantaRoutedeveloper.portal
Sign in

Buyer data & DPDP

Retention, erasure, and fiduciary roles for checkout buyer personal data under India's Digital Personal Data Protection Act, 2023.

Who is the Data Fiduciary?

When you use QuantaRoute Checkout on your storefront, you are the Data Fiduciaryfor your buyers' personal data. QuantaRoute (SEQUENS LLP) acts as your Data Processor for checkout sessions, saved addresses, OTP verification, and webhook delivery. You must provide buyers with an appropriate privacy notice and honour their rights.

Read the Checkout Data Processing Addendum and Privacy Policy for full terms.

What checkout data is stored?

  • Email and phone (E.164) for OTP authentication
  • Structured delivery address, pincode, latitude/longitude, DigiPin
  • Checkout session ID and buyer ID for webhook correlation
  • Payment references (Razorpay order/payment IDs) when BYO Razorpay is enabled
  • Webhook delivery logs and OTP attempt records

Retention periods

Data typeRetention
Checkout sessions

After session completion, abandonment, or last activity — includes step events and UTM metadata.

90 days
Buyer addresses & saved profiles

Linked to buyer ID, phone, or email within a merchant scope. Merchants may request erasure via the dashboard or checkout-admin API.

Until erasure request or merchant closure + 90 days
OTP / auth login attempts

Phone and email OTP verification attempts (auth_login_attempts) for fraud prevention.

30 days
Webhook delivery logs

Outbound webhook payloads metadata, delivery status, and retry history.

90 days
Payment references (BYO Razorpay)

Razorpay order/payment IDs and transaction metadata where merchants use integrated payment — subject to GST/tax retention.

7 years

Buyer erasure requests

As Data Fiduciary, you must respond to valid buyer deletion requests. To erase buyer data from QuantaRoute systems:

  1. Open Dashboard → Checkout → Buyer data & DPDP and submit a buyer ID, email, or E.164 phone number.
  2. Or call POST checkout-admin?action=erase_buyer with your Admin API key (x-api-key).
  3. If the action is not yet deployed on your checkout stack, email quantaroute@gmail.com with the buyer identifier — we respond within 30 days.
curl -X POST \
  "https://<project>.supabase.co/functions/v1/checkout-admin?action=erase_buyer" \
  -H "x-api-key: YOUR_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "buyer@example.com"}'

Checkout sub-processors

QuantaRoute may use MSG91 (SMS OTP), Resend (email), MoEngage, CleverTap, WebEngage (when you configure CRM bridges), Razorpay (BYO payment mode), Shopify (app integration), Supabase, and Vercel. See the Privacy Policy sub-processor table for details.

Merchant onboarding

Accept the Checkout DPA during merchant setup before going live.

Merchant setup