← Back to Home

Privacy Policy

Last updated: May 20, 2026

1) Scope And Privacy Roles

This Privacy Policy explains how Shopex collects, uses, stores, shares, and protects personal data when people use the Shopex website, dashboard, storefronts, checkout flow, order tracking pages, support channels, and related services.

In many situations, Shopex acts as a controller of personal data for its own business purposes, such as account creation, billing, fraud prevention, support, website analytics, and platform security. In many order-processing situations, Shopex also acts as a service provider or processor handling customer order data on behalf of the relevant Store. Each Store owner remains independently responsible for its own separate use of customer data, including off-platform marketing, customer relationship management, or any use outside the core Shopex service.

2) Contact Details

For privacy questions, privacy requests, or complaints addressed to Shopex, contact info@shopex.lk. If Shopex is required to appoint or publish the details of a Data Protection Officer or other designated privacy contact under applicable law, the contact details published by Shopex will also apply to this Policy.

3) Categories Of Information We Collect

  • Store account data: names, email addresses, mobile numbers, login and verification details, account history, legal acceptance records, subscription details, and support history.
  • Business and Store data: business names, Store IDs or links, logos, addresses, contact details, payout bank details, storefront settings, ordering settings, and other configuration data.
  • Store content: product names, descriptions, prices, categories, images, policies, delivery settings, promotions, marketing content, and uploaded assets.
  • Customer order data: customer names, delivery details, phone numbers, email addresses, order items, order notes, customization data, selected payment methods, receipts, reference uploads, and order status history.
  • Refund, payout, and payment data: refund-request reasons, proof images, customer refund bank details for eligible manual refunds, payout requests, payout bank selections, on-hold card balances, transaction references, refund status data, and chargeback-related information.
  • Website, device, and usage data: IP address, approximate location, browser and device details, pages visited, timestamps, logs, cookies, local storage data, session storage data, and diagnostics.
  • Contact and support data: contact-form submissions, email messages, WhatsApp or support discussions where provided to Shopex, inquiries, complaints, and feedback.

4) How We Collect Information

We collect personal data directly from Store owners, customers, and site visitors; automatically from devices and browsers; and from service providers such as payment providers, hosting providers, analytics providers, authentication systems, or fraud-prevention tools. Some data is also created within the platform as orders, refunds, support tickets, or verification records are processed.

5) Purposes And Lawful Grounds For Use

Shopex processes personal data only for specified, explicit, and legitimate purposes. Depending on the context, those purposes may include:

  • providing the Shopex service, creating accounts, configuring storefronts, processing orders, operating checkout and tracking flows, and supporting refunds or payouts;
  • performing or preparing to perform a contract with a Store owner or supporting the relevant Store's contract with its customer;
  • complying with legal obligations, lawful requests, payment-provider requirements, accounting duties, dispute handling obligations, or regulatory directions;
  • protecting the security, integrity, and reliability of the platform;
  • preventing fraud, abuse, unauthorized access, duplicate refunds, payment misuse, and chargeback losses;
  • maintaining records, handling complaints, enforcing agreements, and resolving disputes;
  • responding to inquiries, support requests, and onboarding requests;
  • improving platform quality, diagnostics, and user experience; and
  • relying on consent where consent is the appropriate lawful ground, including where required for optional communications or optional processing.

Where Shopex relies on consent, the data subject may withdraw that consent subject to applicable law. Withdrawal does not affect processing that was lawful before the withdrawal.

6) How Information Is Shared

  • With the relevant Store: customer order and refund-request data is shared with the Store whose storefront the customer used so the Store can review, fulfill, support, replace, cancel, or refund the order.
  • With service providers: Shopex may use third-party providers for hosting, storage, authentication, analytics, messaging, email delivery, customer-support tooling, and payment services. This may include providers such as Supabase, Google or Firebase-related services, Genie payment services, banks, or equivalent replacement providers.
  • For payment and payout workflows: payment-related data may be shared with payment processors, banks, card schemes, payout partners, and fraud or reconciliation providers where needed for the transaction.
  • For legal, safety, and compliance reasons: we may disclose personal data where required by law, court order, regulatory request, payment-provider rule, or where reasonably necessary to protect Shopex, Stores, customers, other users, or the public.
  • In a corporate transaction: if Shopex undergoes a merger, restructuring, financing, sale of assets, or similar business transaction, information may be transferred subject to appropriate confidentiality and lawful processing requirements.

7) Processing Outside Sri Lanka

Shopex may use infrastructure or service providers that store or process personal data outside Sri Lanka. Where personal data is processed outside Sri Lanka, Shopex will use lawful transfer or processing arrangements and safeguards required by applicable Sri Lankan data protection law.

8) Cookies, Local Storage, Session Storage, And Analytics

Shopex may use cookies, local storage, session storage, and similar technologies to:

  • keep users signed in;
  • remember cart, storefront, or session state;
  • preserve order verification or payment state;
  • improve performance and security; and
  • measure service usage or page activity where analytics is enabled.

Users can control many cookies and storage settings through their browser. Disabling some browser storage features may affect how Shopex works.

9) Data Retention

Shopex keeps personal data only for as long as reasonably necessary for the purpose for which it was collected or as otherwise permitted or required by law. Retention periods may vary depending on the type of data and the reason it was collected. For example, account, billing, payment, refund, payout, fraud, complaint, and audit-related records may be retained after account closure where reasonably necessary for accounting, dispute resolution, security, legal, regulatory, or evidentiary purposes.

10) Security

Shopex uses reasonable technical and organizational safeguards designed to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, misuse, or disclosure. These safeguards may include access controls, role-based restrictions, logging, secure hosting, transport security, and other appropriate measures. No system can guarantee absolute security.

11) Rights Of Data Subjects

Subject to applicable law, verification, and any lawful limitations or exceptions, data subjects may request that Shopex:

  • confirm whether Shopex processes their personal data and provide access to relevant information;
  • rectify or complete inaccurate or incomplete personal data;
  • erase personal data where erasure is legally available;
  • stop or refrain from certain further processing in situations allowed by law; or
  • record or give effect to a withdrawal of consent where consent was the lawful basis for the relevant processing.

Requests should be sent to info@shopex.lk. Shopex may need to verify identity, confirm authority, or ask for additional information before acting on a request. A request may be refused or limited where the law allows or requires that outcome.

12) Complaints

If you believe Shopex has handled personal data unlawfully, please contact Shopex first at info@shopex.lk. You may also have the right to complain to the Data Protection Authority of Sri Lanka or another competent authority if applicable.

13) Children

Shopex is not intended for children to create Store owner accounts on their own. Where a Store sells products that may involve children's data, the Store owner is responsible for ensuring it has the lawful basis, notices, and consents required by law.

14) Store Owner Responsibilities For Customer Data

Store owners are responsible for how they use customer data received through Shopex. A Store owner must only use customer data for lawful purposes connected to the order, customer support, legitimate follow-up communications, or another lawful basis. Store owners must not misuse customer data, sell it unlawfully, or send marketing communications without any consent or legal basis required by law.

15) Changes To This Privacy Policy

We may update this Privacy Policy from time to time. The updated version becomes effective when posted or when otherwise communicated by Shopex, unless a later effective date is stated.

16) Contact

For privacy questions or requests, contact info@shopex.lk.