=== TejCart ===
Contributors: tejcart
Tags: ecommerce, shopping cart, store, payments, digital downloads
Requires at least: 6.3
Tested up to: 7.0
Requires PHP: 8.2
Stable tag: 1.0.0
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

A modern shopping cart for WordPress.

== Description ==

TejCart is a shopping cart plugin for WordPress. Sell physical goods, digital downloads, or services with products, cart, checkout, orders, customers, coupons, taxes, and shipping all in one place.

= Features =

* Simple, variable, digital, grouped, external, and bundle products
* AJAX shopping cart with persistent storage for logged-in users
* Single-page checkout with guest checkout
* Multiple payment options including cards, digital wallets, and Pay Later
* Order management with refunds and invoices
* Customer accounts with order history
* Coupons, taxes, and shipping zones
* Transactional emails with template overrides
* Digital downloads with secure delivery URLs
* CSV import / export
* REST API and WP-CLI commands

= Requirements =

* WordPress 6.3 or later
* PHP 8.2 or later
* HTTPS enabled

== Installation ==

1. Upload the `tejcart` folder to the `/wp-content/plugins/` directory, or install the plugin through the **Plugins > Add New** screen in WordPress.
2. Activate the plugin through the **Plugins** screen.
3. Visit **TejCart > Setup Wizard** in the WordPress admin to configure currency, store address, payment methods, shipping zones, and tax preferences.
4. Connect a PayPal account from **TejCart > Settings > Payments** to start accepting payments.
5. Add your first product under **TejCart > Products > Add New**.

The Setup Wizard is optional — every setting it touches is also available under **TejCart > Settings**.

== Frequently Asked Questions ==

= Does TejCart work with any WordPress theme? =

Yes. TejCart uses standard WordPress hooks and works with any properly coded theme.

= Can I sell digital products? =

Yes. TejCart supports digital and downloadable products with secure, time-limited download URLs.

= Does TejCart store credit-card data? =

No. TejCart never accepts or stores raw card numbers, CVV codes, or expiry dates. Card data is tokenised in the buyer's browser by PayPal's hosted fields (PPCP), and only opaque references — capture IDs, payer IDs, and vault tokens — ever reach your database. Vault tokens used for saved payment methods are encrypted at rest with AES-256-GCM. Your store does not enter PCI DSS scope beyond SAQ A.

== Screenshots ==

1. The cart page with a discount applied and the free-shipping progress bar.
2. The single-page checkout with PayPal Smart Buttons, hosted card fields, and Pay Later.
3. The admin orders list with quick filters and bulk actions.
4. The product editor for a variable product with attributes and variations.
5. The Setup Wizard guiding a new merchant through currency, payments, and shipping.
6. The reports dashboard showing revenue, orders, items sold, and coupons used.

== External Services ==

TejCart connects to the external services below to provide payment processing and merchant onboarding. Data is only sent when the corresponding feature is actively used.

= PayPal =

When a shopper checks out, or a merchant refunds, captures, or voids a transaction, TejCart calls PayPal's REST API at `https://api-m.paypal.com` (live) or `https://api-m.sandbox.paypal.com` (sandbox). Order totals, line items, billing and shipping addresses, and buyer contact information are sent as part of the checkout flow. The plugin also loads the PayPal JavaScript SDK from `https://www.paypal.com/sdk/js` and the partner-onboarding lightbox from `https://www.paypal.com/webapps/merchantboarding/js/lib/lightbox/partner.js` on the connect screen.

* Service provider: PayPal, Inc.
* Terms of service: https://www.paypal.com/us/legalhub/paypal/useragreement-full
* Privacy policy: https://www.paypal.com/us/legalhub/paypal/privacy-full

= Google Pay =

When the merchant enables Google Pay, the plugin loads Google's Pay JavaScript SDK from `https://pay.google.com/gp/p/js/pay.js` on the cart and checkout pages so the Google Pay button can render and tokenize the shopper's card.

* Service provider: Google LLC
* Terms of service: https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=buyertos&ldr=US
* Privacy policy: https://policies.google.com/privacy

= TejCart Partner Onboarding Proxy =

To enable one-click merchant onboarding without shipping partner credentials in the plugin, TejCart calls a proxy at `https://tejcart.com/ppcp-seller-onboarding/seller-onboarding.php`. The proxy is only contacted while a merchant is connecting or disconnecting a payment account. The plugin sends the merchant's WordPress admin email, the environment (sandbox or live), a return URL pointing back to the WordPress admin, and the requested product bundle. No shopper data, order data, or API credentials are sent.

* Service provider: TejCart
* Terms of service: https://tejcart.com/terms-of-service.html
* Privacy policy: https://tejcart.com/privacy-policy.html

= Optional tax providers (disabled by default) =

The tax services below are opt-in. They are disabled by default and only become active after the merchant explicitly enables the provider under **TejCart > Settings > Tax** and supplies their own API credentials.

**Stripe Tax** — When enabled, the plugin calls `https://api.stripe.com/v1/tax/calculations` at checkout to calculate sales tax / VAT. The request contains the cart's line items, the shopper's shipping address, and the store currency.

* Service provider: Stripe, Inc.
* Terms of service: https://stripe.com/legal/ssa
* Privacy policy: https://stripe.com/privacy

**Avalara AvaTax** — When enabled, the plugin calls `https://rest.avatax.com` (or `https://sandbox-rest.avatax.com` in sandbox mode) at checkout to calculate sales tax. The request contains the cart's line items, the shopper's shipping address, the store's origin address, and the order currency.

* Service provider: Avalara, Inc.
* Terms of service: https://legal.avalara.com/avalaraenduserterms.html
* Privacy policy: https://www.avalara.com/privacy-policy

**TaxJar** — When enabled, the plugin calls `https://api.taxjar.com` (or `https://api.sandbox.taxjar.com` in sandbox mode) at checkout to calculate sales tax. The request contains the cart's line items, the shopper's shipping address, the store's origin address, and the order currency.

* Service provider: TaxJar (a Stripe company)
* Terms of service: https://www.taxjar.com/terms-of-service
* Privacy policy: https://www.taxjar.com/privacy

= Optional bot-mitigation providers (disabled by default) =

The bot-mitigation services below are opt-in. They are disabled by default and only become active after the merchant explicitly selects a provider under **TejCart > Settings** and supplies their own site key and secret. When active, the selected provider's challenge token plus the visitor's IP address are sent to the provider's siteverify endpoint on protected form submissions (checkout, login, registration) so the request can be classified as human or bot. No order, cart, or payment data is transmitted.

**Cloudflare Turnstile** — When enabled, the plugin posts the visitor's challenge token and IP address to `https://challenges.cloudflare.com/turnstile/v0/siteverify`.

* Service provider: Cloudflare, Inc.
* Terms of service: https://www.cloudflare.com/website-terms/
* Privacy policy: https://www.cloudflare.com/privacypolicy/

**hCaptcha** — When enabled, the plugin posts the visitor's challenge token and IP address to `https://hcaptcha.com/siteverify`.

* Service provider: Intuition Machines, Inc. (hCaptcha)
* Terms of service: https://www.hcaptcha.com/terms
* Privacy policy: https://www.hcaptcha.com/privacy

**Google reCAPTCHA v3** — When enabled, the plugin posts the visitor's challenge token and IP address to `https://www.google.com/recaptcha/api/siteverify`.

* Service provider: Google LLC
* Terms of service: https://policies.google.com/terms
* Privacy policy: https://policies.google.com/privacy

== Changelog ==

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 1.0.0 =
Initial release.