Privacy Policy

Last updated: January 31, 2026

1. Data Controller

Company Name: Rafał Stybliński

VAT/Tax ID: PL9691497521

Address: ul. Zwycięstwa 14/105, 44-100 Gliwice, Poland

Contact Email: contact@rafalstyblinski.pl

💼 B2B Service with B2C Privacy Protection:

The Service is intended for business use (B2B). While we primarily provide the App to merchants (businesses), this Privacy Policy applies to all natural persons whose data we may process in connection with the Service.

2. Data We Collect

Orders Tagger for Shopify collects the following data:

From Shopify API (merchant data):

  • Shopify store domain: e.g. example.myshopify.com
  • Store owner email: used for communication and technical support
  • Shop ID: unique identifier in Shopify
  • Shop country code: e.g. "GB", "US" (for tagging logic)
  • Shop currency: e.g. "GBP", "USD" (for currency conversion)

From Shopify Webhooks (order data):

  • Order ID: Shopify order identifier (e.g. #1234)
  • Order total value: numeric value in shop's base currency
  • Shipping country code: destination country (e.g. "PL", "DE")
  • Order timestamp: when the order was created

Order tag logs (operational data):

📊 Logged for each tagged order:

  • Order ID (Shopify identifier)
  • Tags applied (e.g. "IOSS_ELIGIBLE")
  • Exchange rate used (e.g. "1.1234 GBP to EUR")
  • Order value in shop currency
  • Order value converted to EUR
  • Timestamp of webhook processing

Purpose of logging exchange rates: Transparency and debugging. This allows merchants to see which exchange rate was used for each order's tagging decision, helping with operational troubleshooting and audit trails.

✅ IMPORTANT - End customer data:

We DO NOT collect personal data of end customers (buyers in the store). We do not have access to customer names, email addresses, shipping addresses, phone numbers, or payment information.

3. Purpose of Data Processing

We process data for the following purposes:

  • Order tagging: Applying tags to orders based on predefined rules (core functionality)
  • Currency conversion: Converting order values to EUR for threshold evaluation
  • Dashboard analytics: Displaying statistics (total orders processed, tags applied)
  • Technical support: Troubleshooting issues and responding to support requests
  • Service improvement: Understanding usage patterns to improve the app

4. Legal Basis for Processing (GDPR)

Our legal basis for processing personal data is:

  • Contract performance (Art. 6(1)(b) GDPR): Processing is necessary to provide the service you requested by installing the app
  • Legitimate interest (Art. 6(1)(f) GDPR): For analytics, service improvement, and fraud prevention

5. Data Sharing and Third Parties

We share data with the following third parties:

Shopify API:

We read shop and order data from Shopify's API and write tags back to orders. This is necessary for the app to function.

exchangerate-api.com:

We fetch daily exchange rates from exchangerate-api.com (powered by the European Central Bank). This service receives currency codes (e.g. "GBP", "USD") but no shop or order identifiers.

Hosting provider (Vercel):

The app is hosted on Vercel's infrastructure (data centers in EU and US). Vercel processes data on our behalf as a data processor.

Database (Supabase):

Shop data and order logs are stored in a PostgreSQL database hosted by Supabase (data centers in EU). Supabase acts as a data processor.

We do NOT:

  • Sell or rent your data to third parties
  • Use your data for advertising or marketing to third parties
  • Share data with analytics providers (no Google Analytics, Facebook Pixel, etc.)

6. Data Retention

We retain data for the following periods:

  • Shop data: Retained while the app is installed, plus 90 days after uninstallation
  • Order tag logs: Retained for 365 days for operational and support purposes
  • Exchange rate cache: Retained for 7 days (auto-refresh daily)

After these periods, data is permanently deleted.

7. Your Rights (GDPR)

As a data subject, you have the following rights:

  • Right to access: Request a copy of your personal data
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your data (uninstall the app)
  • Right to restriction: Request temporary suspension of data processing
  • Right to data portability: Request your data in a machine-readable format
  • Right to object: Object to processing based on legitimate interest

To exercise these rights, contact us at contact@rafalstyblinski.pl. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organizational measures to protect data:

  • Encryption: All data in transit is encrypted using TLS 1.3
  • Access control: Database access is restricted to authorized personnel only
  • Shopify OAuth: We use Shopify's secure OAuth flow for authentication
  • No plaintext secrets: API keys and tokens are stored as environment variables

9. Cookies and Tracking

The app does NOT use cookies for tracking or analytics.

Shopify may use cookies for session management when you access the app through the Shopify Admin panel. These cookies are managed by Shopify, not by us.

10. Shopify's Privacy Policy

As a Shopify app, we operate within Shopify's ecosystem. Shopify has its own privacy policies that apply to your use of the Shopify platform:

11. International Data Transfers

Data may be transferred to and processed in countries outside the EU/EEA:

  • Vercel (hosting): May use data centers in the US and EU
  • Supabase (database): EU data centers (primary)

Transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.

12. Children's Privacy

The app is intended for business use by merchants. We do not knowingly collect data from individuals under 16 years of age.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the shop owner's registered email address.

The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact & Data Protection Officer

For privacy-related questions, data access requests, or to exercise your GDPR rights, please contact:

Email: contact@rafalstyblinski.pl

Subject line: "Privacy Request - Orders Tagger"

📌 Summary:

We collect minimal data (shop info, order IDs, order values, shipping countries) to provide the tagging service. We log exchange rates used for each order for transparency. We do NOT collect end customer personal data. Data is stored securely, retained for operational purposes, and deleted after 90 days (shop data) or 365 days (logs) following uninstallation.