1. Introduction
Shopilaw, operated by Tran Consulting UG (haftungsbeschränkt) ("we", "our", or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify application and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies, please do not use the Service.
2. Information We Collect
2.1 Information from Shopify
When you install our app, we access the following information from your Shopify store:
- Store Information: Shop name, domain, email, currency, timezone, and Shopify plan
- Order Data: Order numbers, items, and status (required to process withdrawal requests)
- Customer Information: Customer name and email (only when a withdrawal is initiated, to send confirmation emails)
We do NOT access or store:
- Payment or financial information (credit card numbers, bank details)
- Full shipping addresses beyond what is needed for withdrawal processing
- Customer browsing or purchasing history unrelated to withdrawals
2.2 Account Information
We collect information you provide during account creation:
- Email address (from Shopify OAuth)
- Username (chosen by you)
- Display preferences (theme, language)
2.3 Usage Data
We automatically collect:
- Withdrawal requests processed through the Service
- Feature usage patterns to improve the Service
- Error logs for debugging and service reliability
2.4 Cookies and Tracking
We use essential cookies for:
- Authentication and session management
- Security (CSRF protection)
- User preferences
We do NOT use third-party advertising cookies or cross-site tracking.
3. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the Service
- Process withdrawal requests and send confirmation emails
- Display withdrawal history and status in the merchant dashboard
- Generate export files (CSV/PDF) of withdrawal records
- Process billing through Shopify's billing system
- Send important service updates and notifications
- Respond to support requests
- Detect, prevent, and address technical issues
4. Data Sharing and Disclosure
4.1 Third-Party Service Providers
We share data with trusted third parties that help us operate the Service:
- Shopify: OAuth authentication, billing, and API access
- Email Delivery: Transactional email service for sending withdrawal confirmations
- Neon: Database hosting (encrypted at rest)
- Vercel: Application hosting
- Sentry: Error monitoring
4.2 Legal Requirements
We may disclose your information if required by law, legal process, or government request.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
4.4 We Never Sell Your Data
We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.
5. Data Security
We implement industry-standard security measures:
- All data transmitted over HTTPS with TLS encryption
- Database encryption at rest
- Shopify access tokens secured via database encryption at rest (AES-256)
- HMAC-SHA256 webhook signature validation
- Secure OAuth 2.0 authentication flow
- Regular security audits and updates
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
- Active accounts: Data retained while your account is active
- After uninstall: Data deleted within 48 hours of receiving Shopify's shop/redact webhook
- Billing records: Retained for 7 years for legal compliance
- Webhook logs: Retained for 90 days for security auditing, then automatically purged
- Aggregated analytics: May be retained indefinitely in anonymized form
7. Your Rights Under GDPR (European Users)
If you are in the European Economic Area (EEA), you have the right to:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request limitation of processing
- Data Portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time
To exercise these rights, contact us at . We will respond within 30 days.
Legal Basis for Processing: We process your data based on:
- Contract performance (providing the Service)
- Legitimate interests (improving the Service, security)
- Legal obligations (tax records, compliance)
8. Your Rights Under CCPA (California Users)
If you are a California resident, you have the right to:
- Know: Request disclosure of data collected about you
- Delete: Request deletion of your personal information
- Opt-out: Opt out of the sale of personal information (we do not sell data)
- Non-discrimination: Not be discriminated against for exercising your rights
Categories of personal information collected: Identifiers (email, username), commercial information (billing), and internet activity (usage data).
Do Not Sell My Personal Information: We do not sell your personal information.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place, including standard contractual clauses where applicable.
10. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions or to exercise your rights, contact us at:
Email:
We aim to respond to all requests within 30 days.