Collection of Personal Information through the App
We use the personal information we collect from you and your customers in order to provide the Service and to operate the App. When you install the App, we are automatically able to access certain types of information from your Shopify account:
Shop APIs: general settings and information about your store
Product APIs: your store’s products and collections
Theme APIs: view and modify your store’s theme files
Order APIs: view and modify your store’s orders
ScriptTag APIs: lets us add functionality to your store without modifying your theme templates
Additionally, we collect the following types of personal information from you and/or your customers once you have installed the App:
Personal information about you and others who may access the App on behalf of your store, such as your name, address, email address, and phone number.
Information about individuals who visit your store, such as their IP address, web browser details, time zone, and information about the cookies installed on the particular device.
Use and Sharing of Information:
Internal record keeping
We may use the information to improve our services. We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
From time to time, we may also use your information to contact you for market research purposes. We may contact you by email or phone. We may use the information to customise the website according to your interests.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
The Company takes appropriate security measures to protect against unauthorized access, alteration, disclosure or destruction of Personal Information. These include, but are not limited to, internal reviews of: (a) the Company’s data collection; (b) storage and processing practices; (c) electronic security measures; and (d) physical security measures to guard against unauthorized access to systems where the Company stores Personal Information.
Unfortunately, no data transmission over the Internet can be guaranteed to be secure. As a result, while we are committed to protecting your Personal Information, we cannot ensure or warrant the security of any information you provide to us.
All Company employees, contractors and agents who access Personal Information are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, for unauthorized use or disclosure of Personal Information.
Some or all of the Personal Information we collect may be stored or processed on servers located outside your jurisdiction of residence, whose data protection laws may differ from the jurisdiction in which you live. As a result, this information may be subject to access requests from governments, courts or law enforcement in those jurisdictions according to laws in those jurisdictions.
We collect personal information directly from the relevant individual, through your Shopify account, or using the following technologies:
“Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
“Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
“Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the site.
Use Of Services By Minors
Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
Your rights to your information
You can delete your application data by uninstalling the application. Uninstalling the application will also automatically cancel your subscription and recurring charge.
EUROPEAN ECONOMIC AREA (EEA) NOTICE
Transfers of Personal Information:
The company is a data controller and responsible for your Personal Information, which we may process and store in the United States of America. The European Commission has decided that the United States ensures an adequate level of protection of individuals’ Personal Information. The company may use the following safeguards when transferring your personal information to a country that is not within the EEA:
(a) Only transfer your Personal Information to countries that have been deemed by the European Commission to provide an adequate level of protection for personal information;
(b) Where we use certain service providers, we may use specific contracts approved by the European Commission which give Personal Information the same protection it has in the EU.
Your Legal Rights:
Under certain circumstances, you may have rights under the data protection laws in relation to your personal information, including the right to:
Request access to your personal information.
Request correction of your personal information.
Request erasure of your personal information.
Object to processing of your personal information.
Request restriction of processing your personal information.
Request transfer of your personal information.
Right to withdraw (revoke) consent.
If you wish to exercise any of these rights, please contact our Privacy Officer at the coordinates provided in the section below.
No Fee Usually Required:
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What We May Need From You:
We may need to request specific information from you to help us to confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time Limit to Respond:
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
-Is it possible to specify the protocols used for data encryption (at rest and in transit)?
- Data going from the store’s product pages to PreProduct servers will be over HTTPS.
All requests are automatically redirected from HTTP to HTTPS by our server partner (www.render.com).
- All database backups are encrypted.
- PreProduct does not store or interact with any customer credit card or billing data. We capture and store customer names, email addresses and pre-order details (i.e. X quantity of product A). Billing/credit card data is processed through Shopify, not PreProduct.
-For how long do you store personal data collected from our website?
- PreProduct has a ‘soft delete’ policy, meaning that, by default, actions taken from within the app do not destroy data records. Unless requested, we store customer data indefinitely. That said, if you would ever like to have data removed permanently from our databases, we are more than happy to do so.
-How do you secure access to personal data, and is this access logged?
Personal data is accessed via HTTPS requests to the PreProduct web application. All requests with responses containing customer email addresses are behind Shopify’s wall of security, meaning only the authorised store owner can see them.
Direct access to the database is secured through our server partner (www.render.com) with two-factor authentication implemented.
We can request access logs from this server partner at any time.
-Is our data separated from other clients’ data?
One client’s data is not combined with another’s. Data can be isolated at the store, product listing or individual customer level. It can be retrieved and destroyed easily and quickly.
-Have you conducted a recent intrusion test on the solution?
No, we haven’t. However, the PreProduct application uses the latest stable version of the web application framework Ruby on Rails. Large internet companies, among them Shopify, GitHub and Airbnb, all use Ruby on Rails. This means that PreProduct benefits from all of the security updates which are constantly being released for Ruby on Rails and its dependencies.
-Are there regular vulnerability scans performed?
The software repository company that PreProduct’s code is hosted on (GitHub) scans PreProduct’s dependencies for vulnerabilities and issues automatic recommended updates.
-Is there a security incident procedure in case of a security attack?
Yes. Part of this procedure will be complying with the GDPR obligations as a ‘data processor’ of notifying the relevant controllers (your company in this case) without any delay.
Email us: firstname.lastname@example.org