Privacy Policy

1. Introduction

This Privacy Policy explains how ARTEMISSOFT ("ArtemisSoft", "we", "us", "our") handles personal data in connection with:

• the Shopify applications we publish (the "Apps");
• our website at artemissoft.com (the "Website"); and
• our dealings with the merchants who install our Apps.

We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

This policy is written for three audiences:

• Merchants — Shopify store owners who install and use our Apps;
• Shoppers — the customers of those merchants, whose data may flow through our Apps; and
• Website visitors — anyone who visits artemissoft.com.

2. Who we are, and our role

ArtemisSoft is a software business based in the United Kingdom. Our role under data protection law depends on whose data is being processed:

In plain terms: when our Apps query a merchant's customer data and use it to send a notification, the merchant decides why and how that happens — they are the controller, and we process that data on their behalf as their processor. Where required, this relationship is governed by a Data Processing Agreement between us and the merchant, and by Shopify's API Terms.

3. The personal data we process

3.1 Shopper data (we act as processor)

When a merchant uses our Apps, we may process the following categories of shopper personal data:

• Email address
• Phone number
• Name
• Customer identifier (Shopify customer ID)
• Wishlist and product data (the products a shopper has saved or interacted with)

We do not process special category data (such as health, ethnicity, or biometric data), and we do not process payment card details.

Important point on storage and minimisation. The personal data above primarily resides on Shopify's servers, not ours. We query it from Shopify when needed to provide App functionality. We design our systems for data minimisation: our database and server logs are intended to retain only pseudonymous identifiers — Shopify shop ID, customer ID, and product ID — and not shoppers' names, email addresses, or phone numbers. We note that under UK GDPR these identifiers are still personal data, because they can be linked back to an identifiable individual; pseudonymisation reduces risk but is not anonymisation.

Notification content (emails, SMS, etc.) is generated dynamically from templates at the point of sending, drawing the relevant fields from Shopify, and is transmitted to our notification providers (see Section 5) for delivery. [Verify: if rendered notification content containing names/email/phone is persisted anywhere on our systems — e.g. a queue or audit log — disclose the location and retention period here.]

3.2 Merchant data (we act as controller)

When you install an App or contact us, we process:

• store name and Shopify shop domain;
• store-owner name and contact email;
• billing and subscription status communicated to us via Shopify; and
• support correspondence you send us.

3.3 Website visitor data (we act as controller)

When you visit artemissoft.com, we process limited technical and usage data via Google Analytics (see Section 9), and any information you choose to submit through contact forms or email.

4. Why we process personal data, and our legal bases

As a processor (shopper data): we process shopper data only on the documented instructions of the merchant, for the purposes of providing the App's functionality — principally querying customer and product data and sending the notifications the merchant has configured (such as back-in-stock or wishlist-related emails and SMS). The merchant is responsible for establishing the appropriate legal basis (typically consent or legitimate interests) for that processing and for marketing communications under PECR.

As a controller, our legal bases are:

Where we rely on legitimate interests, we have balanced those interests against your rights and concluded they are not overridden. You may object — see Section 8.

5. Who we share personal data with (sub-processors and third parties)

We share personal data only as necessary to operate our services. Our key recipients are:

• Shopify — the platform on which the Apps run and where the underlying customer data is hosted.
• Notification providers — to deliver the emails and SMS that the Apps send. These currently include: Klaviyo, SendGrid, and Mailchimp. [Maintain the definitive, current list of providers and keep it accurate; remove any not in use.]
• Hosting / infrastructure provider — [insert provider name and region, e.g. "located in the European Union"], which hosts our application servers and databases.
• Google Analytics — for Website usage analytics only (Section 9).
• Error and operational monitoring — [insert if applicable, e.g. Sentry; otherwise state "we do not use third-party error monitoring that receives personal data"].

We do not sell personal data, and we do not share it for third-party advertising.

Where we engage sub-processors to process shopper data on a merchant's behalf, we do so under written terms imposing data protection obligations consistent with UK GDPR Article 28.

6. International data transfers

Some of our notification providers and tools are based in, or transfer data to, countries outside the United Kingdom — in particular the United States (this is likely to apply to Klaviyo, SendGrid, and Mailchimp).

Where personal data is transferred outside the UK, we rely on a lawful transfer mechanism, which may include:

• transfer to a provider certified under the UK Extension to the EU–US Data Privacy Framework (the "UK–US Data Bridge"), where the provider is so certified; or
• the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, together with any additional safeguards required.

[Confirm the current certification/transfer status of each provider, as DPF certification can change, and update this section accordingly.]

7. Data retention

• Shopper data: because the source data lives on Shopify, we retain only pseudonymous identifiers for as long as the merchant has the App installed and the data is needed to provide functionality. When an App is uninstalled, or upon a valid redaction request, we delete or anonymise the associated records in line with Shopify's mandatory data-deletion timelines (see Section 8).
• Merchant data: retained for the duration of the relationship and for a reasonable period afterwards to meet legal, accounting, and security obligations.
• Website / analytics data: retained according to our Google Analytics configuration [insert retention period, e.g. 14 months].
• Server and operational logs: retained for [insert period, e.g. 30 days], and are designed to exclude shopper names, emails, and phone numbers.

8. Your rights, and how requests are handled

Under UK GDPR, individuals have the right to: access their data; rectify inaccurate data; erase data; restrict or object to processing; data portability; and to withdraw consent where processing is based on consent.

For shoppers: because the merchant is the controller of your data, please direct your request to the relevant store in the first instance. We will support the merchant in fulfilling it.

Shopify mandatory data requests. Our Apps implement Shopify's required GDPR webhooks, through which we respond to:

• customers/data_request — providing the data we hold relating to a shopper;
• customers/redact — deleting a shopper's data on request; and
• shop/redact — deleting a merchant's data following App uninstallation.

These requests are authenticated using HMAC verification.

For merchants and website visitors: you can exercise your rights by emailing [email protected]. We will respond within one month. There is normally no charge, though we may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive, as permitted by law. We may need to verify your identity before acting.

9. Cookies and analytics

Our Website uses Google Analytics to understand how visitors use the site. This involves cookies and similar technologies that collect information such as pages visited, approximate location, and device/browser type.

In line with PECR, non-essential analytics cookies are set only with your consent, which you can give or withhold via our cookie banner and change at any time. You can also control cookies through your browser settings.

[If you use Google Analytics' IP-anonymisation / data-minimisation settings or Google Consent Mode, state that here.]

10. Security

We take appropriate technical and organisational measures to protect personal data, including encryption of data in transit and at rest, access controls, authenticated webhook handling (HMAC), and the principle of data minimisation described above. No system can be guaranteed completely secure, but we work to protect data against unauthorised access, loss, or misuse, and we will notify the ICO and affected individuals of a personal data breach where legally required.

11. Children's data

Our Apps and Website are not directed at children. We do not knowingly process the data of children in a way that requires specific protections; any shopper data we process is provided through the merchant's store. If you believe a child's data has been provided to us inappropriately, please contact us.

12. Changes to this policy

We may update this policy from time to time. We will post the revised version here and update the "Last updated" date above. Material changes affecting merchants will be communicated through the App or by email where appropriate.

13. How to contact us, and your right to complain

If you have a concern about how we handle personal data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the UK supervisory authority: