Privacy Policy for Shopify Apps

This Privacy Policy describes how DIGIQ GmbH (“DIGIQ”, “we”, “us” or “our”) processes personal data in connection with the public Shopify apps that DIGIQ develops and operates and that are listed on the Shopify App Store (collectively, the “Apps”). It applies to merchants who install one of our Apps on their Shopify store.

We comply with the Swiss Federal Act on Data Protection (revFADP/revDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Controller

The controller for the processing of personal data described in this Privacy Policy is:

2. Scope

This Privacy Policy covers all public Shopify apps developed by DIGIQ and published on the Shopify App Store. The specific Shopify API access scopes requested by each App are displayed by Shopify during installation. We only request the minimum scopes required for the App to function as described on its App Store listing.

This Privacy Policy does not cover Shopify itself, third-party apps installed on the merchant’s store, or merchant storefronts. Please refer to the privacy policy of the merchant or of Shopify for those.

3. Personal Data We Process

Our Apps are designed to operate with the smallest possible amount of personal data. In particular:

• Merchant / shop information:the name and the myshopify domain of the shop on which the App is installed. This information is used to identify the shop, manage the App installation, and administer the merchant’s subscription and billing through Shopify.
• No buyer / end-customer data:our Apps do not access, collect, store, or process personal data of the merchant’s customers (buyers).
• No AI / LLM processing: we do not send any personal data to large language models or other AI providers.
• Operational data: standard server and security logs (e.g. IP address, timestamp, request path, error information) generated by our hosting infrastructure for the purpose of operating, securing, and debugging the Apps.

4. Purposes and Legal Bases

We process the data described above for the following purposes:

• Providing the App’s functionality to the merchant (performance of a contract — Art. 6(1)(b) GDPR; Art. 31(2)(a) revFADP).
• Managing the App installation, subscription, and billing in cooperation with Shopify (performance of a contract — Art. 6(1)(b) GDPR; Art. 31(2)(a) revFADP).
• Operating, securing, and improving the Apps and preventing misuse (legitimate interests — Art. 6(1)(f) GDPR; Art. 31(1) revFADP).
• Complying with legal obligations (Art. 6(1)(c) GDPR; Art. 31(1) revFADP).

5. Hosting and Infrastructure

The Apps and their data are hosted on the following infrastructure providers, which act as data processors on our behalf:

• Fly.io (Fly.io, Inc., USA) — application hosting and managed PostgreSQL database.
• Vercel (Vercel Inc., USA) — application hosting.

We do not use any third-party database or analytics provider for the Apps beyond what is listed above. Where data is transferred to a country outside of Switzerland or the EEA, the transfer is based on appropriate safeguards such as the EU Standard Contractual Clauses and, where applicable, the Swiss addendum.

6. Data Sharing

We do not sell personal data and we do not share personal data with third parties for their own purposes. We share data only:

• with Shopify, to the extent required by the Shopify platform to operate and bill the App;
• with the infrastructure providers listed in Section 5, acting as our processors;
• where required by law, court order, or competent authority.

7. Retention and Deletion

We retain shop information for as long as the App is installed on the merchant’s store. After uninstallation, the data associated with the shop is deleted within 30 days.

Our Apps implement the three mandatory Shopify GDPR webhooks:customers/data_request,customers/redact, andshop/redact. As we do not store any buyer/customer data, the customer-related webhooks are acknowledged with a no-op response. Theshop/redactwebhook triggers the deletion of all shop data within 30 days.

8. Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS), restricted access to production systems, principle-of-least-privilege access controls, and secure software development practices.

9. Your Rights

Depending on your location and applicable law, you have the right to access, rectify, delete, restrict the processing of, or port your personal data, as well as to object to processing based on legitimate interests. If you are subject to GDPR, you also have the right to lodge a complaint with a supervisory authority. If you are subject to the revFADP, the competent authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

To exercise any of these rights, please contact us at info@digiq.ch. As a merchant, you can also exercise your right to deletion at any time by uninstalling the App, which automatically triggers the deletion process described in Section 7.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Apps, our infrastructure, or applicable law. The current version is always available at this URL, and the effective date at the top of this document indicates when the policy was last updated. Material changes will be communicated to merchants through reasonable means.

11. Contact

For any questions regarding this Privacy Policy or the processing of your personal data, please contact us at: