Privacy Policy

Effective Date: 7 January 2025

At Voodux Plugins, we prioritize the privacy and security of our users. This Privacy Policy explains what data we process, how we use it, and your choices when using our Shopify app.

1. Scope

This policy covers the Voodux Plugins Shopify app and related services provided to merchants via Shopify. Our marketing website (voodux.com) is also covered by our Cookie Policy.

2. Data We Process

Protected Customer Data (PCD) (from Shopify):

  • Customer name
  • Customer email address

We process only the above PCD and only for the purposes described in this policy.

Merchant/App Data (from the app): App configuration, settings, and operational logs necessary to operate the app.

We do not collect or use other protected customer data fields.

3. Role and Legal Basis

We act as a data processor on behalf of the merchant (the data controller). We process data only under the merchant’s instructions and our app agreement. For EEA/UK/Swiss data, we act as a processor under GDPR/UK GDPR and support the merchant’s controller obligations.

4. Purpose Limitation

We process customer name and email solely to render the “Active Subscriptions” view in the merchant’s admin and to support subscription management. We do not use protected customer data for marketing, profiling, advertising, or unrelated analytics.

5. Retention and Deletion

We do not persist protected customer data. It is processed transiently in memory to fulfill the purposes above.

If limited storage (e.g., within security/operational logs) is strictly necessary, we retain it for no longer than 30 days and then delete or anonymize it. Upon app uninstall or contract termination, we delete app data within 30 days unless a longer period is required by law.

6. Security

  • Encryption in transit (TLS) for all network communications.
  • Encryption at rest for any stored data (e.g., settings, sessions, backups).
  • Secure secret management and regular security reviews.

7. Access Controls and Monitoring

  • Least‑privilege, role‑based access for staff and systems.
  • Strong authentication (including SSO/2FA for admin systems).
  • Authentication and data‑access events are logged and monitored.

8. International Transfers

Where data is transferred outside the EEA/UK/Switzerland, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK Addendum, as applicable.

9. Consent and Privacy Signals

We honor Shopify‑provided consent/privacy flags and do not process protected customer data beyond admin use. We process data only on the merchant’s instructions.

10. Sale or Sharing

We do not sell or share protected customer data for cross‑context behavioral advertising or monetization.

11. Automated Decision‑Making

We do not engage in automated decision‑making that produces legal or similarly significant effects on individuals.

12. Testing and Development

We do not use real protected customer data in testing or development. Test environments use synthetic data and are isolated.

13. Data Subject Rights and Requests

We support merchants in fulfilling data subject requests (access, correction, deletion, portability, objection, and restriction) as required by law. End‑customers should contact the merchant directly; we act on the merchant’s instructions.

14. Incident Response

We maintain an incident response process for detection, containment, remediation, and merchant notification without undue delay and in accordance with applicable laws and contractual obligations.

15. Changes to This Policy

We may update this policy from time to time. We encourage you to review it periodically.

16. Contact

For privacy inquiries, DPA requests, or security questions, contact: [email protected]

Copyright 2025 © Voodux