Privacy Policy — Cart Reminder Newsletter Optin

This privacy policy explains how we process personal data in connection with the Shopify app “Cart Reminder Newsletter Optin”.

1) Who we are (Controller / Processor)

BasecapStudio, Owner: Vincent Sahl
Sole proprietorship
Händerlstraße 9, 38304 Wolfenbüttel, Germany
Email: info@vincent-sahl.de · Phone: +49 176 41980885

We act as controller for merchant account data, app operation and analytics. For your store’s customer data processed via the widget (e.g., capturing consent, adding tags), we act as your processor (Art. 28 GDPR).

2) Scope of this policy

This policy covers the app and related websites/endpoints we operate.

3) What we process

3.1 Data from Shopify (merchant side)
On installation we receive store information and an OAuth access token. We may process: store domain/name, contact email, locale, currency, time zone, plan, app scopes/permissions, owner/staff contact details and technical data (IP, device/browser metadata, logs).

3.2 Customer-related data (processor role)
The widget collects opt-in/consent for email and/or SMS reminders/newsletters on your behalf. Depending on your configuration, we may create/update customer records in your Shopify store (e.g., add tags like cart_reminder_email, cart_reminder_sms, cart_reminder_newsletter) and store consent signals. Personal data may include customer identifiers, email address, phone number (if provided), language/locale, consent timestamps and cart context (non-payment). We only store such data transiently to write back to your store and delete it when no longer necessary.

3.3 Analytics and cookies
We use Google Analytics for usage measurement and improvement. Where required, we ask for consent and enable IP anonymization where available.

4) Purposes and legal bases (GDPR Art. 6)

Contract performance (Art. 6(1)(b)): install, authenticate, render opt-in widget, write tags/consent to your store.
Legitimate interests (Art. 6(1)(f)): service security, abuse prevention, product analytics where consent is not legally required.
Consent (Art. 6(1)(a)): non-essential analytics/marketing cookies; customer opt-in is collected on your behalf based on the customer’s consent to you as merchant.
Legal obligations (Art. 6(1)(c)): bookkeeping, compliance, enforcement.

5) Retention

Customer data (processor role): stored only transiently to pass tags/consent into your store. After successful write-back, we either do not persist it or keep short-term logs (max 30 days) and then delete/anonymize.
Uninstallation: after you uninstall, we delete app-related data for your store from our systems within 30 days (accounting data may be retained up to 10 years under German law).
Merchant/store data: retained for the term of use; deleted/anonymized within 30 days after termination/uninstall.
Analytics: according to tool settings and your consent.

6) Recipients / processors

Shopify — app distribution, OAuth, data exchange.
Render.com — hosting for our app and databases.
Google LLC (Google Analytics) — analytics.

We may disclose data to authorities where required by law. We do not sell personal data.

7) International data transfers

Where data is transferred outside the EU/EEA/UK (e.g., to the United States), we rely on safeguards such as the EU Standard Contractual Clauses (and the UK Addendum where applicable). You can request more information from us.

8) Roles and responsibilities (merchant ↔ app)

For your customers’ personal data, you (the merchant) are the controller. We are your processor and will act only on your documented instructions (your app configuration and actions within Shopify), implement appropriate security, support data-subject requests, and delete data upon uninstall. A Data Processing Addendum (DPA) is available on request via info@vincent-sahl.de.

9) Your rights (EU/UK GDPR)

You have rights to access, rectification, erasure, restriction, portability, objection and to withdraw consent at any time. You may also lodge a complaint with your supervisory authority.

10) Security

We implement appropriate technical and organizational measures (encryption in transit, access controls, least-privilege, secure hosting and updates). No method of transmission or storage is 100% secure.

11) Children

The app is not directed to children and we do not knowingly process children’s data.

12) Shopify and third-party tools

Shopify remains responsible for data it processes under its own policy. Any third-party marketing tools you use (e.g., email/SMS providers triggered by Flow) process data under their own terms and privacy policies.

13) Changes

We may update this policy from time to time. The latest version applies.

Contact

BasecapStudio, Owner: Vincent Sahl
Händerlstraße 9, 38304 Wolfenbüttel, Germany
Email: info@vincent-sahl.de · Phone: +49 176 41980885