Privacy Policy for Free Shipping Bar Integration for Shopify
Introduction
With this privacy policy, we aim to inform you about the types of your personal data (hereinafter referred to as "Data") that we process, for what purposes, and to what extent, in the context of providing our application.
The terms used are not gender-specific.
As of: September 8, 2023
Table of Contents
- Introduction
- Controller
- Data Protection Officer Contact
- Overview of Processing Activities
- Relevant Legal Bases
- Security Measures
- Data Processing in Third Countries
- Data Deletion
- Provision of the Online Service and Web Hosting
- Contact and Inquiry Management
- Newsletter and Electronic Notifications
- Web Analytics, Monitoring, and Optimization
- Changes and Updates to the Privacy Policy
- Definitions
Controller
Flanke 7 GmbH
Arnoldstraße 5
73614 Schorndorf
Authorized Representatives:
Carsten Czech, Marcel Rönnfeldt, Philip Vögele
Email Address:
info@flanke7.de
Imprint: https://www.flanke7.de/impressum
Regarding the use of Shopify's App Development Technology, please read Shopify's Privacy Policy: https://www.shopify.com/de/legal/datenschutz
Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes of their processing, as well as the individuals affected.
Types of Data Processed by Shopify
- Contact Data
- Content Data
- Customer Data
- Order Data
Categories of Data Subjects
- Communication Partners
- Users
- Customers of the respective shops
Purposes of Processing
- Generation of legally compliant accounting documents such as invoices, credit notes, and payment suggestions
- Provision of contractual services and customer support
- Contact inquiries and communication
- Management and response to inquiries
- Feedback
- Information technology infrastructure
Relevant Legal Bases
Below, you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or business. Furthermore, if more specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a Contract and Pre-contractual Inquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures requested by the data subject.
- Legitimate Interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In addition to the data protection regulations of the GDPR, national data protection regulations in Germany apply. This includes, in particular, the Law for the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). The BDSG contains, in particular, special regulations regarding the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission, as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for purposes of employment (Section 26 BDSG), especially with regard to the establishment, execution, or termination of employment relationships and the consent of employees. State data protection laws of the individual federal states may also apply.
Security Measures
In accordance with legal requirements and taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to data as well as access, input, disclosure, availability, and segregation of data. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data, and the response to data threats. We also take data protection into account in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and through data protection-friendly default settings.
SSL Encryption (https): To protect your data transmitted via our online service, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.
Data Processing in Third Countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if the processing occurs in the context of using third-party services or the disclosure or transfer of data to other persons, entities, or companies, this will only occur in accordance with legal requirements.
Subject to express consent or transfer required by contract or law, we will process or have processed data only in third countries with a recognized level of data protection, including, for example, by applying EU Commission-approved standard contractual clauses, or on the basis of officially recognized agreements, such as the EU-US Privacy Shield.
Data Deletion
The data processed by us will be deleted in accordance with legal requirements as soon as their consent, which is applicable, is revoked or other permissions cease to apply (e.g., if the purpose of processing this data ceases to apply or it is not required for the purpose).
If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons, or data that must be retained to assert, exercise, or defend legal claims or to protect the rights of another natural or legal person.
Our data protection information may also provide further details on the storage and deletion of data, which may apply to the respective processing activities in question.
Provision of the Online Service and Web Hosting
In order to provide our online service securely and efficiently, we use the services of a web hosting provider, from whose servers (or servers managed by them) the online service can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services.
The data processed in the course of providing the hosting service may include all information relating to the users of our online service that arises in the context of use and communication. This includes regularly the Shopify shop ID and URL, which are necessary for providing the functionalities of the online service, and all entries made within our online service or on websites.
- Processed Data Types: Customer Login IDs, Shop IDs, Shop URLs
- Data Subjects: Users of our Shopify application.
- Purposes of Processing: Provision of app functionalities and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
- Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR).
Further Information about Processing Procedures, Services, and Procedures:
- Collection of Access Data and Log Files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). Server log files may include the address and name of the data accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (previously visited page), and usually Shopify shop IDs. Server log files can be used, on the one hand, for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and, on the other hand, to ensure server utilization and its stability; Legal Bases: Legitimate Interests (Art. 6(1)(f) GDPR); Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is exempt from deletion until final clarification of the respective incident.
Contact and Inquiry Management
When contacting us (e.g., via contact form, email, telephone, or social media) and in the context of existing user and business relationships, we process the information provided by the inquiring individuals to the extent necessary to respond to inquiries and any requested actions.
The response to contact inquiries and the management of contact and inquiry data within the framework of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries and, otherwise, based on our legitimate interests in responding to inquiries and maintaining user or business relationships.
- Processed Data Types: Contact Data (e.g., email, telephone numbers); Content Data (e.g., entries in online forms); Usage Data (e.g., visited web pages, interest in content, access times); Meta/Communication Data (e.g., device information, IP addresses).
- Data Subjects: Communication Partners.
- Purposes of Processing: Provision of contractual services and customer support; Contact inquiries and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online form); Provision of our online service and user-friendliness.
- Legal Bases: Performance of a Contract and Pre-contractual Inquiries (Art. 6(1)(b) GDPR); Legitimate Interests (Art. 6(1)(f) GDPR).
Additional Information about Processing Procedures, Procedures, and Services:
- Contact Form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to process the respective inquiry. For this purpose, we process personal data within the scope of pre-contractual and contractual business relationships as far as it is necessary for its performance and otherwise on the basis of our legitimate interests as well as the interests of communication partners in answering inquiries and our legal obligations to retain data; Legal Bases: Performance of a Contract and Pre-contractual Inquiries (Art. 6(1)(b) GDPR), Legitimate Interests (Art. 6(1)(f) GDPR).
Web Analytics, Monitoring, and Optimization
Web analytics (also referred to as "reach measurement") is used to evaluate visitor flows to our online service and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at which time our online service or its functions or contents are most frequently used or invite for reuse. Likewise, we can understand which areas require optimization.
In addition to web analytics, we may also use test procedures to test and optimize different versions of our online service or its components.
Unless otherwise stated below, user profiles can be created for these purposes, which store data about users in pseudonymous form. This means that we or the software providers used do not know the actual identity of users, but only the information stored in their profiles for the purposes of the respective procedures.
- Processed Data Types: Usage Data (e.g., visited web pages, interest in content, access times); Meta/Communication Data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Profiles with user-related information (creation of user profiles); Tracking (e.g., interest/behavior-based profiling, use of cookies); Provision of our online service and user-friendliness.
- Security Measures: IP masking (pseudonymization of the IP address).
- Legal Bases: Consent (Art. 6(1)(a) GDPR).
Changes and Updates to the Privacy Policy
We ask you to regularly inform yourself about the content of our privacy policy. We will adjust the privacy policy as soon as the changes to the data processing we perform make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, we ask you to note that the addresses may change over time and to check the information before contacting us.