Privacy Policy

Last updated: 29 August 2020

1. Introduction

This Privacy Policy forms part of the Terms of Service. AskBeat Customer Feedback acknowledges your right to confidentiality and is committed to protecting your privacy. This Privacy Policy describes how personal information is collected, used and shared when you install or use the App in connection with your Shopify-supported store.

AskBeat Customer Feedback acts both as a data controller and data processor for different categories of personal data. More specifically:

  • Data processor: for data obtained through Shopify API, data that you enter or upload through your AskBeat Customer Feedback dashboard and data collected on your behalf from your store customers.
  • Data controller: for log and correspondence data.

A session cookie will be stored on your browser when you log in to our App. Insofar as this cookie is strictly necessary for the operation of the App, consent is not required.

2. Personal data that we process as a data processor

In this Section the following are set out: specific categories of personal data that we obtain through Shopify API; personal data that we obtain directly from you; data collected on your behalf; and the purposes for which we may process personal data.

Our App cannot provide the Services to your store unless you grant us permission to access and process specific personal data relating to your store and store customers. You still own and control all this data; we process it to provide you with our App and Services. Under Data Protection laws, we are the data processor and you are the data controller of the personal data that we obtain.

2.1 Personal data that we obtain through Shopify API

When you install the App, you will be asked to give us permission to access certain types of information from your Shopify account through Shopify API. If you approve these permissions and install the AskBeat Customer Feedback App, we will be granted access to the following information:

  • View Shopify account data;
  • Read orders; and
  • Read abandoned checkouts.

More specifically we access your:

  • Store Shopify id, domain & name;
  • Store email;
  • Store customer email;
  • Store physical address: address, city, country;
  • Store new orders: date & time created, order ids, customer Shopify ids & customer emails; and
  • Store abandoned checkouts: date & time created, checkout ids & tokens, customer Shopify ids & customer emails, checkout recovery urls.

We process this personal data for the purposes of operating our App, providing the Services, maintaining back-ups, communicating with you and complying with applicable anti-spam and privacy laws requirements. We may also process some of the data in case we receive a GDPR request from Shopify. For more information about the data processed for responding to Shopify GDPR requests, visit the Shopify GDPR requirements page.

2.2 Personal data that you enter or upload through the App dashboard

When using our App, you may edit some of the personal information that was initially obtained through Shopify API. More specifically, you may edit your store name & store customer / reply-to email. This updated data will be processed solely for the provision of the Services and maintaining back-ups.

Also, when using our App, you have the option to enter or upload a customer email list. We process this information for the purposes of providing the Services to you and linking received NPS® survey responses to your originating customer. We may also process this data in case we receive a GDPR request from Shopify.

2.3 Data collected on your behalf from your store customers

By using our App and the provided Services, responses will be collected from your store customers for the NPS® surveys sent on your behalf. We process this information to present you with the results of your survey and to maintain back-ups. We may also process this data in case we receive a GDPR request from Shopify.

3. Personal data that we collect & process as a data controller

In this Section the following are set out: the general categories of personal data that we may process; the source of that data; the purposes for which we may process personal data; and the legal bases of the processing.

  • We may process your personal data provided in the course of interaction of the App with our servers ("log data"). The log data may include your IP address, timestamp, browser type and version, operating system, device type and URL of the request to our servers, as well as any errors that may occur. The source of the log data is our servers. This data is securely stored on our servers and is anonymous, with no Personally Identifiable Information; IP addresses are anonymized through data minimization and cannot be linked to a specific user. The log data may be processed for the purposes of operating the App, providing the Services, ensuring the security of our App and the provided Services, and solving errors in our App and Services. The legal basis for this processing is our legitimate interests, namely the proper administration of our App and Services.
  • We may process information contained in or relating to any communication that you send to us ("correspondence data") through email. The correspondence data will include the communication content and metadata associated with the communication. The correspondence data may be processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is our legitimate interests, namely the proper administration of our App and Services and communications with our users.

4. Other types of processing

Overall, all above-mentioned data are and will solely be processed for the purposes of operating our App, providing the Services, maintaining back-ups of our databases and communicating with you.

In addition, we may process any of your personal data identified in this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.

We may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect our or your vital interests or the vital interests of another natural person.

5. Providing personal data to others

We do not sell your personal data. We may share and disclose your personal information to third parties in the following circumstances:

  • To sub-processors, insofar as reasonably necessary for the provision of our App and Services. All of our sub-processors are carefully chosen on the basis of their security and privacy standards, their being GDPR compliant, as well as their certification for the EU-U.S. and Swiss-U.S. Privacy Shield for those located outside the European Economic Area (EEA). By agreeing to this Privacy Policy, you give us permission to share personal data with our sub-processors. Specifically, we use the services of the following sub-processors:
    1. DigitalOcean. For more information visit DigitalOcean Privacy Policy and GDPR memo.
    2. Mailgun. For more information visit Mailgun Privacy Policy and GDPR memo.
    3. SMTP2GO. For more information visit SMTP2GO Privacy Policy.
    4. Zoho. For more information visit Zoho Privacy Policy and GDPR memo.
  • We may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect our or your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
  • Lastly, we may share your personal information in case there is a change in the ownership of the App. In this case, you will be notified via email (using the [Store email], as set forth in Section 2 of this Policy) 30 days in advance.

6. International transfers of your personal data

In this Section, we provide information about the circumstances in which your personal data may be transferred to countries outside the EEA.

Some of our sub-processors are situated in countries outside the EEA, including the United States of America. The European Commission has made an "adequacy decision" with respect to the data protection laws of the USA. Transfers to the United States of America will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the European Commission, a copy of which you can obtain from: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

Our sub-processors that are located in the United States of America provide Standard Contractual Clauses (SCCs) as a transfer mechanism for personal data being transferred out of the EEA. For more information on their SCCs, please visit their Privacy Policies, as outlined in Section 5 of this Privacy Policy.

Also, our sub-processors that are located in the United States of America participate in, comply with and are certified to the EU-US and Swiss-US Privacy Shield Frameworks:

  • DigitalOcean Privacy Shield Certification

7. Retaining and deleting personal data

This Section sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.

7.1 Data that we process as a data processor

We will retain the personal data as follows:

  • 48 hours after you uninstall our App, Shopify will send us a shop/redact GDPR request. We will delete all your store data (including all data received through Shopify API, all data entered or uploaded in the App by you and all survey responses collected), within 30 days of receipt, as long as AskBeat Customer Feedback App is not re-installed at the date of data deletion.
  • We will delete all your store data (including all data received through Shopify API, all data entered or uploaded in the App by you and all survey responses collected), within 60 days of your store being set as closed or paused, as long as it is not re-opened or unpaused at the date of data deletion.
  • We will redact or delete store customer data (including data received through Shopify API, data entered or uploaded in the App by you and survey responses collected), within 30 days of receipt of a customers/redact GDPR request from Shopify.

Notwithstanding the other provisions of this Section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect our or your vital interests or the vital interests of another natural person.

7.2 Data that we collect & process as a data controller

We will retain the personal data as follows:

  • Log data, collected through our web servers, will be retained for a period of 2 months.
  • Correspondence data will be retained for a minimum period of 1 month following the date that you contacted us, and for a maximum period of 2 years following the date that you contacted us.

Notwithstanding the other provisions of this Section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect our or your vital interests or the vital interests of another natural person.

8. Security

We use a variety of technologies (such as data transmission through SSL, data encryption and anonymization and 24/7 monitoring of our App and Services) to ensure an appropriate level of security for protecting personal data from unauthorized access, use or disclosure. However, please keep in mind that the Internet cannot be guaranteed to be 100% secure.

In the case of a personal data breach:

  1. For the data for which we act as a data processor: the processor (we) shall notify the controller (you) without undue delay after becoming aware of a personal data breach.
  2. For the data for which we act as a data controller: the controller (we) shall without undue delay notify the personal data breach to our supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

9. Your rights

In this Section, we have listed the rights that you have under data protection law. Your principal rights under the data protection law are:

  • the right to access - ask for a copy of your personal data;
  • the right to rectification - you can ask to rectify inaccurate personal data and to complete incomplete personal data;
  • the right to erasure - you can ask to erase your personal data;
  • the right to restrict processing - you can ask to restrict the processing of your personal data;
  • the right to object to processing - you can object to the processing of your personal data;
  • the right to data portability - you can ask that your personal data is transferred to another organisation or to you; and
  • the right to withdraw consent - to the extent that the legal basis of the processing of your personal data is consent, you can withdraw that consent.

EU individuals also have the right to complain to a supervisory authority.

These rights are subject to certain limitations and exceptions. You can learn more by clicking here.

If you wish to exercise any of your rights in relation to your personal data, please refer / login to the App through your Shopify dashboard (e.g. if you uninstall our App, you withdraw your consent, you restrict processing and your data will be deleted within 30 days) or contact us.

For NPS® survey respondents who wish to opt out from receiving survey email communications from a store, there is an unsubscribe link at the end of each communication. NPS® survey respondents who wish to exercise other data-related rights should contact the store directly, which is the data controller of their data, or ask us to notify the store about their request. As data processor of respondents’ personal data, we opt to not process data without first being instructed by the data controller. We will process respondents’ personal data if we receive a GDPR request from Shopify or we are asked by the data controller to do so (GDPR Article 29: The processor and any person acting under the authority of the controller or the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law).

Note for California residents: Under the California Consumer Privacy Act (“CCPA”), California residents have the right to know what personal information about them is collected, request deletion of their personal data, opt-out of the sale of their personal data, and not be discriminated against if they choose to exercise any of these rights. AskBeat Customer Feedback does not sell and does not process any personal information for any commercial purpose other than operating the App and providing the Services. We will not discriminate against you for exercising any of your CCPA rights.

10. Children’s privacy

AskBeat Customer Feedback is not intended for anyone under 18 years of age (“Children”). We do not knowingly collect any personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you believe that your Children have provided us with personal data, please contact us as soon as possible.

11. About cookies

A cookie is a file containing an identifier (a string of letters and numbers) that is stored by the browser. Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

A session cookie, which contains no personally identifiable information, will be stored on your browser when you log in to our App. This cookie will keep you logged in during your use of the App, so that you will be able to navigate through and use our Services. This cookie is strictly necessary, thus consent is not required. The cookie will expire when you close your web browser or log out from our App.

12. Managing cookies

Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

  • Chrome;
  • Firefox;
  • Opera;
  • Internet Explorer;
  • Safari; and
  • Edge.

Important note: Blocking all cookies will have a negative impact upon the usability of many websites. If you decide to block all cookies, you will not be able to use our App and the provided Services, as you will be immediately logged out.

13. Amendments

We may update this policy from time to time, in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. We will publish a new version here, mentioning the “Last update date”, which is also the effective date of this policy.

You should check this page occasionally to ensure you are happy with any changes to this policy. If you continue to use our App after the effective date, then you will be considered as having consented to the revised Privacy Policy. If you do not agree with the updated Privacy Policy, you are advised to not use / uninstall the App through your Shopify dashboard.

We will notify you of significant changes to this policy by using a banner on the homepage of AskBeat Customer Feedback dashboard and/or via email.

14. Severability

If a provision of this Privacy Policy is determined by any court or other competent authority to be invalid, unlawful and/or unenforceable, the other provisions will continue in effect. If any invalid and/or unlawful and/or unenforceable provision of this Privacy Policy would be valid, lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect.

15. Credit

This document was created using a template from SEQ Legal.

16. Contact

If you have any questions or concerns about this Privacy Policy, please feel free to email us at privacy@askbeat.com.
