Privacy Policy & Terms of Service
This Privacy Policy & Terms of Service document describes how personal information is collected, used, and shared when you install or use the Consentmo GDPR Compliance app on a Shopify-supported store.
Personal Data
When you install any of our apps, we are automatically able to access certain types of information from your Shopify account. The full list available through Shopify can be seen here. This is visible in the setup process and can be reviewed before finishing the install.
We will store your *.myshopify.com domain as well as the email associated with your store. This is only to provide you with better customer support and is kept strictly confidential from third parties.
Understanding Our Role
iSenseLabs is not a lawyer or a law firm and does not engage in the practice of law or provide legal representation. Our Consentmo GDPR Compliance app is provided as a tool that will serve you in your GDPR/CCPA-CPRA/APPI/PIPEDA/VCDPA/LGPD compliance needs. The app itself is not intended to substitute professional legal advice. You can use it as a tool that will provide you the basis for being compliant (Cookie Bar, Preferences popup, Compliance Pages, Cookie and Data management) and adjust it as per your local needs. The use of our app is subject to our Privacy Policy & Terms of Service. By using our app, you expressly acknowledge that you have read the Privacy Policy & Terms of Service page and agree to its content.
Data Collection and Usage
We have access only to the information that is given to us voluntarily via e-mail, live chat or from direct contact with our customers. We confirm that this information won’t be sold to any third-party organizations.
This information will only be used in responding to our customer’s requests, regarding the various reasons they have contacted us about. This also applies to the store client’s requests submitted through the pre-generated Compliance pages by our app.
From January 2021, all data that is stored on our end for GDPR/CCPA-CPRA/APPI/PIPEDA/VCDPA acceptances and the GDPR/CCPA-CPRA/APPI/PIPEDA/VCDPA requests (all kinds of information that can be requested through the app, including the deletion requests) will be deleted after 12 months. Meaning that, after this period is over, we will no longer keep any data for these respective website visitors/customers associated with the respective merchants/store owners.
We may contact you via email in the future to tell you about specials, new products or services, or changes to this privacy policy unless you specifically request to be excluded from this list. It is your right to do that too.
The service uses Google Analytics to improve the functionality and the experience for you. You may opt-out of Google Analytics by using the Opt-out Browser add-on, which is available by visiting Google Analytics Opt-out Browser Add-on, to enable you to opt-out of Google’s programs.
We do not use other analytics or tracking cookies on our website.
Data Processing
We are using calls to the Shopify API when we are getting information for the customers, so a Data Processing Agreement for our app is the same as the one for Shopify itself. In addition, you can check our app’s Data Processing Addendum document. By using our Consentmo GDPR Compliance app, you agree to all terms and conditions of this Data Processing Addendum and Terms of use.
Additionally, you can check what we are collecting here: Data Collection and Usage part. Unlike other apps, we are actually not collecting any personal information, such as names, addresses, etc. All this information is stored in Shopify, we do not have access to it. What we do collect, is only the email of the customer, and this is only if he/she makes a GDPR request, otherwise, we do not have it. Having the email when a GDPR, or any other, request is made is required because this is the only way we can track which request was made by this specific user. As for the IPs, they are masked for the Shopify merchants and are visible only for the visitors themselves (if they make a GDPR request). Unfortunately, due to limitations in Shopify, the only personal data that we store (emails and IP), cannot be saved inside of Shopify. No app is able to do that, not just GDPR apps, but apps in general. That is why we have added this Data collection text here in the preferences popup as well as here in the Compliance pages upon submitting a request. For more information, please check this FAQ question
Cookie Information
Our app is setting two cookies on your store, in order for the app to function properly.
Here is a brief explanation for these cookies:
Cookie name: cookieconsent_status
This cookie will be set as soon as one of the Accept or Close buttons is pressed. It holds information about which exact button is pressed. Here is a list of all of the available options for the cookie's contents:
- dismiss - When the 'Close' button is pressed
- allow - When the 'Accept' button from the Consent Bar is pressed
- accept_selected - When the 'Accept Selected' button is pressed ( from the Preferences popup )
- accept_all - When the 'Accept all' button is pressed ( from Preferences popup )
Duration: 1 year
Cookie description: This cookie is set by GDPR/CCPA Compliance + Cookie Management app to hold information on which cookie accept button is pressed by the visitor.
Cookie name: cookieconsent_preferences_disabled
This cookie will be set based on the selected option from the app setting Initial state of the cookie bar. It holds information about the cookie groups, which are currently blocked. The blocking can be either based on the initial state, or when the customer manually opts out of a certain cookie group. Here is an example:
If you have checked the options Block marketing cookies until visitor opts-in and Block analytics cookies until visitor opts-in this would mean that the Analytics and Marketing cookie group will be blocked initially. The information, which this cookie will contain will be: marketing%2Canalytics
The information, which this cookie containts, will be changed every time when the customer changes his preferences. Based on this cookie, the blocking of the cookies is maintained.
Duration: 1 year
Cookie description: This cookie is set by GDPR/CCPA Compliance + Cookie Management app to hold information on which cookie groups are currently blocked by the app.
Application Specifics
1. Policy acceptances
When a visitor of your store accepts your privacy policy through the cookie bar, our app is collecting the following data:
- Customer ID (if registered)
- Customer email (if registered)
- Customer IP (masked for the Shopify merchants)
- Accepted page ID - the ID of the page which you have set for your privacy policy texts
- Date & Time - the exact date of the action
2. GDPR/CCPA-CPRA/APPI/PIPEDA/VCDPA requests
When a visitor of your store makes a GDPR/CCPA-CPRA/APPI/PIPEDA/VCDPA request from the GDPR/CCPA-CPRA/APPI/PIPEDA/VCDPA Compliance page, we are collecting the following data:
- Store ID - the ID of your store
- Request type - the type of the request that was made
- Customer ID (if registered)
- Customer email (if registered)
- Customer IP (masked for the Shopify merchants)
- Customer User Agent (masked for the Shopify merchants)
- Date & Time - the exact date of the request
3. Deletion requests
When a visitor of your store requests his/her data to be removed from your store, we are collecting the following data:
- Customer ID (if registered)
- Customer email (if registered)
- Date & Time - the exact date of the request
Exporting personal customer data
When a visitor of your store makes a GDPR/CCPA-CPRA/APPI/PIPEDA/VCDPA request ("Data Rectification", "Data Portability", "Access to Personal Data", "Right to be Forgotten"), no data will be saved by us or by the app. The data is taken directly from Shopify and sent to the user.
Note: All of the data we collect for the sole purpose of handling the requests through the GDPR/CCPA-CPRA/APPI/PIPEDA/VCDPA Compliance pages is saved with us for 12 months and after this period is over, it is being automatically deleted. All the GDPR data we collect is stored in EU servers, located specifically in a datacenter in Amsterdam, Netherlands.
Security incident response policy page here
Changes
We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.
If you have any questions, feel free to contact us at [email protected].
Last updated: 19 August, 2022