Shppys Privacy Policy
This policy describes how personal data is handled across the Shppys platform and where merchant responsibilities begin when stores use Shppys to sell online.
1. Overview
This Privacy Policy explains how Shppys collects, uses, stores, shares, and protects personal data when you visit our websites, create an account, operate a store, buy from a merchant using our platform, contact us, or otherwise interact with our services.
This policy is intended to provide transparency under applicable privacy and data protection laws, including Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR), the UK GDPR as incorporated into United Kingdom law, the Data Protection Act 2018, the Privacy and Electronic Communications rules that may apply to cookies and direct marketing, and relevant United States state privacy laws where they apply.
Depending on the context, Shppys may act as a data controller for account, platform, billing, support, and marketing data, and as a data processor or service provider for data that merchants collect and manage through the Shppys platform.
2. Who Is Responsible For Your Data
For platform-level data, Shppys is generally the organisation responsible for deciding why and how personal data is processed. This includes data related to account registration, merchant onboarding, authentication, product analytics, billing, support, fraud prevention, security monitoring, and direct communications from Shppys.
For customer, order, marketing, and store data processed on behalf of merchants, the relevant merchant will usually be the data controller and Shppys will usually operate as a processor or service provider acting on the merchant's documented instructions.
If you have questions about this policy or platform-level privacy practices, you can contact us at legal@shppys.com.
3. Categories Of Data We Collect
The personal data we collect depends on how you use the platform and which services you use.
We may collect data directly from you, automatically from your device or browser, from merchants and customers using the platform, from payment or identity providers, from support interactions, and from third-party integrations that you choose to connect.
- Identity data, such as name, username, business name, job title, and account identifiers.
- Contact data, such as email address, phone number, billing address, shipping address, and support contact details.
- Commerce data, such as store settings, product data, order data, customer records, returns, discounts, tax settings, and fulfilment information.
- Payment and billing data, such as subscription status, invoices, payout details, transaction metadata, and limited payment-related information provided by payment partners.
- Technical and device data, such as IP address, browser type, device identifiers, operating system, language, referring URLs, and log data.
- Usage data, such as pages viewed, clicks, features used, session patterns, performance metrics, and diagnostic events.
- Communication data, such as emails, chat records, support tickets, feedback, survey responses, and security notifications.
- Compliance and risk data, such as sanctions checks, fraud signals, verification results, abuse reports, and audit records.
4. Why We Use Personal Data
We process personal data only where we have a lawful basis to do so and only for specified, legitimate purposes.
Depending on the context, our lawful bases may include performance of a contract under Article 6(1)(b) GDPR and the UK GDPR equivalent, compliance with legal obligations under Article 6(1)(c), legitimate interests under Article 6(1)(f), consent under Article 6(1)(a), and where necessary the establishment, exercise, or defence of legal claims.
Where special category data is ever processed, that processing should only occur where a valid Article 9 GDPR condition and any relevant UK law condition are satisfied. Shppys does not intend to routinely process special category data unless the service context clearly requires it and an appropriate legal basis exists.
- To create, operate, maintain, and secure user accounts and stores.
- To provide storefront, checkout, order management, payment, shipping, analytics, and related platform functionality.
- To process subscriptions, invoices, payouts, tax-related workflows, and account administration.
- To detect fraud, misuse, security threats, and policy violations, and to protect users, merchants, customers, and the platform.
- To provide customer support, troubleshooting, onboarding, and operational communications.
- To improve service quality, performance, product design, usability, and reliability.
- To comply with legal, regulatory, tax, accounting, sanctions, consumer protection, and law-enforcement obligations.
- To send product updates, service notices, and, where permitted, marketing communications.
5. Merchant And Customer Data Roles
If you are a merchant using Shppys, you are generally responsible for the privacy notices, lawful bases, consent practices, retention decisions, and customer-rights handling connected with the data you collect through your store.
If you are a customer purchasing from a merchant store powered by Shppys, the merchant is generally your primary point of contact for order-related privacy requests, subject to Shppys assisting where required under processor obligations.
Merchants are expected to use the platform in compliance with applicable privacy laws, to provide accurate privacy disclosures, and to enter into any required data processing terms before using regulated personal data through the platform.
8. International Data Transfers
Personal data may be processed in countries other than the country where it was collected, including countries that may have different data protection standards.
Where personal data is transferred from the European Economic Area, the United Kingdom, or another jurisdiction with transfer restrictions, we intend to rely on an appropriate transfer mechanism such as an adequacy decision, the European Commission Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, binding corporate rules where available, supplementary technical and organisational safeguards, or another recognised legal basis for transfer.
Where required, transfer risk assessments or similar assessments should be undertaken to evaluate whether the receiving jurisdiction and transfer arrangement provide a level of protection that is essentially equivalent to the level required under EU and UK law.
9. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy, including to provide the services, comply with legal obligations, resolve disputes, maintain security records, enforce agreements, and support legitimate business operations.
Retention periods depend on the type of data, the role in which it is processed, legal and tax requirements, the sensitivity of the information, and whether deletion or anonymisation is possible without undermining required operational or compliance functions.
When data is no longer required, we will seek to delete, anonymise, or securely isolate it in accordance with our retention standards and legal obligations.
10. Security Measures
We maintain technical, organisational, and administrative safeguards designed to protect personal data against unauthorised access, misuse, disclosure, alteration, and loss. These measures may include encryption, access controls, segmentation, logging, authentication safeguards, backup processes, staff access restrictions, and incident management procedures.
No internet-based service is completely secure, and we cannot guarantee absolute security. Users and merchants are responsible for protecting their own credentials, endpoint devices, and internal operational practices.
11. Privacy Rights And Choices
Depending on your location and the applicable law, you may have rights relating to access, correction, deletion, restriction, objection, portability, consent withdrawal, complaint submission, and the limitation of certain automated decision-making.
For individuals in the European Union and the United Kingdom, these rights may include the rights set out under GDPR and UK GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and rights relating to decisions based solely on automated processing where applicable.
If Shppys acts as controller for the relevant data, you may contact us directly to exercise applicable rights. If a merchant controls the data, we may direct you to that merchant while assisting as required under applicable processor obligations.
- Access the personal data we hold about you, subject to applicable exceptions.
- Correct inaccurate or incomplete personal data.
- Request deletion of personal data where a valid legal basis exists.
- Object to or restrict certain processing in the situations allowed by law.
- Request portability of certain data where the law provides that right.
- Withdraw consent where processing depends on consent.
- Opt out of direct marketing communications using available unsubscribe tools or by contacting us.
12. Additional EU And UK Privacy Disclosures
Where EU or UK data protection law applies, Shppys intends to follow the core principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.
Where required, Shppys should maintain records of processing activities, implement appropriate controller-processor terms, support data protection impact assessments for high-risk processing, and apply privacy by design and by default in product and operational decisions.
Individuals in the EU and UK may also have the right to lodge a complaint with the supervisory authority in their habitual residence, place of work, or place of the alleged infringement. In the UK this may include the Information Commissioner's Office, and in the EU this may include the competent supervisory authority in the relevant Member State.
13. Additional United States Privacy Disclosures
Residents of certain U.S. states may have additional rights, including rights to know, delete, correct, access, opt out of targeted advertising, opt out of certain profiling, and appeal denied privacy requests where required by applicable law.
We may use service providers and contractors to process personal data on our behalf, and we may disclose categories of personal data for operational, analytics, support, fraud prevention, and service-delivery purposes. We do not intentionally process sensitive personal data beyond what is reasonably necessary for legitimate and lawful business purposes or where otherwise permitted by law.
14. Children's Privacy
Our services are not directed to children and are not intended to be used by individuals below the age required to enter into a binding agreement under applicable law without valid parental or guardian involvement.
If we become aware that we have collected personal data from a child in violation of applicable law, we will seek to delete that information or otherwise take appropriate remedial action.
15. Changes To This Policy
We may update this Privacy Policy from time to time to reflect product changes, legal developments, operational improvements, or regulatory requirements.
Where changes are material, we may provide notice through the website, the platform, or by email. The current version date shown on the page indicates when this policy was last revised.
16. Contact And Complaints
For privacy questions, data rights requests, or complaints about platform-level processing, contact legal@shppys.com. For store-specific questions, including order, customer, or merchant-controlled data, contact the relevant merchant first where appropriate.
If you are located in a jurisdiction that grants you the right to lodge a complaint with a supervisory authority or regulator, you may also do so with the authority responsible for your location or data protection matter, including the relevant EU supervisory authority or the UK Information Commissioner's Office where applicable.