Personal Information the App Collects
When the data subject installs the App, the data subject has given consent to the processing of his or her personal data for one or more specific purposes; the processor is automatically able to access certain types of information from the data subject’s Shopify account: shop details (the collection of general settings and information about the store), customer data, products and their variants/inventory, and order history.
Additionally, the processor collects the following types of personal information from the data subject and/or the data subject’s customers once the data subject has installed the App: events capturing customer interaction, such as read/write/update of customer, product and order data with the merchant’s store, via Shopify-provided webhooks; information about the data subject and others who may access the App on behalf of the data subject’s store, such as the data subject’s name, address, email address, phone number, and billing information; and information about individuals who visit the data subject’s store, such as web browser details and information about the cookies installed on the particular device.
The processor collects personal information directly from the relevant individual, through the data subject’s Shopify account, or using the following technologies: “Cookies” are data files that are placed on the data subject’s device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org. “Log files” track actions occurring on the Site, and collect data including the data subject’s IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps. “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how the data subject browses the Site. Additional data is passed to the processor via script tags when a customer interacts with the data subject’s storefront, covering events such as adding to cart, searching for a product, and recently viewed product information.
SECTION 1 - PURPOSE FOR DATA COLLECTION
Skellam AI is committed to protecting your privacy and to complying with all relevant legislation, including the General Data Protection Regulation (GDPR), where this applies to EU citizens, and the EU-US Privacy Shield.
SECTION 2 - WHAT DO WE DO WITH YOUR INFORMATION?
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address. When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system. Email marketing (if applicable): With your permission, we may send you emails about our store, new products and other updates.
SECTION 3 - CONSENT
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only. If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no.
How do I withdraw my consent?
If after you opt in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting us at firstname.lastname@example.org.
SECTION 4 - DISCLOSURE
We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service.
SECTION 5 - PAYMENT
We use Razorpay for processing payments. We/Razorpay do not store your card data on their servers. The data is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS) when processing payment. Your purchase transaction data is only used as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is not saved. Our payment gateway adheres to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read the terms and conditions of Razorpay at https://razorpay.com.
SECTION 6 - THIRD-PARTY SERVICES
SECTION 7 - SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
SECTION 8 - INTERNATIONAL DATA TRANSFERS & THIRD-PARTY DISCLOSURES
Where Skellam AI stores or transfers personal information outside the EU, we have safeguarding measures in place to secure, encrypt and maintain the integrity of the data. We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable.
Your information, including Personal Data, may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.
If you are located outside the United States and choose to provide information to us, please note that we transfer the data, including the Personal Data, to the United States and process it there.
SECTION 9 - COOKIES
SECTION 10 - AGE OF CONSENT
By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site.
SECTION 12 - DATA SUBJECT RIGHTS
1. Right to be informed
There is a need for transparency regarding the gathering and use of data in order to allow EU citizens to exercise their right to the protection of personal data. Therefore, the General Data Protection Regulation (GDPR) gives individuals a right to be informed about the collection and use of their personal data, which leads to a variety of information obligations by the processor. The law differentiates between two cases: On the one hand, if personal data is directly obtained from the data subject (Art. 13 of the GDPR) and, on the other hand, if this is not the case (Art. 14 of the GDPR).
Where data is obtained directly, the person must be immediately informed, meaning at the time the data is obtained. In terms of content, the Processor’s obligation to inform includes his identity, the contact data of the Data Protection Officer, the processing purposes and the legal basis, any legitimate interests pursued, the recipients when transmitting personal data, and any intention to transfer personal data to third countries. In addition, the right to be informed also includes information about the duration of storage, the rights of the data subject, the ability to withdraw consent, the right to lodge a complaint with the authorities and whether the provision of personal data is a statutory or contractual requirement. In addition, the data subject must be informed of any automated decision-making activities, including profiling. Only if the data subject is already aware of the above information is it not necessary to provide it.
If personal data is not obtained from the data subject, he or she must be provided the information within a reasonable period of time, but at the latest after a month. In cases where the gathered information is used to directly contact the data subject, he or she has the right to be informed immediately upon being approached. As far as content is concerned, the Processor has to provide the same specific information as if the personal data had been directly obtained from the data subject. The only exception is the information about any obligations to provide the personal data, as the Processor does not have the decision-making authority in this case. In addition, the Processor has the obligation to inform from what sources the personal data originated, and whether it was publicly available. The data subject has a right to be informed in a precise, transparent, comprehensible and easily accessible form. The obligation to inform can be fulfilled in writing or electronic form. It is explicitly stated that so-called ‘standardised image symbols’ can also be used in order to convey a meaningful overview of the intended processing in an easily comprehended, understandable and clear form.
In the case that the personal data is not gathered from the data subject, in exceptional cases there is no obligation to inform. This applies, if providing the information is either impossible or unreasonably expensive, the gathering and/or transmission is required by law, or if the data must remain confidential due to professional secrecy or other statutory secrecy obligations.
2. Right to access
The right of access plays a central role in the General Data Protection Regulation (GDPR): on the one hand, because only the right of access allows the data subject to exercise further rights (such as rectification and erasure); on the other hand, because an omitted or incomplete disclosure is subject to fines.
The answer to a right of access request includes two stages. First, the Processor must check whether any personal data of the person seeking information is being processed at all. In any case, one must report a positive or negative result. If the answer should be positive, the second stage involves a whole range of information. The right of access includes information about the processing purposes, the categories of personal data processed, the recipients or categories of recipients, the planned duration of storage or criteria for their definition, information about the rights of the data subject such as rectification, erasure or restriction of processing, the right to object, instructions on the right to lodge a complaint with the authorities, information about the origin of the data, as long as these were not collected from the data subject himself, and any existence of an automated decision-taking process, including profiling, with meaningful information about the logic involved as well as the implications and intended effects of such procedures. Last but not least, if personal data is transmitted to a third country without an adequate level of protection, data subjects must be informed of all appropriate safeguards which have been taken.
Information can be provided to the data subject in writing, electronically or verbally as per Art. 12(1) sentences 2 and 3 of the GDPR, depending on the circumstance. According to Art. 12(3) GDPR, information must be provided without undue delay but at the latest within one month. Only in reasoned cases may this one-month deadline be exceptionally exceeded. As a rule, the information has to be provided free of charge. If, in addition, further copies are requested, one can request a reasonable payment which reflects administrative costs. The Processor is also allowed to refuse a data subject’s request for access if it is unjustified or excessive. The Processor additionally has the right, if he is processing a large volume of information about the data subject, to ask that the data subject specify the request for access with regard to specific data processing or kind of information.
3. Right to rectification
The data subject shall have the right to obtain from the Processor without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
4. Right to erasure
4.1) The data subject shall have the right to obtain from the Processor the erasure of personal data concerning him or her without undue delay and the Processor shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Processor is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
4.2) Where the Processor has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the Processor, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Processors which are processing the personal data that the data subject has requested the erasure by such Processors of any links to, or copy or replication of, those personal data.
4.3) Paragraphs 4.1 and 4.2 shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Processor is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Processor;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 4.1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
5. Right to restrict processing
5.1) The data subject shall have the right to obtain from the Processor restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the Processor to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Processor no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the Processor override those of the data subject.
5.2) Where processing has been restricted under paragraph 5.1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
5.3) A data subject who has obtained restriction of processing pursuant to paragraph 5.1 shall be informed by the Processor before the restriction of processing is lifted.
6. Right to data portability
6.1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Processor, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Processor without hindrance from the Processor to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
6.2) In exercising his or her right to data portability pursuant to paragraph 6.1, the data subject shall have the right to have the personal data transmitted directly from one Processor to another, where technically feasible.
6.3) The exercise of the right referred to in paragraph 6.1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Processor.
6.4) The right referred to in paragraph 6.1 shall not adversely affect the rights and freedoms of others.
7. Right to object
7.1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The Processor shall no longer process the personal data unless the Processor demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
7.2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
7.3) Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
7.4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 7.1 and 7.2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
7.5) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
7.6) Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
8. Right in relation to automated decision making and profiling
8.1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
8.2) Paragraph 8.1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data Processor;
b) is authorised by Union or Member State law to which the Processor is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c) is based on the data subject’s explicit consent.
8.3) In the cases referred to in points (a) and (c) of paragraph 8.2, the data Processor shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Processor, to express his or her point of view and to contest the decision.
8.4) Decisions referred to in paragraph 8.2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
SECTION 13 - DATA RETENTION
The Processor will use the data subject’s personal data only as long as necessary to implement, administer and manage the data subject’s participation or as required to comply with legal or regulatory obligations, including under tax and securities laws. When the processor no longer needs the data subject’s personal data, which will generally be 90 days after the data subject’s uninstallation of the app, the processor will remove it from its systems. If the processor keeps the data longer, it would be to satisfy legal or regulatory obligations and the processor’s legal basis would be relevant laws or regulations.
QUESTIONS AND CONTACT INFORMATION
If you would like to access, correct, amend or delete any personal information we have about you, or if you have a query on exercising any data subject rights, wish to register a complaint, or simply want more information, contact our Privacy Compliance Officer at email@example.com.