Privacy Policy — Customer Account Activation
Effective date: 2026-07-13
App: Customer Account Activation (“the App”)
Provider: GiaTech, Içerenköy Mah. Ertaç Sokak No:13/1, Ataşehir — İstanbul, Türkiye (“we”, “us”)
Contact: info@giatech.com.tr
1. Our role
The App is installed by Shopify merchants (“Merchants”) on their stores. For personal data belonging to a Merchant’s customers, the Merchant is the data controller and we act as a data processor, processing data only on the Merchant’s instructions to provide the App’s functionality.
2. Data we process
When a Merchant installs and uses the App, we access and process the following via the Shopify Admin API:
- Store data: shop domain, installation status, selected plan and billing status.
- Customer data: customer IDs and email addresses of the store’s customers, used solely to send Shopify’s native account-activation invitations on the Merchant’s behalf.
- Operational data: records of invite jobs (status, counts, per-customer send result and any error message) and application logs.
We do not collect customer names, addresses, payment details, or order data.
3. Purpose & legal basis
Data is processed only to: (a) send account-activation invitations requested by the Merchant; (b) show job progress and results; (c) operate billing; and (d) maintain security and diagnose errors. The legal basis is the performance of our contract with the Merchant and the Merchant’s own lawful basis toward its customers.
4. Sub-processors
We use the following service providers to run the App:
- Shopify — platform and email delivery of activation invitations.
- Vercel — application hosting (serverless).
- Neon — PostgreSQL database.
- Upstash — caching (Redis).
- Sentry — error monitoring/diagnostics.
Each processes data only as needed to provide its service.
5. Data retention & deletion
Operational data is retained only as long as needed to provide the service and is subject to automated cleanup. We fully implement Shopify’s mandatory compliance webhooks:
customers/data_request— respond to a customer data-access request.customers/redact— delete a specific customer’s data.shop/redact— delete a store’s data after uninstall (per Shopify’s 48-hour window).
On uninstall, the store’s access is revoked and its data is scheduled for deletion.
6. Security
All traffic is encrypted in transit (HTTPS). Access to the Shopify Admin API uses per-store OAuth access tokens. Data is logically isolated per store (tenant).
7. International transfers
Data may be processed in the regions where our sub-processors operate (primarily the EU — e.g. Frankfurt). Where applicable, appropriate safeguards are used.
8. Your rights
Store customers should direct data requests to the Merchant (the controller). Merchants and customers may contact us at info@giatech.com.tr for assistance with data-access or deletion requests.
9. Changes
We may update this policy; the effective date above reflects the latest version.