Privacy Policy
Effective date: 2026-06-28 Controller for the App's own data: Kadosh (카도쉬), proprietor Kang Seung-hyun (강승현), Republic of Korea — cadosy@gmail.com
This policy explains how GPSR Shield (the "App") handles data. For personal data that we process on
behalf of a merchant, the merchant is the controller and we are the processor — see the
Data Processing Addendum (DPA.md).
1. Data we access and store
From the merchant's Shopify store (via the Shopify API), only what the App needs:
- Store identity & OAuth: shop domain, access token, plan, locale, basic shop info.
- Product data needed to read/write GPSR fields: product IDs, titles, images, and the
gpsrmetafields /gpsr_economic_operator&gpsr_warningmetaobjects. - App session and audit records: who confirmed/published a product and when
(
reviewed_by,reviewed_at), and similar logs.
Personal data this may include:
- Economic-operator contact details (manufacturer / responsible operator) — where these refer to a natural person or a sole trader, they are personal data. They are entered by the merchant and are displayed publicly on the storefront because Article 19 requires it.
- Reviewer/staff identifiers (
reviewed_by) used for the audit trail.
The App does not collect storefront visitors' or end-consumers' personal data, and does not use the data for advertising or profiling.
2. Why we process it (purposes & legal bases)
- To provide the App's features (store, organise, display, gap-detect GPSR data) — performance of the contract / our legitimate interest in operating the service.
- To keep an audit trail of merchant review/publish actions — legitimate interest and the merchant's compliance needs.
- To secure, debug and improve the App — legitimate interest.
- Where we act as processor, we process personal data only on the merchant's documented instructions (the DPA).
3. Sub-processors
We use the following sub-processors to run the App: Shopify (platform & data storage), Cloudflare (hosting/compute), and an email/support provider. We require them to protect data consistent with this policy and the DPA. A current list is available on request.
4. International transfers
Data may be processed outside the EU/EEA (including in Republic of Korea). Where required, transfers rely on appropriate safeguards (e.g. EU Standard Contractual Clauses) — see the DPA.
5. Retention
- Operational data is retained while the App is installed.
- On uninstall, we delete or anonymise the App-side data we hold within 30 days, except where longer retention is required by law. Data stored inside the merchant's Shopify store (metafields/metaobjects) remains under the merchant's control in their store.
- Mandatory Shopify webhooks (
customers/redact,shop/redact,customers/data_request) are honoured.
6. Data subject rights (GDPR & similar)
Where GDPR applies, data subjects have rights of access, rectification, erasure, restriction, objection and portability. Because much of the personal data is controlled by the merchant, we will route requests we receive to the relevant merchant and assist them. To exercise rights or ask questions, contact cadosy@gmail.com (or the merchant who published the data).
7. Security
We use reasonable technical and organisational measures (encryption in transit, least-privilege access, minimal scopes, restricted access tokens). No method is perfectly secure, but we work to protect data and to minimise what we store.
8. Changes
We may update this policy; material changes will be notified via the App or cadosy@gmail.com.
9. Contact
Kadosh (카도쉬) · proprietor Kang Seung-hyun (강승현) 개인사업자 / Business Registration No. 418-06-17117 경기도 고양시 덕양구 향동로 217, 425호 (#425, 217 Hyangdong-ro, Deogyang-gu, Goyang-si, Gyeonggi-do, Republic of Korea) Tel. 02-1522-7824 · cadosy@gmail.com