Privacy Policy
Advanced Collections – Shopify app
1. Controller
Lukas Zimmermann
Clara-Schumann-Str. 15
74889 Sinsheim, Germany
E-mail: lukastz@icloud.com
2. Categories of data processed
- Shop data (shop domain, app installation status, selected plan, feature flags).
- Authentication and session data (Shopify OAuth tokens, session ID, scopes, expiry).
- Collection and product metadata used for sorting, publishing, and analytics.
- Usage data in the embedded admin UI (pseudonymized analytics via PostHog, EU host).
- Web pixel events from the storefront (views, clicks, add-to-cart, purchases), with consent signals honored.
- No payment card data is stored; billing runs through Shopify Billing.
3. Purposes of processing
- Provide collection management, sorting, publishing, and A/B testing features.
- Authenticate merchants and maintain secure sessions.
- Operate subscriptions and billing (free/paid plans, trials, discounts).
- Collect storefront performance signals to rank products and report analytics.
- Improve stability and UX via pseudonymous admin analytics and error diagnostics.
- Comply with legal requests (e.g., GDPR access/erasure via Shopify webhooks).
4. Legal bases
- Art. 6 (1) (b) GDPR – performance of contract (provide the app and features).
- Art. 6 (1) (f) GDPR – legitimate interests (security, error analysis, product improvement).
- Art. 6 (1) (c) GDPR – legal obligations (e.g., handling GDPR requests).
5. Processing activities
5.1 Shopify admin app (OAuth & sessions)
During installation and login we obtain Shopify access tokens via OAuth, store a session with shop domain, token, validity, and granted scopes, and delete these after app uninstallation through the uninstall webhook.
5.2 Collection management & sync
We read collection and product data to compute rankings and write ordering, metafields, and publications back to Shopify when you save or publish. For A/B tests we may duplicate collections and keep snapshot history.
5.3 Storefront analytics (Shopify Web Pixel)
Performance events (views, clicks, add-to-cart, purchases) are collected through Shopify Web Pixels. We honor Shopify Customer Privacy and consent signals; events are only processed after consent and may be replayed per Shopify rules.
5.4 Admin analytics (PostHog, EU)
Pseudonymous usage analytics (screen views, clicks, feature flags, errors) are processed in PostHog Cloud EU. No storefront customer data is sent. Identifiers are pseudonymous session/client IDs. You can request disabling admin analytics via support.
5.5 Billing
Subscriptions are handled via Shopify Billing. We receive plan status and billing events (e.g., app_subscriptions/update) but no payment card details.
6. Recipients
- Shopify as platform provider (Shopify Inc., Shopify International Ltd.).
- PostHog as admin analytics provider (EU data center).
- Hosting and infrastructure providers within EU/EEA where required.
7. International transfers
Where providers outside the EU/EEA are used, transfers rely on appropriate safeguards such as EU Standard Contractual Clauses (SCCs) or equivalent mechanisms. PostHog is used with an EU host; Shopify may process data globally under its own safeguards.
8. Storage periods
- Sessions/tokens: until uninstallation or token expiry/rotation.
- Collection snapshots and sync history: retained as long as the feature is active or until you delete the collection.
- Storefront pixel events: raw up to 90 days; aggregated metrics up to 12 months.
- Admin analytics (PostHog): raw events up to 180 days; aggregates up to 365 days.
9. Data subject rights
You have the right of access, rectification, erasure, restriction of processing, data portability, and to object where legal requirements are met. You can lodge a complaint with a competent supervisory authority. For customer data from the Shopify storefront, requests are handled through Shopify’s mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact). Store owners or their customers can also email support@advanced-collections.app or lukastz@icloud.com with the shop domain and request type; we will respond using the same webhooks and confirm completion.
10. Obligation to provide data
Providing the data in Section 5.1 is necessary to use the app. Without these data the app cannot function.
11. No sale or targeted advertising
We do not sell or share personal data for targeted advertising. Storefront pixel events are used solely for ranking, analytics, and A/B testing within the merchant’s shop. If you disable analytics or uninstall the app, processing stops and data is erased per Section 8.
12. Contact
Email: support@advanced-collections.app
Controller: lukastz@icloud.com
For Shopify’s own processing as a separate controller, see the Shopify Privacy Policy.
Imprint
Responsible entity (service provider) for Advanced Collections.
Advanced Collections
Attn: Legal / Imprint
Clara-Schumann-Str. 15
74889 Sinsheim, Germany
Email: support@advanced-collections.app
Note: This page is intended for public reference and can be linked from the Shopify App Store listing.