Privacy Policy

1. Who we are

This policy is published by Katja Ožbolt s.p., a sole proprietorship registered in Slovenia and trading as Borema Digital (“we”, “us”, “our”). We are the data controller for personal data processed in connection with the apps we publish on the Shopify App Store.

Contact for any privacy matter: support@boremadigital.com

2. Scope

This policy applies to all Borema Digital apps distributed through the Shopify App Store, including COD Fee Pro. It covers data processed when a Shopify merchant installs and uses one of our apps, and data Shopify forwards to us about that merchant’s store and customers.

It does not cover data processed by Shopify Inc. itself, or by other third-party apps installed in the same store. Shopify’s privacy policy is available at shopify.com/legal/privacy.

3. What we collect

Our apps are designed to collect as little personal data as possible. Specifically:

3.1 From the merchant’s store

Shop domain

e.g. your-store.myshopify.com. Used to identify the store across our systems.

OAuth access token

Issued by Shopify when the merchant installs the app. Used to make API calls to the merchant’s store on the merchant’s behalf.

App configuration

The fee amount and product variant identifier the merchant configures inside our app dashboard.

3.2 From the store’s customers

We do not store personal data about a merchant’s customers. Our apps process cart contents at checkout in real time to add or remove a fee line item, but no customer name, email, address, or order detail is persisted to our systems.

3.3 Server logs

Our hosting provider records standard HTTP access logs (IP address, timestamp, request URL, response status). These are retained for up to 30 days for security and operational debugging purposes.

3.4 What we do not collect

• We do not use cookies, fingerprinting, or analytics scripts.
• We do not track customer behaviour across stores or sessions.
• We do not collect payment card information.
• We do not target advertising or share data with advertising networks.

4. How we use the data

We use the data described above only to:

• Authenticate and serve the app dashboard inside Shopify Admin.
• Read and write configuration the merchant has explicitly set.
• Add the configured fee to a cart at checkout when the merchant’s rules are met.
• Communicate with the merchant about support requests.
• Investigate security incidents and abuse.
• Comply with legal obligations.

Legal basis under GDPR: performance of a contract (Article 6(1)(b)) for the merchant’s use of the app, and legitimate interest (Article 6(1)(f)) for security logging, fraud prevention, and improving our apps.

5. Subprocessors

We use the following third-party services to operate our apps. Each is bound by its own data protection terms.

Shopify Inc. (Canada / Ireland)

App distribution, OAuth, webhook delivery, billing.

Render Services, Inc. (United States, EU regions available)

Application hosting and access logs.

Neon Inc. (United States)

Managed PostgreSQL database. Stores OAuth session records (shop domain, access token, scopes).

GoDaddy Operating Company, LLC (United States)

Domain registration.

Where a subprocessor is located outside the European Economic Area, transfers are made under appropriate safeguards (standard contractual clauses or equivalent) as required by GDPR Articles 44–49.

6. Data retention

While the app is installed

OAuth tokens and configuration data are retained for as long as the merchant keeps the app installed.

After uninstall

Shopify sends us a shop/redact webhook 48 hours after uninstall. On receipt we delete all session records for that shop from our database.

Server access logs

Up to 30 days, then automatically purged by our hosting provider.

Support correspondence

Email correspondence is retained while it remains useful for support continuity, then archived or deleted on request.

7. Your rights under GDPR

If you are a merchant or end customer in the European Economic Area, you have the right to:

• Request access to the personal data we hold about you (Article 15).
• Request correction of inaccurate data (Article 16).
• Request deletion of your data (Article 17).
• Restrict or object to certain processing (Articles 18 and 21).
• Receive your data in a portable, machine-readable format (Article 20).
• Lodge a complaint with a supervisory authority. In Slovenia, this is the Information Commissioner.

To exercise any of these rights, email us at support@boremadigital.com. We will respond within 30 days.

Customers of stores using our apps can also contact the merchant of the store directly. Shopify provides standard mechanisms (customers/data_request, customers/redact) which we honour.

8. Security

We protect data through:

• HTTPS/TLS for all traffic between Shopify, our app, and our subprocessors.
• HMAC verification of every webhook to ensure it originated from Shopify.
• OAuth tokens stored in an encrypted-at-rest managed database.
• Principle of least privilege for access scopes — we only request the Shopify scopes our apps actually use.
• Operational access restricted to the company owner.

No system can guarantee absolute security. If we discover a breach affecting personal data, we will notify the relevant supervisory authority and affected merchants without undue delay and within 72 hours where required by GDPR Article 33.

9. Children

Our apps are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child’s data has reached us, please contact us so we can delete it.

10. Changes to this policy

We may update this policy when our apps, subprocessors, or legal obligations change. The current version is always available at boremadigital.com/privacy with an updated “Last updated” date at the top.

For material changes that affect how we use personal data, we will notify installed merchants by email or in-app notice before the change takes effect.

11. Contact

Questions about this policy or how we handle your data:

Borema Digital
support@boremadigital.com