Intro
LLC “Growave” (“Growave” or “we”) welcomes you. We provide you with Growave App at Shopify app store available following the link https://apps.shopify.com/growave (”App”).
The Privacy Notice (“Privacy Notice”) describes how data subjects’ personal data is collected, stored, and used and what happens when you use the App.
Data subjects
We process personal data of store owners and their representatives who use the functionality of our App, as well as their customers.
Data subject
Description
Store Owners
it is you – an owner of the store at Shopify or the representatives, who use the App.
Customers
it is your customers – customers of the store at Shopify, represented by the Store Owners.
Please note! We do not knowingly process the personal data of data subjects under age 16.
If you are such a data subject or you are the legal representative of such a data subject, please,
contact us.
Personal data
Roles in the processing
Growave is the controller of the Store Owners' data.
Growave is the processor of the Customers' data, acting on the behalf of the Store Owners, which are the controller of the Customers' data.
Sources of data
We receive data when you interact with our App and use its functionality, depending on your actions and chosen settings of the App.
We may also (although we do not necessarily do so) receive data from third parties. It depends on your settings and the features you use.
Lawful basis for processing
To process data subjects’ personal data, we rely on the following lawful basis
- performance of the contract — for the processing of personal data necessary for the negotiating on, conclusion, and performance of a contract with data subjects;
- legitimate interest — for the processing necessary for the development of our services and reasonable for data subjects;
- consent — for additional processing for specific purposes.
Store Owners’ data
Source of data
Description of the data
Reasons for processing
Legal basis
Shopify.
Date and time of the installation.
To analyse Store Owners for marketing purposes.
Legitimate interest.
Store name.
To start providing appropriate App services after your request.
Performance of the contract.
Store location.
To improve our App.
Legitimate interest.
Email.
To identify Store Owners.
Performance of the contract.
Phone number.
Performance of the contract.
Full name.
Performance of the contract.
From Team support chat.
The content of messages.
To provide informational support.
Performance of the contract.
Wishlist settings.
Listing product.
To provide wishlists functionality and product analytics.
Performance of the contract.
Product tags.
Performance of the contract.
Rewards settings.
Discount codes and promotion.
To provide rewards functionality.
Performance of the contract.
Gift card data.
Performance of the contract.
Shopify plans.
Performance of the contract.
Price rules.
Performance of the contract.
Notification Center settings.
Marketing events.
To provide notification functionality.
Performance of the contract.
Manage App settings.
Theme, script tags in online store.
To provide App functionality.
Performance of the contract.
Data storage
Data that is processed based on the legitimate interest
Stored during the use of the App and cleared from backups 7 days after the deletion of the App
Data that is processed based on the performance of the contract
Customers’ data
Source of data
Description
Reasons for processing
Legal basis
Provided by the Store Owner.
Cookies.
To provide App features and functionality regarding reviews, rewards, wishlists, instagram galleries, social logins and product analytics.
Performance of the contract.
Full name.
Performance of the contract.
Email.
Performance of the contract.
Phone number.
Performance of the contract.
Geolocation.
Performance of the contract.
Address.
Performance of the contract.
Browser and operating system.
Performance of the contract.
IP address.
Performance of the contract.
Content of Customers reviews.
Performance of the contract.
Order details.
Performance of the contract.
Data storage
Data that is processed based on the performance of the contract
Stored during the use of the App and cleared from backups 7 days after the deletion of the App
Data received from third parties
We may receive some personal data from third parties.
The amount of data collected, the purposes, and the legal basis for processing is determined by the respective privacy documents of these parties:
Third parties
Description
Google Analytics
We use these tools for statistics and analytics.
Shopify
We use Shopify app store as a platform to propose and provide our services.
Facebook
We use Facebook for authorization functionality in the App.
Google
We use Google for authorization functionality in the App.
Amazon
We use Amazon for authorization functionality in the App.
Instagram
We use Instagram to enable instagram functionality in the App.
ChatWoot
We use ChatWoot for serving customer inquiries.
Customer.io
We use Customer.io to educate and onboard merchants in the application.
Mixpanel
We use Mixpanel to analyse how our users interact with the application.
Other services
We may use various tools and services for marketing and other purposes. To get a detailed list of the tools,
contact us.
Data sharing with third parties
We use personal data on the basis of the performance of the contract to provide services.
We share data subjects’ data with the service providers and contractors in the scope we need to provide services and technical and customer support, who, for example, help us:
- operate, develop, and improve the features and functionality of our App;
- provide you with their services;
- complete your’ payment transactions;
- fulfil your support requests;
- communicate with you as described elsewhere in this Privacy Notice.
Also, we can share data subjects’ data on the following grounds: consent, compliance with the law, and legitimate interest.
Details
We share data subjects’ data on the following grounds:
1. Performance of a contract.
We may transfer data subjects’ data to our contractors and partners for contractual purposes.
2. Consent.
We may transfer data subjects’ personal data based on your explicit consent.
3. Compliance with the law.
We may disclose data subjects’ personal data to third parties to the extent that it is necessary:
- to comply with a government request, court order, or applicable law;
- to prevent unlawful use of our App or policies;
- to protect against claims of third parties;
- to help prevent or investigate fraud.
4. Transfer to third parties.
We may transfer data subjects’ personal data to third parties based on a data processing agreement, subject to the application of technical and organisational measures to protect data subjects’ personal data. We may share data with certain companies, consultants and contractors hired to provide certain services on our behalf.
Please note! We will ask for data subjects’ consent if the transfer of data is not part of the contract.
Data transfer outside the European Economic Area
The personal data we collect is stored on servers in the Amazon Web Services (AWS). The data is stored in the USA by default, but we may need to process the data subjects’ personal data in another country. We also share some data with our service providers in the Kyrgyz Republic.
There is no adequate decision by the European Commission regarding neither the USA nor the Kyrgyz Republic. This means that the USA and the Kyrgyz Republic are not deemed to provide an adequate level of protection for data subjects’ personal data. We use adopted Standard Contractual Clauses based on legislation assessments for data protection during transfer and storage.
You can read more detailed measures to protect data subjects’ personal data here and in our Data Transfer Agreement.
However, if a data transfer is required to perform a contract or provide services to you we have the right to do so without your consent.
Data protection
We apply a variety of security measures appropriate to the risks.
Organisational measures
Staff training
Internal policies and instructions
Non-disclosure agreements (NDA)
Transfer protection
Physical measures
Video monitoring
Signalling
Limited access to premises
(biometric identification)
Round the clock security
(security agency)
Technical measures
Two-factor authentication
Backups
Firewalls
Encryption technologies
Data subjects rights
The Customers shall exercise their privacy rights through the communication with the controller of their data, which is the corresponding Store Owner.
Store Owners, as the data subjects, have the following rights:
European Economic Area and United Kingdom residents
You, as a data subject, have the right to interact with your data directly or through a request to us. This section describes these rights and how you can exercise them:
The right
Description
Right to access.
You can request an explanation of the processing of your personal data.
Right to rectification.
You can change the data if it is inaccurate or incomplete.
Right to erasure.
You can send us a request to delete your personal data from our systems. We will remove it within 48 hours from our systems and 7 days to delete all backups.
Right to restrict the processing.
You may partially or completely prohibit us from processing your personal data.
Right to data portability.
You can request all the data you provided to us and request to transfer data to another controller.
Right to object.
You may object to the processing of your personal data.
Right to withdraw consent.
You can withdraw consent at any time.
Right to file a complaint.
If your request was not satisfied, you could file a complaint to the regulatory body.
If you are:
European Economic Area resident – you can submit a complaint to your local Data Protection Authority. You may find it
here.
United States residents
You, as data subjects, have some special privacy rights. To use them, please contact us.
Please note! Depending on the state and legislative requirements, we have from 30 to 60 days to exercise your request, with the right to postpone it for 30 days more.
If your complaint was not satisfied, you can file a complaint with the Federal Trade Commission.
Your rights vary depending on the laws that apply to you, but may include:
Right
Description
Area
Right to access.
You can request an explanation of the processing of your personal data.
- California;
- Virginia;
- Ohio;
- Colorado;
- Nevada;
- Massachusetts;
- Minnesota;
- New York;
- North Carolina;
- Pennsylvania;
- Delaware;
- Utah.
Right to rectification.
You can change the data if it is inaccurate or incomplete.
- California;
- Virginia;
- Colorado;
- Nevada;
- Delaware;
- Massachusetts;
- Minnesota;
- New York;
- North Carolina;
Right to deletion.
You can send us a request to delete your personal data from our systems. We will remove it within 48 hours from our systems and 7 days to delete all backups.
- California;
- Virginia;
- Ohio;
- Colorado;
- Massachusetts;
- Minnesota;
- New York;
- North Carolina;
- Pennsylvania;
- Utah.
Right to restriction.
You may partially or completely prohibit us from processing your personal data.
- California;
- Massachusetts;
Right to portability.
You can request all the data you provided to us and request to transfer data to
another controller.
- California;
- Virginia;
- Ohio;
- Colorado;
- Massachusetts;
- Utah.
- Minnesota;
- New York;
- North Carolina;
Right to Opt-Out.
The right to prohibit the sharing or selling of your data.
- California;
- Virginia;
- Ohio;
- Colorado;
- Nevada;
- Massachusetts;
- Minnesota;
- New York;
- North Carolina;
- Pennsylvania;
- Delaware;
- Colorado;
- Utah.
Right Against Automated Decision Making.
You have the right not to be subject to a decision based solely on automated means if the decision produces legal effects concerning you or significantly affects you in a similar way.
- California;
- Massachusetts;
- Virginia;
- Colorado;
- Minnesota;
- New York;
- North Carolina;
Right to lodge a complaint.
If your request was not satisfied, you can file a complaint to the regulatory body.
By default.
Note: Some states do not have their own privacy laws. The rights of residents of such states are governed by U.S. federal law. If your state is not on the list, please
contact us.
Do-not-track requests
California residents, as data subjects, using our App may request that we do not automatically gather and track information pertaining to data subject online browsing movements across the Internet.
Such requests are typically made through web browser settings that control signals or other mechanisms that allow consumers to exercise choice regarding collecting personal data about an individual consumer's online activities over time and across third-party websites or online services.
We currently do not have the ability to honour these requests. We may modify this Privacy Notice as our abilities change.
Canada residents
You, as data subjects, have privacy rights prescribed by Canada federal and provincial privacy laws.
If you want to get additional information, please contact us by filling a request.
If your complaint was not satisfied, you can file a complaint to the Office of the Privacy Commissioner of Canada.
Privacy Notice updating
The Privacy Notice and the relationships falling under its effect are regulated by General Data Protection Regulation for EU citizens, General Data Protection Regulation United Kingdom for UK citizens, Canadian and provincial laws for Canada citizens and United States laws for US citizens.
Existing laws and requirements for processing personal data are subject to change. In this case, we will publish a new version of the Privacy Notice in the App.
If significant material changes are made to our App that may affect your privacy and confidentiality, we will notify you by displaying information in the App and ask for your consent if necessary.
About us
Name
LLC “Growave”
Registration number
168692-3308-OOO
Address
The Kyrgyz Republic, Chui region, Kok-Zhar village, Kuyukov street 11/4
Email
support@growave.io – for general issues
privacy@growave.io – for privacy issues
Phone number