Our commitment to protecting your personal data and privacy rights under the General Data Protection Regulation
Last Updated: January 1, 2026
Important Notice: NativeProof is a third-party application and is not affiliated with, endorsed by, or sponsored by Shopify Inc. Shopify is a registered trademark of Shopify Inc.
1. GDPR Overview
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations processing personal data of individuals located in the European Union (EU) and European Economic Area (EEA), regardless of where the organization is based.
NativeProof is committed to GDPR compliance and protecting the privacy rights of all users. This page explains how we comply with GDPR requirements and how you can exercise your data protection rights.
Our Commitment: We are committed to transparency in our data processing practices and to responding to all valid data subject requests within the legally required timeframes.
2. Our Role Under GDPR
2.1 Data Controller vs. Data Processor
Under GDPR, NativeProof operates in two capacities:
| Role | Context | Responsibilities |
|---|---|---|
| Data Controller | Merchant account data, app usage analytics | We determine purposes and means of processing |
| Data Processor | Customer review data submitted on merchant stores | We process on behalf of and under instruction of merchants |
2.2 Merchant Responsibilities
When merchants use NativeProof to collect reviews from their customers, the merchant acts as the Data Controller for that customer data. Merchants are responsible for:
Providing appropriate privacy notices to their customers
Obtaining necessary consents for review collection
Responding to data subject requests from their customers
Ensuring lawful processing of customer data
3. Legal Basis for Processing
Under Article 6 of the GDPR, we process personal data based on the following lawful bases:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Providing the Service to merchants | Contract performance | Article 6(1)(b) |
| Processing customer reviews | Legitimate interests / Consent | Article 6(1)(f) / 6(1)(a) |
| Fraud prevention and security | Legitimate interests | Article 6(1)(f) |
| Verified buyer detection | Legitimate interests | Article 6(1)(f) |
| Legal compliance | Legal obligation | Article 6(1)(c) |
| Service improvement and analytics | Legitimate interests | Article 6(1)(f) |
Legitimate Interest Assessment: Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override the fundamental rights and freedoms of data subjects. You may request details of our legitimate interest assessments.
4. Data Subject Rights
Under GDPR, individuals have the following rights regarding their personal data:
Right of Access: Request a copy of all personal data we hold about you (Article 15)
Right to Rectification: Request correction of inaccurate or incomplete data (Article 16)
Right to Erasure: Request deletion of your personal data ("right to be forgotten") (Article 17)
Right to Restrict Processing: Request limitation of how we process your data (Article 18)
Right to Data Portability: Receive your data in a portable, machine-readable format (Article 20)
Right to Object: Object to processing based on legitimate interests or for marketing (Article 21)
Right to Withdraw Consent: Withdraw consent at any time for consent-based processing (Article 7)
Right to Lodge a Complaint: File a complaint with your local supervisory authority (Article 77)
5. Data We Process
5.1 Categories of Personal Data
| Category | Examples | Retention Period |
|---|---|---|
| Identity Data | Display name, reviewer name | Until deletion request or account termination |
| Contact Data | Email address (hashed), shop email | Until deletion request or account termination |
| Content Data | Review text, ratings, photos, videos | Until deletion request or account termination |
| Technical Data | IP address, browser type, device info | 90 days |
| Transaction Data | Order verification status (no financial data) | Until deletion request |
5.2 Special Category Data
We do NOT intentionally collect or process special category data (sensitive personal data) such as:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic or biometric data
Health data
Sexual orientation
Privacy by Design: Customer email addresses are hashed using SHA-256 with a per-shop salt before storage. We cannot reverse this hash to recover the original email address, providing an additional layer of privacy protection.
6. Shopify GDPR Webhooks
As a Shopify application, NativeProof implements and responds to all mandatory GDPR webhooks required by Shopify:
1. Customer Data Request
POST /webhooks/gdpr/customers/data_request
When a customer requests their data from a merchant, we receive this webhook and compile all personal data associated with that customer within 30 days.
2. Customer Data Erasure (Redaction)
POST /webhooks/gdpr/customers/redact
When a customer requests deletion of their data from a merchant, we receive this webhook and permanently delete all associated personal data within 30 days.
3. Shop Data Erasure
POST /webhooks/gdpr/shop/redact
When a merchant uninstalls the app, we receive this webhook and delete all shop and customer data associated with that store within 48 hours of the request (up to 30 days for complete removal including backups).
Response Time: We are committed to responding to all GDPR data requests within the legally required 30-day timeframe. Complex requests may require additional verification to protect against unauthorized access.
7. How to Submit Data Requests
7.1 For End Users (Store Customers)
If you are a customer who submitted a review on a Shopify store using NativeProof:
Primary Contact: Contact the Shopify store where you submitted your review. The merchant is the Data Controller and can process your request or forward it to us.
Direct Contact: If you cannot reach the merchant, contact us directly at privacy@aispree.cloud with:
Your name and email address used for the review
The Shopify store name/URL where you submitted the review
Your specific request (access, deletion, correction, etc.)
7.2 For Merchants
Merchants can submit data requests for their own account data:
To protect against unauthorized access, we may require verification of your identity before processing requests. This may include:
Verification of the email address associated with your review or account
Additional information to confirm your identity
For merchants: verification through your Shopify store admin
7.4 Response Timeframe
We will acknowledge your request within 72 hours and complete processing within 30 days. If additional time is required due to complexity, we will notify you of the extension (up to 60 days total) as permitted by GDPR.
8. Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32):
8.1 Technical Measures
Encryption in Transit: TLS 1.3 for all data transmission
Encryption at Rest: AES-256 for sensitive data (access tokens, credentials)
Pseudonymization: SHA-256 hashing with per-shop salts for email addresses
Access Controls: Role-based access with multi-factor authentication
Webhook Verification: HMAC-SHA256 signature validation for all Shopify webhooks
Automated Backups: Encrypted backups with secure storage
Intrusion Detection: Monitoring and alerting for suspicious activity
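The webhook flow described in section 6 and the two technical measures in 8.1 that it depends on (HMAC-SHA256 validation of the delivery and per-shop salted SHA-256 pseudonymization of email addresses) fit together in one handler. The following is an added example, not NativeProof's code: the app secret, the per-shop salt, the in-memory review store and the payload contents are constructed placeholders; the header names X-Shopify-Hmac-Sha256 and X-Shopify-Topic are the ones Shopify documents for webhook deliveries, and the handler dispatches on the topic header rather than on the three URL paths listed above. The point it shows is the ordering: the signature is checked over the raw body before the JSON is parsed, and the redaction request is matched to stored reviews by recomputing the salted hash, so the plaintext address never needs to be stored.

```python
import base64
import hashlib
import hmac
import json

# Header names Shopify sets on every webhook delivery.
HMAC_HEADER = "X-Shopify-Hmac-Sha256"
TOPIC_HEADER = "X-Shopify-Topic"

# Hypothetical app secret and per-shop salts (placeholders, not the project's values).
APP_SECRET = b"hypothetical-app-client-secret"
SHOP_SALTS = {"example-store.myshopify.com": b"hypothetical-per-shop-salt"}


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 over the raw body, the value Shopify places in the HMAC header."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def verify_shopify_hmac(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Recompute the signature over the raw bytes and compare in constant time.
    Re-serializing parsed JSON before verifying would change the bytes and break the check."""
    return hmac.compare_digest(sign_body(secret, raw_body), header_value or "")


def pseudonymize_email(shop_domain: str, email: str) -> str:
    """Salted SHA-256 of the normalized address. One-way, but deterministic per shop,
    so a redaction request can be matched to stored reviews without keeping the email."""
    normalized = email.strip().lower().encode()
    return hashlib.sha256(SHOP_SALTS[shop_domain] + normalized).hexdigest()


def make_sample_store(shop_domain: str) -> dict:
    """Constructed in-memory review store: shop domain -> list of review records."""
    return {
        shop_domain: [
            {"id": 1, "email_hash": pseudonymize_email(shop_domain, "alice@example.com"), "rating": 5},
            {"id": 2, "email_hash": pseudonymize_email(shop_domain, "bob@example.com"), "rating": 4},
            {"id": 3, "email_hash": pseudonymize_email(shop_domain, "bob@example.com"), "rating": 3},
        ]
    }


def build_delivery(topic: str, payload: dict, secret: bytes = APP_SECRET) -> tuple:
    """Construct a signed delivery (headers, raw body) shaped like a Shopify webhook."""
    raw_body = json.dumps(payload).encode()
    return {TOPIC_HEADER: topic, HMAC_HEADER: sign_body(secret, raw_body)}, raw_body


def handle_gdpr_webhook(headers: dict, raw_body: bytes, store: dict,
                        secret: bytes = APP_SECRET) -> dict:
    """Verify the signature first, then act on the topic. Returns the HTTP status and outcome."""
    if not verify_shopify_hmac(secret, raw_body, headers.get(HMAC_HEADER, "")):
        return {"status": 401, "reason": "invalid or missing HMAC"}
    topic = headers.get(TOPIC_HEADER, "")
    payload = json.loads(raw_body)
    shop = payload["shop_domain"]
    reviews = store.get(shop, [])

    if topic == "shop/redact":
        # Uninstall: drop everything held for this store (idempotent for unknown shops).
        deleted = len(store.pop(shop, []))
        return {"status": 200, "topic": topic, "deleted": deleted}

    if topic in ("customers/data_request", "customers/redact"):
        if shop not in SHOP_SALTS:
            return {"status": 404, "reason": "unknown shop"}
        token = pseudonymize_email(shop, payload["customer"]["email"])
        if topic == "customers/data_request":
            matches = [r for r in reviews if r["email_hash"] == token]
            return {"status": 200, "topic": topic, "records": matches}
        kept = [r for r in reviews if r["email_hash"] != token]
        store[shop] = kept
        return {"status": 200, "topic": topic, "deleted": len(reviews) - len(kept)}

    return {"status": 400, "reason": f"unexpected topic {topic!r}"}
```

Returning 401 on a failed signature check is the safe response: a delivery whose signature cannot be verified is dropped before any of the data it names is read or changed.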
8.2 Organizational Measures
Regular security training for all personnel
Data protection policies and procedures
Incident response plan for data breaches
Regular security audits and assessments
Vendor due diligence for third-party processors
8.3 Breach Notification
In the event of a personal data breach, we will:
Notify the relevant supervisory authority within 72 hours (where required)
Notify affected merchants without undue delay
Document the breach and remediation steps taken
Notify affected individuals if the breach poses high risk to their rights
9. International Data Transfers
Because we operate internationally, personal data may be transferred to and processed in countries outside the EU/EEA, including the United States.
9.1 Transfer Safeguards
For transfers to countries without an adequacy decision from the European Commission, we rely on:
Standard Contractual Clauses (SCCs): EU Commission-approved contractual clauses
Supplementary Measures: Additional technical and organizational safeguards
Transfer Impact Assessments: Evaluation of third-country legal frameworks
9.2 Data Storage Locations
Primary Database: United States (with SCCs in place)
Storefront Data: Shopify's global infrastructure (via Metaobjects)
Video Content: Cloudflare global network (with DPA)
Request Copy of Safeguards: You may request a copy of the Standard Contractual Clauses or other transfer mechanisms we use by contacting us at privacy@aispree.cloud.
10. Data Processing Agreement
For merchants who require a formal Data Processing Agreement (DPA) under GDPR Article 28, we offer:
10.1 Standard DPA
Our standard Terms of Service include data processing terms that comply with Article 28 requirements. This covers:
Subject matter and duration of processing
Nature and purpose of processing
Types of personal data and categories of data subjects
Obligations and rights of the controller
Sub-processor authorization and requirements
Security measures and breach notification
Assistance with data subject rights and DPIAs
Data deletion and return requirements
Audit rights
10.2 Custom DPA Requests
Enterprise merchants requiring a custom Data Processing Agreement can contact us at privacy@aispree.cloud to discuss requirements.
10.3 Sub-processors
We use the following categories of sub-processors:
Response Time: We aim to acknowledge all GDPR inquiries within 72 hours and complete requests within 30 days.
11.1 Supervisory Authority
If you are not satisfied with our response to your GDPR request, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU/EEA supervisory authorities is available at:
Third-Party Notice: NativeProof is an independent third-party application and is not affiliated with, endorsed by, or sponsored by Shopify Inc. "Shopify" and the Shopify logo are registered trademarks of Shopify Inc.