Shoptank Privacy Policy

Last Updated: 16 July 2025

1. Introduction

This Privacy Policy explains how Shoptank ("we", "us", "our") collects, uses, processes, and protects your personal data when you use our platform and services. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant privacy legislation.
Controller Information:

• Company Name: Shoptank
• Email: [email protected]

2. Legal Basis for Processing

We process personal data only when we have a valid legal basis under Article 6 of the GDPR:

• Consent (Article 6(1)(a)): When you explicitly agree to processing for specific purposes
• Contract (Article 6(1)(b)): To perform our contract with you or take pre-contractual steps
• Legal Obligation (Article 6(1)(c)): To comply with legal requirements (e.g., AML, tax obligations)
• Legitimate Interests (Article 6(1)(f)): For our legitimate business interests, balanced against your rights
• Vital Interests (Article 6(1)(d)): To protect someone's life or physical safety
• Public Task (Article 6(1)(e)): When processing is necessary for public interest tasks

For each processing activity, we will clearly identify the applicable legal basis.

3. What Personal Data We Collect

3.1 Information You Provide Directly

Account Information:

• Name, email address, business name
• Shopify store details and credentials
• Contact information and business address
• Payment and billing information

Token Creation Data:

• Token specifications and metadata
• Business use case descriptions
• Customer engagement preferences

Communications:

• Support inquiries and correspondence
• Feedback and survey responses
• Marketing communication preferences

3.2 Information Collected Automatically

Technical Data:

• IP address and geolocation data
• Device information (browser, operating system)
• Usage analytics and platform interaction data
• Cookies and similar tracking technologies

Transaction Data:

• Wallet addresses and blockchain interactions
• Token creation and management activities
• Platform usage patterns and performance metrics

3.3 Information from Third Parties

Shopify Integration:

• Store data, customer information, order history
• Product catalogs and inventory data
• Sales analytics and performance metrics

Blockchain Networks:

• Public transaction records
• Token ownership and transfer data
• Smart contract interactions

4. How We Use Your Personal Data

We use your personal data for the following purposes:

4.1 Service Provision (Legal basis: Contract)

• Creating and managing your account
• Enabling token creation and management
• Processing payments and transactions
• Providing customer support

4.2 Legal Compliance (Legal basis: Legal obligation)

• Anti-money laundering (AML) checks
• Know Your Customer (KYC) verification
• Tax reporting and record keeping
• Regulatory compliance and reporting

4.3 Platform Improvement (Legal basis: Legitimate interests)

• Analytics and usage monitoring
• Security and fraud prevention
• Platform optimization and development
• Research and development

4.4 Marketing (Legal basis: Consent or legitimate interests)

• Product updates and announcements
• Educational content and resources
• Promotional offers (with consent)
• Customer satisfaction surveys

5. How We Share Your Personal Data

5.1 Service Providers

We share data with trusted third-party service providers who assist us in:

• Cloud hosting and infrastructure (AWS, Google Cloud)
• Payment processing (Stripe, other payment providers)
• Analytics and monitoring (anonymized data only)
• Customer support platforms
• Security and fraud prevention services

5.2 Legal Requirements

We may disclose personal data when required by law:

• Compliance with legal processes or court orders
• Cooperation with regulatory investigations
• Prevention of fraud or criminal activity
• Protection of our legal rights and interests

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction, subject to appropriate safeguards.

5.4 Blockchain Networks

Token creation and transactions are recorded on public blockchains, which are decentralized networks outside our control. This data becomes publicly accessible and immutable.

6. International Data Transfers

We may transfer your personal data outside the European Economic Area (EEA) to:

• Cloud service providers in secure jurisdictions
• Group companies and service providers globally
• Blockchain networks operating internationally

Transfer Safeguards:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules where applicable
• Other appropriate safeguards as required by law

7. Data Retention

We retain personal data only as long as necessary for the purposes collected:

7.1 Retention Periods

• Account data: Until account deletion plus 7 years for legal compliance
• Transaction records: 7 years for tax and regulatory purposes
• Communications: 3 years unless longer retention is required
• Technical logs: 12 months unless required for security investigations
• Marketing data: Until consent is withdrawn or legitimate interests no longer apply

7.2 Blockchain Data

Data recorded on public blockchains cannot be deleted due to the immutable nature of blockchain technology. This includes token creation records and transaction history.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

Request confirmation of what personal data we process and obtain a copy.

8.2 Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure (Article 17)

Request deletion of personal data where:

• No longer necessary for original purposes
• You withdraw consent and no other legal basis exists
• Data has been unlawfully processed
• Required for legal compliance

Note: Blockchain data cannot be erased due to technical constraints.

8.4 Right to Restrict Processing (Article 18)

Request limitation of processing while we verify accuracy or assess legitimate interests.

8.5 Right to Data Portability (Article 20)

Receive your personal data in a structured, machine-readable format.

8.6 Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing.

8.7 Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects.

8.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time.

9. How to Exercise Your Rights

To exercise your rights, contact us at:

• Email: [email protected]
• Subject line: "Data Protection Request"

Required Information:

• Your full name and email address
• Specific right you wish to exercise
• Description of your request
• Proof of identity (if required)

Response Time:We will respond within 1 month of receiving your request. For complex requests, this may be extended by 2 months with notification.

10. Cookies and Tracking Technologies

10.1 Types of Cookies We Use

Strictly Necessary Cookies:

• Authentication and session management
• Security and fraud prevention
• Core platform functionality

Analytics Cookies:

• Usage statistics and performance monitoring
• Error tracking and debugging
• Feature usage analysis

Functional Cookies:

• User preferences and settings
• Language and region settings
• Customization features

Marketing Cookies (with consent):

• Conversion tracking
• Retargeting (where permitted)
• Campaign effectiveness measurement

10.2 Cookie Management

You can control cookies through:

• Browser settings and preferences
• Our cookie consent banner
• Third-party opt-out tools
• Industry preference centers

Third-Party Cookies:

• Google Analytics (with IP anonymization)
• Marketing platforms (with consent)
• Social media plugins (with consent)

11. Data Security

We implement appropriate technical and organizational measures:

11.1 Technical Safeguards

• Encryption in transit and at rest
• Secure authentication and access controls
• Regular security testing and monitoring
• Incident response procedures

11.2 Organizational Measures

• Staff training on data protection
• Regular security assessments
• Vendor security requirements
• Privacy by design principles

11.3 Data Breach Notification

In case of a personal data breach:

• We will notify supervisory authorities within 72 hours where required
• Affected individuals will be notified without undue delay if high risk
• We will document all breaches regardless of notification requirements

12. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
Parents or guardians who believe their child has provided personal data should contact us immediately.

13. Third-Party Links and Services

Our platform may contain links to third-party websites or integrate with external services. This Privacy Policy does not apply to third-party services. We encourage you to review their privacy policies.
Key Third-Party Integrations:

• Shopify (governed by Shopify's privacy policy)
• Payment processors (governed by their policies)
• Blockchain networks (public and decentralized)

14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

• Changes in applicable laws
• Platform updates and new features
• Business practice changes
• Regulatory guidance

Notification of Changes:

• Email notification for material changes
• Prominent notice on our platform
• Updated version date at the top of this policy
• Continued use constitutes acceptance of changes

15. Supervisory Authority Rights

You have the right to lodge a complaint with a data protection supervisory authority if you believe we have violated data protection laws.
EU Supervisory Authorities:

• Your local data protection authority
• Irish Data Protection Commission (our lead supervisory authority)
• European Data Protection Board for cross-border matters

16. Contact Information

Data Protection Inquiries:

• Email: [email protected]

General Support:

• Email: [email protected]
• Response time: Within 7-working days

17. Special Provisions for Different Jurisdictions

17.1 European Union

This policy complies with GDPR requirements. EU residents have all rights outlined in this policy.

17.2 United Kingdom

UK residents have equivalent rights under UK GDPR and the Data Protection Act 2018.

17.3 Other Jurisdictions

Users in other jurisdictions may have additional rights under local laws, which we will respect where applicable.

Effective Date: This Privacy Policy is effective as of the date stated above.
Language: This policy is available in multiple languages. In case of conflicts, the English version prevails except where local law requires otherwise.
By using our platform, you acknowledge that you have read and understood this Privacy Policy and agree to our data processing practices as described herein.