GDPR

Deducto is committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR) for all users located in the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK).

This page explains how we uphold GDPR principles, what data we process, your rights, and how you can exercise them.

1. Who This Applies To

This GDPR statement applies to:

  • Visitors to the Deducto website (deducto.io)

  • Users of the Deducto app installed on Shopify stores

  • Users with Deducto accounts

  • Individuals who contact Deducto for support, sales, or information

  • Enterprise customers and their representatives

If you are located outside the EU/EEA/UK, Deducto still handles your data responsibly, but specific GDPR rights may vary depending on local regulations.

1.1. Roles: Data Controller vs. Data Processor

Under the GDPR, Deducto operates in two distinct capacities depending on the data being processed:

  • Deducto as a Data Controller: We act as a Controller for the personal data of our Merchants (e.g., your account email, billing address, and contact details). We determine the purpose and means of this processing to manage our business relationship with you.
  • Deducto as a Data Processor: We act as a Processor for the Customer Data (e.g., order history, cart contents, and customer identifiers) that you allow us to access via the Shopify API. You, the Merchant, are the Data Controller of this information. We process this data solely on your behalf and in accordance with your instructions (including your configuration of the App) and our Data Processing Addendum (DPA).

Note to Merchants: As the Data Controller for your customers’ data, you are responsible for ensuring you have a valid legal basis (such as consent or contract) to process their data via third-party apps like Deducto.

2. Data We Collect

Deducto collects only the minimum data necessary to operate our services. This may include:

2.1 Website Visitors

  • IP address (anonymised where possible)

  • Device and browser information

  • Pages visited

  • Cookie preferences

  • Form submissions

2.2 App Users (Shopify Merchants)

When you install the Deducto app, Shopify provides access to certain store data necessary for the app to function. This may include:

  • Product and variant data

  • Collections, tags, and metadata

  • Order and discount information

  • Customer data (limited to what Shopify permissions allow)

  • Store settings, currency, and locale

  • Promotion configuration and usage logs

2.3 Communications and Support

If you contact us, we may collect:

  • Name

  • Email address

  • Store URL

  • Message content

  • Any attachments or context you provide

We do not collect more data than required to support your request.

2.4 Shopify Mandatory Webhooks

Deducto fully supports Shopify’s mandatory privacy webhooks. When a Merchant or a Customer requests data deletion via the Shopify platform, Deducto automatically receives and processes these requests to ensure data is erased from our systems in accordance with Shopify’s ecosystem requirements and GDPR timelines.

3. How We Use Your Data

We use data in the following ways:

3.1 To Provide the Service

  • Apply promotions and logic you configure

  • Execute discount rules

  • Manage coupons

  • Sync with your Shopify store

  • Ensure correct functionality of features

3.2 To Improve the Service

  • Troubleshooting and bug fixing

  • Analytics (aggregated and anonymous where possible)

  • Feature development

3.3 For Security

  • Detecting errors or suspicious activity

  • Ensuring platform stability

  • Protecting against unauthorised access

  • Compliance with applicable laws

  • Responding to lawful requests from authorities

We do not sell or trade data with third parties.

Under GDPR, we process data based on one or more lawful grounds:

  • Performance of a contract (providing the Deducto service you installed)

  • Legitimate interests (improving service reliability, security, performance)

  • Consent (cookies, marketing communications)

  • Compliance with legal obligations

Where consent is used, you may withdraw it at any time.

5. Your GDPR Rights

You have the following rights under GDPR. You may exercise any of them by contacting us or using the request form below.

5.1 Right to Access

You may request a copy of the personal data we hold about you.

5.2 Right to Rectification

You may request correction of inaccurate or incomplete data.

5.3 Right to Erasure (“Right to Be Forgotten”)

You may ask us to delete your personal data where:

  • It is no longer needed

  • You withdraw consent

  • You object to processing

  • Required by law

5.4 Right to Restrict Processing

You may request that we limit how your data is used.

5.5 Right to Data Portability

You may request your data in a structured, machine-readable format.

5.6 Right to Object

You may object to processing based on legitimate interests or to direct marketing.

5.7 Right Not to Be Subject to Automated Decision-Making

Deducto does not use automated decision-making that produces legal or significant effects on individuals.

6. Data Retention

We retain personal data only as long as necessary to:

  • Provide the Service

  • Comply with legal obligations

  • Maintain security and operational logs

App-related operational data (such as promotion logs) may be retained for debugging and compliance unless deletion is requested or required.

7. International Data Transfers

Deducto may process data in jurisdictions outside the EU/EEA.

Where data is transferred internationally, we use one or more of the following:

  • 2021 Standard Contractual Clauses (SCCs)

  • Adequacy decisions

  • Audited third-party processors with compliant protections

All transfers are handled in accordance with GDPR requirements.

8. Third-Party Processors

We may use third-party services for:

  • Hosting

  • Analytics

  • Error tracking

  • Communication

  • Customer support

  • Shopify integrations

Each third-party processor is vetted for data protection compliance.

We will notify Merchants of any new sub-processors via Email/In-App Notice 30 days prior to authorisation.

9. Data Security

We implement technical and organisational measures including:

  • Secure encrypted connections (HTTPS)

  • Access controls and authentication

  • Data minimisation principles

  • Logging and audit trails

  • Regular review of systems and permissions

No system is perfectly secure, but Deducto follows industry best practices.

10. How to Exercise Your Rights

You can submit a GDPR request at any time.

Contact Us: https://deducto.io/contact/

We will respond within the timeframes required by GDPR (typically 30 days).

11. Our Data Protection Contact

If you have questions about how your data is handled:

Data Protection Contact: https://deducto.io/contact/

12. Complaints

If you believe your rights have been violated, you may contact:

  • Your local Data Protection Authority

  • The supervisory authority in the jurisdiction where Deducto is established

We encourage you to contact us first so we can resolve the issue promptly.

13. Updates to This GDPR Statement

We may update this page to reflect legal requirements, operational changes, or service improvements. The “Last Updated” date will change accordingly.

Continued use of Deducto indicates acceptance of the updated statement.