Bannerfly — Privacy Policy

Last Updated: April 27, 2026

This Privacy Policy explains how Bannerfly ("we", "us", "our") collects, uses, stores, and shares data when you install or use the Bannerfly application ("App") on your Shopify-powered store. It also describes the rights available to you and how to exercise them. By installing or continuing to use the App, you acknowledge that you have read and understood this policy.

---

1. WHO WE ARE AND OUR ROLE

Bannerfly is operated as a Shopify application. The App provides a Shopify theme extension that allows merchants to display custom promotional banners on their storefront.

In the context of data protection law:

- The Shopify merchant (store owner) who installs the App is the DATA CONTROLLER in respect of their customers' personal data.
- Bannerfly acts as a DATA PROCESSOR only to the extent we handle any personal data on behalf of the merchant to operate the App.

The App is designed to minimise data collection. It does not read, store, or process your customers' personal data (such as customer names, email addresses, or purchase history). The App's core function — rendering a banner on your storefront — operates entirely within your Shopify theme and does not require access to customer records.

---

2. DATA WE COLLECT AND PROCESS

The App collects and processes only the following categories of data:

a) Store metadata — your Shopify shop domain and basic store configuration data, used solely to authenticate your App session and associate your banner settings with your store. This is the minimum data required for any Shopify embedded app to function.

b) Banner configuration data — the banner content, styling preferences, and display rules you configure within the App. This data is stored to persist your settings across sessions.

c) Merchant account data — your Shopify account identifier and basic account information provided by Shopify during the OAuth installation flow, used to identify your account and manage your subscription.

d) App usage and session data — technical data collected when you use the App's admin dashboard, including IP addresses, browser type, pages visited within the dashboard, and timestamps. This data is collected via server logs and third-party analytics tools described in Section 5.

The App does NOT access, read, or store your customers' personal data, order data, or product data.

We do NOT collect payment information. All billing is managed by Shopify and governed by Shopify's own privacy policy.

---

3. LEGAL BASIS FOR PROCESSING (GDPR)

If you are located in the European Economic Area or the United Kingdom, we process personal data on the following legal bases:

- Contractual necessity (Article 6(1)(b)): Processing store metadata and banner configuration is necessary to deliver the banner service you have contracted us to provide.
- Legitimate interests (Article 6(1)(f)): We process technical usage data to maintain and improve the App, prevent fraud, and ensure security. Our legitimate interests do not override your fundamental rights.
- Legal obligation (Article 6(1)(c)): We may process data when required to comply with applicable law or a valid legal order.
- Consent (Article 6(1)(a)): Where we use analytics cookies or similar tracking technologies that require consent, we rely on your consent, which you may withdraw at any time.

---

4. HOW WE USE THE DATA

We use the data described above exclusively to:

- Operate the App and deliver the banner theme extension functionality.
- Store and apply your banner configuration preferences.
- Authenticate your store and manage your App session and subscription.
- Maintain the security and integrity of the App.
- Communicate with you regarding the App (service updates, important notices).
- Improve App performance based on aggregated, anonymised usage patterns.

We do NOT sell personal data. We do NOT use any data collected through the App for advertising or profiling purposes unrelated to operating the App.

---

5. THIRD-PARTY SUB-PROCESSORS

To provide the App, we may share data with the following categories of sub-processors:

a) Analytics and monitoring tools — we use the following tools on the App admin dashboard to understand usage and improve the service:

- Smartlook (Smartlook.com, s.r.o.) — session recording of the admin dashboard; data may be processed in the EU and internationally under applicable safeguards. Smartlook does not have access to your storefront customers' data.

b) Infrastructure and hosting providers — we use cloud infrastructure providers to host the App and its database. These providers are bound by data processing agreements and process data only as instructed.

c) Shopify — the App operates within the Shopify platform. Shopify independently processes data as described in Shopify's Privacy Policy (shopify.com/legal/privacy).

All sub-processors are required to implement appropriate technical and organisational security measures.

---

6. STOREFRONT BANNER AND YOUR CUSTOMERS

The banner rendered on your storefront by the App's theme extension is a client-side component injected into your Shopify theme. It does not transmit your customers' data to our servers. We do not collect, receive, or process any personal data belonging to your store's visitors or customers through the banner component.

You, as the merchant, are solely responsible for:

- Ensuring the content of your banners complies with applicable advertising and consumer protection laws in all jurisdictions in which your store operates.
- Informing your customers, where legally required, of any cookies or tracking technologies present on your storefront. Note that the App's banner component itself does not set cookies or track individual visitors.

---

7. INTERNATIONAL DATA TRANSFERS

We operate internationally and some of our sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where applicable.

You may request a copy of the applicable transfer mechanism by contacting us at app.helpua.contact@gmail.com.

---

8. DATA RETENTION

We retain data only for as long as necessary to fulfil the purposes described in this policy:

- Store metadata and banner configuration: retained for as long as your store has the App installed. Upon uninstallation, data associated with your store is deleted or anonymised within 30 days, unless we are required by law to retain it longer.
- Technical and usage logs: retained for up to 12 months, then deleted.
- Billing records: retained for up to 7 years to comply with applicable tax and accounting obligations (processed by Shopify, not by us).

---

9. DATA SECURITY

We implement appropriate technical and organisational measures to protect data against unauthorised access, loss, or disclosure, including:

- Encrypted data transmission (TLS/HTTPS).
- Access controls limiting data access to authorised personnel only.
- Regular security reviews of our infrastructure.

No system is completely secure. In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify affected parties and relevant supervisory authorities as required by applicable law.

---

10. YOUR RIGHTS

Depending on your location, you may have the following rights regarding your personal data:

European Economic Area and United Kingdom (GDPR / UK GDPR):

- Right of access — to obtain a copy of the data we hold about you.
- Right to rectification — to correct inaccurate data.
- Right to erasure — to request deletion of your data where there is no legitimate reason to continue processing it.
- Right to restriction — to limit how we process your data in certain circumstances.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to object — to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint — you have the right to lodge a complaint with your local data protection supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).

California (CCPA / CPRA):

- Right to know what personal information we collect, use, and disclose.
- Right to delete personal information we hold about you.
- Right to opt out of the sale or sharing of personal information. We do NOT sell or share personal information as defined by the CCPA.
- Right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, contact us at app.helpua.contact@gmail.com. We will respond within 30 days (or within the timeframe required by applicable law).

---

11. COOKIES AND TRACKING TECHNOLOGIES

The App admin dashboard uses cookies and similar technologies for:

- Essential functionality (session management, security, authentication).
- Analytics and performance monitoring of the dashboard (Smartlook).

The App's storefront banner component does not itself set cookies or tracking technologies on your store visitors.

Where required by law, we will request your consent before placing non-essential cookies on the admin dashboard. You may withdraw consent or manage cookie preferences through your browser settings.

---

12. CHILDREN'S PRIVACY

The App is intended solely for use by businesses and their authorised personnel. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us immediately at app.helpua.contact@gmail.com.

---

13. CHANGES TO THIS POLICY

We may update this policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this document and notify you via the App dashboard or email. Your continued use of the App after the effective date of the updated policy constitutes your acceptance of the changes.

---

14. CONTACT AND DATA PROTECTION ENQUIRIES

For any questions, concerns, or data-related requests under this policy:

Email: app.helpua.contact@gmail.com

We aim to respond to all enquiries within 30 days.