Privacy Policy

This privacy policy provides information on the type, scope, and purposes of the processing of personal data in connection with the use of the Shopify app “Recently Viewed Products” (hereinafter “App”).

1. Controller

Lukas Zimmermann
Clara-Schumann-Str. 15, 74889 Sinsheim, Germany
E-mail: lukastz@icloud.com

2. Categories of Data Processed

• Shop data (shop domain, app installation status, subscribed app plan)
• Authentication and session data (Shopify OAuth token, session ID, scopes, expiry time)
• Usage data in the app’s admin interface (interactions, pseudonymized via analytics tool)
• Storefront data in the end customer’s browser (product handles & metadata in localStorage)

3. Purposes of Processing

• Provision of app functionality (display of “recently viewed products” in the shop)
• Authentication and session management
• Subscription/billing management (if via Shopify Billing/API)
• Compliance with legal requests (e.g. GDPR webhooks)
• Product improvement and stability (pseudonymous usage analytics)

4. Legal Bases

• Art. 6 (1) (b) GDPR (performance of contract, provision of the app)
• Art. 6 (1) (f) GDPR (legitimate interests, e.g. security, error analysis, product improvement)
• Art. 6 (1) (c) GDPR (legal obligations, e.g. responses to GDPR requests)

5. Processing Activities in Detail

5.1 Shopify Admin App (OAuth & Sessions)

During installation and login, access tokens are generated via Shopify OAuth. The app stores a session with shop domain, token, validity, and granted scopes in a database. These data are necessary for operating the app. After uninstallation, related session data are automatically deleted via the uninstall webhook.

5.2 Storefront Feature “Recently Viewed”

The “recently viewed” list is maintained exclusively in the end customer’s browser (localStorage under the key “rv_products”). The app does not receive these data server-side; no transfer to the app server takes place. Optionally, product details may be loaded client-side from the shop theme (e.g. /products/{handle}.js).

5.3 Analytics (PostHog)

To improve the app we use PostHog (EU host). Pseudonymous usage data within the app’s admin interface are processed. User profiles are only maintained for identified users. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in product improvement). Further information can be found in the PostHog privacy policy: https://posthog.com/privacy.

6. Recipients

• Shopify as platform provider (Shopify Inc., Shopify International Ltd.)
• PostHog as analytics provider (EU data center)
• Hosting/infrastructure providers (EU/EEA), as required

7. Transfers to Third Countries

Where service providers outside the EU/EEA are used, data are transferred on the basis of appropriate safeguards (e.g. EU Standard Contractual Clauses). PostHog is used with an EU host.

8. Storage Period

• Sessions/tokens: until app uninstallation or until token expiry/rotation
• Storefront localStorage (end customers): until deleted by the browser/user
• Analytics data: according to the provider’s retention periods, anonymized/shortened where required

9. Data Subject Rights

You have the right of access, rectification, erasure, restriction of processing, data portability, and to object to processing, where the legal requirements are met. You also have the right to lodge a complaint with a competent supervisory authority.

10. Obligation to Provide Data

Providing the data mentioned in Section 5.1 is necessary for using the app. Without these data, the app cannot function.

11. Contact

Please direct any privacy inquiries to: lukastz@icloud.com

Last updated: 2025-08-26