Privacy Policy

1. Introduction

Instant Art Kit ("we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify application and related services.

This policy applies to all users of Instant Art Kit, including Shopify merchants who install our app and their customers who use the diamond painting preview functionality.

By using our service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our service.

2. Data Controller & Processor Roles

2.1 When We Are a Data Controller: For information about Shopify merchants (store owners) who install our app, we act as a data controller and determine how personal data is processed. This includes your account information, store data, and communications with us.

2.2 When We Are a Data Processor: For end-customer data, including photos and images uploaded by your customers for diamond painting previews, Instant Art Kit acts solely as a data processor on behalf of the merchant. We process this data only according to your instructions and for the purpose of providing our service. The merchant remains the data controller for all customer data.

2.3 Merchant Responsibilities (Important): As a merchant using our service, you are the data controller for your customers' personal data. This means you are legally responsible for:

• Obtaining valid consent: You must obtain appropriate consent from your customers before they upload photos or personal images to our service
• Providing privacy notices: You must inform your customers about how their photos will be processed, including that a third-party service (Instant Art Kit) will process their images
• Establishing a lawful basis: You must have a lawful basis (consent, contract performance, or legitimate interest) for collecting and processing your customers' personal data
• Responding to data subject requests: You are responsible for handling your customers' privacy rights requests. We will assist you in fulfilling these requests upon your instruction
• Compliance with applicable laws: You must comply with all applicable data protection laws, including GDPR (if processing EU/EEA/UK data), CCPA, and other relevant regulations

2.4 Data Processing Agreement: A Data Processing Agreement (DPA) governing our role as your data processor is available for merchants who process personal data of EU/EEA/UK individuals. The DPA complies with GDPR Article 28 and includes Standard Contractual Clauses for international data transfers.

3. Information We Collect

3.1 Information You Provide Directly:

• Account Information: When you install our Shopify app, we receive your Shopify store domain, shop name, and contact email from Shopify's OAuth flow
• Support Communications: When you contact us for support, we collect your name, email address, and the content of your messages
• Payment Information: Billing is handled by Shopify; we do not directly collect or store credit card information

3.2 Information Collected Automatically:

• Shopify API Data: Product information (IDs, titles, variants), order data (IDs, line items, order numbers), customer metadata (for linking orders to accounts, no PII stored)
• OAuth Tokens: Access tokens from Shopify's OAuth system (encrypted at rest and never exposed)
• Usage Data: Information about how you use the app, features accessed, and performance metrics
• Technical Data: IP addresses, browser types, device information, and log data for security and troubleshooting

3.3 Customer-Uploaded Content:

• Photos: Images uploaded by your customers through UploadCare's widget for diamond painting preview generation
• Generated Files: Diamond painting previews, patterns, color charts, and production files we create from customer photos
• Metadata: File names, upload timestamps, and processing parameters

Note: Customer photos are initially processed through UploadCare (a third-party service) before being transferred to our Azure storage. See Section 7 for details on third-party services.

4. How We Use Your Information

We process personal data for the following purposes based on our legitimate interests, contractual necessity, or your consent:

4.1 Service Delivery:

• Provide diamond painting preview generation services
• Process and generate production-ready files (patterns, PDFs, Excel charts)
• Synchronize product and order data from your Shopify store
• Store and deliver generated files to you

4.2 Account Management:

• Authenticate and manage your account access
• Process billing and payments (via Shopify)
• Send service-related notifications and updates

4.3 Support & Communication:

• Respond to your inquiries and provide customer support
• Send important service announcements and updates
• Notify you of policy changes

4.4 Security & Fraud Prevention:

• Detect and prevent security incidents, fraud, and abuse
• Monitor system performance and troubleshoot technical issues
• Comply with legal obligations and protect legal rights

4.5 Improvement & Analytics:

• Analyze usage patterns to improve our service
• Develop new features and functionality
• Monitor service performance and reliability

We do not sell your personal information to third parties.

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide our services under our Terms of Service (service delivery, account management, billing)
• Legitimate Interests: Processing necessary for our legitimate business interests (security, fraud prevention, service improvement, analytics) provided these do not override your rights
• Legal Obligation: Processing required to comply with laws, regulations, and legal processes
• Consent: Where you have provided explicit consent (which you may withdraw at any time)

6. Data Sharing & Disclosure

We share personal data only in the following circumstances:

6.1 Service Providers: We share data with third-party service providers who perform services on our behalf:

• UploadCare: Processes customer photo uploads (see Section 7.1)
• Microsoft Azure: Hosts our infrastructure and stores generated files (see Section 7.3)
• Shopify: Our platform integration partner (see Section 7.2)

6.2 Legal Requirements: We may disclose information if required by law or legal process, including:

• In response to valid legal requests from authorities
• To enforce our Terms of Service or other agreements
• To protect our rights, property, or safety, or that of others
• In connection with fraud prevention or security investigations

6.3 Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of such changes.

6.4 With Your Consent: We may share information for other purposes with your explicit consent.

7. Third-Party Services

7.1 UploadCare:

Customer photos are uploaded and initially processed through UploadCare's file upload service. UploadCare has its own privacy practices governed by their Privacy Policy (https://uploadcare.com/about/privacy-policy/).

• UploadCare may collect IP addresses and technical data from end-users who upload files
• Files are temporarily stored on UploadCare's CDN before being transferred to our Azure storage
• UploadCare is GDPR-compliant and participates in the EU-U.S. Data Privacy Framework

7.2 Shopify:

Our service integrates with Shopify's platform. Shopify's Privacy Policy (https://www.shopify.com/legal/privacy) governs data collected by Shopify.

• We access Shopify data via their API based on permissions you grant during installation
• Billing and payment processing is handled entirely by Shopify
• OAuth tokens are issued by Shopify and encrypted by us

7.3 Microsoft Azure:

Generated files, previews, and application data are stored on Microsoft Azure cloud infrastructure. Microsoft's Privacy Statement (https://privacy.microsoft.com/privacystatement) applies to this storage.

• Data is stored in Azure regions with appropriate data residency compliance
• Azure provides encryption at rest and in transit
• Microsoft complies with GDPR, Privacy Shield, and other frameworks

Important: These third parties have their own privacy policies and data handling practices. We are not responsible for their privacy practices or security measures.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States and other jurisdictions where our service providers operate.

8.1 EEA/UK/Swiss Data Transfers:

For data transferred from the EEA, UK, or Switzerland to countries not deemed to provide adequate protection:

• We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
• Our service providers (UploadCare, Microsoft) comply with GDPR requirements and participate in recognized data transfer frameworks
• We implement appropriate technical and organizational safeguards

8.2 Data Processing Agreement: For merchants processing personal data of EU/EEA, UK, or Swiss individuals, we offer a Data Processing Agreement (DPA) that:

• Complies with GDPR Article 28 requirements
• Incorporates the European Commission's Standard Contractual Clauses (SCCs) for international data transfers
• Includes the UK International Data Transfer Addendum where applicable
• Specifies our obligations as your data processor

View the full Data Processing Agreement or contact us at support@instantartkit.com for a signed copy.

9. Data Retention

We retain personal data for as long as necessary to provide our services and fulfill the purposes outlined in this policy, unless a longer retention period is required by law.

9.1 Active Accounts:

• Account and store data: Retained while your account is active
• Customer photos and generated files: Retained as long as needed for order fulfillment and your business operations
• Transaction records: Retained for accounting and legal compliance (typically 7 years)

9.2 Deleted Accounts:

• When you uninstall our app, we delete your data within 30 days
• Backup copies may persist for up to 90 days in our backup systems
• We may retain anonymized, aggregated data indefinitely for analytics
• Data required for legal, accounting, or security purposes may be retained longer

9.3 Manual Deletion Requests: You can request earlier deletion of your data by contacting us (see Section 12).

10. Data Security

We implement appropriate technical and organizational security measures to protect your personal data:

• Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256)
• Access Controls: Role-based access controls limit who can access personal data
• Authentication: OAuth tokens are encrypted and securely stored
• Infrastructure Security: Hosted on secure Microsoft Azure infrastructure with regular security updates
• Monitoring: Automated monitoring and logging for security incidents
• Incident Response: Documented procedures for security breach response

No Absolute Security: While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

Breach Notification: In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law (within 72 hours for GDPR-covered breaches).

11. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

11.1 GDPR Rights (EEA, UK, Switzerland):

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
• Right to Restrict Processing: Request limitation of how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
• Right to Lodge a Complaint: File a complaint with your local data protection authority

11.2 CCPA Rights (California Residents):

• Right to Know: Request disclosure of personal information collected, used, or shared
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of the sale of personal information (note: we do not sell personal information)
• Right to Non-Discrimination: Not be discriminated against for exercising your rights

11.3 How to Exercise Your Rights:

To exercise any of these rights, submit a request by emailing us at support@instantartkit.com with the subject line "Privacy Rights Request." Please include:

• Your name and the email address associated with your account
• Your Shopify store domain (if you are a merchant)
• A clear description of which right(s) you wish to exercise
• Any additional information that helps us locate your data

Response Timeframe: We will acknowledge your request within 5 business days and provide a substantive response within 30 days. If your request is complex or we receive a high volume of requests, we may extend this period by up to 60 additional days, in which case we will notify you of the extension and the reasons for it.

• We may request additional information to verify your identity before processing your request
• There is no fee for making a request, but we may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests

Limitations: Some rights may be limited by law or if processing is necessary for compliance, legal claims, or public interest.

12. Cookies & Tracking Technologies

We use cookies and similar tracking technologies primarily for analytics purposes to understand how our service is used and to improve user experience.

12.1 Types of Cookies We Use:

• Essential Cookies: Required for authentication and core service functionality
• Analytics Cookies: Help us understand how users interact with our service (see Section 12.2)
• Security Cookies: Used to detect fraud and protect user accounts

12.2 Analytics Services:

We use the following analytics services to understand usage patterns and improve our service:

• Google Analytics: Collects anonymized usage data to help us understand how users navigate and use our service. Google's privacy policy applies: https://policies.google.com/privacy
• Microsoft Clarity: Provides session recordings and heatmaps to help us improve user experience. Microsoft's privacy statement applies: https://privacy.microsoft.com/privacystatement

12.3 What We Do NOT Use Cookies For:

• We do not use cookies for advertising purposes
• We do not engage in cross-site tracking
• We do not sell or share cookie data with third parties for marketing purposes

12.4 Third-Party Cookies:

• Shopify may set cookies when you use our app within their admin interface
• UploadCare may set cookies for file upload functionality

12.5 Managing Cookies: You can control cookies through your browser settings. Note that disabling certain cookies may affect service functionality. You can also opt out of Google Analytics using Google's opt-out browser add-on.

13. Children's Privacy

Our service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us at support@instantartkit.com. We will delete such information promptly.

Merchant Responsibility: If you are a merchant, you must ensure that customer photos uploaded to our service comply with applicable laws regarding children's data (e.g., COPPA in the US, GDPR's enhanced protections for children).

14. California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes.

We do not share personal information with third parties for their direct marketing purposes.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

15.1 Notification of Changes:

• We will update the "Last updated" date at the top of this policy
• For material changes, we will notify you via email or through a prominent notice in the app
• We will provide at least 30 days notice before material changes take effect

15.2 Your Acceptance: Continued use of our service after changes become effective constitutes acceptance of the updated policy.

We encourage you to review this policy periodically to stay informed about how we protect your information.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

EU/EEA Data Protection Inquiries:

For users in the European Economic Area, you have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

17. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling.

Specifically:

• We do not use your personal data to make automated decisions that produce legal effects or similarly significantly affect you
• We do not engage in profiling to evaluate personal aspects such as performance, economic situation, health, preferences, interests, reliability, behavior, location, or movements
• Our diamond painting image processing is purely technical transformation of images into patterns - it does not involve analysis of personal characteristics or decision-making about individuals

If we ever introduce automated decision-making features in the future, we will update this policy and provide you with information about the logic involved, as well as the significance and envisaged consequences of such processing.

18. Additional Information

18.1 Do Not Track: Our service does not currently respond to "Do Not Track" (DNT) browser signals, as there is no industry standard for DNT compliance.

18.2 Data Processing Agreement: A GDPR-compliant Data Processing Agreement (DPA) is available for merchants processing personal data of EU/EEA, UK, or Swiss individuals. See Section 8.2 for details.