Services Work Contact
EN SK

Privacy Policy

Quick Order B2B Grid · Effective March 16, 2026

1. About Us

romiva s. r. o.
Gorkého 1342/21, 974 01 Banská Bystrica, Slovak Republic
IČO: 51698609 | DIČ: 2120753921
Email: support@fancystudio.digital
Website: fancystudio.digital

We are established in the European Union and process all data in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

2. What Information We Collect

2.1 Information Collected Through Shopify APIs

When a merchant installs the App, we access the following data through Shopify's APIs:

Data Type Shopify API Scope Purpose
Product catalog (titles, descriptions, SKUs, barcodes, prices, images, variants, tags, vendor, product type) read_products Display products in the quick order grid
Inventory quantities read_inventory Show stock availability in the grid
Customer ID (numeric identifier only) read_customers Associate saved order templates with logged-in customers

We do NOT access or store: customer names, email addresses, phone numbers, or physical addresses; payment or billing information of merchants' customers; order history or order details; customer browsing behavior or analytics outside the App.

2.2 Information Collected Directly from Merchants

  • App settings and preferences — grid configuration, column visibility, styling options, feature toggles, and other customization choices made in the App admin dashboard.
  • Billing status — subscription plan name, status, and trial information (managed entirely by Shopify; we cache only the active/inactive status for App functionality).

2.3 Information Collected from Merchants' Customers

  • Saved order templates — when a logged-in customer saves an order template, we store their Shopify customer ID (numeric identifier) and the saved order data (product IDs, variant IDs, quantities, and a user-provided template name).
  • Guest saved orders — for customers who are not logged in, saved order templates are stored exclusively in the customer's browser (localStorage) and are never transmitted to our servers.

2.4 Cookies and Tracking Technologies

The App does not use cookies, web beacons, pixels, or any other tracking technologies on merchants' storefronts. We do not track customer browsing behavior, navigation patterns, or any activity outside the App.

2.5 Automated Logs

Our hosting infrastructure (Fly.io) generates standard server access logs that may include IP addresses, request timestamps, and HTTP request metadata. These logs are used solely for debugging and security monitoring and are automatically purged within 30 days.

3. How We Use the Information

We use the collected information exclusively for the following purposes:

  • Providing App functionality — displaying the product grid, managing saved order templates, showing inventory availability, and processing grid settings.
  • Maintaining and improving the App — diagnosing technical issues, monitoring performance, and ensuring service reliability.
  • Billing verification — confirming active subscription status to provide App access.

We do not use collected information for advertising, marketing, profiling, selling or renting data to third parties, training machine learning models, or any purpose unrelated to App functionality.

4. How We Share Information

We do not sell, rent, trade, or otherwise share merchant or customer personal data with third parties for their own purposes.

We may share information only in the following limited circumstances:

  • Service providers — our hosting provider (Fly.io, operated in the EU — Frankfurt region) processes data on our behalf to deliver the App. They are bound by data processing agreements and may not use the data for any other purpose.
  • Legal obligations — we may disclose information if required by law, regulation, legal process, or governmental request.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, data may be transferred as part of the transaction, subject to the same privacy protections.

5. Data Storage and Retention

5.1 Where Data Is Stored

All App data is stored on servers operated by Fly.io in the Frankfurt, Germany (EU) region. Data does not leave the European Economic Area.

5.2 How Long We Retain Data

Data Type Retention Period
App settings Until merchant uninstalls the App
Saved order templates Until the customer or merchant deletes them, or until merchant uninstalls the App
Billing status cache Until merchant uninstalls the App
Session data Until session expires or merchant uninstalls the App
Server logs Automatically purged within 30 days

5.3 Data Deletion on Uninstall

When a merchant uninstalls the App, we receive a shop/redact webhook from Shopify within 48 hours. Upon receiving this webhook, we permanently delete all data associated with that merchant's store, including:

  • All app settings and configuration
  • All saved order templates (for all customers of that store)
  • Billing status records
  • Session and authentication data

No merchant or customer data is retained after uninstallation.

6. Data Security

We implement appropriate technical and organizational measures to protect data, including:

  • Encryption in transit — all data transmitted between the App, Shopify, and the merchant's browser uses TLS/HTTPS encryption.
  • Authentication — all App Proxy requests are verified using Shopify's HMAC signature verification. Admin access requires Shopify OAuth authentication with session tokens.
  • Input validation — all user inputs are sanitized to prevent injection attacks (XSS, SQL injection, path traversal).
  • Access control — saved order data is scoped by both shop identifier and customer ID, preventing cross-tenant or cross-customer data access.
  • Minimal data collection — we collect only the minimum data necessary for App functionality.

7. Your Rights

7.1 Rights Under GDPR (EEA/UK Residents)

If you are located in the European Economic Area or the United Kingdom, you have the following rights:

  1. Right of access — request a copy of the personal data we hold about you.
  2. Right to rectification — request correction of inaccurate personal data.
  3. Right to erasure — request deletion of your personal data.
  4. Right to restriction — request that we limit how we process your personal data.
  5. Right to data portability — receive your personal data in a structured, machine-readable format.
  6. Right to object — object to the processing of your personal data.
  7. Right to lodge a complaint — file a complaint with your local data protection authority.

Legal basis for processing:

  • Contractual necessity (Article 6(1)(b) GDPR) — processing is necessary to provide the App's services as agreed upon installation.
  • Legitimate interest (Article 6(1)(f) GDPR) — processing server logs for security and debugging purposes.

7.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used.
  • Request deletion of your personal information.
  • Opt out of the sale of personal information — we do not sell personal information.
  • Non-discrimination for exercising your privacy rights.

7.3 How Merchants' Customers Can Exercise Their Rights

Merchants' customers who wish to exercise their data rights should contact the merchant (store owner) directly. The merchant can then submit a data request through Shopify, which will trigger our compliance webhooks:

  • Data access requests — Shopify sends a customers/data_request webhook, and we identify and provide all stored data for that customer.
  • Data deletion requests — Shopify sends a customers/redact webhook, and we permanently delete all saved order templates and associated data for that customer within 30 days.

7.4 How Merchants Can Exercise Their Rights

Merchants can contact us directly at support@fancystudio.digital to exercise any of their data rights. We will respond within 30 days.

8. Children's Privacy

The App is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

9. Third-Party Services

The App uses the following third-party libraries on the merchant's storefront. These libraries are loaded from CDNs and do not collect or transmit any personal data:

  • AG Grid Community — data grid component (loaded from app server)
  • SheetJS — Excel export functionality (loaded from CDN on demand)
  • jsPDF — PDF export functionality (loaded from CDN on demand)
  • Quagga2 — barcode scanning via camera (loaded from CDN on demand; camera access requires explicit user permission and video data is processed locally in the browser only)

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify merchants through the App or via email. The "Last Updated" date at the top of this policy indicates when the latest revision was made.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

romiva s. r. o.
Gorkého 1342/21, 974 01 Banská Bystrica, Slovak Republic
Email: support@fancystudio.digital
Website: fancystudio.digital

For data protection inquiries, please include "Privacy" or "GDPR" in the subject line of your email. We will respond to all legitimate requests within 30 days.

12. Supervisory Authority

If you are located in the European Union and believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with your local data protection authority. For residents of the Slovak Republic, the supervisory authority is:

Úrad na ochranu osobných údajov Slovenskej republiky
Hraničná 12, 820 07 Bratislava 27, Slovak Republic
dataprotection.gov.sk