Privacy Policy
Last updated: 15 June 2026
This document is provided for transparency and convenience. It is a working draft and not legal advice. Have it reviewed by qualified counsel before relying on it for compliance purposes.
This Privacy Policy explains how SMALLROCKS STUDIO LTD ("we", "us", "our") handles personal data in connection with the Gibbond application for Shopify (the "App") and the website at which you are reading this (the "Site"). It is written to meet the transparency requirements of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the Shopify App Store requirements.
1. Who we are
The data controller for the purposes described in this policy is:
SMALLROCKS STUDIO LTD
Registered in England & Wales, company no. 17261473
128 City Road, London, EC1V 2NX, United Kingdom
Data protection contact: privacy@smallrocks.studio
2. Our two roles
We process personal data in two distinct capacities:
- As a controller — for the account, billing and support data of the Shopify merchants who install the App, and for visitors to this Site.
- As a processor — for the personal data of a merchant's own customers that the App handles on the merchant's behalf. For that data the merchant is the controller and our processing is governed by our Data Processing Addendum.
3. What we collect and why
Merchant (account) data — we are controller
| Data | Purpose | Lawful basis |
|---|---|---|
| Store domain, shop owner name & email, store currency & timezone | Create and operate your account; support | Contract |
| Shopify access tokens & API session | Connect the App to your store via the Shopify Admin API | Contract |
| Program settings, tiers, boosts, exclusions | Run your loyalty program as you configured it | Contract |
| Subscription plan & monthly order counts | Billing and plan metering | Contract / legal obligation |
| Support correspondence | Answer your requests | Legitimate interests |
End-customer data — we are processor (merchant is controller)
When the App runs your loyalty program it processes, strictly on your instructions, the following data about your customers:
- Shopify customer identifier and email address
- Points balances and the immutable point events tied to each paid order
- Order amounts used to calculate earned points (after discounts, before tax by default)
- Loyalty tier membership and reward redemptions / single-use discount codes
We do not receive payment card numbers, and we do not use end-customer data for our own purposes, profiling, or advertising.
Site visitors, cookies and tracking
We keep tracking to the minimum needed to run the service:
- Essential cookies — used by this Site to remember your chosen language and serve pages, and by the embedded App to maintain your authenticated Shopify session. They are required for the service to work and cannot be switched off.
- Fonts — this Site loads typefaces from Google Fonts, which may receive your IP address to deliver the font files.
- No advertising or cross-site tracking — we do not use advertising cookies, third-party analytics or cross-site trackers, and we do not build advertising profiles. Because we do not track you across sites, there is nothing to disable via a "Do Not Track" signal.
4. Who we share data with (sub-processors)
We do not sell personal data. We share it only with the infrastructure providers needed to run the service:
| Provider | Role | Location |
|---|---|---|
| Shopify International Ltd / Shopify Inc. | Platform the App extends; source of merchant & customer data | Ireland / Canada |
| netcup GmbH | Application server & database hosting | Germany (EU) |
The authoritative, maintained list of sub-processors lives in our Data Processing Addendum.
5. International transfers
Our application and database are hosted within the EU. Where data is transferred outside the UK/EEA (for example to Shopify in Canada), the transfer relies on an adequacy decision or on Standard Contractual Clauses / the UK International Data Transfer Addendum.
6. How long we keep data
Merchant account data and the loyalty data of your customers are retained for as long as the App is installed. When you uninstall the App, or when Shopify sends a shop/redact request (normally 48 hours after uninstall), we delete the associated data. We honour Shopify customers/redact requests by deleting the identified customer's data within 30 days. You can also erase all program data at any time from the App's Reset all data control.
7. Your rights
Under the UK/EU GDPR you have the right to access, rectify, erase, restrict, port and object to the processing of your personal data, and to lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office, ico.org.uk). If you are an end customer of a store using Gibbond, please direct requests to that store (the controller); we will assist them as their processor. For merchant-account or Site data, contact us at privacy@smallrocks.studio.
Residents of the United States (including California). We do not "sell" or "share" personal information as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA) or comparable state laws, and we do not process it for cross-context behavioural advertising. Where applicable, you have the right to know what we hold about you, to request its deletion, and not to be discriminated against for exercising these rights. Contact us at the address below to make a request.
8. Communications
We may send you service and transactional messages about your account, billing, security and material changes to the App. These are necessary to provide the service and cannot be opted out of while the App is installed. Any optional product or marketing emails are separate: we send them only where permitted, and every such message includes an unsubscribe link. You can also opt out at any time by emailing privacy@smallrocks.studio.
9. Security
Access tokens and data are stored on access-controlled, EU-hosted infrastructure; containers run with least-privilege settings, traffic is served over TLS, and access to production systems is restricted. No system is perfectly secure, but we maintain technical and organisational measures appropriate to the risk.
10. Changes
We may update this policy as the App evolves. Material changes will be reflected by the "Last updated" date above and, where appropriate, notified to merchants in-app.
11. Contact
Questions about this policy or our data practices: privacy@smallrocks.studio.