We care deeply about the privacy of our customers and partners. Therefore, we have invested a significant effort to study and implement controls and measures according to General Data Protection Regulation (GDPR) regulation which are described in this Privacy Notice.
We also process Personal Data in accordance with the spirit of the California Consumer Privacy Act of 2018 (CCPA) to achieve its primary goal of respecting consumers’ right to protect their personal data. Although we don’t even qualify as a company which has to comply with this regulation, stated requirements ring well with our own values, so we have implemented them.
This Privacy Notice describes the practices and purposes of personal data processing by ITissible (also “we”, “us”, “our”) acting as data controller in respect to App Users and / or representatives of App Users, Partners and / or representatives of Partners, Visitors and Candidates (each – “Data Subject”) as well as acting as data processor in respect to personal data of App User when providing Matrixify services. It also prescribes how Data Subject may exercise its rights.
Definitions
| Term | Explanation |
|---|---|
| ITissible | ITissible, SIA – company incorporated under the laws of Latvia, with all its subcontractors. In GDPR terms – acting as data controller in respect to the processing of personal data of Data Subjects; acting as data processor in respect to the processing of personal data provided and owned by the App User when providing Matrixify services. |
| Matrixify | The Shopify app with its related websites and services, owned by ITissible. |
| The App | The Matrixify app, called “Matrixify” on the Shopify AppStore. |
| Visitor | A visitor of our web resources which may or may not be the app user. |
| App User | A person who uses The App while it is installed on their Shopify store. In GDPR terms the App User is the Data Controller in respect to personal data it provides to Matrixify. |
| Partner | Any service provider, subcontractor or affiliated partner or a 3rd party. |
| Candidates | Persons/ applicants who are being considered for a job at ITissible or have expressed their interest in working at ITissible. |
| Data Subject | Visitors, App Users and Partners or their representatives, Candidates. |
| Support | Matrixify Support. Contact information can be found on the Contact Us page. |
| Shopify | E-commerce platform for online stores, available on: www.shopify.com |
| Data Controller, Data Processor, Data Subject, Personal Data, Processing, Supervisory Authority and other terms not defined shall have the same meaning as in the GDPR. | |
| The definitions of: Data Controller includes “Business”, Data Processor includes “Service Provider”, Data Subject includes “Consumer”, Personal Data includes “Personal Information”, in each case as defined under CCPA. | |
General Principles
- We process only the data that is necessary for predetermined purposes such as to make The App function and be able to provide high-quality service.
- The processing of personal data is carried out only if there is legitimate legal basis for it.
- By respecting our client privacy, we do not track Visitors on an individual level without legitimate reasons to do so. Meaning – we keep only aggregated and anonymized visitor tracking on Google Analytics, and log of particular user actions inside The App for security reasons when the App User has identified itself by authenticating into The App through their Shopify Admin.
- We don’t sell any personal data.
- We don’t share any personal data to 3rd parties unless there is a legal basis for that, such as, if it is approved by the App User.
- Where ITissible is acting as data controller, the Data Subjects have the right to know what specific personal data is processed about them and for what reason, which is also described in this document.
- In situations stipulated by the applicable laws, the Data Subjects have certain rights in respect to their personal data processing, such as right to access information, right to rectification, right to object to the processing, right to be forgotten and others. Data Subjects may request the fulfilment of their rights by contacting the Support; however, please note that data subjects’ rights are not absolute, meaning, they can be fulfilled only in situations allowed by the applicable laws, such as the GDPR.
Data Subjects
We are processing or storing the personal data of the following parties:
- Web Page Visitors: visitors of the web pages and other resources related to Matrixify.
- App Users: persons and Shopify stores that have installed The App, hosted on https://app.matrixify.app resource. Where the App User is a legal person, we are processing personal data of App User’s representatives.
- Partners: any 3rd parties like service providers or subcontractors. Where the Partner is a legal person, we are processing personal data of Patner’s representatives.
- Candidates: persons/ applicants who are being considered for a job at ITissible or have expressed their interest in working at ITissible.
The data itself which is being processed by The App as requested by App Users (e.g. Shopify Customers data or Orders data), cannot be considered as Data Subjects because ITissible doesn’t control the contents of that data and does not decide on the means of processing said data. This is strictly under the control of the App Users themselves who are considered as data controllers in this context.
Processed and Stored Data by each Data Subject and Resource
We process or store the following data about each of the Data Subject, for each resource:
Subject: Web Page Visitor
Resource: “Matrixify” App page on Shopify App Store
| Stored / Processed Data | Purpose | Service Provider | Legal Basis |
|---|---|---|---|
| Analytics tracking | To analyze the traffic sources for usage statistics in an aggregated and anonymized way. | Google Analytics | Anonymised data processing does not require legal basis |
Resource: https://matrixify.app web page
| Stored / Processed Data | Purpose | Service Provider | Legal Basis |
|---|---|---|---|
| Analytics tracking | To analyze the traffic sources for informative usage statistics, including IP address geolocation data, browser, visited pages, and other data Google Analytics can track – in an aggregated and anonymized way. | Google Analytics | Anonymised data processing does not require legal basis |
| Contact data | To subscribe to Matrixify newsletter | MailChimp | Consent |
Resource: “Matrixify” App
| Stored / Processed Data | Purpose | Service Provider | Legal Basis |
|---|---|---|---|
| Analytics tracking | To analyze the app usage and app loading speed to improve user experience. | Google Analytics | Anonymised data processing does not require legal basis |
| Analytics tracking |
To improve app speed and quality. | Sentry | Anonymised data processing does not require legal basis |
Resource: Support Channels
| Stored / Processed Data | Purpose | Service Provider | Legal Basis |
|---|---|---|---|
| Contact data and communication history | To recognize an existing customer and continue a support conversation based on earlier history and context. | Zendesk | Legitimate interests to ensure seamless customer experience and to ensure communication with customers related to the service |
| Contact data and communication history | To recognize an existing customer and continue a support conversation based on earlier history and context. | Slack | |
| Contact data and communication history | To recognize an existing customer and continue a support conversation based on earlier history and context. |
Subject: App User
Resource: Matrixify App
| Stored / Processed Data | Purpose | Service Provider | Legal Basis |
|---|---|---|---|
| Analytics tracking | To analyze the aggregated usage statistics of The App – in an aggregated and anonymized way. | Google Analytics | Anonymised data processing does not require legal basis |
| Contact information | To send periodic e-mails with news updates to e-mails who opted in for that. | MailChimp | Consent |
| Contact information and store information | Shopify provides the statistics about the stores who installed The App and their payment history. | Shopify Partner Account | Legitimate interest to receive information about the use of our services.
Processing of payment data is necessary for the compliance with law. |
| Alerts about important events | Notify about system monitoring events, installs, uninstalls, or any other significant events that might require immediate action or would allow improving service quality. | Slack | Legitimate interest to ensure security of service or improve service quality |
| Imported & exported data files | Imported and exported data files are stored on Amazon AWS, US regions.
The app users need historical uploaded, imported, import results, and exported files for the purpose to review the history and use any of the historical files to analyze their actions or restore previously exported files – as a backup restore procedure. Matrixify employees may look at the imported or exported file when solving an issue for the App User – when the App User raises an issue by contacting Support or proactively when our monitoring system issues an alert that App User has repeated problems with the specific import or export. |
Amazon Web Services | Based on data processing agreement (Art. 28 of the GDPR) concluded with the App User. |
| App User e-mails, settings, import/export job history | To show to the App User their own import and export job history. E-mails – to be able to send the e-mail notifications, which are configured in the Settings inside The App. | Amazon Web Services | Legitimate interest to provide status of requested services to the customer |
| E-mail correspondence | To exchange e-mail messages. | Google Gmail for Business | Legitimate interest to ensure communication with customer |
| Technical data as IP addresses | To ensure security of the App and to detect and address technical issues. | N/A | Legitimate interest to protect the integrity and security of the App |
Subject: Partner
| Stored / Processed Data | Purpose | Service Provider | Legal Basis |
|---|---|---|---|
| E-mail correspondence | To exchange e-mail messages. | Google Gmail for Business | Legitimate interest to carry out agreement concluded with the Partner and to ensure communication with the Partner. Where the Partner is a natural person (data subject), the legal basis for personal data processing is to conclude and carry out the agreement concluded with the Data Subject. |
| Contact information, names and positions of representatives | Be able to contact the partner and recognize them when received contact from them. | Google Drive | |
| Payment transactions | Send and receive payments to and from Partners. | PayPal | |
| Accounting | Do financial accounting according to Latvia legislation and accounting standards. | AAT Finance | Processing required by law |
Subject: Candidate
| Stored / Processed Data | Purpose | Service Provider | Legal Basis |
|---|---|---|---|
| Name, surname, contact information | Be able to contact the Candidate | – | Legitimate interest to evaluate the provided information, organize the interview process and provide evidence that substantiates the legal course of the recruitment process. |
| E-mail correspondence | To exchange e-mail messages. | Google Gmail for Business | |
| Work experience, education, other CV information, test results, etc. | To evaluate Candidate’s suitability for the open employment position | – |
Sharing Data With 3rd Parties
We may share Data Subjects’ personal data with persons who are authorized by us and to our cooperation partners, which help us to ensure our services and may also act as our data processors, such as IT service providers (including, but not limited to e-mail service providers, website maintenance services, server providers or maintainers, etc), marketing service providers, payments service providers and others.
Additionally, we may share Data Subjects’ personal data in following situations:
- After receiving a substantiated request in accordance with procedures of applicable law, we may share Data Subjects’ personal data to persons authorized by law (e.g., investigation authorities).
- When necessary to protect our legal interests (e.g., when a person is infringing our interests) we may share the personal data with courts, bailiffs or other relevant state institutions.
- If necessary, to our partners such as auditors, lawyers and other specialists or consultants, financial institutions, insurers; also, on a need to know basis, personal data may be shared with our shareholders, financiers and potential buyers of our business or part of it.
- To payment service providers to the extent necessary to make or receive payments.
- To other ITissible group companies for administrative purposes.
We will not share Data Subjects’ personal data with third parties if there will not be a legitimate purpose and legal basis for that.
In certain situations when we are cooperating with third parties (e.g., by using financial service providers) in addition to this Privacy Notice, the privacy policies of respective third parties may also be applicable to Data Subjects’ personal data processing. We are encouraging Data Subjects to familiarize with respective privacy policies. However, we do not take any liability for their content.
Data Access Boundaries
The data of one App User or the Shopify store is not shared with another App User or the Shopify store.
The App functions within the boundaries of one store where it is installed.
The App of one store can import the data from the other Shopify store when the App User deliberately uses the exported data file from one store and imports it into the other. The App access to the Shopify store data is always initiated, configured or scheduled by the App User.
Retention of Data
The personal data of Data Subjects will be retained only for as long as necessary for the purposes set out in this Privacy Notice unless there is a requirement to continue processing of personal data for a longer period of time in accordance with applicable laws, for example for accounting purposes. Personal data shall also be retained for the period of applicable statute of limitation for the protection of our legal interests against potential claims.
App User’s and Partners data related to the provided or received services may be retained for up to 10 years from the end of the year in which the service has been received / provided for our accounting purposes or longer if required for the protection against potential claims.
Customer support data may be retained for up to 5 years or until required for the protection against potential claims.
All imported and exported data history files processed by the App as requested by App Users are deleted automatically within the one month from the moment the App is uninstalled or from the moment the App User requests the deletion of respective data. The respective data is stored for one month in order for the ITissible to be able to exercise a defense against possible legal claims on the functionality of the App. Where the claim is raised, the necessary data will be stored and processed until the claim is resolved.
The personal data of Candidates may be retained for up to six months after the respective selection for vacancy has been concluded. In case Candidate has provided its consent to store and process Candidate’s personal data for any future vacancies, we may process personal data for up to 2 years.
Where Data Subject has provided its consent for personal data processing or has requested the fulfilment of data subject’s rights, such request and related information (incl. the provided answers) may be retained for up to 5 years.
Data Security
Matrixify implements and is continuously improving reasonable measures to protect data that is processed or stored.
Matrixify website and The App communication channel over the web are encrypted using SSL certificates.
The App infrastructure is protected with strong and unique passwords, where possible – using the Public Key Infrastructure solutions.
Access to employee workstations is protected with strong passwords or in some cases with fingerprint readers.
Destroyed data is not recoverable.
In an incident when a data breach has happened despite the efforts to prevent that, ITissible will inform all affected Data Subjects about the fact of such an incident and about the content of what particular data was compromised, if such breach is likely to result in high risk to the rights and freedoms to the data subject. Information will be sent no later than 72 hours after the data breach has been detected.
Personal Data Transfer Outside EU/EEA
Some of our cooperation partners are located outside the European Economic Area, thus Data Subjects’ personal data may also be processed outside the European Economic Area member states (in third countries).
The transfer of personal data to third countries will be subject to appropriate safeguards (such as standard data protection clauses adopted by the European Commission, Business Corporate Rules or adequacy decisions adopted by the European Commission). For more information about the applied safeguards and where to obtain copies of them (if any) please see below or contact our Support.
Service Providers: Subprocessors and Subcontractors
List of all the Service Providers, Subprocessors, and Subcontractors and applicable safeguards where personal data may be transferred to a third country (outside European Economic Area).
Listed Service names are used above in this document to refer to entries in this table.
When ITissible is processing personal data acting as data processor in the context of providing the Matrixify service to the App User, the ITissible is using following service providers who will be acting as personal data subprocessors in relation to the App User: Amazon Web Services. For the use of respective subprocessors, the App User has provided his general consent within the Data Processing Addendum.
Please know that for the provision of Matrixify service the ITissible will receive personal data from and / or provide personal data to the Shopify platform.
E-mail and Mass Mailing
By installing The App or contacting ITissible team, the Data Subject will receive the following e-mails from ITissible:
- Replies to Data Subject’s e-mail messages.
- Proactive personal e-mails to Data Subject when the feature or fix which was requested by the Data Subject, is implemented – with the goal to inform privately that this feature is ready and the promise made by ITissible was delivered.
Automated and mass mailing is sent to Data Subjects only according to the following opt-in or opt-out principle:
- Opt-out (assume consent to receive by default – based on legitimate interest to inform App Users about the status of requested jobs, thus ensuring the security): Automated e-mail messages about the events within The App, like started, failed or finished jobs.
App Users can change those settings in The App “Settings” section, or unsubscribe by clicking on the “Unsubscribe” link in any of the received e-mails, or by asking Support. - Opt-in (don’t assume consent by default): Periodic e-mail of the overall Matrixify newest features and general updates. That e-mail is sent not more frequently than once per month.
Subscribers can unsubscribe from those e-mails by pressing the “Unsubscribe” link in any of the received e-mails.
Subject Rights
In accordance with the GDPR, Data Subjects have certain rights in respect to their personal data processing. In situations stipulated by the GDPR, Data Subjects have the following rights:
Right To Access
When building the Matrixify, the architecture is designed with self-service as one of the main values. That means that most of the Data Subject’s data is accessible in a self-service way by the Data Subject themselves. If there is still a part of data that the Data Subject needs access to, and which is not accessible by the self-service, the Data Subject can request this data from the Support.
Right to Erasure
Every Data Subject has the right to remove their data from any of the ITissible controlled resources, as far as it is allowed by legal or accounting limitations. Any personal data can be removed by sending a request to the Support. Data will be removed as far as acceptable by the legal, accounting and security requirements.
All imported and exported data history files are deleted automatically when The App is uninstalled.
Right to rectification
Every Data Subject has the right to correct any inaccurate personal data concerning him. Data Subject can correct his personal data in the App or by contacting Support.
Right to restriction of processing
Every Data Subject has the right to require us to stop the processing of its personal data other than for the purposes of the storage. However, please know that we may continue to process Data Subject’s personal data where there is legitimate purpose for us to do so.
Right to data portability
In situations provided by the applicable law, the Data Subject has a right to request that its personal data is provided in a structured, commonly used and machine-readable format. Data Subject also has a right to request that we transfer that personal data to the other party, where it is feasible.
Right to object
Where personal data is processed based on our legitimate interests, Data Subject has a right to object to its personal data processing. At any time, Data Subject may object to the processing of its personal data for direct marketing purposes.
Where the Data Subject’s personal data is processed based on the Data Subject’s consent the Data Subject may withdraw its consent. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
If not otherwise indicated in this Privacy Notice, to request the fulfilment of data subject’s rights, please contact us via Support. Please note that for the fulfilment of data subject’s rights, we may be required to process additional personal data and may request Data Subject’s identification. For persons, whose personal data are processed by the App User through the App, please contact the App User for the fulfilment of your data subject’s rights.
In situations when Data Subject is not satisfied with our data processing activities, Data Subject always have a right to submit a complaint to Latvian Data State Inspectorate (e-mail: [email protected]; website: www.dvi.gov.lv) or Data Subject’s national data protection authority (contact details of national data protection authorities may be found in the following website: https://edpb.europa.eu/about-edpb/board/members_en).
Jurisdiction and Contact Information
Matrixify is the product of ITissible, SIA which is the limited liability company registered in Latvia with registration number 50103772541.
- Legal address: ITissible, SIA. Kaivas iela 35B, Riga, LV-1021, Latvia.
- Contact e-mail: [email protected]
Any dispute arising from this Privacy Notice shall be subject to the exclusive jurisdiction of the competent courts of Latvia. The governing law is the legislation of Latvia.
Changes
ITissible retains the right to change and update this document occasionally, and review it at least once per year. If you continue using The App, then you also agree to comply with all the further versions of this document.
Effective: May 25, 2018
Last update: March 31, 2023
