Privacy Policy

Effective date: 16 June 2026 · Previous version: 5 March 2026

Summary: Aserta Ltd provides a Shopify app that scans product description text for compliance workflows. We process merchant account data as a data controller and product audit data as a data processor on your instructions. We do not store your customers’ order or profile data, payment card details, or product images for auditing.

1. Who we are

This Privacy Policy describes how Aserta Ltd (“Aserta”, “we”, “us”, “our”) processes personal data when you:

Controller: Aserta Ltd, Eldridge Gardens, Romsey, Hampshire, United Kingdom.

Privacy contact: support@getaserta.com
Data protection contact: dpo@getaserta.com

We process personal data in accordance with the UK GDPR, the Data Protection Act 2018, and other applicable privacy laws.

2. Roles: controller and processor

Data protection law distinguishes between organisations that decide why and how data is processed (controllers) and those that process data on another party’s instructions (processors).

When Aserta is the controller

We act as data controller for personal data we need to operate the app and our relationship with you, including:

When Aserta is the processor

When you use the app to audit products, we process product catalogue text and related product metadata on your instructions to provide the compliance service. For that processing, you are the data controller and Aserta is your data processor.

Our Data Processing Agreement (DPA) governs that processor processing and is available at https://getaserta.com/data-processing-agreement.html.

Shopify’s role

Shopify operates the commerce platform and, in relation to its own services, acts as an independent controller (or processor, depending on context). Shopify billing for app subscriptions is handled through Shopify’s systems; we do not receive or store your payment card details.

3. Personal data we collect

3.1 Shopify app — merchant account data (controller)

When you install the app, we receive and store:

We do not currently store your Shopify account email address, staff user profiles, or localization settings in our application database.

3.2 Shopify app — product data (processor)

To run compliance audits, we access (via the Shopify API) and process:

We do not use product images for compliance auditing. Product descriptions are generally not personal data unless they identify a natural person.

3.3 End-customer data

Aserta is designed for merchant product pages, not buyer profiles. We do not intentionally collect or store your customers’ names, emails, order history, or payment information. Shopify may send mandatory GDPR webhooks (see Section 9); we implement these endpoints but typically have no customer personal data to delete.

3.4 Website (getaserta.com)

When you visit our marketing site, we may process:

We do not use advertising pixels or third-party marketing trackers on getaserta.com. The public website does not require a Shopify login.

4. How we use personal data

We use personal data only as needed to:

We do not sell, rent, or trade your data. We do not use product catalogue data for advertising or unrelated analytics.

We do not currently send automated marketing or compliance alert emails from the app. If we introduce email notifications in future, we will update this policy and our Subprocessors page before doing so.

5. Lawful bases (UK GDPR)

Depending on the processing activity, we rely on:

6. Sharing and subprocessors

We share personal data only with service providers that help us run Aserta, under appropriate contractual safeguards:

A current list, locations, and functions are published at https://getaserta.com/subprocessors.html. We will give merchants reasonable notice before engaging a new subprocessor that processes personal data on their behalf.

We may also disclose information if required by law, regulation, court order, or valid request from a public authority.

7. International transfers

Our application database is hosted in the United States (Render). Where personal data is transferred outside the UK, we use appropriate safeguards, which may include:

Details are set out in our DPA. Contact dpo@getaserta.com if you need a copy of relevant transfer terms.

8. Retention

While the app is installed

When you uninstall the app

Backups and logs

Support emails

Emails you send us are kept only as long as needed to resolve your enquiry and meet legal or accounting requirements, then deleted or anonymised.

9. Shopify mandatory GDPR webhooks

Shopify requires apps to expose endpoints for customer data requests and redaction, and shop redaction after uninstall. We implement:

Because Aserta does not routinely store your buyers’ personal data, these webhooks typically require no additional action beyond confirming we hold no relevant customer records. If any customer personal data were present in our systems, we would delete it within a reasonable period and document the action.

10. Automated processing

Aserta applies rule-based checks to product descriptions and may assign statuses such as Compliant or Needs Review, or apply formatting and warning blocks when you use compliance update features.

These outputs are automated assistance for merchants — they are not legal advice and do not produce binding legal or similarly significant effects on your customers. You remain responsible for product listings, labels, and regulatory compliance.

11. Your rights

If UK GDPR applies to our processing of your personal data as controller, you have the right to:

To exercise these rights, email support@getaserta.com with Data Subject Access Request in the subject line. We respond within one month, unless an extension is permitted by law.

If your request relates to product data we process as your processor, we may direct you to your own organisation’s privacy process or assist you under the DPA.

12. Security

We use reasonable technical and organisational measures appropriate to the nature of the data we process, including:

Security measures at our hosting provider (including encryption at rest, where enabled for our database tier) are described by that provider’s documentation and agreements.

No method of transmission or storage is completely secure. If you believe there has been a security incident affecting Aserta, contact support@getaserta.com immediately.

13. Personal data breaches

If we become aware of a personal data breach affecting data we control, we will:

14. Cookies and similar technologies

Shopify embedded app: Session mechanisms in the Shopify Admin are used to keep you signed in while using the app. These are necessary for the app to function.

getaserta.com: Our marketing site does not use non-essential marketing cookies. Hosting providers may process minimal technical data in server logs.

15. California privacy rights (CCPA/CPRA)

If you are a California resident, you may have additional rights regarding personal information, including the right to know, delete, and correct personal information, and to opt out of sale or sharing (we do not sell or share personal information for cross-context behavioural advertising).

Submit requests to support@getaserta.com with CCPA Request in the subject line.

16. Children

Aserta is a business-to-business service. We do not knowingly collect personal data from anyone under 18. Contact us if you believe we have inadvertently done so.

17. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. Where appropriate, we will also notify merchants through the app or Shopify partner communications. Continued use of the service after the effective date constitutes acceptance of the updated policy. If you disagree, you may uninstall the app.

18. Contact

General privacy: support@getaserta.com
Data protection: dpo@getaserta.com
Postal address: Aserta Ltd, Eldridge Gardens, Romsey, Hampshire, United Kingdom

Related documents:
Data Processing Agreement · Subprocessors · Terms of Service