Summary: Aserta Ltd provides a Shopify app that scans product description text for compliance workflows. We process merchant account data as a data controller and product audit data as a data processor on your instructions. We do not store your customers’ order or profile data, payment card details, or product images for auditing.
This Privacy Policy describes how Aserta Ltd (“Aserta”, “we”, “us”, “our”) processes personal data when you:
Controller: Aserta Ltd, Eldridge Gardens, Romsey, Hampshire, United Kingdom.
Privacy contact: support@getaserta.com
Data protection contact: dpo@getaserta.com
We process personal data in accordance with the UK GDPR, the Data Protection Act 2018, and other applicable privacy laws.
Data protection law distinguishes between organisations that decide why and how data is processed (controllers) and those that process data on another party’s instructions (processors).
We act as data controller for personal data we need to operate the app and our relationship with you, including:
When you use the app to audit products, we process product catalogue text and related product metadata on your instructions to provide the compliance service. For that processing, you are the data controller and Aserta is your data processor.
Our Data Processing Agreement (DPA) governs that processor processing and is available at https://getaserta.com/data-processing-agreement.html.
Shopify operates the commerce platform and, in relation to its own services, acts as an independent controller (or processor, depending on context). Shopify billing for app subscriptions is handled through Shopify’s systems; we do not receive or store your payment card details.
When you install the app, we receive and store:
We do not currently store your Shopify account email address, staff user profiles, or localization settings in our application database.
To run compliance audits, we access (via the Shopify API) and process:
aserta_app.compliance_audit).We do not use product images for compliance auditing. Product descriptions are generally not personal data unless they identify a natural person.
Aserta is designed for merchant product pages, not buyer profiles. We do not intentionally collect or store your customers’ names, emails, order history, or payment information. Shopify may send mandatory GDPR webhooks (see Section 9); we implement these endpoints but typically have no customer personal data to delete.
When you visit our marketing site, we may process:
We do not use advertising pixels or third-party marketing trackers on getaserta.com. The public website does not require a Shopify login.
We use personal data only as needed to:
We do not sell, rent, or trade your data. We do not use product catalogue data for advertising or unrelated analytics.
We do not currently send automated marketing or compliance alert emails from the app. If we introduce email notifications in future, we will update this policy and our Subprocessors page before doing so.
Depending on the processing activity, we rely on:
We share personal data only with service providers that help us run Aserta, under appropriate contractual safeguards:
A current list, locations, and functions are published at https://getaserta.com/subprocessors.html. We will give merchants reasonable notice before engaging a new subprocessor that processes personal data on their behalf.
We may also disclose information if required by law, regulation, court order, or valid request from a public authority.
Our application database is hosted in the United States (Render). Where personal data is transferred outside the UK, we use appropriate safeguards, which may include:
Details are set out in our DPA. Contact dpo@getaserta.com if you need a copy of relevant transfer terms.
Emails you send us are kept only as long as needed to resolve your enquiry and meet legal or accounting requirements, then deleted or anonymised.
Shopify requires apps to expose endpoints for customer data requests and redaction, and shop redaction after uninstall. We implement:
customers/data_requestcustomers/redactshop/redactBecause Aserta does not routinely store your buyers’ personal data, these webhooks typically require no additional action beyond confirming we hold no relevant customer records. If any customer personal data were present in our systems, we would delete it within a reasonable period and document the action.
Aserta applies rule-based checks to product descriptions and may assign statuses such as Compliant or Needs Review, or apply formatting and warning blocks when you use compliance update features.
These outputs are automated assistance for merchants — they are not legal advice and do not produce binding legal or similarly significant effects on your customers. You remain responsible for product listings, labels, and regulatory compliance.
If UK GDPR applies to our processing of your personal data as controller, you have the right to:
To exercise these rights, email support@getaserta.com with Data Subject Access Request in the subject line. We respond within one month, unless an extension is permitted by law.
If your request relates to product data we process as your processor, we may direct you to your own organisation’s privacy process or assist you under the DPA.
We use reasonable technical and organisational measures appropriate to the nature of the data we process, including:
Security measures at our hosting provider (including encryption at rest, where enabled for our database tier) are described by that provider’s documentation and agreements.
No method of transmission or storage is completely secure. If you believe there has been a security incident affecting Aserta, contact support@getaserta.com immediately.
If we become aware of a personal data breach affecting data we control, we will:
Shopify embedded app: Session mechanisms in the Shopify Admin are used to keep you signed in while using the app. These are necessary for the app to function.
getaserta.com: Our marketing site does not use non-essential marketing cookies. Hosting providers may process minimal technical data in server logs.
If you are a California resident, you may have additional rights regarding personal information, including the right to know, delete, and correct personal information, and to opt out of sale or sharing (we do not sell or share personal information for cross-context behavioural advertising).
Submit requests to support@getaserta.com with CCPA Request in the subject line.
Aserta is a business-to-business service. We do not knowingly collect personal data from anyone under 18. Contact us if you believe we have inadvertently done so.
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. Where appropriate, we will also notify merchants through the app or Shopify partner communications. Continued use of the service after the effective date constitutes acceptance of the updated policy. If you disagree, you may uninstall the app.
General privacy: support@getaserta.com
Data protection: dpo@getaserta.com
Postal address: Aserta Ltd, Eldridge Gardens, Romsey, Hampshire, United Kingdom
Related documents:
Data Processing Agreement ·
Subprocessors ·
Terms of Service