Privacy Policy

Effective Date: March 5, 2026

1. Introduction

Welcome to Aserta. Aserta Ltd ("we", "our", or "us"), located at Eldridge Gardens, Romsey, Hampshire, United Kingdom, is committed to protecting the privacy and security of the merchants who use our Shopify application and website (getaserta.com). This Privacy Policy explains how we collect, use, and safeguard your data in compliance with the UK GDPR, Data Protection Act 2018, and other applicable privacy laws.

2. Information We Collect

When you install the Aserta app, we are granted access to specific information from your Shopify account required to provide our service:

• Store Information: Store domain name, store email address, and localization settings (country, language, currency).
• Product Data: Product titles, descriptions, tags, images, and metafields used for compliance auditing.
• Subscription Information: Which regulatory modules you subscribe to, subscription dates, and billing history.
• Usage Data: Information about your interaction with the app dashboard, audit actions, and compliance report generation.
• Authentication Data: OAuth tokens and session identifiers for API access to your Shopify store.

3. How We Use Your Information

We use the collected data strictly to operate and improve the Aserta compliance engine. Specifically, we use your data to:

• Perform automated ingredient audits on your product descriptions
• Apply text formatting (bolding, warnings) to ingredient lists
• Generate compliance audit trails and store them in Shopify metafields
• Create compliance reports and audit documentation
• Monitor app performance and troubleshoot technical issues
• Send you important notifications about your subscription, compliance alerts, or service updates

We do NOT use your product data for: Marketing, analytics (beyond app performance), resale, or any purpose other than providing the compliance audit service.

4. Data Sharing and Disclosure

We do not sell, rent, lease, or trade your data to third parties. We only share information with:

• Render: Our cloud hosting provider. Render hosts our application and database infrastructure.
• Shopify: We process data on your behalf as your data processor. Shopify is the data controller for store information.

Legal Requirements: We may disclose your information if required by law, court order, or government request. We will attempt to provide you with notice of such disclosure unless legally prohibited.

Subprocessors: A current list of our subprocessors is available at: https://getaserta.com/subprocessors. We will notify you of any new subprocessors before processing your data with them.

5. Data Retention

While the app is installed on your store:

• Store authentication tokens and API credentials are retained for authentication
• Product metadata and audit results are retained to provide the service
• Usage data and module subscription information are retained to manage your account

After you uninstall the app:

• Active database records are deleted within 30 days of uninstall
• Backup copies may be retained for up to 90 days for disaster recovery purposes only
• Encrypted compliance audit logs may be retained for 1 year to address potential disputes or legal inquiries
• After the retention period, all data is securely deleted and not retained for any other purpose

Upon GDPR data subject requests: Personal data is deleted within 30 days, except where legal obligations require longer retention (e.g., tax, accounting, or fraud investigation).

6. Your Data Rights (GDPR and Data Protection Act 2018)

As a UK-based company, we comply with the UK GDPR and the Data Protection Act 2018. You have the right to:

• Right of access: Request a copy of the personal data we hold about you
• Right to correction: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
• Right to restrict processing: Request that we limit how we process your data
• Right to data portability: Request your data in a portable, machine-readable format
• Right to object: Object to the processing of your data on certain grounds
• Rights related to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects

To exercise these rights, contact us at support@getaserta.com with "Data Subject Access Request" in the subject line. We will respond within 30 days.

7. Data Processor Information

If you are a data controller under GDPR, Aserta acts as your data processor for product data and compliance audits. A formal Data Processing Agreement (DPA) is available upon request. Please contact us at dpo@getaserta.com to request a DPA or discuss data protection compliance.

8. Data Subject Requests & Shopify Compliance Webhooks

When a merchant's customer requests data deletion or exercises GDPR rights, Shopify notifies us via webhook. Upon receiving such requests, we:

• Acknowledge the request within 24 hours
• Delete all personal data associated with that customer within 30 days
• Confirm deletion to the merchant through their Shopify admin dashboard
• Maintain audit logs of the deletion for legal compliance and disputes

We do not retain customer data for marketing, analytics, or any purpose beyond providing the compliance audit service.

9. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit: TLS 1.2 or higher for all data in transit
• Encryption at rest: AES-256 encryption for sensitive data stored in our database
• Access controls: Role-based access control and authentication for all systems
• Regular security audits: Penetration testing and vulnerability assessments
• Incident response: Documented procedures with breach notification within 72 hours of discovery
• Secure hosting: Render provides DDoS protection, WAF (Web Application Firewall), and intrusion detection
• Employee access: Restricted to authorized personnel on a need-to-know basis

Disclaimer: While we use reasonable security measures, no security system is 100% secure. You use the Service at your own risk. If you believe there has been a security breach, please contact us immediately at support@getaserta.com.

10. Cookies & Tracking

Session Cookies: The Aserta app uses session cookies to maintain your authentication state within the Shopify Admin. These cookies are necessary for the app to function and are deleted when your session ends.

Analytics: We may use Shopify's built-in analytics to monitor app performance and usage patterns. No personally identifiable information is shared with external analytics providers.

Tracking: We do not use third-party tracking, advertising pixels, or marketing cookies. Your data is not tracked across websites or shared with advertising networks.

11. International Data Transfers

Your data is processed on servers located in the United States (Render hosting). By using Aserta, you consent to the transfer of your data outside the UK. We comply with GDPR requirements for international transfers through:

• Shopify Data Transfer Addendum (DTA): Our relationship with Shopify is governed by their DTA
• Standard Contractual Clauses (SCCs): We rely on SCCs as approved by the UK supervisory authority for data transfers to the US

If you have concerns about data transfers, please contact us at dpo@getaserta.com.

12. Children's Privacy

The Aserta service is designed for business-to-business use only. We do not knowingly collect personal data from individuals under 18 years of age. If we discover that we have collected data from a minor, we will delete it immediately. If you believe we have inadvertently collected data from a minor, please contact us at support@getaserta.com.

13. Breach Notification

In the event of a data breach, we will:

• Notify affected users within 72 hours (as required by GDPR)
• Provide details of the breach, the data affected, and recommended actions
• Notify the UK Information Commissioner's Office (ICO) if the breach poses a high risk to user rights
• Maintain detailed records of the incident and our response

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you via email or through the Aserta app dashboard at least 30 days before taking effect. Your continued use of the Service after notice constitutes acceptance of the updated policy. If you do not agree to changes, you may uninstall the app.

15. Third-Party Links

The Aserta app may contain links to third-party websites (e.g., regulatory resources, Shopify help). We are not responsible for the privacy practices of external sites. We encourage you to review their privacy policies independently.

16. Your California Privacy Rights (CCPA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including:

• Right to know what personal data is collected
• Right to delete personal data (with exceptions)
• Right to opt-out of "sales" of personal data (though we do not sell data)
• Right not to be discriminated against for exercising your rights

To exercise CCPA rights, contact us at support@getaserta.com with "CCPA Request" in the subject line.

17. Contact Us & Data Subject Requests

General Privacy Inquiries:

• Email: support@getaserta.com

Data Protection Officer (DPO):

• Email: dpo@getaserta.com

Postal Address:

• Aserta Ltd
  Eldridge Gardens
  Romsey, Hampshire
  United Kingdom

For GDPR requests: Include "Data Subject Access Request" in the subject line. We will respond within 30 days.