Privacy Policy

Effective Date: August 11, 2025 • Version 1.1 • Last Updated: August 28, 2025

Table of Contents

1. Who We Are

"ArtyBench", "we", "us", or "our" refers to the operator of the ArtyBench Shopify App.

Legal Entity: [INSERT YOUR COMPANY LEGAL NAME]

Registered Address: [INSERT YOUR COMPANY ADDRESS]

Contact: support@artybench.com

For merchant account data, we act as a data controller. For end-customer personal data that merchants process through the App, we act as a data processor on the merchant's behalf.

Data Processing Agreement: Available upon request at support@artybench.com for merchants requiring formal processor agreements.

2. Scope

This Policy explains how we collect, use, disclose, and protect information when you:

  • Install or use ArtyBench with your Shopify store
  • Access our web dashboards
  • Connect optional integrations
  • Interact with our support team

3. Data We Collect

3.1 From Shopify APIs (Merchant Installation)

Shop Data:

  • Shop domain, name, owner email
  • Plan details, locale, currency, timezone
  • Permissions and API scopes granted

Catalog Data:

  • Products, variants, images, media
  • Collections, tags, metafields
  • SEO fields (titles, descriptions)
  • Inventory metadata

Order & Review Metadata (Optional):

  • Limited order attributes and review summaries only if you enable features requiring them (e.g., audit signals, intent coverage, review app integrations)

App Configuration:

  • Feature flags, settings, templates
  • Audit results, generated recommendations

Shopify Integration Points:

  • Webhook subscriptions we maintain
  • Shopify Flow configurations (if applicable)
  • API scopes requested: [read_products, write_products, read_themes, write_themes, read_script_tags, write_script_tags]

3.2 From You (Merchant/Teammates)

  • Account details (name, email)
  • Support requests and feedback
  • Usage and diagnostic logs (timestamps, API responses, error traces)

3.3 From Optional Integrations (Only If Connected)

Analytics Providers (e.g., Google Analytics):

  • Metrics and dimensions you authorize for correlation with audit signals

Review Providers (e.g., Yotpo, Judge.me, Stamped):

  • Rating counts, snippets, and related product identifiers

3.4 Cookies & Device Information

Merchant Dashboard Cookies (Essential Only):

  • Session management tokens (authentication state)
  • User preferences (dashboard settings)
  • Security tokens (CSRF protection)

These essential cookies are required for the dashboard to function. We do not use tracking or advertising cookies. We do not collect storefront visitor data unless you explicitly enable a storefront feature that requires it.

4. How We Use Data

  • Provide the App: Run audits, generate recommendations, render dashboards, operate background jobs
  • Improve & Secure: Troubleshoot issues, prevent abuse, measure performance, develop new features
  • Support & Communication: Respond to tickets, send transactional notices (e.g., install/uninstall, feature updates)
  • Compliance: Honor data subject requests and legal obligations
  • Marketing (Opt-in Only): With your consent, send product updates and newsletters (unsubscribe available at any time)

We do not sell personal information and we do not share it for cross-context behavioral advertising.

6. International Transfers

ArtyBench's primary infrastructure is in the United States (primarily AWS us-east-1). We and our service providers may process data in the United States and other countries.

For transfers from the EEA/UK/Switzerland to countries without an adequacy decision, we use appropriate safeguards including:

  • EU Standard Contractual Clauses (2021/914)
  • UK International Data Transfer Addendum
  • Swiss-approved SCCs
  • Supplementary measures: encryption in transit/at rest, least-privilege access, data minimization

Where providers participate in the EU–US Data Privacy Framework, we may rely on that program for U.S. transfers.

Current Subprocessors: See our live subprocessor list at https://artybench.com/legal/subprocessors

7. Data Sharing

We disclose data only to:

  • Service Providers (Processors): Hosting, storage, background jobs, email delivery, error monitoring, analytics—bound by contracts to process data solely under our instructions
  • Legal & Safety: If required by law or to protect rights, security, and integrity

We do not rent or sell personal data.

8. Data Retention & Deletion

  • Merchant/Shop & Configuration Data: Kept while your account is active. After uninstall or termination, deletion begins within 30 days and completes within a reasonable period (subject to limited backup retention)
  • Audit Outputs & Recommendations: Retained during active use and deleted per above schedule
  • Logs/Diagnostics: Up to 12 months unless needed for security investigations
  • Backups: Encrypted and automatically purged on rolling cycles (typically 30–45 days)

You may request deletion or export at any time (see Section 13). Upon app uninstallation, we receive a webhook and schedule data deletion automatically.

9. Shopify GDPR Webhooks & Data Subject Requests

We fully support Shopify's privacy webhooks and honor merchant rights:

  • shop/redact: Upon uninstallation or request, we delete shop-related data (subject to lawful retention needs)

Note: Our app focuses on product visibility analysis and does not process customer personal data or order information.

Where we act as processor, we help merchants fulfill access, correction, portability, and deletion requests.

10. Automated Processing

We use automated systems to analyze your catalog data and generate optimization recommendations. These processes:

  • Analyze product descriptions, images, and metadata for quality signals
  • Generate SEO and conversion optimization suggestions
  • Identify potential catalog improvements

These automated processes do not involve automated decision-making with legal or similarly significant effects.

11. Security

Technical Measures:

  • TLS 1.2+ for all data in transit
  • AES-256 encryption at rest for databases and backups
  • Web Application Firewall (WAF) protection

Organizational Measures:

  • Role-based access control with least privilege principles
  • Multi-factor authentication (MFA) for all administrative access
  • Comprehensive audit logging
  • Secure development lifecycle with dependency monitoring
  • Regular security reviews and penetration testing

While no method of transmission or storage is 100% secure, we maintain controls aligned with industry best practices for SaaS applications and Shopify apps.

12. Your Privacy Choices

  • Dashboard Settings: Control optional features and integrations
  • Marketing Opt-out: Unsubscribe via email link or by contacting us
  • Cookie Management: Disable non-essential cookies in your browser (some features may not work)
  • Integration Management: Connect or disconnect third-party services at any time

13. Your Rights

Depending on your location, you may have rights to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data
  • Restrict processing
  • Object to certain processing
  • Port your data to another service

California Residents: Additional rights under CPRA including rights to know, delete, and non-discrimination.

To exercise your rights, contact support@artybench.com. We may need to verify your identity and the scope of your request.

14. Children's Privacy

The App is for business use and not directed to children. We do not knowingly collect personal information from anyone under 16 (or 13 in the U.S.). If you believe a child has provided data, contact us immediately to request deletion.

15. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified via:

  • Email to your registered address
  • In-app notification banner
  • Update notice on our website

Version History:

  • v1.1 (August 28, 2025): Enhanced automated processing disclosure, added DPA availability
  • v1.0 (August 11, 2025): Initial version

16. Contact Us

Questions, Requests, or Complaints:

Email: support@artybench.com

Address: [INSERT YOUR COMPANY ADDRESS]

Data Protection Authorities:

EEA residents may contact their local supervisory authority. Contact details available at: https://edpb.europa.eu/about-edpb/board/members_en

Appendix A – Subprocessor Summary

SubprocessorPurposeLocationData Categories
Vercel, Inc.App hosting, edge networkUnited StatesApplication data, logs
AWS (Amazon Web Services)Infrastructure (us-east-1)United StatesAll encrypted data
SupabaseDatabase, authenticationUnited StatesMerchant data, catalog
InngestBackground jobs, workflowsUnited StatesEvent payloads, job data

Full Details: Visit https://artybench.com/legal/subprocessors for complete subprocessor information including transfer safeguards and DPAs.

This privacy policy was last reviewed and updated on August 11, 2025. For questions about this policy or our privacy practices, please contact support@artybench.com.