Browse viaGlamour's Data Protection Agreement
PRIVACY AND DATA PROTECTION AGREEMENT
This Privacy and Data Protection Agreement ("Agreement") sets forth the terms and conditions under which [viaGlamour] ("Company") collects, uses, and shares personal data from customers who use the Company's online store and related services ("Services"). By using the Services, you acknowledge that you have read, understood, and agree to the terms of this Agreement.
At viaGlamour, we take data protection seriously and are committed to complying with all relevant laws and regulations, including the Shopify data protection policies. We have implemented the following measures to ensure the security and confidentiality of our customers' data:
- We encrypt all data backups to prevent unauthorized access.
- We maintain strict separation between our test and production environments to prevent personal data from production from leaking into less secure environments.
- We have implemented a data loss prevention strategy that includes technical controls, policies, and standards to protect against the possibility of data being extracted for nefarious purposes.
- We limit staff access to protected customer data and require strong passwords for staff accounts.
- We keep an access log to protected customer data and review it regularly to assess the effectiveness of our security controls.
- We have implemented a security incident response policy that outlines the steps we take in the event of a security incident or data breach. This includes incident severity scales, roles and responsibilities, escalation paths, evidence collection, and required actions.
- We are committed to protecting our customers' data and will continue to review and update our data protection measures as necessary to ensure the highest level of security. If you have any questions about our data protection policies, please do not hesitate to contact us.
Personal Data Collection
The Company may collect personal data from customers in a variety of ways, including but not limited to the following:
The Company may use personal data collected from customers for the following purposes:
To provide, maintain, and improve the Services
To process and fulfill orders and transactions
To communicate with customers and respond to inquiries
To personalize and improve the customer experience
To comply with legal and regulatory requirements
Personal Data Sharing
The Company may share personal data with third parties for the following purposes:
To process and fulfill orders and transactions, including with payment processors and shipping carriers
To provide the Services, including with hosting and IT service providers
To comply with legal and regulatory requirements, including with law enforcement and government agencies
To protect the rights, property, and safety of the Company and its customers
Personal Data Security
The Company takes reasonable precautions to protect personal data from loss, misuse, and unauthorized access or disclosure. However, no online system is completely secure and the Company cannot guarantee the security of personal data.
Personal Data Retention
The Company will retain personal data for as long as necessary to fulfill the purposes outlined in this Agreement, or as required by law.
Customers have the following rights in relation to their personal data:
The right to access and request a copy of their personal data The right to correct or update their personal data The right to object to or restrict the processing of their personal data The right to request the deletion of their personal data The right to withdraw consent to the processing of their personal data Customers may exercise these rights by contacting the Company at [contact information].
Changes to this Agreement
The Company reserves the right to update this Agreement from time to time. Any changes to this Agreement will be posted on the Company's website and will become effective upon posting. Customers are encouraged to review this Agreement periodically for any updates.
Data Protection Practices
Minimal Data Process
To "process only the minimum personal data required to provide app functionality to merchants," viaGlamour only collects and uses personal data in a way that is limited to the purpose for which it was collected. This means that the app should only collect the minimum amount of personal data necessary to provide the desired functionality to merchants, and should not collect or use personal data for any other purposes.
Here are some examples of how we minimize the amount of personal data it processes:
Identify the specific features and functions that are being offered to merchants, and determine which personal data is necessary to provide those features and functions. For example, if the app is providing a payment processing service, it may need to collect personal data such as name, address, and payment information in order to process transactions.
Collect personal data directly from merchants rather than from third parties. This helps to ensure that the data being collected is accurate and up-to-date, and reduces the risk of collecting unnecessary or irrelevant data. When viaGlamour ships customer orders we're only being provided the information directly from Shopify's Fulfillment Requests.
Implement security measures to protect personal data from unauthorized access or misuse. This can include measures such as encrypting personal data, implementing secure authentication protocols, and regularly monitoring for and addressing security vulnerabilities. viaGlamour stores all of the customer data exclusively on Shopify with MFA enterprise logins to prevent unauthorized misuse.
By following these best practices, an app can effectively process only the minimum personal data required to provide app functionality to merchants, while still providing a high-quality and useful service.
Inform merchants what personal data you process and your reason for processing it.
Limit your processing of personal data to the stated purposes.
viaGlamour does not save irrelevant information from customer orders that isn't directly used for shipping. For example, viaGlamour could use the first and last name of a customer order to purchase postage but ignore irrelevant details like the billing address which isn't used for neither postage purchases or the completion of deliveries.
Where applicable, respect and apply customer consent decisions.
viaGlamour receives GDPR requests from merchants and merchant customers through the mandatory webhooks.
Respect and apply customer decisions to opt out of any data sharing such as a ‘data sale’ or similar concepts.
viaGlamour does not engage with sales of any customer data.
viaGlamour not not engage with automated decision-making services that may try to ingest customer data.
Apply retention periods to make sure that personal data isn’t kept for longer than needed.
viaGlamour removes customer information after one year from the date it's been shipped. This information helps viaGlamour fight fraudulent disputes if any occur between shipping carriers and merchant storefronts.
Encrypt data at rest and in transit.
viaGlamour doesn't transit information unencrypted outside of Shopify. All customer information is received and stored on Shopify.
Encrypt your data backups.
viaGlamour doesn't create data backups that aren't already managed by Shopify which are all encrypted by default.
Keep test and production data separate.
viaGlamour maintains different authentication, users, and staff permissions for testing and production apps.
Data loss prevention strategies
viaGlamour maintains a data loss prevention strategy in the access of staff that can export or control customer data.
Limit staff access to protected customer data.
viaGlamour staff are granted limited view access to customer data to fulfill orders.
Require strong passwords for staff accounts.
viaGlamour uses Shopify's MFA to secure staff accounts.
Keep an access log to protected customer data.
viaGlamour uses Shopify Logs to maintain data trails of staff members accessing shipping data.
SECURITY INCIDENT RESPONSE POLICY
The purpose of this policy is to establish a framework for responding to security incidents that may affect the organization's systems, networks, and data.
This policy applies to all systems, networks, and data owned or controlled by the organization. It covers incidents involving unauthorized access, data breaches, malware, phishing attacks, and any other security-related events.
The [Security Incident Response Team] ("SIRT") is responsible for coordinating the organization's response to security incidents. The SIRT will be led by the [Security Incident Response Team Lead] and will include representatives from [IT, Legal, Human Resources, Communications, and other relevant departments].
Incident identification: Incidents will be identified through a variety of sources, including but not limited to security alerts, user reports, and monitoring of systems and networks.
Incident containment: The SIRT will take immediate action to contain the incident and prevent further damage or loss. This may include disconnecting affected systems, disabling user accounts, and implementing other appropriate measures.
Incident investigation: The SIRT will conduct a thorough investigation to determine the cause of the incident and the extent of the damage.
Incident notification: The SIRT will notify relevant stakeholders, including management, legal counsel, and any regulatory bodies as required by law.
Incident resolution: The SIRT will develop and implement a plan to resolve the incident and restore affected systems and data.
Post-incident review: The SIRT will conduct a review of the incident to identify any weaknesses or vulnerabilities that may have contributed to the incident and implement measures to prevent similar incidents from occurring in the future.