Privacy Policy

Last updated: March 2026

1. Introduction

GPSR Compliance Hub ("the App") is developed by Swedish Developer ("we", "us"). This privacy policy explains how the App handles data when installed on a Shopify store.

2. Data we collect from merchants

When you install GPSR Compliance Hub and use the App, we store the following data on our servers:

  • Shop domain (to identify your store)
  • Manufacturer details entered by the merchant: company name, trade name, postal address, email, phone, website, and country
  • EU Authorised Representative and importer details: company name, role type, postal address, email, phone, and country
  • Per-product GPSR data: product identifiers (batch number, serial number, model number, product type), CE marking status, safety warnings, safety instructions, and merchant role
  • Compliance scores and sync status per product
  • App configuration and current subscription plan
  • Audit log entries (Business plan only): records of create, update, delete, and export actions

3. Data collected from store visitors

GPSR Compliance Hub does NOT collect any personal data from your store visitors. The App writes product safety data to Shopify metafields, which are then read by the storefront widget — entirely within Shopify's infrastructure. No visitor data is processed or stored by this App.

4. Shopify API access

The App uses the Shopify GraphQL Admin API (scope: read_products) to:

  • Read product information to link GPSR data to products
  • Write product safety data to Shopify metafields and metaobjects
  • Create metaobject definitions for manufacturer and responsible person data

The App does not read customer data, orders, or financial information.

5. Theme App Extension

The App includes a Liquid theme extension ("GPSR Widget") that displays product safety information on product pages. This widget reads Shopify metafields written by the App — it does not collect or transmit any visitor data. All rendering is done server-side by Shopify's CDN.

6. Data location

All App data is stored on servers located within the European Union (Fly.io, PostgreSQL via Neon.tech).

7. Data retention

  • Manufacturer, responsible person, and product GPSR data: Retained while the App is installed.
  • Audit logs (Business plan): Retained while the App is installed.
  • On uninstallation: All merchant data (ShopSettings, Manufacturer, ResponsiblePerson, ProductGpsrData, AuditLog) is permanently deleted. App-owned metafields and metaobjects are automatically removed by Shopify.

8. GDPR compliance

We process merchant data as a Data Processor under GDPR. Merchants remain the Data Controller for their store and their customers. The App handles the mandatory GDPR webhooks:

  • customers/data_request: Logged to our system. The App does not store customer personal data.
  • customers/redact: Any audit log entries associated with customer actions are deleted.
  • shop/redact: All merchant data is permanently deleted within 48 hours.

9. Contact

For questions about this privacy policy or data handling: