Privacy Policy

Last updated: 09/03/2026

Data Controller

Responsible: Juan Luis Salvador Valdivieso. Tax ID (NIF): 52528906B. Trade name: ApisDom. Address: Calle Goya, CP 03560, Campello, Alicante, Spain. Phone: +34 919 93 28 02.

Legal contact: legales@apisdom.com

Data We Collect

From Shopify (Sales Data)

Data source: OAuth 2.0 integration

Data types:

  • Order history (dates, quantities, amounts)
  • Product identifiers within orders (SKU, productId)
  • Revenue patterns (daily aggregated amounts)

Data we do NOT collect:

  • Customer names, emails, addresses
  • Shipping information
  • Payment data
  • Personal data of end customers

Technical Data (Security and Fraud Prevention)

  • IP address (for rate limiting and DDoS protection)
  • Access logs (API calls with timestamp)
  • Credit consumption logs (audit)

Optional Data (user choice)

  • Email (for billing receipts via Shopify Billing)
  • Time zone (for localisation)
  • Language preference

Legal Basis for Processing

GDPR compliance (Article 6)

Data processor: ApisDom (engine based on Amazon Chronos-2)

Storage location: Firebase (Google Cloud europe-west4, Netherlands). Prediction engine: ApisDom (apisdom.com)

Sub-processors: ApisDom (Chronos-2 prediction engine), Google Cloud (Firebase Firestore, App Hosting), Upstash (Redis cache)

Encryption: AES 256-bit at rest + TLS 1.3 in transit

Purpose of Data Processing

Primary purpose:

  • Generate demand predictions using the Amazon Chronos-2 ML model
  • Provide inventory optimisation recommendations
  • Track credit consumption

Secondary purposes:

  • Prevent fraud and security threats
  • Improve service accuracy and performance
  • Comply with legal obligations

Data Retention

Active Account

Sales data: Stored encrypted in Firebase Firestore while the app is installed

Retention period: 24 months (sufficient to learn seasonality)

Access: Only by the Chronos-2 engine during prediction generation

Account Deletion

Deactivation: User uninstalls app. Data marked for deletion

Anonymisation: Upon uninstall notification, all personal data is deleted within a maximum of 7 business days

Deletion: On uninstall, Shopify sends a notification and all data is irreversibly deleted within a maximum of 7 business days

Verification: Deletion confirmation sent to the merchant's email

Your Rights (Articles 15-22 GDPR)

Right of Access (Art. 15): Request a copy of all your data

Right of Rectification (Art. 16): Request correction of inaccurate data

Right to Erasure (Art. 17 - Right to be forgotten)

Automatic: Uninstall app. Data deleted within 7 business days upon receiving the Shopify notification

Manual: Contact legales@apisdom.com

Right to Data Portability (Art. 20): Request your data in a machine-readable format (CSV/JSON)

Right to Object (Art. 21): Object to processing based on legitimate interest

Data Transfers (Outside the EU)

AWS Processing: The ApisDom prediction engine, based on Amazon Chronos-2 technology, processes the sales data sent by the application

Safeguard: AWS Standard Contractual Clauses (SCC)

Google Firestore: Firestore nodes in europe-west4 (Netherlands). Redis cache (Upstash) in eu-west-1 (Ireland)

Safeguard: Google Data Processing Amendment (DPA)

International Data Transfers

If the user is in California (CCPA)

Your rights: Same as GDPR (access, deletion, objection)

If the user is in Canada (PIPEDA)

Your rights: Access, rectification, deletion

AI Transparency Statement (2026 Compliance)

Model used: Amazon Chronos-2

Classification: Time series prediction (unsupervised learning)

Model training data: General public time series data (NOT your store data). Your data is used ONLY to generate predictions, not to train the model

Bias mitigation: The model architecture is demographic-agnostic

Explainability: We show confidence intervals (MAPE) for each prediction

Human Control: 100%. The user always makes the final decision

Security Measures

  • AES 256-bit encryption at rest
  • TLS 1.3 encryption in transit
  • HMAC signature verification on all Shopify webhooks
  • Rate limiting (100 requests/minute per store)
  • Regular penetration testing
  • Zero-knowledge architecture (we cannot see Shopify tokens; Firebase handles decryption)

Cookies and Tracking

Cookies used:

__session: Shopify App Bridge session

forecast_locale: Language preference (local storage)

forecast_theme: Dark/light mode preference (local storage)

Third-party cookies: None (we do not use Google Analytics, Mixpanel, or similar services)

Tracking:

  • No pixel tracking
  • No IP logging (only for rate limiting)
  • No user behaviour analytics

Changes to the Privacy Policy

We may update this policy periodically

Material changes will be notified by email (optional)

Continued use constitutes acceptance of the new terms

Security Breaches

In the event of a security breach:

GDPR: We will notify the relevant supervisory authority within 72 hours

We will notify you immediately

Incident report available at legales@apisdom.com

Contact and Data Protection Officer

Privacy team: legales@apisdom.com

Legal team: legales@apisdom.com. Phone: +34 919 93 28 02

Data Protection Officer: Juan Luis Salvador Valdivieso. legales@apisdom.com

Response time: Within 10 business days