Privacy Policy – BundleSuite App for Shopify Stores

Last Updated: 1/07/2025

This Privacy Policy outlines how ‘BundleSuite’ (referred to as “we,” “us,” or “our”) collects, uses, maintains, and discloses information collected from users of the ‘BundleSuite’ application (“App”). This policy applies to the App and all products and services offered by ‘BundleSuite’.

1. Introduction

This document serves to inform users about the policies regarding the collection, use, and disclosure of personal information when the ‘BundleSuite’ App is utilized, and the choices associated with that data. The commitment to protecting user privacy is paramount.

The ‘BundleSuite’ App is a Shopify application specifically designed to empower merchants in creating and managing diverse product bundles. Its functionalities encompass a range of bundling options, including Build Your Own Box (BYOB) / Mix & Match, Standard Combo (Fixed), Advanced Combo (Infinite Options), Volume Discounts (Quantity Breaks), and Upsell Bundles (Frequently Bought Together / Complete the Look). The developer’s name and address will be specified in the final published policy.

The explicit statement of the App’s purpose and the developer’s commitment to privacy at the outset establishes a foundational tone of transparency and trust. This initial clarity provides context for why data is collected, enabling users to better understand the necessity and scope of data collection. By clearly defining the App’s functionalities and bundling features upfront, the scope of data that needs to be collected is implicitly limited. This proactive approach addresses potential concerns about over-collection and reinforces the principle of data minimization, a core tenet of modern privacy regulations such as the GDPR. This positioning helps establish BundleSuite as a responsible data handler from the very beginning.

2. Data Controller

The roles and responsibilities concerning data handling are clearly delineated within the operational framework of BundleSuite. For data directly collected from merchants, such as Shopify store information (e.g., store URL, store name, contact email associated with the Shopify account), app usage data, and support inquiries, BundleSuite operates as the Data Controller. In this capacity, BundleSuite determines the purposes and means of processing this data.

Conversely, for transactional data processed from end customers who interact with bundles on a merchant’s storefront, BundleSuite functions as a Data Processor on behalf of the merchant. The merchant, in this scenario, remains the primary Data Controller for their end customers’ Personally Identifiable Information (PII). This distinction is critical for legal compliance and liability management.¹ Data privacy laws, such as GDPR, assign specific responsibilities to “Controllers” and “Processors,” and misidentifying these roles can lead to significant legal non-compliance and liability. By explicitly stating that BundleSuite acts as a Processor for end-customer transactional data and does not directly collect or store their PII, the App significantly reduces its direct legal burden and compliance obligations related to end-customer PII. The primary responsibility for managing end-customer PII thus remains with the merchant, which also helps manage merchant expectations regarding their own compliance duties. This nuanced distinction serves as a crucial risk mitigation strategy.

3. Information We Collect

The information collected by BundleSuite is categorized based on the source and nature of the data, ensuring transparency regarding data practices.³

Information Collected from Merchants (Store Owners)

From Shopify store owners who install and use the App, the following information is collected:

Shopify Store Information: This includes the Shopify store URL, store name, and the contact email associated with the Shopify account. This data is essential for the App’s installation, proper identification within the Shopify ecosystem, and for facilitating necessary communications with the merchant.
App Usage Data: Information pertaining to how the App is utilized is collected. This encompasses details such as the specific features used, configurations of product bundles, discount settings applied, choices regarding bundle placement on the storefront, and general analytics on the adoption of various App features. This data is vital for understanding user interaction and identifying areas for performance improvement and feature optimization.
Billing Information: It is explicitly stated that billing for BundleSuite subscriptions is handled securely and exclusively via Shopify’s billing API. BundleSuite does not directly collect or store any billing information (such as credit card details) from merchants. The App merely receives confirmation of subscription status from Shopify. This approach to billing is a powerful privacy and security statement. By not collecting billing information directly, BundleSuite significantly reduces its compliance burden (e.g., avoiding the need for PCI DSS compliance for credit card data), minimizes the attack surface for sensitive financial data, and simplifies its overall data security requirements. This practice builds substantial trust with merchants, as they are assured that their sensitive financial data is managed by Shopify, a large and secure platform, rather than by a third-party app. This also contributes to reduced operational overhead and legal risk for BundleSuite related to handling payment card data.
Support Inquiries: Any communication data generated through support channels, such as chat interactions, emails, or support tickets, is collected. This includes the content of messages exchanged and any contact details provided by the merchant during these interactions.

Information Processed from End Customers (Shoppers on Merchant’s Store)

BundleSuite primarily processes transactional data related to bundle interactions occurring on the merchant’s storefront. This includes:

Products selected by the customer for a Build Your Own Box (BYOB) bundle.
Quantities of items chosen for volume discounts.
Products added to the cart via upsell blocks.

It is critically important to state that BundleSuite does NOT directly collect or store personal identifiable information (PII) of end customers, such as names, email addresses, or shipping addresses, from the merchant’s store. This sensitive customer data remains securely within the Shopify platform and is managed solely by the merchant. This explicit disclaimer that BundleSuite does not directly collect or store PII of end customers is a fundamental legal and strategic differentiator. By avoiding the direct collection of end-customer PII, BundleSuite drastically reduces its exposure to direct consumer privacy complaints and regulatory fines (e.g., under GDPR or CCPA) related to that data. This simplifies BundleSuite’s data mapping, impact assessments, and overall compliance framework, making the App significantly more attractive to privacy-conscious merchants. This deliberate design choice represents a substantial mitigation of legal risk.

4. How We Use the Information We Collect

The information collected by BundleSuite is utilized for specific, defined purposes, ensuring that data processing aligns with the App’s functionalities and business objectives.³ The primary uses include:

To Provide and Operate Core Functionalities: The collected data is essential for enabling the fundamental features of the BundleSuite App, such as the creation, management, and display of product bundles, as well as the application of various discount settings.
To Improve and Optimize the App’s Performance and Features: Usage data is analyzed to understand how merchants interact with the App. This analysis informs efforts to enhance user experience, refine existing features, and develop new functionalities that meet user needs and improve the App’s overall effectiveness.
To Provide Customer Support and Respond to Inquiries: Communication data from support inquiries is used to address technical issues, answer questions, and facilitate effective communication between merchants and the BundleSuite support team.
For Internal Analytics and Research: Data is used for internal analytical purposes and research to gain insights into App performance and user behavior. A key principle observed here is the emphasis on anonymization and aggregation wherever possible. This practice ensures that insights are derived without identifying individual merchants, thus strengthening the privacy posture. This proactive measure reduces the scope of data subject rights requests for analytics data and helps mitigate regulatory scrutiny, while still allowing for valuable business insights without compromising individual privacy.
To Comply with Legal Obligations: Information may be used as necessary to fulfill legal requirements, resolve potential disputes, and enforce the terms of our agreements.

5. How We Share Information

BundleSuite shares information only when necessary for the operation of the App, to provide requested services, or when legally compelled to do so. Transparency in data sharing practices is a core commitment.²

With Shopify: Information is shared with Shopify as necessary for seamless App integration and functionality. This includes using Shopify’s APIs for purposes such as confirming subscription status, accessing product data relevant to bundles, and facilitating order processing for bundled products. This sharing is also conducted in compliance with Shopify’s platform policies.
With Third-Party Service Providers: Trusted third-party companies and individuals are engaged to facilitate the App’s operation, provide services on our behalf, perform App-related services, or assist in analyzing App usage. These providers may include:

Cloud hosting providers (e.g., AWS, Google Cloud) for secure data storage and infrastructure.
Analytics tools (e.g., Google Analytics, Mixpanel) for understanding App performance and user behavior, with efforts made to ensure data is anonymized where possible.
Customer support platforms (e.g., Zendesk, Intercom) to manage and respond to merchant inquiries.
These third parties are granted access to information strictly to perform their designated tasks on behalf of BundleSuite and are contractually obligated not to disclose or use the information for any other purpose. The requirement for “strict data processing agreements and confidentiality” with these third-party service providers is a critical legal safeguard.1 By mandating Data Processing Agreements (DPAs) and confidentiality clauses, BundleSuite legally obligates its service providers to adhere to the same data protection standards that BundleSuite itself upholds. This extends BundleSuite’s privacy commitments throughout its supply chain, significantly mitigating its vicarious liability for data incidents caused by third parties. This practice demonstrates due diligence and is often a regulatory requirement, particularly under frameworks like GDPR Article 28.
In Response to Legal Requests or to Protect Rights: Information may be disclosed where required by law or subpoena. Disclosure may also occur if there is a good-faith belief that such action is necessary to comply with legal obligations, respond to reasonable requests from law enforcement, or to protect the security or integrity of the App and its associated rights.

6. Data Retention

BundleSuite maintains a clear policy regarding the retention of collected information. Data is retained only for as long as necessary to fulfill the specific purposes for which it was collected.⁴ These purposes include the ongoing provision of the App’s services, facilitating internal analytics, offering customer support, and complying with various legal obligations.

Upon the termination of a merchant’s BundleSuite account, the data will be promptly deleted or anonymized within a reasonable timeframe. Exceptions to this deletion policy apply if retention is mandated by law (e.g., for tax or audit purposes) or if it is necessary for legitimate business purposes, such as resolving disputes or enforcing the terms of our agreements.¹ A clear data retention policy serves not only as a compliance requirement but also as a vital risk management tool. By defining specific retention periods and committing to the deletion or anonymization of data, BundleSuite minimizes its data footprint. This practice reduces the scope of potential data breaches, lowers the long-term costs associated with data storage, and streamlines compliance with “right to be forgotten” requests, thereby proactively managing both legal and operational risks.

7. Your Rights (Data Subject Rights)

In accordance with applicable data protection laws, including principles derived from the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), merchants, as data subjects, are afforded specific rights regarding their personal information.³ These rights empower individuals with greater control over their data:

Right to Access: Merchants have the right to request a copy of the personal data that BundleSuite holds about them.
Right to Rectification: Merchants may request the correction of any inaccurate or incomplete personal data.
Right to Erasure (“Right to be Forgotten”): Under certain conditions, merchants can request the deletion of their personal data.
Right to Restrict Processing: Merchants have the right to request the restriction of processing of their personal data under specific circumstances.
Right to Data Portability: Merchants can request the transfer of their personal data to another organization or directly to themselves, where technically feasible and under certain conditions.
Right to Object to Processing: Merchants have the right to object to BundleSuite’s processing of their personal data under specific conditions, particularly where processing is based on legitimate interests.
Right to Withdraw Consent: Where the processing of personal data is based on consent, merchants have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise these rights, merchants are provided with clear instructions, typically by contacting BundleSuite’s support email. It is important to note that BundleSuite may need to verify the identity of the requesting party before responding to such requests.⁴ This identity verification process is a crucial security measure. It prevents unauthorized individuals from accessing or tampering with a merchant’s data, thereby protecting the merchant’s privacy and BundleSuite’s data integrity. This practice mitigates potential legal liability that could arise from a security breach or data loss due to fraudulent requests, serving as a necessary practical step for robust privacy compliance.

8. Data Security

BundleSuite is deeply committed to protecting the security and integrity of the information entrusted to it. Appropriate technical and organizational measures are implemented to safeguard data from unauthorized access, alteration, disclosure, or destruction.¹ These comprehensive security measures include:

Industry-standard encryption techniques: Data is protected both in transit (during transmission) and at rest (when stored) using robust encryption methods.
Secure server infrastructure and data center facilities: The underlying infrastructure is designed and maintained with high-security standards to prevent physical and digital breaches.
Regular security audits and vulnerability assessments: Proactive and continuous evaluation of security measures is undertaken. This commitment to regular audits and assessments is more than just a checklist item; it represents a proactive security posture. It enables BundleSuite to identify and remediate vulnerabilities before they can be exploited, significantly reducing the likelihood and potential impact of data breaches. This practice also strengthens BundleSuite’s legal defense in the unlikely event of a breach, demonstrating due diligence and a steadfast commitment to protecting data, which in turn builds greater trust with merchants.
Strict access controls and internal policies: Access to data is limited to authorized personnel only, enforced through rigorous internal policies and technical controls.
Adherence to relevant industry standards and best practices: BundleSuite follows established industry guidelines and best practices for data security to ensure a high level of protection.

In the unlikely event of a data breach, BundleSuite is committed to complying with all applicable breach notification laws and will inform affected parties as required.²

9. Children’s Privacy

The ‘BundleSuite’ App is not intended for, nor does BundleSuite knowingly collect personal information from, children under the age of 13. This policy is in alignment with regulations such as the Children’s Online Privacy Protection Act (COPPA) in the USA.³

Should BundleSuite become aware that personal information has been collected from a child under 13 without verifiable parental consent, immediate steps will be taken to remove that information from its servers. Including a children’s privacy clause, even if the App is not directly targeted at children, is a crucial legal protective measure. This clause provides a clear legal disclaimer, limiting BundleSuite’s liability under child privacy laws if a minor’s data is unintentionally encountered through a merchant’s store. It establishes that BundleSuite does not intend to process such data, thereby shifting the responsibility for ensuring age appropriateness to the merchant. This is a standard but essential approach to compliance, acting as a safeguard.

10. Changes to This Privacy Policy

BundleSuite reserves the right to update this Privacy Policy periodically. Any changes will be communicated by posting the new Privacy Policy on this page and updating the “Last Updated” date prominently at the top of the policy.³

For material changes, users will be informed via email and/or a prominent notice within the App itself, prior to the changes becoming effective. The “effective date” at the top of the Privacy Policy will also be updated accordingly. Users are advised to review this Privacy Policy periodically to stay informed of any changes.

11. Contact Us

For any questions regarding this Privacy Policy, please contact BundleSuite through the following channels:

By email: hello@bundlesuiteapp.com
By visiting this page on our website: https://bundlesuiteapp.com/