Operator: ATLAS ECOMMERCE PTY LTD (ABN: [UPDATE MY ABN])

1. Introduction

This Privacy Policy describes how ATLAS ECOMMERCE PTY LTD ("we," "us," or "our"), a proprietary limited company registered in Queensland, Australia, collects, uses, protects, and discloses your personal information when you install or use any of our Shopify applications (collectively, the "Apps") in connection with your Shopify-supported store.

We are committed to protecting merchant privacy and complying with applicable global data protection regulations, including the Australian Privacy Act 1988 (Cth), the General Data Protection Regulation (GDPR) (EU/UK), PIPEDA (Canada), and comprehensive United States privacy laws (including the CCPA/CPRA and the 2026 mandates in Indiana, Kentucky, and Rhode Island).

By installing and using our Apps, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

To provide our services, we access the following categories of information via Shopify's secure APIs upon your authorisation during the installation of any of our Apps:

• Merchant Account Data: Your name, email address, store domain, and physical address. This is used strictly for billing coordination, account management, and providing technical support.

• Store Content & Structure: Depending on the specific App installed, this may include product titles, handles, tags, collection metadata, inventory levels, and theme block configurations. This data is strictly required for the Apps to deliver their core functionalities (such as generating SEO architectures, syndicating product feeds, or optimising conversion elements) and display them correctly via Shopify App Blocks.

• App Interaction Logs: Data regarding how you interact with our App dashboards (e.g., rule creation, configuration saves, and sync frequency) to optimize system performance, monitor capacity, and troubleshoot errors.

Important Note on Customer Data (PII): Our Apps are primarily designed as merchant-facing structural, catalog, and marketing utilities. Unless explicitly stated otherwise within a specific App’s interface, we do not collect, process, track, or store any personal information belonging to your store's end-customers (e.g., shopper names, addresses, IP addresses, or payment details). Our data processing is generally limited exclusively to store structural and catalog data.

3. Legal Basis for Processing (GDPR & UK GDPR)

For users located in the European Economic Area (EEA) or the United Kingdom, our legal bases for collecting and using the personal information described above depend on the specific context:

• Performance of a Contract: Processing is necessary to operate our Apps, fullfill our Terms of Service, and provide the functionality you requested upon installation.

• Legitimate Interests: We process diagnostic and usage data to maintain the security, stability, and performance of our infrastructure.

• Legal Obligation: Processing necessary to comply with our legal and financial reporting obligations.

4. Data Sub-Processors, Hosting, and International Transfers

We utilize high-security, industry-standard third-party infrastructure to operate our Apps. Your data is primarily processed and stored in the United States.

We share data only with the following essential sub-processors:

• Shopify Inc.: Provides the core API infrastructure, merchant authentication (OAuth), and billing services.

• Render (GCP): Application runtime and primary database hosting (PostgreSQL), operating securely on Google Cloud Platform (GCP) infrastructure.

International Transfers: As an Australian company utilising US-based cloud infrastructure, we ensure that any transfer of personal data outside your jurisdiction is protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable under GDPR, ensuring your data receives an adequate level of protection.

5. Data Security

We implement robust technical and organisational measures to protect your data. All communication between Shopify, your browser, and our servers is encrypted in transit using HTTPS/TLS. Database information is encrypted at rest. We limit database access to authorised personnel strictly for development and support purposes.

6. Data Retention & Mandatory Shopify Webhooks

We retain your configuration data and rules for as long as the respective App remains installed on your store. We strictly adhere to Shopify’s data retention and privacy webhook mandates:

• Immediate Deletion: When you manually delete configurations or rules within any of our App dashboards, the associated data is permanently purged from our database immediately.

• Customers/Data Request & Customers/Redact: For our Apps that do not store shopper PII, inbound requests for customer data or redaction will be met with automated compliance confirmations via the webhook, as no applicable data exists on our servers to provide or destroy.

• Shop/Redact (App Uninstallation): Upon receiving the mandatory shop/redact webhook from Shopify (triggered 48 hours after you uninstall an App), we permanently and automatically delete all associated merchant account records, rules, and store data specific to that App from our databases within 30 days.

7. Your Privacy Rights & Global Compliance

Depending on your applicable jurisdiction, you are entitled to the following rights regarding your data:

• Access & Correction: You may request a copy of the data we hold about you or request corrections to your account information.

• The Right to Erasure: You may request the total deletion of your data. The most immediate and thorough way to exercise this right is to uninstall the App from your Shopify admin, which triggers our automated deletion protocol.

• US State Law Compliance (CCPA/CPRA & 2026 Mandates): We operate as a "Service Provider." We do not, and will not, "sell" or "share" your personal information for cross-context behavioural advertising. Residents of regulated US states (including CA, RI, KY, and IN) may exercise their data rights or request further clarification by contacting us directly.

8. Changes to this Privacy Policy

We may update our Privacy Policy from time to time to reflect changes in our practices, new application releases, or regulatory requirements. We will notify you of any material changes by updating the "Effective Date" at the top of this policy and, where required, communicating directly via the email address associated with your Shopify account.

9. Contact Us

For inquiries, data access requests, or to exercise your rights under the Australian Privacy Act, GDPR, or applicable state laws, please contact our privacy team:

ATLAS ECOMMERCE PTY LTD Email: support@atlasecomm.com.au Location: Queensland, Australia