GDPR Compliance
Last updated: May 28, 2026
This page documents how Findable for Shopify meets its GDPR obligations as a data processor to Shopify merchants in the EU, UK, and other jurisdictions with comparable frameworks. For the full data inventory, see our privacy policy. Questions: support@usefindable.ai.
Roles
The merchant (your Shopify store) is the controller of merchant data. Ziguru LLC, operating Findable for Shopify, is the processor. We process the data you authorize us to access via Shopify OAuth scopes, for the sole purpose of delivering the App's functionality.
Lawful bases (GDPR Art. 6)
- Contract performance: reading your catalog and blog, generating articles, publishing them, billing.
- Legitimate interest: product analytics, error monitoring, fraud prevention.
- Legal obligation: tax record retention, GDPR webhook responses.
We don't rely on consent for any data we collect from the merchant; everything is necessary for the service. We never process end-customer (your shoppers') data.
Data subject rights
Merchants in scope of GDPR have these rights, exercisable by emailing support@usefindable.ai with the request and your shop domain:
- Access: a copy of the data we hold about your shop, in JSON, within 30 days.
- Rectification: correct any inaccurate data; most of it is mirrored from your Shopify store and updating it there propagates here.
- Erasure: uninstall the App and Shopify fires the shop/redact webhook 48 hours later; we delete everything on receipt.
- Portability: export generated articles directly from your Shopify blog (they live there as Shopify-native articles).
- Restriction or objection: request a pause of analytics or error monitoring processing (we'll honor it for legitimate-interest activities).
- Complaint: lodge with your local data protection authority. EU directory at edpb.europa.eu. UK: ico.org.uk.
GDPR webhooks (Shopify mandatory)
We implement all three Shopify GDPR webhooks:
| Webhook | When Shopify fires it | What we do |
|---|---|---|
| customers/data_request | A customer of yours requests their data | We don't hold customer data; we email the shop owner a confirmation noting this. |
| customers/redact | A customer of yours requests deletion | We don't hold customer data; we treat this as a safety net and confirm no records exist. |
| shop/redact | 48 hours after uninstall | We acknowledge the webhook within Shopify's 48-hour window and complete deletion within 30 days (typically same-day). |
Sub-processors
See the sub-processors table in our privacy policy for the full list. All are US-based or operate global edge networks that include the US.
International transfers
For merchants in the EU, UK, or jurisdictions with comparable cross-border transfer rules, we rely on Standard Contractual Clauses (SCCs) with each sub-processor where adequacy decisions don't apply, and the EU-US Data Privacy Framework where the sub-processor self-certifies. SCC copies available on request via support@usefindable.ai.
Security
- All data in transit over HTTPS / TLS 1.2+.
- Shopify access tokens encrypted at rest.
- Database access restricted to backend services; no human reads production data without an explicit audit-logged reason.
- Payment data never touches our systems; Shopify Billing handles all transactions.
- Quarterly review of access controls, dependency vulnerabilities, and incident response procedures.
Breach notification
If we discover a personal data breach likely to result in risk to the merchant, we notify the affected shop owner and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Art. 33-34.
Data Processing Addendum (DPA)
If your organization requires a signed DPA, email support@usefindable.ai with your shop domain. We provide a DPA that incorporates the European Commission's Standard Contractual Clauses (2021/914) as the transfer mechanism.
Contact
GDPR-related questions, DPA requests, or rights requests: support@usefindable.ai. Ziguru LLC, 1021 E Lincolnway, Cheyenne, WY 82001, USA.