Privacy Policy
1. About This Policy
This Privacy Policy explains how VaultifyUK Labs ("VaultifyUK Labs", "we", "us", "our") collects, uses, stores, and shares information when you access or use any of our Services.
"Services" means any software application, SaaS platform, API, website, integration, developer tool, or other product or service operated or published by VaultifyUK Labs, whether accessed directly or through a third-party platform such as the Shopify App Store.
This Policy applies to all of our Services unless a specific Service has a supplementary privacy notice, in which case both this Policy and that notice apply together.
2. Who We Are and How to Contact Us
VaultifyUK Labs is a software publisher and technology services company.
VaultifyUK Labs is operated by VaultifyUK Limited.
Company Number: 16878679 Registered Office: Unimix House Abbey Road, Unit 53c, London, England, NW10 7TR
Data Controller: VaultifyUK Limited (trading as VaultifyUK Labs) Email: privacy@labs.vaultifyuk.co.uk
For the purposes of UK data protection law, VaultifyUK Labs is the data controller for personal information we collect and process in our own right. Where we process personal data on your behalf (for example, data from your connected platform account), we act as a data processor — see Section 6.
3. Information We Collect
The categories of information we collect depend on which Services you use. We collect information you provide directly to us, information generated automatically through your use of our Services, and information received from third-party platforms you connect to our Services.
3.1 Account Information
Information you provide when registering for or signing in to a Service, such as your name, email address, business name, and authentication credentials. Where a Service is accessed through a third-party platform (such as Shopify), we may receive account identifiers and authentication tokens from that platform.
3.2 Store and Platform Information
For Services that integrate with third-party platforms, we may receive information about your connected account, including store or organisation domain, platform-assigned identifiers, plan information, installed scopes, and platform-level configuration.
3.3 Product and Catalogue Information
Some of our Services require access to data held in your connected platform account in order to function. For example, some Services may process Shopify product and collection data in order to provide automation or merchandising functionality. We access such data only to the extent necessary to deliver the Service you have subscribed to.
3.4 Configuration Information
Settings, rules, preferences, configurations, and customisations you create within our Services.
3.5 Usage Information
Information about how you interact with our Services, including features used, actions taken, pages and screens visited, session duration, and event logs.
3.6 Diagnostic Information
Technical information generated during the operation of our Services, including error reports, exception traces, performance metrics, queue metrics, and system logs. This information is used to identify and resolve issues and to improve reliability.
3.7 Billing Information
Subscription tier, billing period, payment history, and billing contact details. Where payment is processed through a third-party platform (such as the Shopify billing system) or a payment processor, we receive confirmation of payment but do not store full payment card numbers. Card data is handled directly by the relevant platform or payment processor.
3.8 Support Communications
The content of messages, attachments, and any other information you provide when you contact us for support or account assistance.
3.9 Technical and Device Information
IP addresses, browser type and version, operating system, referring URLs, and similar technical data collected when you visit our websites or interact with our Services over the internet. This information may be collected through server logs, cookies, or similar technologies.
4. How We Use Your Information
We use the information we collect to:
- Provide and operate our Services — delivering the features and functionality you have subscribed to, including processing platform data on your behalf where a Service requires it
- Manage your account — account creation, authentication, access control, and subscription management
- Process payments — billing, invoicing, and handling subscription changes
- Communicate with you — service notifications, billing communications, responses to support requests, security alerts, and material updates about our Services
- Improve our Services — analysing usage patterns, diagnosing errors, monitoring performance, and developing new features and products
- Ensure security and prevent abuse — detecting and investigating unauthorised access, fraud, and policy violations
- Comply with legal obligations — meeting our obligations under applicable law, including data protection, financial, and tax law
5. Legal Basis for Processing (UK GDPR)
Where UK data protection law applies, we rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Providing the Services you have subscribed to | Performance of a contract (Article 6(1)(b)) |
| Processing platform data on your behalf | Performance of a contract (Article 6(1)(b)) |
| Billing and subscription management | Performance of a contract (Article 6(1)(b)) |
| Account security and authentication | Performance of a contract (Article 6(1)(b)) |
| Improving and securing our Services | Legitimate interests (Article 6(1)(f)) |
| Fraud prevention and abuse detection | Legitimate interests (Article 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
| Marketing communications (where applicable) | Consent (Article 6(1)(a)) |
Where we rely on legitimate interests, you have the right to object to that processing. Please see Section 10 (Your Rights).
6. Data We Process on Your Behalf
When you use a Service that accesses or processes data from a third-party platform account (such as a Shopify store), you are the data controller for the personal data of your customers and end users within that account. We process such data only as a data processor, acting on your instructions to the extent necessary to deliver the Service.
In this capacity, we:
- process data only for the purposes set out in these Terms and our Terms of Service
- do not use your customers' personal data for our own marketing or commercial purposes
- implement appropriate technical and organisational security measures
- assist you in meeting your own data protection obligations, including responding to data subject requests where the data is within our control
If you require a Data Processing Agreement (DPA) — for example, to evidence your own GDPR compliance — please contact us at privacy@labs.vaultifyuk.co.uk.
7. Platform Data Deletion Obligations
Where our Services integrate with third-party platforms, we are subject to data deletion obligations imposed by those platforms in addition to our obligations under applicable law.
For Shopify applications specifically:
- When a merchant uninstalls an application, we delete or anonymise all data associated with that merchant's store within 30 days of receipt of the platform's shop redaction notification, unless a longer retention period is required by applicable law.
- When we receive a customer data erasure request through the platform's mandatory webhook mechanism, we delete or anonymise the relevant customer data from our systems within 30 days of receipt of that request, unless a longer retention period is required by applicable law.
- When we receive a customer data access request through the platform's mandatory webhook mechanism, we identify and make available all personal data we hold about that customer.
These obligations are in addition to, and do not limit, your rights under Section 10.
8. Sharing Your Information
We do not sell your personal information.
We may share information with:
Service providers and sub-processors. Third-party companies we use to operate our Services and business, such as cloud hosting providers, database providers, monitoring and logging services, email delivery providers, and payment processors. These parties process information only on our behalf, under our instructions, and are bound by confidentiality and security obligations. A current list of sub-processors used to provide our Services is available at labs.vaultifyuk.co.uk/subprocessors.
Third-party platform operators. Where a Service integrates with a third-party platform (such as Shopify), information is exchanged with that platform as required to operate the integration and to comply with the platform's policies.
Legal and regulatory authorities. Where we are required to disclose information by applicable law, a court order, or a regulatory obligation, or where we believe disclosure is necessary to protect rights, safety, or property.
Business transfers. In connection with a merger, acquisition, restructuring, or sale of assets, subject to confidentiality obligations. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.
We require all third parties to whom we disclose personal data to implement appropriate security measures and to use the data only for the purposes for which it was disclosed.
9. Data Retention
We retain your information for as long as is necessary to:
- maintain your account and deliver the Services you have subscribed to
- meet our legal, regulatory, financial, and contractual obligations
- resolve disputes and enforce our agreements
When you close your account or we terminate your access to a Service, we will delete or anonymise your personal information within 30 days, subject to any overriding legal obligation to retain it. Certain records, such as billing history and transactional records, may be retained for longer periods to comply with financial and tax law.
Where we process data as a processor on behalf of a third-party platform's merchant (see Section 7), the relevant retention period is governed by the platform's data deletion schedule as well as our own obligations.
10. Your Rights
Under UK data protection law, you have the following rights:
Right of access. You may request a copy of the personal information we hold about you.
Right to rectification. You may request correction of personal information that is inaccurate or incomplete.
Right to erasure. You may request deletion of your personal information in certain circumstances, including where it is no longer necessary for the purposes for which it was collected.
Right to restriction. You may request that we restrict processing of your personal information in certain circumstances.
Right to data portability. You may request that we provide your personal information in a structured, commonly used, machine-readable format, or that we transmit it directly to another controller where technically feasible.
Right to object. You may object to processing based on legitimate interests, including profiling. You may also object to direct marketing at any time.
Right to withdraw consent. Where we rely on your consent to process personal information, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at privacy@labs.vaultifyuk.co.uk. We will respond within one calendar month of receiving your request. We may need to verify your identity before processing a request.
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Website: ico.org.uk Helpline: 0303 123 1113
11. International Transfers
Our Services are primarily hosted within the United Kingdom and/or the European Economic Area. Where we transfer personal data to countries that do not benefit from a UK adequacy decision, we ensure that appropriate safeguards are in place, such as the use of International Data Transfer Agreements (IDTAs) or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
12. Security
We implement appropriate technical and organisational measures designed to protect your personal information against unauthorised access, accidental loss, destruction, or alteration. These measures include access controls, encryption of data in transit, and regular security review of our systems and practices.
No method of electronic transmission or storage is completely secure. In the event of a personal data breach that is likely to result in risk to individuals, we will notify the ICO and, where required, the affected individuals within the timeframes required by law.
13. Cookies and Similar Technologies
Our websites and some of our Services use cookies and similar technologies for purposes such as authentication and session management. Where required by law, we obtain your consent before placing non-essential cookies.
Our Cookie Notice sets out the specific cookies we use, their purposes, and how to manage them: labs.vaultifyuk.co.uk/cookies.
14. Links to Third-Party Services
Our Services may include links to third-party websites or integrate with third-party platforms. This Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you interact with.
15. Children
Our Services are not directed at individuals under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without appropriate consent, we will delete it promptly. If you believe this has occurred, contact us at privacy@labs.vaultifyuk.co.uk.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our Services, our data practices, or applicable law. When we make material changes, we will notify you by email or by posting a notice within the relevant Service before the changes take effect. The "Last updated" date at the top of this Policy reflects the most recent revision.
Continued use of our Services after the effective date of a revised Policy constitutes your acceptance of the changes.
17. Contact and Data Protection Enquiries
For questions about this Policy, to exercise your data subject rights, or to request a Data Processing Agreement:
VaultifyUK Labs Email: privacy@labs.vaultifyuk.co.uk