Privacy Policy – PROGUS

1. Data Controller and Collection of Personal Data

Progus sp. z o.o., with its registered office at ul. Sklepowa 27, 97-500 Radomsko, Poland, registered in the Polish National Court Register (KRS) under number 0001078024, NIP 7722434496, share capital PLN 10,000.00 (hereinafter "PROGUS"), is the controller responsible for processing personal data related to the use of our Services and website functionalities. We collect data provided by users as well as data automatically gathered during the use of our Services, in accordance with:

• Regulation (EU) 2016/679 (GDPR)
• The California Consumer Privacy Act (CCPA)
• Nevada state regulations

2. Contact Information

All inquiries regarding this Privacy Policy or your data rights should be directed to:
[email protected]

We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 GDPR. All data-protection matters can be addressed to the contact above.

3. Purposes and Legal Grounds for Personal Data Processing

We may process your personal data for the following purposes:

A. Use of Services:
We process data to perform a contract (Art. 6(1)(b) GDPR), to comply with legal obligations (Art. 6(1)(c) GDPR), to protect our legitimate interests, and to pursue claims.

B. Contact (Chat/Email):
We process data to respond to your inquiries based on our legitimate interests (Art. 6(1)(f) GDPR) and, where your inquiry concerns entering into or performing a contract, to take steps at your request prior to entering into a contract and to perform it (Art. 6(1)(b) GDPR).

C. Marketing and Newsletter:
We send newsletters and electronic (email/SMS) marketing communications on the basis of your consent (Art. 6(1)(a) GDPR), which you may withdraw at any time by unsubscribing, without affecting the lawfulness of processing carried out before withdrawal. We may also process data for direct marketing of our own similar products and services based on our legitimate interests (Art. 6(1)(f) GDPR), to which you may object at any time.

D. Social Media:
We process data for communication and marketing purposes (Art. 6(1)(f) GDPR) – your name (or pseudonym) and photo will be visible.

E. Job Applications:
We process recruitment data; providing such data is voluntary but often necessary.

4. Types of Data Processing

We may collect and process various forms of personal data based on the functionalities you utilize:

A. Services: If you access and use our Services, we will process your identification data, including your name, surname, country and email address.

We may also automatically collect information, including:

• Usage and log information, encompassing data on your activity, log files, diagnostic, crash, website, and performance logs and reports.
• Subscription information.
• Location information, such as location name, location address, latitude and longitude, and location contact details: email, phone, fax.

B. Contacting Us: When contacting us via our contact form (chat) or email, we will process your identification data, such as your name and email address, along with any other data you provide.

C. Marketing and Newsletter: Your email address will be processed if you subscribe to our newsletter or consent to marketing of our services.

D. Social Media: When you interact with our social media profiles, we may process personal data posted on your profile and other data related to our use of social media functionality.

E. Job Applications: In the case of job applications, we may process your personal data in accordance with the Labour Code and other specific laws as required by legal provisions.

5. Right to Object

Users have the right, at any time, to object to the processing of their data based on legitimate interests or for marketing purposes. In such cases, we will cease processing unless overriding grounds exist (e.g., pursuing claims).

6. Data Retention

We retain data as follows:

• For the duration of the account service, until the account is deleted by the user, or until the service (application) is uninstalled.
• During the term of contracts and as required by legal obligations.
• For the duration of pursuing claims.
• Until an objection is raised or the legitimate interests expire.
• As part of dispute resolution, marketing activities, social interactions, and the recruitment process (up to 48 months or until consent is withdrawn).
• Technical logs: Retained for 8 days.

7. Data recipients

Data may be transferred to service providers supporting our activities, such as:

• Web hosting providers (for websites and services)
• Data storage entities
• ICT service providers
• Social media providers (e.g., Meta Platforms Ireland Limited, X Corp. (formerly Twitter, Inc.), Google LLC)
• IT companies, law firms, auditors, and other entities that are legally required to receive data.

We use third-party services, including Heroku (Salesforce), Amazon Web Services (AWS), Fly.io, and Cloudflare, to host, secure, and deliver our applications. These services may process personal data, such as IP addresses and location information, on our behalf. For more information about how these providers handle data, please refer to their respective privacy policies: Heroku Privacy Policy, AWS Privacy Policy, Fly.io Privacy Policy, and Cloudflare Privacy Policy.

We use Gleap, a third-party customer support platform, to provide live chat functionality and assist you with your inquiries. When you use the chat feature, Gleap may process personal data, such as your name, email address, and the content of your messages. This data is processed in accordance with Gleap's privacy policy, which you can find here: Gleap Privacy Policy.

We use Brevo (Sendinblue) as our email and customer-relationship (CRM) platform. Across our website and applications we may synchronise contact details of account owners and users (such as the email address, name, and basic app-usage information) to Brevo in order to send service-related and product communications and to manage our mailing lists, based on our legitimate interests or your consent where required. You can unsubscribe at any time. More information is available in the Brevo Privacy Policy.

Some of the service providers we use (including Heroku, Amazon Web Services, Cloudflare, Gleap, OpenAI, fal.ai, Klaviyo, and MSG91) are based outside the European Economic Area (EEA), including in the United States and India. In such cases, the transfer of personal data is conducted in accordance with the requirements of the GDPR, based on the European Commission’s Standard Contractual Clauses (SCCs) or under the EU–US Data Privacy Framework (DPF) for certified entities, ensuring an adequate level of data protection.

8. Your Rights as a Data Subject

Users have the right to:

• Obtain information regarding data processing
• Access their data
• Rectify inaccurate or incomplete data
• Request deletion of data ("right to be forgotten"), subject to exceptions
• Restrict processing
• Request data portability
• Object to data processing (including for marketing purposes)
• Withdraw consent (without affecting the lawfulness of previous processing)
• Lodge a complaint with a data protection authority
• Request explanation and human intervention in the case of automated decision-making

We provide these services free of charge unless the requests are manifestly unfounded.

9. Information on Data Transfers Outside of the EEA

Although most data is processed within the EEA, some data may be transferred to the USA or other countries outside the EEA, in accordance with the GDPR and subject to appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), the EU–US Data Privacy Framework, or an adequacy decision. You may lodge a complaint regarding the processing of your personal data with a supervisory authority — in Poland, the President of the Personal Data Protection Office (UODO) — or with the authority in your country of residence.

10. Automated Decision-Making, Including Profiling

Some of our applications use automated processing and artificial intelligence to generate content and suggestions (for example product images, subscription-plan suggestions, and upsell or cross-sell recommendations). These features assist merchants and do not make decisions that produce legal or similarly significant effects concerning an individual within the meaning of Article 22 GDPR. We may also use cookie-based profiling for analytics and marketing, subject to your consent where required. Where any solely automated decision producing legal or similarly significant effects is ever made, you have the right to obtain human intervention, to express your point of view, and to contest the decision.

11. Security of Your Personal Data

We implement measures to protect data against loss, destruction, unauthorized access, or disclosure; however, no method of transmission or storage guarantees 100% security. We act in accordance with EU and USA regulations.

We ensure data security through encryption:

• Data transmitted is encrypted using the SSL/TLS protocol.
• Data stored in our database is encrypted using the AES-256 algorithm.

We have also implemented Data Loss Prevention (DLP) strategies by:

• Monitoring data flow,
• Limiting access – only a minimal group of employees have access,
• Logging – every access to personal data is recorded,
• Conducting periodic employee training.

To further ensure the security of data stored in our database, we regularly perform backups. These backups are securely stored and may be used to restore data in the event of a system failure. Backups are retained for a specified period, and only authorized personnel have access to them.

12. Cookies

We use cookies to:

• Provide and secure our Services (web/desktop)
• Enhance user experience, personalization, and FAQ analysis
• Remember user preferences (e.g., language)
• Distinguish mobile users from desktop users
• Display advertisements, offers, and promotions

We use essential, preference, statistical, marketing, and unclassified cookies. Blocking cookies may affect the functionality of the site. Removal instructions are available for popular browsers (Firefox, Opera, Internet Explorer, Chrome, Safari).

We use Cookiebot by Usercentrics to collect, manage, and document cookie consents and consent withdrawals. Consent preferences can be changed or withdrawn at any time via the cookie settings available on our website. More information about Cookiebot and Usercentrics is available here: Cookiebot Privacy Policy.

Subject to the user’s consent where required, we use Google Tag Manager to manage measurement tags, Google Analytics 4 to measure website and application usage (including page views, interactions, and conversions), and Google Ads to measure campaign performance and conversions and, where permitted, support advertising features. These tools may process data such as cookie identifiers, device/browser information, IP address, approximate location, pages visited, and conversion events. Where applicable, analytics and marketing cookies are activated only in accordance with the user’s consent choices collected through Cookiebot. More information about how Google processes data is available here: Google Privacy Policy and How Google uses information from sites and apps.

13. Information and Notice for California Residents

This section covers the collection, use, disclosure, and sale of personal data of California consumers in accordance with the CCPA and the California Privacy Rights Act. It relates to data from the previous calendar year and is updated annually.

• We do not sell personal information for money. On our website, advertising and analytics technologies (such as Google Ads, Google Analytics, and the Meta Pixel) load only after you opt in through our Cookiebot consent banner, which blocks them until you consent; if you do not consent, no related "sharing" for cross-context behavioral advertising takes place. In the Progus COD application, conversion tracking (Meta, TikTok, and Google Ads) operates only where the merchant enables it. Where the CPRA applies to us, California residents may opt out of any such "sharing" using the "Do Not Sell or Share My Personal Information" control on our website, and we honor recognized opt-out preference signals (such as the Global Privacy Control) where we are required to do so.
• We do not use or disclose sensitive personal information (SPI) for purposes that would trigger the right to limit its use under the CPRA.
• Data may be used for the business and commercial purposes described in this Policy.

Users have the right to access, rectify, delete, and port their data. Please direct requests to:
PROGUS, Sklepowa 27, Radomsko, Poland (Attn: CCPA Request).

14. Nevada Residents

Nevada law allows customers to "opt out" of the sale of certain personal information, known as "covered information." We do not sell covered information as defined in the law, and we have no plans to change this practice. If you wish to be notified if we change this practice, you can email us and provide your name, Nevada resident address, and email address. We will contact you if there are any changes, and you can complete your opt-out at that time. If your contact information changes, please contact us to update it. We may share your data for different purposes as explained in this Privacy Policy, which are separate from your opt-out request.

15. Links to Other Sites

Our website and applications may contain links to, or integrations with, third-party websites and services that we do not control (for example Shopify, payment providers, social media, and the providers listed in this Policy). This Privacy Policy does not apply to those third parties, and we are not responsible for their content or privacy practices. We encourage you to review the privacy policy of any third-party website or service you use.

16. Children's Privacy

Our Services are directed to businesses and are not intended for children. We do not knowingly collect personal data from children under the age of 16 (or the lower minimum age of digital consent that may apply in your country, which in some jurisdictions is 13). If we learn that we have collected such data without the consent of a parent or legal guardian, we will take steps to delete it.

17. Changes to this Privacy Policy

This Privacy Policy may be updated periodically. Changes will be communicated by publishing a new version on the website, with the last updated date clearly indicated at the beginning of the document.

18. Incident Response and Data Breach Notification

We have implemented an internal Incident Response Policy to promptly detect, investigate, and mitigate security incidents.

In the event of a personal data breach that poses a risk to your rights or freedoms, we will:

• Immediately work to contain and eliminate the threat,
• Assess the impact and affected data,
• Notify the competent supervisory authority (for example, the Polish Personal Data Protection Office) within 72 hours if required by applicable law,
• Inform affected users without undue delay when the breach may result in a high risk to their rights and freedoms,
• Document the incident and the actions taken.

For security incidents not involving personal data, we will still investigate and take remediation measures to protect the Services and user accounts.

---

The above provisions apply to the progus.com website and to all services and applications offered by PROGUS SP. Z O.O. The following provisions apply exclusively to the specified services/applications.

Application-Specific Provisions

Merchant data and end-customer (shopper) data

Our applications are distributed mainly through the Shopify App Store, the Wix App Market, and WordPress.org. For the personal data of the merchants who install and use our applications (for example the account owner's name, email address, store domain, and billing details), PROGUS acts as the data controller.

Where an application processes the personal data of the merchant's own customers or store visitors (for example order, delivery, contact, or phone data), PROGUS acts as a data processor (sub-processor) and processes that data only on behalf of, and under the instructions of, the merchant, who remains the controller of that data. This processing is also governed by the data processing terms agreed with the merchant and by the relevant platform's terms (including, for Shopify apps, the Shopify API License and Terms of Use and Shopify's Protected Customer Data requirements).

Legal basis when we act as a processor. Where PROGUS acts as a processor, the legal basis for processing a shopper's personal data is determined by the merchant as controller — typically the performance of the merchant's contract with the shopper (Art. 6(1)(b) GDPR) and the legitimate interests of the merchant and PROGUS in operating, securing, and preventing fraud in the service (Art. 6(1)(f) GDPR). Transactional messages such as the OTP verification SMS are sent as a necessary part of providing the requested service and are not marketing communications.

Shopify platform and data deletion

Our Shopify applications run on Shopify's infrastructure and access store data through Shopify's APIs, limited to the permissions (scopes) you grant when installing the app. We comply with Shopify's Protected Customer Data requirements and process Shopify's mandatory privacy/compliance webhooks (customers/data_request, customers/redact, and shop/redact). When you uninstall an application, or when we receive a verified data-deletion or data-access request through Shopify, we delete, redact, or provide the related personal data we hold, except where we are required to retain it by law. For more information, see the Shopify Privacy Policy.

Progus Affiliate Program

1. Purpose of Data Collection in the Affiliate Program

We operate an affiliate program (“Progus Partners”) that allows participants to earn commissions for referring new users to our products and services.

When a visitor clicks on an affiliate link, we may store small text files (cookies) in their browser to identify the referring partner. These cookies typically contain a unique partner ID and are used solely for tracking referrals and attributing commissions.

The data processed in connection with the affiliate program may include:

• Partner identification details (e.g., name, email address, partner ID).
• Referral and click statistics.
• Payout and payment details.

We process this data for the purpose of managing the affiliate program, calculating commissions, preventing fraud, and fulfilling contractual obligations with partners.

Affiliate tracking cookies are stored for a limited time (up to 45 days) unless the user manually deletes them earlier.

All data related to the affiliate program is processed by Progus sp. z o.o., in accordance with this Privacy Policy and applicable data protection laws (including the GDPR).

Progus Store Locator

1. Purpose of Data Collection in the Application

Progus Store Locator is an application for locating stores that enables the presentation of physical store locations on a map and their management. We use personal data collected from you and your customers to:

• Provide and operate the Service and the Application
• Communicate with you
• Optimize or improve the Application
• Provide you with information about our products or services

Your personal data is not sold or shared with anyone unless required by law.

2. Types of Personal Data Collected

Personal data includes, but is not limited to, information such as first name, last name, country, website URL, and email address. We may also automatically collect information, including:

Usage Data and Logs: Details about your activity, log files, diagnostics, failure reports, and performance data related to the website.

Location Information:

• Location name
• Location address
• Latitude and longitude of the location
• Opening hours
• Contact details (email, phone, fax)
• Social media links
• The location's website URL
• Tags, tag categories, and group names
• Location photos
• Translations of location data into other languages
• Appearance data for map markers
• Custom data fields created by the user

Customer Search Information on the Map: When a user searches for nearby locations on the map, the application may determine the user’s approximate location using either the browser’s geolocation feature (upon user consent) or IP-based geolocation. The application may process approximate geographic coordinates (latitude and longitude) or the address provided by the user to display nearby stores or service points. These data are used solely for the purpose of showing locations near the user or searched address. They are not combined with any personally identifiable information (such as IP address, user ID, or account data) and are not stored longer than necessary to provide the search result. IP-based geolocation data are processed in a generalized form (e.g., rounded coordinates or city-level accuracy) to prevent user identification.

Application Operation Data: History of location imports, connection data for file synchronization (e.g., Google Sheets), application settings, login sessions, and subscription data.

Our application allows you to search for and view the locations of businesses on a map. When you enter an address, it is sent to third-party services (Google Maps API or TomTom) to retrieve geographic coordinates (latitude and longitude). These services may process the address data in accordance with their own privacy policies. We store the coordinates to display the locations on the map and improve the functionality of the application. For more information about how these providers handle data, please refer to their respective privacy policies: Google Privacy Policy and TomTom Privacy Policy.

Payment Data:

Depending on the platform you use, payment processing may be handled by different providers:

For users of the application outside of Shopify and WIX:

• To process payments and manage subscriptions, we use an external payment provider — Paddle.
• Payment data (including the credit card number and billing address) is processed by Paddle and is subject to their privacy policy.
• Our application may retrieve and display some payment details (e.g., the last four digits of the card, billing address, and payment history) solely to enable users to manage their subscription plan.
• We do not store full credit card data or any other payment information on our servers.

Paddle Privacy Policy

For users of the application on Shopify:

All payment processing is handled directly by Shopify, with payment data processed according to Shopify's privacy policy and payment terms.

Shopify Privacy Policy

For users of the application on WIX:

All payment processing is conducted on the WIX side, with payment data processed by WIX according to their privacy policy.

Wix Privacy Policy

Progus COD Form & OTP SMS

1. Purpose of Data Collection in the Application

Progus COD Form & OTP SMS is a Shopify application that provides a Cash on Delivery (COD) order form, optional phone-number verification by SMS one-time password (OTP), and management of the visibility and limits of the COD payment method. We use personal data collected from you (the merchant) and from your store's customers to:

• Provide the COD order form: process the data a customer enters at checkout to create and manage their order.
• Verify phone numbers (OTP): when OTP verification is enabled, send a one-time code by SMS to the customer's phone number and confirm that the customer controls that number, in order to reduce fake and fraudulent COD orders.
• Prevent fraud and abuse: detect and block repeat fraudulent or abusive orders.
• Manage COD availability and limits: for stores on the free plan, count COD orders to enforce plan limits and, where configured, automatically disable the COD method and notify the store administrator when a limit is exceeded.
• Conversion tracking (optional): where the merchant enables it, forward order and conversion events to advertising and analytics platforms the merchant has connected.

By installing the application, you consent to the access and processing of the relevant Shopify data in accordance with this policy. Personal data is not sold.

2. Types of Personal Data Collected

Merchant data: identifying data such as your email address, account owner name, and store domain, together with subscription and usage/log information (activity, diagnostics, failure reports, and performance data).

Customer (shopper) data submitted in the COD form: first and last name, phone number, delivery address (street, city, postal code, country), and order contents (products, quantities, and totals).

Phone verification (OTP) data: to deliver the SMS code and to enforce sending limits and prevent abuse, we process the customer's phone number and country/calling code and log SMS events (such as send status, approximate destination metadata, and timestamps). SMS messages are delivered through our SMS gateway provider, MSG91, to which the destination phone number is transmitted solely to send the message. See the MSG91 Privacy Policy. OTP verification sessions are retained for up to 7 days and SMS event logs for up to 60 days, after which they are automatically deleted.

Fraud-prevention data: to detect repeat fraudulent or abusive orders we store irreversibly hashed identifiers (such as a hashed email address and hashed phone number) together with order-blocking events. We use hashing so that the raw identifiers are not retained for this purpose.

Order analysis: basic order information such as the order ID and selected payment method, processed to apply COD rules and limits. Orders you receive are stored in your Shopify store; we do not retain shopper order data beyond what is needed to provide the service.

Conversion tracking (merchant-controlled): where the merchant enables it, the application can forward order and conversion events to advertising and analytics platforms connected by the merchant, including Meta (Facebook) Pixel and Conversions API, TikTok, and Google Ads. This processing is configured and controlled by the merchant and is subject to those platforms' own privacy policies.

Payments: payment processing on Shopify is handled by Shopify in accordance with the Shopify Privacy Policy.

3. Relationship with the General Policy

All other rules regarding the legal basis for processing, data retention periods, security, and data sharing are defined in the general section of this privacy policy (sections 3, 6, 7, 11) and in the "Application-Specific Provisions" above, and apply equally to this application.

Progus Subscriptions

1. Purpose of Data Collection in the Application

Progus Subscriptions is a Shopify application that enables merchants to offer recurring subscription plans, manage subscription contracts, and give customers a portal to manage their subscriptions (for example to skip, pause, swap products, or update delivery). We use personal data collected from you and your store's customers to provide and operate the application, process recurring orders, communicate with you, and improve the service. Personal data is not sold.

2. Types of Personal Data Collected

Merchant data: email address, account owner name, store domain, subscription/billing status for the app, and usage and log information.

Subscription and customer data: subscription plan and contract details (intervals, discounts, plan names), the products and variants included, delivery schedules, and the related customer order records and customer email address. Recurring billing and payment are processed by Shopify; we do not store full payment-card data.

AI plan generator: to suggest subscription plans, the application may send store catalog data (such as product titles and attributes) to our AI provider, OpenAI, which processes it to generate suggestions. See the OpenAI Privacy Policy.

Klaviyo integration (optional): if the merchant connects Klaviyo, the application syncs subscription-related events and the associated customer email address to the merchant's own Klaviyo account, on the merchant's instruction, so that the merchant can send subscription communications. See the Klaviyo Privacy Policy.

3. Relationship with the General Policy

All other rules regarding the legal basis for processing, data retention periods, security, and data sharing are defined in the general section of this privacy policy (sections 3, 6, 7, 11) and in the "Application-Specific Provisions" above, and apply equally to this application.

Progus Trust Badges & Icons

1. Purpose of Data Collection in the Application

Progus Trust Badges & Icons is a Shopify application that lets merchants display trust badges, payment-method icons, and guarantee symbols on their storefront. The application is configuration-only and does not collect the personal data of store visitors for its own purposes; to the extent its content is served from our servers, limited technical data (such as IP address) may be processed transiently in server logs to deliver and secure the feature. Badges and icons are displayed without identifying shoppers.

2. Types of Personal Data Collected

Merchant data: email address, store domain, the application's display and customization settings, and usage and log information. Beyond the limited technical data described above, no customer (shopper) personal data is collected by this application for its own purposes.

3. Relationship with the General Policy

All other rules regarding the legal basis for processing, data retention periods, security, and data sharing are defined in the general section of this privacy policy (sections 3, 6, 7, 11) and in the "Application-Specific Provisions" above, and apply equally to this application.

Progus AI Studio

1. Purpose of Data Collection in the Application

Progus AI Studio is a Shopify application that uses artificial intelligence to generate product image variants (for example clean-background, studio, or lifestyle images) from a merchant's product photos and save them to the store's media library. The application processes the merchant's product content and does not collect the personal data of store visitors. Personal data is not sold.

2. Types of Personal Data Collected

Merchant data: email address, store domain, subscription/usage information, and usage and log data.

Product content: the product images and related product metadata you choose to process, together with the generated images. To generate images, this content is transmitted to and processed by our AI image-generation providers, OpenAI and fal.ai, and generated images may be stored using Amazon Web Services (AWS). See the OpenAI Privacy Policy, the fal.ai Privacy Policy, and the AWS Privacy Policy.

3. Relationship with the General Policy

All other rules regarding the legal basis for processing, data retention periods, security, and data sharing are defined in the general section of this privacy policy (sections 3, 6, 7, 11) and in the "Application-Specific Provisions" above, and apply equally to this application.

Progus Sticky Add to Cart Bar

1. Purpose of Data Collection in the Application

Progus Sticky Add to Cart Bar is a Shopify application that displays a persistent "add to cart" bar on product pages to improve conversion. The application works with product and storefront information and does not collect the personal data of store visitors for its own purposes; to the extent its content is served from our servers, limited technical data (such as IP address) may be processed transiently in server logs to deliver and secure the feature. Personal data is not sold.

2. Types of Personal Data Collected

Merchant data: email address, store domain, the application's display and customization settings, and usage and log information. The bar uses product information (such as title, price, and image) and the visitor's cart on their own device; beyond the limited technical data described above, no customer (shopper) personal data is collected by this application for its own purposes.

3. Relationship with the General Policy

All other rules regarding the legal basis for processing, data retention periods, security, and data sharing are defined in the general section of this privacy policy (sections 3, 6, 7, 11) and in the "Application-Specific Provisions" above, and apply equally to this application.

Progus Upsell AI

1. Purpose of Data Collection in the Application

Progus Upsell AI is a Shopify application that provides AI-driven upsell and cross-sell product recommendations at different stages of the shopping journey. We use data collected from the store to generate relevant product recommendations, operate and improve the application, and communicate with you. Personal data is not sold.

2. Types of Personal Data Collected

Merchant data: email address, store domain, subscription/usage information, and usage and log data.

Catalog and order data for recommendations: product and catalog information, cart contents, and order data used to generate recommendations. To produce recommendations, relevant catalog and order information may be transmitted to and processed by our AI provider, OpenAI. See the OpenAI Privacy Policy. This application does not process payment-card data.

3. Relationship with the General Policy

All other rules regarding the legal basis for processing, data retention periods, security, and data sharing are defined in the general section of this privacy policy (sections 3, 6, 7, 11) and in the "Application-Specific Provisions" above, and apply equally to this application.

InPost by Progus

1. Purpose of Data Collection in the Application

InPost by Progus is a Shopify application that lets a store's customers select an InPost parcel locker or pickup point during checkout and helps merchants generate shipping labels for InPost deliveries. We use personal data collected from you and your store's customers to provide locker selection, create shipments and labels, and enable delivery and tracking. Personal data is not sold.

2. Types of Personal Data Collected

Merchant data: email address, store domain, subscription/usage information, and usage and log data.

Customer (shopper) and shipment data: the selected parcel locker or pickup point, and the delivery details needed to create a shipment and label, which may include the customer's name, delivery/contact address, phone number, email address, and order/parcel information.

InPost carrier services: to display pickup points and to create shipments, labels, and tracking, the relevant data is transmitted to and processed by InPost (operated by InPost / Easypack) through its ShipX and points APIs. See the InPost Privacy Policy.

Map for locker selection: the parcel-locker selection map is provided using the Google Maps API, which may process technical data such as IP address and approximate location to render the map. See the Google Privacy Policy.

3. Relationship with the General Policy

All other rules regarding the legal basis for processing, data retention periods, security, and data sharing are defined in the general section of this privacy policy (sections 3, 6, 7, 11) and in the "Application-Specific Provisions" above, and apply equally to this application.