Privacy Policy - Cues
Effective Date: 3rd March 2026
Last Updated: 3rd March 2026
1. Introduction
Optizio Ltd (“we,” “us,” or “our”) operates the Cues Shopify application (“App”). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our App.
Company Information:
- Company Name: Optizio Ltd
- Address: 124 City Road, London, EC1V 2NX, United Kingdom
- Data Protection Officer: David Spanton
- Contact: support@optiz.io
When you install and use our App, we collect:
- Store Information: Store name, store ID, URL, Shopify plan, and country
- User Information: Names and email addresses of store staff who interact with the App’s admin interface
- Configuration Data: Cue definitions including trigger conditions, action content, capture field labels, and surface assignments stored as Shopify metaobjects
- Technical Information: System information, app usage data, and performance metrics
- Usage Events: Cue creation, update, and deletion events for analytics and billing purposes
- We do not collect personal data from your customers (end-users)
- We do not store or process credit card information
- We do not collect order data, customer data, or checkout information
- We do not collect unnecessary personal information beyond what is required for app functionality
3.1 Primary Uses
We use the collected information for:
- App Functionality: Providing and maintaining cue configuration, trigger evaluation, and action delivery on POS devices
- Support Services: Responding to your inquiries and providing technical support
- Product Updates: Communicating important app updates and new features
- Analytics: Understanding app performance and usage patterns to improve our services
- Billing: Tracking usage events for subscription and billing purposes
3.2 Legal Basis for Processing
We rely on different legal bases depending on jurisdiction:
- GDPR (EU/UK): Primarily legitimate interest for app functionality and business operations; contract performance where processing is necessary to fulfill our agreement with you
- Consent-based jurisdictions (Brazil LGPD, India DPDP, South Korea PIPA): Explicit consent obtained during app installation and configuration
- US State Laws: Legitimate interest for app functionality, with consent obtained where required by specific state requirements
- Other jurisdictions: Appropriate legal basis as required by local privacy laws
3.3 Consent Management
For jurisdictions requiring explicit consent, we:
- Obtain clear, informed consent during app installation and setup
- Provide easy mechanisms to withdraw consent through app settings or email
- Maintain records of consent and withdrawal for compliance purposes
- Re-obtain consent when required by law or when expanding data processing activities
- Honor consent withdrawal by ceasing relevant processing activities
4.1 Third-Party Service Providers
We share information with the following trusted third-party services:
Cloudflare
- Purpose: Application hosting, session storage, and caching for app functionality
- Data Shared: Technical and configuration data necessary for app operation
- Compliance: GDPR compliant with appropriate data processing agreements
Mantle
- Purpose: Business operations platform for billing, subscription management, and usage analytics
- Data Shared: Store information and usage events (cue creation, update, and deletion)
- Compliance: Operates under a Data Processing Addendum
4.2 Shopify Integration
We share data with Shopify only as required for app functionality and in accordance with Shopify’s Partner Program requirements. Cue configuration data is stored as Shopify metaobjects within your store.
4.3 What We Don’t Share
- We do not sell, rent, or trade your personal information
- We do not share your data with advertisers or marketing companies
- We do not provide your information to third parties except as described in this policy
5. Data Security
We implement comprehensive security measures to protect your information:
- Encryption: All sensitive data is encrypted both at rest and in transit using industry-standard encryption (AES-256)
- Access Controls: Access to data is granted based on job roles and the principle of least privilege
- Authentication: Multi-factor authentication (MFA) is required for all critical systems
- Regular Updates: We maintain up-to-date software and security patches
- Monitoring: Continuous monitoring for security threats and incidents
- Compliance: We follow Shopify’s secure app development guidelines and maintain comprehensive security policies
For detailed information about our security practices, please refer to our Information Security Policy.
6. Data Retention
6.1 Retention Periods
We automatically delete data according to these schedules:
- App Configuration/Session Data: On app uninstall (automatic deletion)
- Cue Configuration Data: Stored as Shopify metaobjects within your store; removed when you delete them or uninstall the app
- Usage Events: Retained for billing and analytics purposes for the duration of your subscription
- Support Data: 3 years after last interaction
These retention periods comply with data minimization principles and are designed to meet the requirements of all applicable privacy laws.
6.2 Data Deletion
Upon request or at the end of retention periods, we will permanently delete your information from our systems and instruct our third-party service providers to do the same.
6.3 Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify relevant supervisory authorities within 72 hours where required by law
- Notify affected individuals without undue delay
- Provide clear information about the nature of the breach and steps being taken
- Comply with jurisdiction-specific notification requirements (GDPR, US state laws, PIPEDA, etc.)
- Follow New York SHIELD Act requirements for data security and breach notification
7. Your Rights and Choices
7.1 General Rights
You have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to our processing of your personal information
7.2 GDPR Rights (EU/UK Users)
If you are located in the EU or UK, you have additional rights under GDPR:
- Right to restrict processing
- Right to data portability
- Right to object to processing based on legitimate interest
- Right to withdraw consent where processing is based on consent
7.3 US State Privacy Rights
California (CCPA/CPRA): If you are a California resident, you have rights under the California Consumer Privacy Act:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt out of the sale of personal information (note: we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
Virginia (VCDPA): If you are a Virginia resident, you have rights under the Virginia Consumer Data Protection Act:
- Right to access, correct, and delete personal information
- Right to opt out of targeted advertising and profiling
- Right to non-discrimination for exercising your privacy rights
Colorado (CPA): If you are a Colorado resident, you have rights under the Colorado Privacy Act:
- Right to access, correct, and delete personal information
- Right to opt out of targeted advertising and profiling
- Right to data portability
Connecticut (CTDPA): If you are a Connecticut resident, you have rights under the Connecticut Data Privacy Act:
- Right to access, correct, and delete personal information
- Right to opt out of targeted advertising and profiling
- Right to data portability
Utah (UCPA): If you are a Utah resident, you have rights under the Utah Consumer Privacy Act:
- Right to access and delete personal information
- Right to opt out of targeted advertising
- Right to non-discrimination for exercising your privacy rights
7.4 US Federal Privacy Laws
COPPA (Children’s Online Privacy Protection Act): See Section 9 for our children’s privacy practices and age-appropriate data handling.
7.5 How to Exercise Your Rights
To exercise any of these rights:
- Through Shopify: Use Shopify’s built-in data request mechanisms
- Email Us: Contact support@optiz.io
- Response Time: We typically respond within 2 business days
8. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:
- EU/UK: We comply with GDPR requirements for international transfers
- Third-Party Services: Our service providers (Cloudflare, Mantle) maintain appropriate data protection agreements and comply with applicable privacy laws
- Safeguards: We ensure adequate protection through contractual obligations and compliance certifications
9. Children’s Privacy
Our App is not intended for use by individuals under the applicable age of digital consent. We do not knowingly collect personal information from children under the relevant age threshold:
- GDPR (EU/UK): 16 years (or lower age set by member state law)
- COPPA (USA): 13 years
- PIPEDA (Canada): 13 years
- South Korea: 14 years
- Other jurisdictions: As required by local law
If you believe we have inadvertently collected information from a child under the applicable age, please contact us immediately and we will take steps to remove such information.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the “Last Updated” date at the top of this policy
- For significant changes, we will notify you via email (if provided) or through in-app notifications
- We will provide at least 30 days' advance notice of material changes
- Continued use of the App after changes constitutes acceptance of the updated policy
11. Compliance with Local Laws
11.1 Primary Jurisdictions
This Privacy Policy is designed to comply with privacy laws in multiple jurisdictions, including:
- GDPR (European Union and United Kingdom)
- US State Privacy Laws (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA)
- US Federal Laws (COPPA, New York SHIELD Act)
- PIPEDA (Canada)
11.2 Additional Jurisdictions
If you have questions about how local privacy laws apply to your use of our App, please contact us.
For questions about this Privacy Policy or to exercise your privacy rights:
Data Protection Officer: David Spanton
Email: support@optiz.io
Address: Optizio Ltd, 124 City Road, London, EC1V 2NX, United Kingdom
For GDPR-related inquiries in the EU/UK:
You also have the right to lodge a complaint with your local data protection authority.
For CCPA-related inquiries in California:
You may contact the California Attorney General’s office regarding privacy concerns.
This Privacy Policy is effective as of 3rd March 2026 and governs your use of the Cues Shopify application.