Effective 2026-04-28.
Introduction
This Privacy Policy explains how Seaside Studio Ltd. ("we", "us", "our") collects, uses, stores, and shares information when you ("merchant", "you") install and use the Easy Omnibus — EU Lowest Price Shopify app (the "App"), and when end-customers of your Shopify store interact with App-rendered content on your storefront.
We act as a data processor on behalf of merchants for the limited personal data described under "Information about your end-customers", and as a data controller for the merchant account information described under "Information we collect from merchants".
This Policy is designed to comply with:
- The EU General Data Protection Regulation (GDPR)
- The UK GDPR and Data Protection Act 2018
- Shopify's Protected Customer Data and App Store privacy requirements
Who we are
Data controller: Seaside Studio Ltd.
Address: Shipka St. 18, office 203, Varna, Bulgaria
Contact / Data Protection enquiries: seaside@seasideapps.co
If you have any questions about this Policy or how we handle your data, please email seaside@seasideapps.co.
Information we collect from merchants
When you install and use the App, we collect the following information about your Shopify store and the person who installed it.
Shop and account data (from Shopify)
- Shop domain (e.g. your-store.myshopify.com)
- Shop ID, shop owner name, primary email, country, currency, and timezone
- Shopify access token used to call the Shopify Admin API on your behalf
- Subscription status, plan name, Shopify subscription/usage charge IDs, and trial dates
Product, variant, and market data
- Product, variant, and Shopify Markets metadata required to track prices (titles, IDs, prices, compare-at prices, currencies, market settings)
- Historical price snapshots (variant ID, market, price, compare-at price, timestamp) used to compute the lowest price over the last 30 days
App usage and technical data
- Pages and actions used inside the App (e.g. plan selection, market toggling)
- Background job and webhook logs (timestamps, status, error details)
- Standard request metadata such as IP address and user-agent on calls to our APIs
We do not collect payment card numbers. All billing is processed by Shopify via the Shopify AppSubscription and Usage Charge APIs.
Information about your end-customers
The App is designed to minimise processing of personal data about your customers.
- The on-storefront price block displays publicly available product price history. Rendering it does not require us to collect personal data about the visitor.
- Standard server logs (IP address, user-agent) may briefly be recorded when a storefront visitor's browser fetches price-history data from our API, in order to operate and secure the service.
- We do not receive customer names, addresses, payment data, or order data, and we do not set marketing or advertising cookies on your storefront.
If we ever receive personal data about your customers (for example, via
Shopify's customers/data_request or customers/redact webhooks), we act as
a data processor on your behalf and only use the data to respond to that
request.
How we use the information
We use the information described above to:
- Provide, operate, and maintain the App and its features (price tracking, price-history badge, market tracking)
- Authenticate your shop via Shopify OAuth and call the Shopify Admin API on your behalf
- Compute and display the lowest 30-day price required by the EU Omnibus Directive
- Manage subscriptions, trials, and usage charges via Shopify's billing APIs
- Send service emails (e.g. installation confirmation, billing notifications, important changes to the App)
- Provide customer support and respond to your enquiries
- Detect, prevent, and investigate fraud, abuse, and security incidents
- Comply with our legal obligations (e.g. tax, accounting, data subject requests)
- Improve the App through aggregated, non-identifying usage analysis
We do not sell your data, and we do not use it for advertising or to train third-party machine-learning models.
Legal bases for processing (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — to provide the App and process your subscription
- Legitimate interests (Art. 6(1)(f)) — to secure the App, prevent abuse, debug issues, and improve the service, where these interests are not overridden by your rights
- Legal obligation (Art. 6(1)(c)) — to respond to lawful requests, keep accounting records, and comply with data-subject rights
- Consent (Art. 6(1)(a)) — where we ask you to opt in to optional communications; you can withdraw consent at any time
When processing customer personal data on your behalf, we do so as a processor under your instructions, and you are the controller responsible for establishing the legal basis.
How we share information (sub-processors)
We share data only with the following categories of recipients, and only to the extent necessary to operate the App:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Shopify Inc. | Hosting platform, OAuth, Admin API, billing | Canada / global |
| Gadget (Gadget Inc.) | Application hosting, managed PostgreSQL database, background jobs | United States |
| Resend (Resend, Inc.) | Transactional email delivery | United States |
We require all sub-processors to provide adequate safeguards consistent with GDPR, including signing data processing agreements and, where relevant, EU Standard Contractual Clauses.
We may also disclose information when legally required (e.g. court order, regulator request) or to protect our rights, users, or the public.
We do not sell personal data to third parties.
International data transfers
Your data may be processed outside the European Economic Area (EEA) and the United Kingdom, including in the United States and Canada, where our hosting providers operate. Where data is transferred out of the EEA/UK, we rely on appropriate safeguards such as:
- EU Standard Contractual Clauses (and the UK addendum) with our sub-processors
- The EU-US Data Privacy Framework where the recipient is certified
- Other lawful transfer mechanisms permitted under Art. 46 GDPR
Copies of the relevant transfer mechanisms are available on request from seaside@seasideapps.co.
Data retention
| Data category | Retention |
| --- | --- |
| Shop account & subscription data | While the App is installed, plus up to 90 days after uninstall to handle re-installs and accounting |
| Price history (priceChange records) | 30 days rolling, then automatically deleted by our cleanup job (priceChangeCleanup) |
| Webhook & application logs | Up to 90 days for debugging and security |
| Billing records (invoice metadata) | Retained for the period required by tax law (typically 6–10 years) |
| Support correspondence | Up to 24 months after the issue is resolved |
When you uninstall the App, or upon receipt of Shopify's shop/redact
webhook (sent ~48 hours after uninstall, or 7 days for shops with no orders,
per Shopify's policy), we delete or anonymise your shop's personal data
within the timeframe required by Shopify's Protected Customer Data rules.
Your rights
If GDPR or UK GDPR applies to you, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Data portability — receive your data in a machine-readable format
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with your supervisory authority (e.g. your national Data Protection Authority)
To exercise any of these rights, email seaside@seasideapps.co. We will respond within one month.
If you are an end-customer of a merchant using the App, please contact the merchant directly first; they are the controller of their customer data, and we will assist them in fulfilling your request.
Shopify customer-data requests
To comply with Shopify's mandatory privacy webhooks, we handle the following:
- customers/data_request — When a customer requests their data, we forward the request to the merchant. As described above, we do not store identifiable customer data, so there is typically nothing for us to return.
- customers/redact — We confirm that no customer-identifying records exist in our systems, and delete any incidental log entries that reference the customer where applicable.
- shop/redact — Within 30 days of receipt, we delete all personal data associated with the uninstalled shop, including price history, shop account data, and any cached Shopify access tokens.
Security
We apply industry-standard measures to protect your data, including:
- TLS encryption in transit
- Encryption at rest for the managed database (provided by Gadget)
- Tenant isolation: every record is scoped to a shopifyShop tenant and cross-shop access is blocked at the framework level
- Principle of least privilege for application roles (shopify-app-users, unauthenticated, system-admin)
- Limited Shopify scopes — we request only read_products, write_products, read_markets, and read_themes
- Audit logging of administrative actions
- Regular dependency and security updates
No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you without undue delay and within the 72-hour window required by GDPR where applicable.
Cookies and tracking
The merchant-facing App is embedded in the Shopify Admin and uses only the cookies and storage required for authentication and session management (set by Shopify App Bridge and our own session). We do not use third-party advertising or analytics cookies in the merchant App.
The storefront price block does not set cookies and does not load third-party tracking scripts.
Children's data
The App is intended for business use by Shopify merchants and is not directed at children under the age of 16. We do not knowingly collect personal data from children.
Changes to this policy
We may update this Policy from time to time to reflect changes in the App, in law, or in our practices. The "Last updated" date above will always reflect the latest version. Material changes will be communicated by email to the shop owner and/or via an in-App notice at least 14 days before they take effect.
Contact us
For any privacy-related questions, requests, or complaints:
Seaside Studio Ltd.
Shipka St. 18, office 203, Varna, Bulgaria
Email: seaside@seasideapps.co
You also have the right to contact your local data protection authority. A list of EU/EEA authorities is available at edpb.europa.eu/about-edpb/board/members_en. UK users can contact the ICO at ico.org.uk.