Who we are
YesPersonalized ("we", "our", "us") provides a Shopify application that enables Print-on-Demand merchants to offer personalized products to their customers. Our app URL is yespersonalised.com.
For the purposes of data protection law, we act as a data processor on behalf of merchants (data controllers) when processing their customers' personal data.
Personal data we process
We process the minimum personal data required to deliver our service:
Merchant data — collected when you install the app
- Shop domain — to identify your store and route requests
- Shopify access token — stored AES-256-GCM encrypted; used to call the Shopify API on your behalf
- Billing plan status — to enforce subscription limits
Customer data — collected when your customers personalise a product
- Personalisation inputs — text entered by customers (names, messages) and images uploaded by customers
- Shopify Product & Variant GIDs — to link the personalisation to the correct product
- Shopify Order ID / Line Item ID — received via webhook when an order is placed, used solely to generate and deliver the print-ready artwork file
We do not collect customer names, email addresses, postal addresses, payment details, or any other identifiers beyond what is listed above.
Purposes and legal basis
| Data | Purpose | Legal basis |
|---|---|---|
| Shop domain & access token | Authenticate API calls, deliver core app functionality | Contract performance (merchant ToS) |
| Customer personalisation inputs & uploads | Generate print-ready artwork files per order | Contract performance (merchant–customer sale) |
| Order / line-item IDs | Match artwork to the correct order for fulfilment | Contract performance (merchant ToS) |
| Billing plan status | Enforce subscription entitlements | Contract performance (merchant ToS) |
We do not use personal data for any purpose other than those listed above.
Consent
We maintain a Data Processing Agreement (DPA) with all merchants who install the app, incorporated by reference into our Terms of Service. By installing the app, merchants agree to our Terms of Service and this Privacy Policy.
Customers interact with our widget on merchant storefronts. Merchants are responsible for obtaining any required customer consent under their applicable laws (e.g. GDPR, CCPA) before enabling our widget on their storefront.
We do not use customer personal data for automated decision-making that produces legal or similarly significant effects on individuals.
We do not sell customer personal data. We respect and apply any opt-out signals communicated to us by merchants in accordance with applicable law.
Data retention
We retain personal data only as long as necessary for the stated purpose:
- Personalisation session data & uploaded images — retained for 90 days after the associated order is fulfilled or cancelled, then permanently deleted
- Generated artwork files — retained for 12 months after order fulfilment to support merchant re-downloads, then permanently deleted
- Merchant account data (shop domain, encrypted token, billing status) — retained for the duration of the merchant's subscription, then deleted within 30 days of app uninstallation
- Order IDs — retained only as long as the associated artwork file exists
Security
- Encryption in transit — all communication between our app, Shopify, and end users is over HTTPS/TLS
- Encryption at rest — Shopify access tokens are encrypted using AES-256-GCM before storage; uploaded files and artwork are stored in encrypted object storage
- Access control — all data is partitioned by shop ID; no merchant can access another merchant's data
- HMAC verification — all incoming Shopify webhooks are verified using HMAC-SHA256 before processing
GDPR — merchant and customer rights
We support Shopify's mandatory GDPR webhook topics. When Shopify sends us a data request or erasure request on behalf of a customer, we process it as follows:
- customers/data_request — we provide merchants with an export of any personal data we hold linked to the identified customer
- customers/redact — we permanently delete all personal data linked to the identified customer within 30 days
- shop/redact — we permanently delete all data associated with the merchant's shop within 30 days of receiving this request
If you are a merchant and wish to exercise your own rights (access, rectification, erasure, portability), contact us at yp-privacy@allthe.com.
Changes to this policy
We may update this policy from time to time. We will notify merchants of material changes via email or an in-app notice at least 14 days before the changes take effect. Continued use of the app after that date constitutes acceptance of the updated policy.
Contact
For any privacy-related questions or requests, contact us at yp-privacy@allthe.com.
— That's the policy, in full. Anything unclear? The address above gets a reply from a human.