This policy describes how Zedinga Retention Suite (the "Service") collects, processes, stores and shares customer data. It is drafted to satisfy GDPR Art. 13/14 and Türkiye's KVKK obligations.
1. Data Controller
Zedinga [entity type, trade registry number, address]
- email: contact@zedinga.com
- DPO / KVKK representative: [name and contact]
2. Categories of Personal Data Processed
The Service processes data belonging to three groups of data subjects:
2.1. Merchant (Customer / data controller)
- Name, email, store name, store domain
- Shopify access token (offline) — required for the Service to function
- Billing data (via Shopify Billing API; we do not see your card details)
2.2. Merchant's end customers
Data received from Shopify:
- Name, email, phone (if present)
- Order history (order ID, products, amount, date)
- Address (for shipping; not actively used by us)
- Marketing consent state
Data we generate:
- Loyalty point ledger (per-order +N points, date, source)
- Tier level (Bronze/Silver/Gold/Platinum)
- Email send history (per-email status: sent/skipped/failed/bounced)
- Email preferences (welcome, review_request, cart_abandoned, vip_upgrade toggles)
- Review content and photos (if displayed by the merchant)
2.3. Marketing site visitors (zedinga.com)
- IP address (security logs only, 30 days)
- Cookies (mandatory authentication cookies + analytics cookies — see Section 9)
- Analytics: Google Analytics 4 — IP addresses are processed in-memory on Google servers and not logged; a hashed cookie is used as a persistent client identifier. Legal basis for aggregate traffic measurement is legitimate interest (GDPR Art. 6(1)(f)). No advertising, remarketing or cross-site profiling. EU visitors only have GA4 loaded after explicit cookie banner consent (consent-before-load).
3. Purpose and Legal Basis (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Performance of the Service contract with the merchant | Contract — Art. 6(1)(b) |
| Sending email to the merchant's end customers | Consent collected by the merchant — Art. 6(1)(a) |
| Loyalty point calculation, tier management | Contract — Art. 6(1)(b) |
| Fraud prevention, security logs | Legitimate interest — Art. 6(1)(f) |
| Legal obligations (KVKK, tax) | Legal obligation — Art. 6(1)(c) |
Where consent is absent, the Service automatically refuses to send (marketing_consent_off skip).
4. Retention Periods
| Data type | Period |
|---|---|
| All data tied to an active store | Duration of the contract |
| After store termination — personal data | 60 days (recovery window) |
| Loyalty ledger after termination | Customer-identifying fields are deleted within 60 days; ledger rows with customer_id set to null are retained for the legal accounting period (10 years under TR tax law; EU member-state equivalents) for the audit chain |
| GDPR audit log | 5 years (compliance requirement) |
| Email suppression list (hard bounce / spam complaint) | Indefinite — legitimate interest (Art. 6(1)(f)) and protection of other data subjects' Art. 21 right to object. Override: if the user gives explicit consent under a new merchant, suppression can be removed manually (contact@zedinga.com). |
| Server logs | 30 days |
5. Sub-processors
The Service relies on the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Compute hosting | US (Frankfurt available) |
| Supabase Inc. | Postgres database | EU (Frankfurt) |
| Inngest Inc. | Workflow orchestration | US |
| Resend, Inc. | Email delivery | US |
| Shopify Inc. | Auth, webhooks, billing | US/CA |
| Anthropic, PBC | LLM-based review moderation (Pro plan opt-in) — review text, title and customer email are sent to Claude Haiku; the verdict + reason are written to review_moderation_results; raw responses are not retained (only diagnostics: model id, response id, stop reason, token counts) | US |
| Sentry GmbH | Error tracking (PII-scrubbed) — server-side errors; src/lib/sentry-scrub.ts redacts email/customer-id/IP/Authorization header before capture | US (EU host opt available) |
Cross-border transfers: Standard Contractual Clauses (SCC) are used for transfers to the US. Per Schrems II and EDPB Recommendations 01/2020 a Transfer Impact Assessment (TIA) has been performed; technical measures include in-transit and at-rest encryption and provider-blind key management (where applicable). Shopify's own DPA (shopify.com/legal/dpa) is accepted directly by the merchant.
This list is updated on this page when it changes; DPA URLs for current sub-processors are available on request from contact@zedinga.com. Third parties only process your data on our instructions; data is never sold or shared for advertising.
6. Data Subject Rights (GDPR Art. 15-22 / KVKK Art. 11)
- Right of access (Art. 15): Data subject requests are processed asynchronously via Inngest; the legal upper bound is 30 days (KVKK Art. 13/2 and GDPR Art. 12(3)). End customers should first contact the merchant; the merchant forwards the request to us via the Shopify customers/data_request webhook, and the result is written to a Storage bucket as JSON.
- Right to rectification (Art. 16): You may request correction of inaccurate data.
- Right to erasure (Art. 17): Personal data is anonymized; customer_id in the loyalty ledger is set to null, preserving the audit chain.
- Restriction of processing (Art. 18): Specific email flows (welcome, review_request, etc.) can be turned off via the preference center.
- Portability (Art. 20): Data is provided in machine-readable JSON.
- Right to object (Art. 21): Marketing emails can always be one-click unsubscribed (RFC 8058).
Requests: contact@zedinga.com
7. Automated Decision-Making and Profiling
The Service makes two kinds of automated decisions:
(a) Email send/skip decision — based on six deterministic gates (suppression, consent, idempotency, cooldown, spending cap, render). No profiling.
(b) Loyalty tier classification — assigns Bronze/Silver/Gold/Platinum tiers based on total points via deterministic rules. This qualifies as profiling under GDPR Art. 4(4), but produces no legal or similarly significant effects: it only affects the frequency/content of marketing communication and is therefore outside the scope of GDPR Art. 22. A data subject who prefers not to be tier-classified can disable the loyalty module from the preference center (Art. 21 right to object).
There is no LLM- or ML-based scoring; all decisions are based on transparent, auditable rules.
8. Security Measures
- Encryption at rest: Supabase Postgres default AES-256
- Encryption in transit: TLS 1.3 enforced, HSTS headers
- Multi-tenant isolation: Postgres Row Level Security (mandatory store_id filter on every table, on top of application-layer checks)
- Access control: Service-role token only used by server-side functions; the anon key is RLS-bound on every query
- Audit logging: GDPR operations (data_request, customer_redact, shop_redact) recorded in a separate table
- Incident response: Personal-data breaches are notified to KVKK within 72 hours per Decision 2019/10 (24.01.2019), and to relevant EU DPAs within 72 hours per GDPR Art. 33 for EU data subjects.
9. Cookies
zedinga.com (marketing site):
- Mandatory cookies: authentication, session
- Analytics cookies: Google Analytics 4 (anonymous IP, no advertising ID) — EU visitors are asked for consent via cookie banner (ePrivacy Directive and KVKK notice obligations)
- No advertising or tracking cookies
Embedded Shopify Admin app (Service): Uses Shopify's own authentication mechanism (App Bridge). The Service does not set additional cookies or run analytics.
10. Children's Data
The Service is not directed at persons under 18. We do not knowingly collect data from minors.
11. Policy Changes
When this policy is updated the "Last updated" date will change. Material changes are notified by email.
12. Right to Lodge a Complaint
- Türkiye: Personal Data Protection Authority (KVKK) — kvkk.gov.tr
- EU: Your country's Data Protection Authority
Contact: contact@zedinga.com — response within 30 days.