Privacy Policy — Subnotice

Controller: MINISAGE TECH LTD (company no. 17229324)
Registered office: 18 Crowthorp Road, Northampton, NN3 5DU
App: Subnotice
URL: https://subnotice.com/privacy
Version: 1.5 · 5 July 2026 — supersedes v1.4 (5 July 2026)
ICO registration: C1941625


1. Who we are

MINISAGE TECH LTD ("we", "us", "our") is the data controller for personal data we collect about merchants (Shopify store owners and their staff, and WordPress/WooCommerce site administrators) who install our app or plugin, Subnotice (the "App"). For the limited customer (subscriber) data described in §2.3, we act as processor on the merchant's instructions, not controller.

When we access your Shopify store's public policy pages to provide the audit service, we do so via the Shopify API with your authorisation. For WooCommerce, the free checker works on policy text you paste yourself — we never connect to your WordPress site to read it.


2. What personal data we collect

2.1 Merchant and staff data (we are controller)

When you install the App via Shopify OAuth, we receive and store:

Data Why
Shopify shop domain (*.myshopify.com) To identify your store across sessions
Shopify staff user ID, first name, last name, email address OAuth session management
App access token (encrypted) To read your shop's policy pages via Shopify API
Billing plan, billing status, App subscription ID To enforce plan limits and process billing
DPA acceptance timestamp and version To record your agreement under UK GDPR Art. 28
Report download count per day To apply free-plan daily export limits
Install date, uninstall date Compliance record-keeping

Lawful basis: Performance of a contract (providing the App and associated services) with the merchant entity; for staff users who are not themselves party to that contract, our legitimate interests in operating and securing the App (UK GDPR Art. 6(1)(f)).

2.1a WooCommerce merchant data — paid "Compliance Complete" tier (built, not yet released for purchase)

The free WooCommerce plugin checker stores nothing about you (§2.4). If and when the paid "Compliance Complete" tier is released for purchase, activating it will register your site with us and store:

Data Why
Your site's URL To identify your site across daily reminder runs
A hashed API token (the plaintext token is never stored by us) To authenticate your site's daily reminder requests
Declared jurisdiction (UK/US/EU) To apply the correct reminder-timing rules
Store admin reply-to email address Shown as the reply-to address on reminder emails sent to your customers

Lawful basis: Performance of a contract (providing the paid tier) once you purchase it.

2.2 Public policy page content (transient — not stored)

To provide the compliance audit, the App reads the text of your publicly visible Shopify policy pages (Privacy Policy, Terms of Service, Refund Policy, Subscription Policy) via the Shopify Admin GraphQL API. This text is processed in memory to generate your compliance score and checklist. We do not store the text of your policy pages on our servers.

2.3 Customer (subscriber) data we process on your behalf (we are processor)

This section applies to Shopify merchants today. For WooCommerce merchants on the paid "Compliance Complete" tier once released (§2.1a), customer name and email are used to send reminders but are not stored in our database after send — only the audit-trail fields below are retained (see §5).

To send pre-renewal reminder emails to your customers, we process:

Data Why Stored in our database?
Customer name and email address To address and send the reminder email, and to keep the merchant's subscription snapshot in sync with Shopify Yes — stored in our subscription snapshot table for the life of the subscription (§5); this corrects the prior version of this policy, which stated it was not stored
Subscription contract reference, product title To describe which subscription is renewing; contract reference kept as the audit-trail key Contract reference: yes. Product title: yes, as part of the same snapshot
Billing amount and currency (where available) Shown in the reminder for transparency Yes, as part of the same snapshot
Renewal date To time the reminder and state it in the email Yes, as part of the audit-trail record
Email delivery status (delivered / bounced) Proof-of-notice record for your audit trail — always recorded, no tracking pixel, not gated on any setting Yes
Email open status and open count Only if you enable it (App setting, off by default) and only once your sending domain is verified. This is an engagement signal only — it is not legal proof that the customer read the email, and it is never presented as such Yes, only if enabled

We do not store your customers' payment details or any special category personal data. We do keep, in our subscription snapshot table, the minimum needed to run the reminder service on your behalf: customer name and email address, contract reference, product title, renewal date, billing amount/currency, and email delivery status (§5). If a customer submits a GDPR erasure (customers/redact) request via Shopify, we redact their name and email from this table on receipt of that webhook.

Lawful basis: As processor, we process this data on your instructions as controller; you determine the lawful basis for sending pre-renewal notices to your own customers. Our processing is governed by the Data Processing Agreement (DPA) you accept via the in-App banner (Shopify) or in-plugin banner (WooCommerce paid tier) before customer-data features activate.

2.4 Website, free checker, and analytics


3. How we use your data

We do not sell personal data. We do not use personal data for direct marketing without your consent.


4. Sub-processors

We use the following third-party services to operate the App:

Sub-processor Service Location
Neon Tech Inc. PostgreSQL database (encrypted at rest) EU (Frankfurt region preferred)
Vercel Inc. Application + website hosting, serverless functions US (region per project config)
Resend Inc. Transactional reminder email delivery, delivery/open-event webhooks US
Shopify Inc. Platform OAuth, API, billing Canada / global (Shopify acts as independent controller for platform data)
Freemius Inc. WooCommerce plugin licensing/billing (paid tier only, once released) US

The same Neon/Vercel/Resend infrastructure serves the WooCommerce "Compliance Complete" tier once released — no separate sub-processor stack. We require each sub-processor to process personal data only as necessary to provide their service and to maintain appropriate security measures. Full list: https://subnotice.com/sub-processors

We will notify you at least 30 days before adding a new sub-processor that processes personal data, giving you the right to object on reasonable grounds.


5. Data retention

Data Retention period
Shopify session (access token, user details) While App is installed; deleted within 48 hours of uninstall
Shop record (billing, plan, DPA acceptance) While App is installed + 30 days after uninstall for legal record-keeping; billing records retained up to 7 years where UK tax/company law requires
Audit score data Not stored (computed on demand, discarded after request)
Customer subscription snapshot (§2.3) — customer name and email address, contract reference, product title, renewal date, billing amount/currency While the subscription contract is active; customer name/email deleted on cancellation-sync, on receipt of a customers/redact GDPR webhook for that customer, or on app uninstall — whichever happens first
Customer reminder audit trail (§2.3) — contract reference, renewal date, delivery/open status only While App is installed, as compliance evidence; deleted on uninstall along with all shop-keyed data (see below)
WooCommerce site record (§2.1a) — site URL, hashed token, jurisdiction, reply-to email While the paid tier is active on our servers; deleted on plugin uninstall via /api/woo/unregister (best-effort) or within 48 hours of a verified request to privacy@subnotice.com
WooCommerce reminder audit trail (§2.3, via the plugin) — subscription ID, renewal date, delivery/open status only (no customer name or email stored) Deleted with the WooCommerce site record above
Support correspondence 3 years from last contact

On uninstall, we process Shopify's shop/redact webhook and delete all shop-keyed personal data from production systems within 48 hours, and from backups within 30 days where technically feasible.

Consent gate (closed 05.07.2026): Before the paid WooCommerce tier processes any customer data, the merchant must accept the DPA via an in-plugin banner — enforced in code (WooSite.dpaAcceptedAt), not just in this policy. See DPA_TEMPLATE.md §7a.2 for detail. This was a real gap flagged in this session's legal review and closed the same session, not deferred to "before release."

Pre-release note: WooCommerce automated erasure on uninstall is implemented (/api/woo/unregister from uninstall.php, best-effort). Manual fallback remains via privacy@subnotice.com if the uninstall call fails.


6. Your rights

As a merchant (data subject), you have the right under UK GDPR to:

To exercise any right, contact us at privacy@subnotice.com or the support address below. We will respond within one calendar month.

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/


7. Security

We implement appropriate technical and organisational measures, including:

In the event of a personal data breach affecting your data, we will notify you within 72 hours of becoming aware.


8. International transfers

Our hosting provider (Vercel) and email provider (Resend) operate in the United States. Transfers of personal data to the US are covered by the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses, as incorporated into each provider's data processing addendum — aligned with DPA §5.8 and SUB_PROCESSORS.md.

Our database provider (Neon) is configured to use the EU (Frankfurt) region where technically available, to keep merchant data within the UK/EEA where possible. Freemius (WooCommerce licensing, US) uses the same transfer mechanisms when the paid tier is released.


9. Changes to this policy

We will post any updates to this page with a new version date. For material changes (new categories of data, new processing purposes), we will provide notice in the App or by email at least 30 days before the change takes effect.


10. Contact

Privacy enquiries: privacy@subnotice.com
General support: support@subnotice.com
MINISAGE TECH LTD
18 Crowthorp Road, Northampton, NN3 5DU
United Kingdom


v1.5 — 5 July 2026 — MINISAGE TECH LTD