Privacy Policy — Subnotice
Controller: MINISAGE TECH LTD (company no. 17229324)
Registered office: 18 Crowthorp Road, Northampton, NN3 5DU
App: Subnotice
URL: https://subnotice.com/privacy
Version: 1.5 · 5 July 2026 — supersedes v1.4 (5 July 2026)
ICO registration: C1941625
1. Who we are
MINISAGE TECH LTD ("we", "us", "our") is the data controller for personal data we collect about merchants (Shopify store owners and their staff, and WordPress/WooCommerce site administrators) who install our app or plugin, Subnotice (the "App"). For the limited customer (subscriber) data described in §2.3, we act as processor on the merchant's instructions, not controller.
When we access your Shopify store's public policy pages to provide the audit service, we do so via the Shopify API with your authorisation. For WooCommerce, the free checker works on policy text you paste yourself — we never connect to your WordPress site to read it.
2. What personal data we collect
2.1 Merchant and staff data (we are controller)
When you install the App via Shopify OAuth, we receive and store:
| Data | Why |
|---|---|
Shopify shop domain (*.myshopify.com) |
To identify your store across sessions |
| Shopify staff user ID, first name, last name, email address | OAuth session management |
| App access token (encrypted) | To read your shop's policy pages via Shopify API |
| Billing plan, billing status, App subscription ID | To enforce plan limits and process billing |
| DPA acceptance timestamp and version | To record your agreement under UK GDPR Art. 28 |
| Report download count per day | To apply free-plan daily export limits |
| Install date, uninstall date | Compliance record-keeping |
Lawful basis: Performance of a contract (providing the App and associated services) with the merchant entity; for staff users who are not themselves party to that contract, our legitimate interests in operating and securing the App (UK GDPR Art. 6(1)(f)).
2.1a WooCommerce merchant data — paid "Compliance Complete" tier (built, not yet released for purchase)
The free WooCommerce plugin checker stores nothing about you (§2.4). If and when the paid "Compliance Complete" tier is released for purchase, activating it will register your site with us and store:
| Data | Why |
|---|---|
| Your site's URL | To identify your site across daily reminder runs |
| A hashed API token (the plaintext token is never stored by us) | To authenticate your site's daily reminder requests |
| Declared jurisdiction (UK/US/EU) | To apply the correct reminder-timing rules |
| Store admin reply-to email address | Shown as the reply-to address on reminder emails sent to your customers |
Lawful basis: Performance of a contract (providing the paid tier) once you purchase it.
2.2 Public policy page content (transient — not stored)
To provide the compliance audit, the App reads the text of your publicly visible Shopify policy pages (Privacy Policy, Terms of Service, Refund Policy, Subscription Policy) via the Shopify Admin GraphQL API. This text is processed in memory to generate your compliance score and checklist. We do not store the text of your policy pages on our servers.
2.3 Customer (subscriber) data we process on your behalf (we are processor)
This section applies to Shopify merchants today. For WooCommerce merchants on the paid "Compliance Complete" tier once released (§2.1a), customer name and email are used to send reminders but are not stored in our database after send — only the audit-trail fields below are retained (see §5).
To send pre-renewal reminder emails to your customers, we process:
| Data | Why | Stored in our database? |
|---|---|---|
| Customer name and email address | To address and send the reminder email, and to keep the merchant's subscription snapshot in sync with Shopify | Yes — stored in our subscription snapshot table for the life of the subscription (§5); this corrects the prior version of this policy, which stated it was not stored |
| Subscription contract reference, product title | To describe which subscription is renewing; contract reference kept as the audit-trail key | Contract reference: yes. Product title: yes, as part of the same snapshot |
| Billing amount and currency (where available) | Shown in the reminder for transparency | Yes, as part of the same snapshot |
| Renewal date | To time the reminder and state it in the email | Yes, as part of the audit-trail record |
| Email delivery status (delivered / bounced) | Proof-of-notice record for your audit trail — always recorded, no tracking pixel, not gated on any setting | Yes |
| Email open status and open count | Only if you enable it (App setting, off by default) and only once your sending domain is verified. This is an engagement signal only — it is not legal proof that the customer read the email, and it is never presented as such | Yes, only if enabled |
We do not store your customers' payment details or any special category personal data. We do keep, in our subscription snapshot table, the minimum needed to run the reminder service on your behalf: customer name and email address, contract reference, product title, renewal date, billing amount/currency, and email delivery status (§5). If a customer submits a GDPR erasure (customers/redact) request via Shopify, we redact their name and email from this table on receipt of that webhook.
Lawful basis: As processor, we process this data on your instructions as controller; you determine the lawful basis for sending pre-renewal notices to your own customers. Our processing is governed by the Data Processing Agreement (DPA) you accept via the in-App banner (Shopify) or in-plugin banner (WooCommerce paid tier) before customer-data features activate.
2.4 Website, free checker, and analytics
- subnotice.com and the free
/checkertool: policy text you paste into the checker is sent to our audit API, scored in memory, and not stored. No account, no cookies required to use it. - Analytics: our websites and App use Vercel Analytics, a cookie-less, aggregate analytics service. We do not run advertising trackers.
- Preferences: your light/dark theme choice is stored in your own browser (localStorage) and never sent to us.
3. How we use your data
- Provide and operate the App: authenticate your sessions, run policy audits, enforce billing plan limits.
- Improve the App: aggregate, anonymised usage metrics (no personal data shared externally for this purpose).
- Legal obligations: retain records as required by company and tax law.
- Fraud prevention and security: detect misuse of the App.
We do not sell personal data. We do not use personal data for direct marketing without your consent.
4. Sub-processors
We use the following third-party services to operate the App:
| Sub-processor | Service | Location |
|---|---|---|
| Neon Tech Inc. | PostgreSQL database (encrypted at rest) | EU (Frankfurt region preferred) |
| Vercel Inc. | Application + website hosting, serverless functions | US (region per project config) |
| Resend Inc. | Transactional reminder email delivery, delivery/open-event webhooks | US |
| Shopify Inc. | Platform OAuth, API, billing | Canada / global (Shopify acts as independent controller for platform data) |
| Freemius Inc. | WooCommerce plugin licensing/billing (paid tier only, once released) | US |
The same Neon/Vercel/Resend infrastructure serves the WooCommerce "Compliance Complete" tier once released — no separate sub-processor stack. We require each sub-processor to process personal data only as necessary to provide their service and to maintain appropriate security measures. Full list: https://subnotice.com/sub-processors
We will notify you at least 30 days before adding a new sub-processor that processes personal data, giving you the right to object on reasonable grounds.
5. Data retention
| Data | Retention period |
|---|---|
| Shopify session (access token, user details) | While App is installed; deleted within 48 hours of uninstall |
| Shop record (billing, plan, DPA acceptance) | While App is installed + 30 days after uninstall for legal record-keeping; billing records retained up to 7 years where UK tax/company law requires |
| Audit score data | Not stored (computed on demand, discarded after request) |
| Customer subscription snapshot (§2.3) — customer name and email address, contract reference, product title, renewal date, billing amount/currency | While the subscription contract is active; customer name/email deleted on cancellation-sync, on receipt of a customers/redact GDPR webhook for that customer, or on app uninstall — whichever happens first |
| Customer reminder audit trail (§2.3) — contract reference, renewal date, delivery/open status only | While App is installed, as compliance evidence; deleted on uninstall along with all shop-keyed data (see below) |
| WooCommerce site record (§2.1a) — site URL, hashed token, jurisdiction, reply-to email | While the paid tier is active on our servers; deleted on plugin uninstall via /api/woo/unregister (best-effort) or within 48 hours of a verified request to privacy@subnotice.com |
| WooCommerce reminder audit trail (§2.3, via the plugin) — subscription ID, renewal date, delivery/open status only (no customer name or email stored) | Deleted with the WooCommerce site record above |
| Support correspondence | 3 years from last contact |
On uninstall, we process Shopify's shop/redact webhook and delete all shop-keyed personal data from production systems within 48 hours, and from backups within 30 days where technically feasible.
Consent gate (closed 05.07.2026): Before the paid WooCommerce tier processes any customer data, the merchant must accept the DPA via an in-plugin banner — enforced in code (
WooSite.dpaAcceptedAt), not just in this policy. See DPA_TEMPLATE.md §7a.2 for detail. This was a real gap flagged in this session's legal review and closed the same session, not deferred to "before release."Pre-release note: WooCommerce automated erasure on uninstall is implemented (
/api/woo/unregisterfromuninstall.php, best-effort). Manual fallback remains via privacy@subnotice.com if the uninstall call fails.
6. Your rights
As a merchant (data subject), you have the right under UK GDPR to:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion (subject to legal retention obligations)
- Restriction — limit how we use your data in certain circumstances
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise any right, contact us at privacy@subnotice.com or the support address below. We will respond within one calendar month.
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/
7. Security
We implement appropriate technical and organisational measures, including:
- TLS 1.2+ for all data in transit
- Encrypted storage for access tokens and sensitive fields
- HMAC verification on all Shopify webhooks
- Access controls — least privilege; no shared production credentials
- Separate environments — no production customer data in development
In the event of a personal data breach affecting your data, we will notify you within 72 hours of becoming aware.
8. International transfers
Our hosting provider (Vercel) and email provider (Resend) operate in the United States. Transfers of personal data to the US are covered by the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses, as incorporated into each provider's data processing addendum — aligned with DPA §5.8 and SUB_PROCESSORS.md.
Our database provider (Neon) is configured to use the EU (Frankfurt) region where technically available, to keep merchant data within the UK/EEA where possible. Freemius (WooCommerce licensing, US) uses the same transfer mechanisms when the paid tier is released.
9. Changes to this policy
We will post any updates to this page with a new version date. For material changes (new categories of data, new processing purposes), we will provide notice in the App or by email at least 30 days before the change takes effect.
10. Contact
Privacy enquiries: privacy@subnotice.com
General support: support@subnotice.com
MINISAGE TECH LTD
18 Crowthorp Road, Northampton, NN3 5DU
United Kingdom
v1.5 — 5 July 2026 — MINISAGE TECH LTD