CreditOps Privacy Policy

Last updated: July 10, 2026

CreditOps ("the app") is operated by Talivio Technology OÜ (registry code 16991406), Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond, 15551, Estonia ("we", "us"). This policy explains what data CreditOps accesses when a merchant installs it on their Shopify store, why, and how it's handled.

1. Our role: processor for your customers' data

CreditOps is a business tool for merchants. The data it handles falls into two categories:

2. What we access and store

CreditOps reads and writes Shopify's native store credit data for your store. Specifically, via the Shopify Admin API, we access and keep a local copy of:

We do not access, request, or store payment card details, passwords, or any data beyond what's needed for the features above.

3. Why we store a local copy

Shopify does not provide a store-wide way to query all store credit accounts and transactions, nor webhooks for store credit changes. To power the liability report, expiry reminders, and refund-bonus automation, CreditOps periodically syncs a copy of your store's store credit accounts and transactions into its own database. This copy mirrors data Shopify already holds — it is not additional data collection.

4. How long we keep it

Data is kept for as long as the app is installed on your store, since the features depend on it. Deletion is handled automatically through Shopify's mandatory data-protection webhooks:

We keep a minimal log of each such request (shop domain, request type, and the request payload Shopify sent) as evidence that we complied with it. This log is retained separately so that it survives the deletion it documents, on the basis of our legitimate interest in demonstrating compliance (Article 6(1)(f) GDPR).

As a general rule, where we act as controller for your merchant data, we delete or anonymise your personal data within 90 days after your account is closed (that is, after you uninstall the app), unless a longer retention period is required by law. Accounting and invoicing records relating to your subscription are kept for seven years from the end of the relevant financial year, as required by the Estonian Accounting Act — this is a statutory exception to the deletion described above under Article 17(3)(b) GDPR. Backups are purged in the course of our ordinary backup rotation.

5. Who else sees it

We do not sell your data or share it with third parties for marketing. The parties who process data fall into two categories.

Processors (act on our behalf). These parties process data only on our instructions to run the service:

Independent controllers (act on their own account). These parties determine their own purposes for the data and are not our processors:

We do not use Stripe or any separate payment processor: all billing runs through Shopify. Should any of our sub-processors ever process data outside the EEA, that transfer would rely on an adequacy decision or the EU Standard Contractual Clauses; we will update this policy before introducing any such sub-processor.

6. Cookies

CreditOps runs embedded inside your Shopify admin and authenticates through Shopify-issued session tokens (App Bridge), not tracking cookies. We use only essential first-party cookies: a session cookie and a CSRF cookie that protect the app's forms against abuse. We do not use analytics or advertising cookies.

7. Security

Traffic is served over TLS and access to the app requires authentication through your Shopify admin. We keep an access log of when customer name/email is read from Shopify (during sync and bulk top-up lookups) so that access to that data is auditable. No system is perfectly secure, but we take reasonable measures to protect the data we hold; see our Security & Incident Response Policy for what we do if that's ever not enough.

8. Your rights

As the merchant, you control CreditOps' settings (expiry policy, refund bonus, language) at any time from within the app, and uninstalling it triggers the deletion described above. For the data we hold about you as a merchant, you can request access, correction, erasure, portability or restriction under the GDPR by contacting us. You may also lodge a complaint with a supervisory authority — for us that is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee), but you may contact the authority in your own country.

Your customers should address their data rights to you, the merchant; requests you relay through Shopify's data-protection webhooks are handled automatically as described above.

9. Changes to this policy

We may update this policy from time to time. The date at the top shows when it last changed; material changes will be communicated where appropriate.

10. Contact

Questions about this policy or your data: [email protected].

Talivio Technology OÜ (registry code 16991406), Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond, 15551, Estonia. See also our Terms of Service.