Privacy Policy
Last updated: December 29, 2025
1. Introduction
Instant Art Kit ("we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify application and related services.
This policy applies to all users of Instant Art Kit, including Shopify merchants who install our app and their customers who use the diamond painting preview functionality.
By using our service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our service.
2. Data Controller & Processor Roles
2.1 When We Are a Data Controller: For information about Shopify merchants (store owners) who install our app, we act as a data controller and determine how personal data is processed.
2.2 When We Are a Data Processor: For end-customer data (photos uploaded by your customers), we act as a data processor on behalf of the merchant. The merchant is the data controller and is responsible for obtaining necessary consents and complying with privacy laws.
2.3 Your Responsibilities as a Merchant: If you are a merchant using our service, you must ensure you have a lawful basis (consent, contract, legitimate interest) to collect and process your customers' personal data, including photos they upload.
3. Information We Collect
3.1 Information You Provide Directly:
- Account Information: When you install our Shopify app, we receive your Shopify store domain, shop name, and contact email from Shopify's OAuth flow
- Support Communications: When you contact us for support, we collect your name, email address, and the content of your messages
- Payment Information: Billing is handled by Shopify; we do not directly collect or store credit card information
3.2 Information Collected Automatically:
- Shopify API Data: Product information (IDs, titles, variants), order data (IDs, line items, order numbers), customer metadata (for linking orders to accounts, no PII stored)
- OAuth Tokens: Access tokens from Shopify's OAuth system (encrypted at rest and never exposed)
- Usage Data: Information about how you use the app, features accessed, and performance metrics
- Technical Data: IP addresses, browser types, device information, and log data for security and troubleshooting
3.3 Customer-Uploaded Content:
- Photos: Images uploaded by your customers through UploadCare's widget for diamond painting preview generation
- Generated Files: Diamond painting previews, patterns, color charts, and production files we create from customer photos
- Metadata: File names, upload timestamps, and processing parameters
Note: Customer photos are initially processed through UploadCare (a third-party service) before being transferred to our Azure storage. See Section 7 for details on third-party services.
4. How We Use Your Information
We process personal data for the following purposes based on our legitimate interests, contractual necessity, or your consent:
4.1 Service Delivery:
- Provide diamond painting preview generation services
- Process and generate production-ready files (patterns, PDFs, Excel charts)
- Synchronize product and order data from your Shopify store
- Store and deliver generated files to you
4.2 Account Management:
- Authenticate and manage your account access
- Process billing and payments (via Shopify)
- Send service-related notifications and updates
4.3 Support & Communication:
- Respond to your inquiries and provide customer support
- Send important service announcements and updates
- Notify you of policy changes
4.4 Security & Fraud Prevention:
- Detect and prevent security incidents, fraud, and abuse
- Monitor system performance and troubleshoot technical issues
- Comply with legal obligations and protect legal rights
4.5 Improvement & Analytics:
- Analyze usage patterns to improve our service
- Develop new features and functionality
- Monitor service performance and reliability
We do not sell your personal information to third parties.
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide our services under our Terms of Service (service delivery, account management, billing)
- Legitimate Interests: Processing necessary for our legitimate business interests (security, fraud prevention, service improvement, analytics) provided these do not override your rights
- Legal Obligation: Processing required to comply with laws, regulations, and legal processes
- Consent: Where you have provided explicit consent (which you may withdraw at any time)
6. Data Sharing & Disclosure
We share personal data only in the following circumstances:
6.1 Service Providers: We share data with third-party service providers who perform services on our behalf:
- UploadCare: Processes customer photo uploads (see Section 7.1)
- Microsoft Azure: Hosts our infrastructure and stores generated files (see Section 7.3)
- Shopify: Our platform integration partner (see Section 7.2)
6.2 Legal Requirements: We may disclose information if required by law or legal process, including:
- In response to valid legal requests from authorities
- To enforce our Terms of Service or other agreements
- To protect our rights, property, or safety, or that of others
- In connection with fraud prevention or security investigations
6.3 Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of such changes.
6.4 With Your Consent: We may share information for other purposes with your explicit consent.
7. Third-Party Services
7.1 UploadCare:
Customer photos are uploaded and initially processed through UploadCare's file upload service. UploadCare has its own privacy practices governed by their Privacy Policy (https://uploadcare.com/about/privacy-policy/).
- UploadCare may collect IP addresses and technical data from end-users who upload files
- Files are temporarily stored on UploadCare's CDN before being transferred to our Azure storage
- UploadCare is GDPR-compliant and participates in the EU-U.S. Data Privacy Framework
7.2 Shopify:
Our service integrates with Shopify's platform. Shopify's Privacy Policy (https://www.shopify.com/legal/privacy) governs data collected by Shopify.
- We access Shopify data via their API based on permissions you grant during installation
- Billing and payment processing is handled entirely by Shopify
- OAuth tokens are issued by Shopify and encrypted by us
7.3 Microsoft Azure:
Generated files, previews, and application data are stored on Microsoft Azure cloud infrastructure. Microsoft's Privacy Statement (https://privacy.microsoft.com/privacystatement) applies to this storage.
- Data is stored in Azure regions with appropriate data residency compliance
- Azure provides encryption at rest and in transit
- Microsoft complies with GDPR, Privacy Shield, and other frameworks
Important: These third parties have their own privacy policies and data handling practices. We are not responsible for their privacy practices or security measures.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States and other jurisdictions where our service providers operate.
8.1 EEA/UK/Swiss Data Transfers:
For data transferred from the EEA, UK, or Switzerland to countries not deemed to provide adequate protection:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
- Our service providers (UploadCare, Microsoft) comply with GDPR requirements and participate in recognized data transfer frameworks
- We implement appropriate technical and organizational safeguards
8.2 Data Processing Agreement: A Data Processing Agreement (DPA) incorporating Standard Contractual Clauses is available upon request for merchants processing EEA/UK/Swiss customer data.
9. Data Retention
We retain personal data for as long as necessary to provide our services and fulfill the purposes outlined in this policy, unless a longer retention period is required by law.
9.1 Active Accounts:
- Account and store data: Retained while your account is active
- Customer photos and generated files: Retained as long as needed for order fulfillment and your business operations
- Transaction records: Retained for accounting and legal compliance (typically 7 years)
9.2 Deleted Accounts:
- When you uninstall our app, we delete your data within 30 days
- Backup copies may persist for up to 90 days in our backup systems
- We may retain anonymized, aggregated data indefinitely for analytics
- Data required for legal, accounting, or security purposes may be retained longer
9.3 Manual Deletion Requests: You can request earlier deletion of your data by contacting us (see Section 12).
10. Data Security
We implement appropriate technical and organizational security measures to protect your personal data:
- Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access controls limit who can access personal data
- Authentication: OAuth tokens are encrypted and securely stored
- Infrastructure Security: Hosted on secure Microsoft Azure infrastructure with regular security updates
- Monitoring: Automated monitoring and logging for security incidents
- Incident Response: Documented procedures for security breach response
No Absolute Security: While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
Breach Notification: In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law (within 72 hours for GDPR-covered breaches).
11. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
11.1 GDPR Rights (EEA, UK, Switzerland):
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
- Right to Restrict Processing: Request limitation of how we process your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
- Right to Lodge a Complaint: File a complaint with your local data protection authority
11.2 CCPA Rights (California Residents):
- Right to Know: Request disclosure of personal information collected, used, or shared
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of personal information (note: we do not sell personal information)
- Right to Non-Discrimination: Not be discriminated against for exercising your rights
11.3 How to Exercise Your Rights:
To exercise any of these rights, contact us at support@instantartkit.com with the subject line "Privacy Rights Request."
- We will respond to verified requests within 30 days (may be extended by 60 days for complex requests)
- We may request additional information to verify your identity
- There is no fee for making a request, but we may charge for excessive or repetitive requests
Limitations: Some rights may be limited by law or if processing is necessary for compliance, legal claims, or public interest.
12. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to improve our service and user experience.
12.1 Types of Cookies We Use:
- Essential Cookies: Required for authentication and core service functionality
- Performance Cookies: Help us understand how users interact with our service
- Security Cookies: Used to detect fraud and protect user accounts
12.2 Third-Party Cookies:
- Shopify may set cookies when you use our app within their admin interface
- UploadCare may set cookies for file upload functionality
12.3 Managing Cookies: You can control cookies through your browser settings. Note that disabling certain cookies may affect service functionality.
13. Children's Privacy
Our service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16.
If you are a parent or guardian and believe your child has provided personal information to us, please contact us at support@instantartkit.com. We will delete such information promptly.
Merchant Responsibility: If you are a merchant, you must ensure that customer photos uploaded to our service comply with applicable laws regarding children's data (e.g., COPPA in the US, GDPR's enhanced protections for children).
14. California "Shine the Light" Law
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes.
We do not share personal information with third parties for their direct marketing purposes.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.
15.1 Notification of Changes:
- We will update the "Last updated" date at the top of this policy
- For material changes, we will notify you via email or through a prominent notice in the app
- We will provide at least 30 days' notice before material changes take effect
15.2 Your Acceptance: Continued use of our service after changes become effective constitutes acceptance of the updated policy.
We encourage you to review this policy periodically to stay informed about how we protect your information.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Instant Art Kit
Email: support@instantartkit.com
Privacy Requests: Please use subject line "Privacy Rights Request"
DPA Requests: Please use subject line "Data Processing Agreement Request"
EU/EEA Data Protection Inquiries:
Users in the European Economic Area have the right to lodge a complaint with their local supervisory authority if they believe their data protection rights have been violated.
17. Additional Information
17.1 Do Not Track: Our service does not currently respond to "Do Not Track" (DNT) browser signals, as there is no industry standard for DNT compliance.
17.2 Automated Decision-Making: We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.
17.3 Data Processing Agreement: Merchants who process personal data of EEA/UK/Swiss individuals can request our Data Processing Agreement (DPA), which includes Standard Contractual Clauses, by contacting us at support@instantartkit.com.