Information collected from Merchants
When you install our apps, we are automatically able to access certain types of information from your Shopify account. You can see the details here. We collect this information to provide you with our services; for example, to confirm your identity, contact you, provide customer support when you contact us, and provide you with advertising and marketing.
Information collected from Merchants’ customers
For us to be able to provide you with our services and support, for you to better serve your customers, and to improve our services, BON collects some customer data that is stored in your Shopify Admin, including first name, last name, and email.
Information collected when you visit our Website
When you visit our website, we collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies installed on your device. We collect the information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, including how to disable them, visit allaboutcookies.org.
- “Log files” track actions occurring on the site, and collect data such as your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the site.
How we share information
We share your Personal Information with the following third parties to help us conduct our business and support our customers.
- We use Google Analytics to help us understand how our customers use our website and our apps. You can read more about how Google uses your Personal Information at google.com/intl/en/policies/privacy. You can also opt out of Google Analytics at tools.google.com/dlpage/gaoptout.
- We use CustomerIO for email marketing and to maintain our customer lists. You can read more about how CustomerIO uses your Personal Information at https://customer.io/privacy-policy.html
- We use Freshdesk to communicate with you and provide customer support when you contact us. You can read more about how Freshdesk uses your Personal Information at https://www.freshworks.com/privacy/
- We may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant, or other lawful requests for any information we receive, or to otherwise protect our rights.
- We may use your Personal Information to provide you with targeted advertisements or marketing communications we believe could be of interest to you. You can opt out of Facebook and Google targeted advertising at facebook.com/settings/?tab=ads and google.com/settings/ads/anonymous.
- Personal information may also be shared with a company that acquires our business, whether through merger, acquisition, bankruptcy, dissolution, reorganization, or other similar transaction or proceeding. If this happens, we will post a notice on our home page.
Smartify Apps processes and stores personal information using our server(s) based in the United States.
Use of Smartify Apps by Children
Smartify Apps is not intended for children. If you are under 13, you may use the site and services only with the supervision of your parents or guardian.
Smartify Apps understands that you have rights over your personal information, and takes reasonable steps to allow you to access, correct, amend, delete, port, or limit the use of your personal information. If you are a merchant and wish to exercise these rights, please contact us through [email protected]. We may require that you provide us with acceptable verification of your identity before providing access to such information.
If you are a merchant’s customer and wish to exercise these rights, please contact the merchants you interacted with directly — we serve as a processor on their behalf, and can only forward your request to them to allow them to respond.
Security incident response policy
The purpose of this policy is to provide a structured approach for detecting, reporting, assessing, and responding to security incidents in order to minimize the impact of incidents on the businesses’ operations, reputation, and assets.
Incident severity scales
- Level 1 (Low): Incidents that have minor impact and can be resolved quickly without causing significant damage.
- Level 2 (Moderate): Incidents that have a noticeable impact on the organization and require immediate attention to avoid further damage.
- Level 3 (High): Incidents that have a severe impact on the organization’s operations and require immediate action to contain and resolve the incident.
Roles and responsibilities
- Incident Response Team (IRT): The team responsible for responding to security incidents, consisting of IT staff, security personnel, and any other relevant stakeholders.
- Incident Coordinator: The individual responsible for managing the incident response process, including coordinating with the IRT and other stakeholders, assessing the severity of the incident, and ensuring that the response is effective.
- IT/Security Staff: Responsible for identifying, investigating, and resolving security incidents.
- Incident Reporting: All incidents must be reported to the Incident Response Team (IRT) as soon as they are identified. This can be done through a dedicated incident reporting system, an email address, or a phone number. The incident report should include a description of the incident, the impact it is having on the organization, and any relevant evidence.
- Initial Assessment: The IRT will conduct an initial assessment of the incident to determine its severity and impact. Based on this assessment, the IRT may decide to escalate the incident to a higher level.
- Level 1 Escalation: For low-level incidents, the IRT may be able to resolve the incident without escalating it further. This may involve implementing temporary fixes, applying security patches, or updating security policies.
- Level 2 Escalation: For moderate-level incidents, the IRT will escalate the incident to the Incident Coordinator. The Incident Coordinator will assess the incident and determine the appropriate response, which may involve bringing in additional resources or experts. The Incident Coordinator will also communicate with relevant stakeholders, such as management and legal, to keep them informed of the incident and any response actions.
- Level 3 Escalation: For high-level incidents, the IRT will escalate the incident to senior management or executive leadership. This may involve activating the organization’s emergency response plan or bringing in outside experts or consultants to assist with the response. The Incident Coordinator will continue to coordinate the response, but with additional oversight from senior management or executive leadership.
- Incident Identification: All employees will be trained to identify and report any security incidents as soon as they are detected. This includes reporting any suspicious activities, unauthorized access, data breaches, malware infections, and other security-related incidents.
- Incident Categorization: The IRT will conduct an initial assessment of the incident to determine its severity and impact. The incident will be categorized based on a predefined severity scale to determine the appropriate level of response.
- Incident Containment: The IRT will take immediate action to contain the incident to prevent further damage or loss of data. This may involve isolating affected systems, disabling network connections, or shutting down affected services.
- Incident Analysis: The IRT will analyze the incident to determine the root cause and identify any indicators of compromise. This may involve collecting and analyzing system logs, network traffic, and other relevant data.
- Incident Response: The IRT will develop a response plan based on the severity of the incident and the impact it is having on the organization. The response plan should include clear procedures for communication, coordination, and collaboration among the IRT members and other relevant stakeholders.
- Incident Recovery: The IRT will work to restore normal operations as soon as possible while ensuring the security of the systems and data. This may involve restoring from backups, patching vulnerabilities, or rebuilding systems.
- Incident Review: After the incident has been resolved, the IRT will conduct a post-incident review to identify any lessons learned or areas for improvement. This review will be used to update the organization’s security incident response policy and procedures to better prepare for future incidents.