Privacy Policy

Welcome to Smartify Apps Privacy Policy!

This Privacy Policy describes how we may collect and use personal data and the rights granted to our visitors, customers, and merchants regarding their respective data.

By accessing or using this website or any of our apps or services, you signify your approval of the terms set out in this Privacy Policy, and other terms and policies posted on our website. If you do not agree to this Privacy Policy, you must leave this website and discontinue all use of any of our Services.

We may update this Privacy Policy from time to time in order to reflect, for example, changes to our privacy practices or for other operational, legal, or regulatory reasons. If we make material changes to this Privacy Policy, we will give you notice of such changes by posting the revised policy on this Website, and where appropriate, by other means. By continuing to use our apps or this website or any of our services after these changes are posted, you agree to the revised policy.

Information collected from Merchants

When you install our apps, we are automatically able to access certain types of information from your Shopify account. You can see the details here. We collect this information to provide you with our services; for example, to confirm your identity, contact you, provide customer support when you contact us, and provide you with advertising and marketing.

Information collected from Merchants’ customers

For us to be able to provide you with our services and support, for you to better serve your customers, and to improve our services, BON collects some of the customer data that is stored in your Shopify Admin, including first name, last name, and email.

Information collected when you visit our Website

When you visit our website, we collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies installed on your device. We collect the information using the following technologies:

  • “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, including how to disable them, visit allaboutcookies.org.
  • “Log files” track actions occurring on the site, and collect data such as your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
  • “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the site.

How we share information

We share your Personal Information with the following third parties to help us conduct our business and support our customers.

  • We use Google Analytics to help us understand how our customers use our website and our apps. You can read more about how Google uses your Personal Information at google.com/intl/en/policies/privacy. You can also opt out of Google Analytics at tools.google.com/dlpage/gaoptout.
  • We use CustomerIO for email marketing and to maintain our customer lists. You can read more about how CustomerIO uses your Personal Information at https://customer.io/privacy-policy.html
  • We use Freshdesk to communicate with you and provide customer support when you contact us. You can read more about how Freshdesk uses your Personal Information at https://www.freshworks.com/privacy/
  • We may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant, or other lawful requests for any information we receive, or to otherwise protect our rights.
  • We may use your Personal Information to provide you with targeted advertisements or marketing communications we believe could be of interest to you. You can opt out of Facebook and Google targeted advertising at facebook.com/settings/?tab=ads and google.com/settings/ads/anonymous.
  • Personal information may also be shared with a company that acquires our business, whether through merger, acquisition, bankruptcy, dissolution, reorganization, or other similar transaction or proceeding. If this happens, we will post a notice on our home page.

Cross-border transfer

Smartify Apps processes and stores personal information using our server(s) based in the United States.

If you are located outside of the United States, note that your personal information and other information that we collect through this website and our apps may be transferred to the United States. By accepting this Privacy Policy, using our apps or this website, or providing us with any personal information, you agree to the transfer of information to the United States.

Use of Smartify Apps by Children

Smartify Apps is not intended for children. If you are under 13, you may use the site and services only with the supervision of your parents or guardian.

Your Rights

Smartify Apps understands that you have rights over your personal information, and takes reasonable steps to allow you to access, correct, amend, delete, port, or limit the use of your personal information. If you are a merchant and wish to exercise these rights, please contact us through [email protected]. We may require that you provide us with acceptable verification of your identity before providing access to such information.

If you are a merchant’s customer and wish to exercise these rights, please contact the merchants you interacted with directly — we serve as a processor on their behalf, and can only forward your request to them to allow them to respond.

Retention

If you have any questions about your personal data or this Privacy Policy, or if you would like to file a complaint about how we process your personal data, please contact us by email at [email protected]. Your personal data and the stores’ data will be deleted within 48 hours after the app is uninstalled. If you wish to make a request to have your data removed immediately, either as a merchant of the platform or a buyer from a store, please contact us through [email protected]. We may require that you provide us with acceptable verification of your identity before providing access to such information.

Security incident response policy 

The purpose of this policy is to provide a structured approach for detecting, reporting, assessing, and responding to security incidents in order to minimize the impact of incidents on the businesses’ operations, reputation, and assets. 

 

Incident severity scales

  • Level 1 (Low): Incidents that have minor impact and can be resolved quickly without causing significant damage.
  • Level 2 (Moderate): Incidents that have a noticeable impact on the organization and require immediate attention to avoid further damage.
  • Level 3 (High): Incidents that have a severe impact on the organization’s operations and require immediate action to contain and resolve the incident.

 

Roles and responsibilities

  • Incident Response Team (IRT): The team responsible for responding to security incidents, consisting of IT staff, security personnel, and any other relevant stakeholders.
  • Incident Coordinator: The individual responsible for managing the incident response process, including coordinating with the IRT and other stakeholders, assessing the severity of the incident, and ensuring that the response is effective.
  • IT/Security Staff: Responsible for identifying, investigating, and resolving security incidents.

 

Escalation paths

  • Incident Reporting: All incidents must be reported to the Incident Response Team (IRT) as soon as they are identified. This can be done through a dedicated incident reporting system, an email address, or a phone number. The incident report should include a description of the incident, the impact it is having on the organization, and any relevant evidence.
  • Initial Assessment: The IRT will conduct an initial assessment of the incident to determine its severity and impact. Based on this assessment, the IRT may decide to escalate the incident to a higher level.
  • Level 1 Escalation: For low-level incidents, the IRT may be able to resolve the incident without escalating it further. This may involve implementing temporary fixes, applying security patches, or updating security policies.
  • Level 2 Escalation: For moderate-level incidents, the IRT will escalate the incident to the Incident Coordinator. The Incident Coordinator will assess the incident and determine the appropriate response, which may involve bringing in additional resources or experts. The Incident Coordinator will also communicate with relevant stakeholders, such as management and legal, to keep them informed of the incident and any response actions.
  • Level 3 Escalation: For high-level incidents, the IRT will escalate the incident to senior management or executive leadership. This may involve activating the organization’s emergency response plan or bringing in outside experts or consultants to assist with the response. The Incident Coordinator will continue to coordinate the response, but with additional oversight from senior management or executive leadership.

Evidence collection

As soon as an incident is detected or reported, all relevant systems, devices, and logs will be preserved to prevent any further modifications or deletions of data. This includes collecting and preserving electronic data, such as system logs, network traffic, and application data.
 

Required actions

  • Incident Identification: All employees will be trained to identify and report any security incidents as soon as they are detected. This includes reporting any suspicious activities, unauthorized access, data breaches, malware infections, and other security-related incidents.
  • Incident Categorization: The IRT will conduct an initial assessment of the incident to determine its severity and impact. The incident will be categorized based on a predefined severity scale to determine the appropriate level of response.
  • Incident Containment: The IRT will take immediate action to contain the incident to prevent further damage or loss of data. This may involve isolating affected systems, disabling network connections, or shutting down affected services.
  • Incident Analysis: The IRT will analyze the incident to determine the root cause and identify any indicators of compromise. This may involve collecting and analyzing system logs, network traffic, and other relevant data.
  • Incident Response: The IRT will develop a response plan based on the severity of the incident and the impact it is having on the organization. The response plan should include clear procedures for communication, coordination, and collaboration among the IRT members and other relevant stakeholders.
  • Incident Recovery: The IRT will work to restore normal operations as soon as possible while ensuring the security of the systems and data. This may involve restoring from backups, patching vulnerabilities, or rebuilding systems.
  • Incident Review: After the incident has been resolved, the IRT will conduct a post-incident review to identify any lessons learned or areas for improvement. This review will be used to update the organization’s security incident response policy and procedures to better prepare for future incidents.

 

 

 

Contact information

If you have any questions about your personal data or this Privacy Policy, or if you would like to file a complaint about how we process your personal data, please contact us by email at [email protected]