Privacy Policy

Effective Date: October 9, 2025

1. Introduction

This Privacy Policy explains how Infinea Consulting Ltd ("we", "us", "our") collects, processes, and protects personal data when you access or use Cloudhooks (“Service”), in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller Information

Data Controller: Infinea Consulting Ltd ‍

Address: Andor utca 21/c fszt. 1., 1119 Budapest, Hungary ‍

Contact Email: support@cloudhooks.dev

Categories of Personal Data Collected

We collect and process the following categories of Personal Data:

• Account Data: Store information relayed by Shopify (store domain, store email address), installation and uninstallation dates.
• Usage Data: Number of actions run monthly.
• Settings and Preferences: notification email address, onboarding state and preferences, product updates notification, preserve data temporarily on uninstall.
• Cookies: identifiers necessary to facilitate authentication, session management, and account access.
• Browser and Device Information: IP address, browser type, operating system, and device identifiers pseudonymized for analytics, not linked to accounts or users.
• Notifications Status: logs of trial- and limit-related email communications.
• Communication Data: copies of customer correspondence, including email support requests.
• Customer-Uploaded Content: Hook code, environment variables, payloads from webhooks and external triggers, and webhooks metadata.
• Payment and Billing Information: subscription plan details, monthly payment data, account status.

4. Legal Bases for Processing

We process your personal data only when we have a valid legal basis under GDPR. The specific legal basis depends on the type of data and the purpose for which we process it:

Performance of a Contract

We process personal data when necessary to provide the Service to you and fulfill our contractual obligations. This includes:

• Creating and managing your account
• Providing webhook automation services through our background jobs and API
• Processing monthly charges and managing subscriptions
• Sending transactional emails related to your account and usage

Legitimate Interest

We process personal data based on our legitimate interests to operate, improve, and secure the Service, while ensuring these interests do not override your fundamental rights. This includes:

• Analyzing usage patterns to improve service performance and develop new features
• Preventing fraud and maintaining security
• Providing customer support and responding to inquiries
• Monitoring system performance and troubleshooting technical issues

Consent

We process personal data based on your explicit consent for:

• Sending marketing communications and promotional materials
• Using optional analytics cookies beyond those strictly necessary for service operation
• Any other processing activities where we specifically request your consent

Legal Obligation

We process personal data when necessary to comply with applicable laws and regulations, including:

• Maintaining financial records for tax and accounting purposes
• Responding to lawful requests from authorities
• Complying with data protection regulations and user rights requests

5. Sources of Personal Data

We collect personal data from various sources to provide and improve our Service. Understanding where your data comes from helps ensure transparency in our data processing activities:

Data You Provide Directly

We collect information that you voluntarily provide when using our Service:

• Registration information relayed by Shopify on sign-up form (email, shop URL)
• Account preferences and settings you configure within the Service
• Hook code, environment variables, payloads submitted via web interface or API
• Communications you send to us, including support requests and feedback

Data Collected Automatically

When you use our Service, we automatically collect certain information:

• Usage data including webhook event type, webhook payload, timestamps, and processing duration
• Technical information such as IP address, browser type, and operating system for analytics purposes
• Session data and authentication status through necessary cookies
• Service interaction patterns to understand how features are used

Data from Third-Party Sources

We receive limited data from integrated third-party services:

• Support ticket history and correspondence from HelpScout, our customer support platform
• Analytics data from Google Analytics regarding general usage patterns

6. Purposes of Processing

We process your personal data for specific, legitimate purposes necessary to provide our Service and meet our legal obligations. Each processing activity is linked to one or more of the legal bases outlined in Section 4:

Account Management

We process your personal data to create, maintain, and secure your user account. This includes verifying your identity, managing access credentials, maintaining your account settings, and ensuring the security of your account through features OAuth user management for secure login.

Service Provision

Our primary purpose for processing data is to deliver the core webhooks automation functionality you expect from our Service. This encompasses processing the webhook and external API requests through our webhook and external trigger API, running your hook code, communicating with external systems, and tracking usage to ensure you stay within your plan limits.

Customer Support

We process personal data to provide effective customer support and technical assistance. This includes responding to your inquiries and support tickets, troubleshooting technical issues you may encounter, providing guidance on using our Service effectively, and maintaining records of our communications to ensure consistent support.

Billing and Payments

For users on paid plans, we process data necessary for financial transactions and account management. This includes processing monthly charges through Shopify, managing plan upgrades and downgrades, and tracking usage for usage-based billing calculations.

Service Improvement

We analyze aggregated and anonymized usage data to enhance our Service performance and develop new features. This helps us understand how users interact with different features, identify areas for improvement and optimization, develop new functionalities based on user needs, and ensure the reliability and speed of our automations.

Communications

We process contact information to send you important communications about our Service. This includes transactional emails about your account status and usage, notifications about changes to our Service or policies, responses to your support requests, and, where you have provided consent, marketing communications about new features or offerings.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Our retention periods are designed to balance service functionality with data minimization principles:

Usage and Activity Data

Itemized webhook run logs containing detailed information about individual webhook requests, timestamps, payloads, metadata is retained up to 14 days, depending on the chosen plan. After this period, the logs are deleted. This allows you to review recent activity while ensuring we don't retain detailed operational data longer than necessary.

Aggregated usage data showing summary statistics, total usage counts, and general patterns is retained until account cancellation. This aggregated data helps us provide usage reports, billing summaries, and service analytics without maintaining individual transaction details.

Account Information

‍Core account data including store URL, store email address, notification email address, preferences, and settings is retained until account deletion. When you request account deletion, we initiate a process to remove your personal data from our active systems within 30 days, subject to any legal retention requirements.

Financial and Legal Records

Information about monthly charges are retained until account deletion. No billing records are generated or retained as they are handled by Shopify.

Third-Party Data Processors

Data shared with our third-party processors (listed in Section 8) is retained according to their respective Data Processing Agreements (DPAs). We ensure all processors comply with GDPR requirements and do not retain your data longer than necessary for providing their services to us.

Backup and Security

For security and disaster recovery purposes, some data may exist in backup systems for up to 90 days after deletion from primary systems. These backups are encrypted and access is strictly limited to recovery scenarios.

8. Processors and Third-Party Recipients

We engage carefully selected third-party service providers (processors and sub-processors) to assist us in providing the Service. These processors act on our behalf and under our instructions, processing personal data only as necessary to perform their specific functions. All processors are bound by Data Processing Agreements (DPAs) that ensure they comply with GDPR requirements and maintain appropriate security measures.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. The following categories of processors have access to your personal data solely to provide services to us:

• Shopify
  https://www.shopify.com/legal/dpa?utm_source=chatgpt.com
  ‍
• Hosting providers:
  • Heroku
    https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf
  • Digital Ocean
    https://www.digitalocean.com/legal/data-processing-agreement
• Email delivery tools:
  • ImprovMX
    https://improvmx-public-assets.s3.eu-west3.amazonaws.com/improvmx_dpa.pdf
  • Mailgun
    https://sinch.com/legal/terms-and-conditions/other-sinch-terms-conditions/data-protection-agreement/
  • MailerLite
    https://www.mailerlite.com/legal/data-processing-agreement
• Database providers:
  • MongoDB
    https://www.mongodb.com/legal/data-processing-agreement
• CRM system:
  • HelpScout
    https://www.helpscout.com/company/legal/dpa/
• Website CMS
  • WebFlow
    https://webflow.com/legal/dpa
• Analytics:
  • MixPanel
    https://mixpanel.com/legal/dpa
  • Google Analytics
    ‍https://www.google.com/analytics/terms/dpa/dataprocessingamendment_20200816.html

9. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), particularly the United States. We ensure all international transfers comply with GDPR requirements through appropriate safeguards.

Processors Operating Outside the EEA

Many of our processors listed in Section 8 operate from or store data in locations outside the EEA:

United States:

• Heroku (hosting infrastructure)
• Digital Ocean (hosting infrastructure)
• MongoDB Atlas (database services)
• HelpScout (customer support)
• WebFlow (website CMS)
• Mailgun (email delivery)

Mixed EU/International Infrastructure:

• Shopify
• MailerLite (Lithuanian company with global infrastructure)
• ImprovMX (email services)
• Google Analytics (analytics)
• MixPanel (analytics)

Safeguards for International Transfers

We protect your data during international transfers through:

1. Data Processing Agreements (DPAs): All processors sign DPAs containing Standard Contractual Clauses (SCCs) approved by the European Commission. Links to each processor's DPA are provided in Section 8 above.
2. Adequacy Decisions: For transfers to the UK, we rely on the European Commission's adequacy decision recognizing the UK's data protection framework as essentially equivalent to the EU's.
3. Technical Measures: All data transfers are encrypted in transit using industry-standard protocols (TLS 1.3 or higher).
4. Contractual Obligations: The DPAs referenced in Section 8 require all processors to maintain GDPR-equivalent protection levels regardless of their location.

Your Rights

You have the right to:

• Review the DPAs linked in Section 8 to understand the safeguards in place
• Request additional information about specific international transfers
• Lodge a complaint with your supervisory authority if you have concerns

For more information about international transfers, please contact us at support@cloudhooks.dev .

10. Data Subject Rights

Under GDPR, you have specific rights regarding your personal data. We are committed to facilitating the exercise of these rights in a transparent and timely manner.

Your Rights Explained

Right to Access (Article 15 GDPR)
You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it's processed. This includes the purposes of processing, categories of data, and recipients.

Right to Rectification (Article 16 GDPR)
If your personal data is inaccurate or incomplete, you have the right to request that we correct or complete it. We will update your information promptly and notify any third parties who have received the incorrect data.

Right to Erasure - "Right to be Forgotten" (Article 17 GDPR)
You may request deletion of your personal data when:

• The data is no longer necessary for the original purpose
• You withdraw consent (where consent is the legal basis)
• You object to processing and no overriding legitimate grounds exist
• The data has been unlawfully processed

Note: We may retain certain data when required by law or for legitimate business purposes such as financial records.

Right to Restrict Processing (Article 18 GDPR)
You can request that we limit how we use your data while we verify its accuracy, assess your objection to processing, or if you need the data for legal claims even though we no longer require it.

Right to Data Portability (Article 20 GDPR)
For data you've provided to us that we process based on consent or contract, you have the right to receive it in a structured, commonly used, machine-readable format (such as CSV or JSON) and to transmit it to another service provider.

Right to Object (Article 21 GDPR)
You may object to processing based on our legitimate interests or for direct marketing purposes. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent
Where processing is based on your consent, you may withdraw it at any time. This won't affect the lawfulness of processing before withdrawal. You can withdraw consent for marketing communications through the unsubscribe link in emails or by contacting us.

Rights Regarding Automated Decision-Making
We do not currently use automated decision-making that produces legal or similarly significant effects. If this changes, we will update this policy and ensure appropriate safeguards are in place.

How to Exercise Your Rights

To exercise any of these rights:

1. Contact us at support@cloudhooks.dev with "Data Rights Request" in the subject line
2. Specify which right(s) you wish to exercise and provide relevant details
3. Verify your identity by providing your account email address and any additional information we may reasonably request
4. Receive confirmation that we've received your request within 48 hours

Our Response Commitment

• We will respond to your request without undue delay and within one month of receipt
• For complex requests, we may extend this by two additional months, but will inform you within the first month
• If we cannot fulfill your request, we will explain why and inform you of your right to complain
• We will not charge a fee unless requests are manifestly unfounded, excessive, or repetitive

Right to Lodge a Complaint

If you're unsatisfied with how we handle your request, you have the right to lodge a complaint with your supervisory authority (see Section 15 for details).

11. Cookies & Similar Technologies

We use cookies and similar technologies to enhance your experience, maintain security, and understand how our Service is used. This section explains what cookies we use, why we use them, and how you can manage your preferences.

What Are Cookies

Cookies are small text files placed on your device when you visit our website or use our Service. They help us recognize your browser, remember your preferences, and improve your experience. We also use similar technologies like local storage for comparable purposes.

Types of Cookies We Use

Analytics Cookies
We use Google Analytics and MixPanel to understand how users interact with our Service. These cookies collect:

• Pages visited and features used
• Time spent on different sections
• General location (country/city level)
• Browser and device type
• Referral source

This data is aggregated and anonymized.

Legal basis: Consent (you can opt out at any time)

Cookie Duration

• Persistent cookies: Remain for specified periods:
  • Analytics cookies: 2 years

Managing Your Cookie Preferences

You have several options for managing cookies:

1. Browser settings: Most browsers allow you to block or delete cookies. Note that blocking essential cookies will prevent you from using the Service.
2. Google Analytics opt-out: Install the Google Analytics Opt-out Browser Add-on to prevent data collection.
3. Do Not Track: We respect Do Not Track browser signals for analytics cookies.

Third-Party Cookies

We use the following third-party services that may set cookies:

• Google Analytics: For usage analytics (see their privacy policy)
• MixPanel: For usage analytics (see their privacy policy)

We do not allow third-party advertising cookies on our Service.

Updates to Cookie Usage

We may update our cookie usage as we develop new features. Any significant changes will be communicated through an update to this Privacy Policy. For questions about our use of cookies, contact us at support@cloudhooks.dev .

12. Security Measures

We take the security of your personal data seriously and implement comprehensive technical and organizational measures to protect it against unauthorized access, accidental loss, destruction, or alteration.

Technical Security Measures

Encryption

• All data transmissions between your browser and our servers are encrypted using TLS 1.3 or higher
• Sensitive data at rest, including API keys and authentication tokens, is encrypted using AES-256 encryption
• Database connections use encrypted channels to prevent interception

Access Controls

• Regular access reviews and immediate revocation for terminated personnel
• API access secured through unique authentication tokens with configurable permissions

Infrastructure Security

• Hosted on secure cloud infrastructure with SOC 2 compliance (Heroku, Digital Ocean)
• Regular security patches and updates applied to all systems
• Isolated environments for production, staging, and development

Organizational Security Measures

Security Policies and Procedures

• Comprehensive information security policy reviewed annually
• Incident response plan for rapid containment of security events
• Vendor security assessments for all processors handling personal data

Monitoring and Logging

• Continuous monitoring of systems for suspicious activities
• Regular review of security logs and metrics

Data Protection Measures

• Regular automated backups with encryption and secure storage
• Disaster recovery procedures tested quarterly
• Secure data deletion procedures ensuring complete removal

Vulnerability Management

• Regular security assessments and penetration testing
• Automated vulnerability scanning of infrastructure and applications
• Responsible disclosure program for security researchers
• Prompt patching of identified vulnerabilities based on risk assessment

Incident Response

In the event of a personal data breach, we will:

1. Contain and assess the incident immediately
2. Notify affected users without undue delay where required
3. Report to supervisory authorities within 72 hours when mandatory
4. Document all breaches and remediation actions taken

Security Limitations

While we implement industry-leading security measures, no system can guarantee absolute protection. We continuously review and improve our security posture to address evolving threats. Users are encouraged to:

• Report any suspected security issues to support@cloudhooks.dev
• Keep their API keys confidential and rotate them regularly

For security concerns or to report vulnerabilities, please contact our security team directly at support@cloudhooks.dev .

13. Children's Privacy

Cloudhooks is a business service designed exclusively for professional and commercial use. As a Shopify app, we rely on Shopify's age verification and user management systems. We do not offer services to children and have implemented measures to prevent the collection of their personal data.

Age Restrictions

Our Service is available only to Shopify store owners and their authorized users. Shopify requires all account holders to be:

• At least 18 years of age (or the age of majority in their jurisdiction)
• Legally capable of entering into contracts

We do not independently verify age as we rely on Shopify's user verification processes. By installing Cloudhooks through the Shopify App Store, store owners confirm they meet Shopify's age and eligibility requirements.

Our Commitment

We do not knowingly collect, process, or store personal data from individuals under the age of 16. Since Cloudhooks can only be accessed through Shopify admin accounts, our Service is not directed at, marketed to, or intended for use by children. The nature of our Service - webhook automation for e-commerce - inherently targets adult business users.

If a Child Provides Personal Data

If we discover that we have inadvertently collected personal data from someone under 16, we will:

1. Immediately suspend the associated hooks
2. Delete all personal data related to that store within 48 hours
3. Notify Shopify of the action taken
4. Not retain any records beyond what is legally required

For Parents and Guardians

If you believe your child under 16 has somehow gained access to a Shopify store and used Cloudhooks:

• Contact us immediately at support@cloudhooks.dev with "Child Privacy Concern" in the subject line
• Provide the Shopify store domain where the access occurred
• We will promptly investigate and delete any data collected through unauthorized access

Verification

We rely entirely on Shopify's user verification and access control systems. Only users with valid Shopify admin credentials can install or access Cloudhooks. This approach ensures that:

• All users have already been verified by Shopify
• Access is limited to business account holders
• Children cannot independently install or use our Service

This approach balances privacy protection with the business-to-business nature of our Service, while recognizing that user verification is handled by Shopify's platform.

14. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in our data processing practices, legal requirements, or business operations. We are committed to keeping you informed about how we protect and process your personal data.

Types of Changes

Minor Changes

Minor changes include:

• Typographical corrections and clarifications
• Formatting improvements
• Updates to contact information
• Addition of newly integrated processors performing similar functions
• Clarifications that don't materially affect your rights

These changes will be made directly to the policy with an updated revision date.

Material Changes

Material changes include:

• New purposes for processing personal data
• Changes to data retention periods
• New categories of personal data collected
• Changes to your rights or how to exercise them
• Significant changes to international data transfers
• Changes to our legal bases for processing

Notification Procedures

For Minor Changes:

• Updates will be posted on our website at https://cloudhooks.dev
• The "Effective Date" at the top of the policy will be updated
• No additional notification will be provided

For Material Changes:

• We will notify you via email at least 30 days before the changes take effect
• A prominent notice will be posted on our Service dashboard
• The email will include:
  • A summary of key changes
  • The effective date of the new policy
  • A link to review the complete updated policy
  • Your options if you disagree with the changes

Your Rights Regarding Changes

When we make material changes:

• You have 30 days to review the changes before they take effect
• You may contact us with questions or concerns about the changes
• If you disagree with material changes, you may:
  • Export your data (see Section 10 - Data Subject Rights)
  • Close your account before the changes take effect
  • Continue using the Service, which constitutes acceptance of the new terms

Continued Use

By continuing to use Cloudhooks after privacy policy changes take effect, you acknowledge and agree to be bound by the updated policy. If you do not agree to material changes, you should discontinue use of the Service before the effective date.

Policy History

We maintain a record of material changes to this Privacy Policy. To request information about previous versions or specific changes, contact us at support@cloudhooks.dev .

Stay Informed

We encourage you to review this Privacy Policy periodically. The "Effective Date" at the top of this document will always reflect the date of the most recent version.

15. Contact Information & Complaints

We are committed to addressing your privacy concerns and facilitating the exercise of your rights under GDPR. This section provides comprehensive information on how to contact us and lodge complaints if necessary.

Primary Contact:

• Email: support@cloudhooks.dev
• Attention: Csaba Cserep, Chief Information Officer
• Company: Infinea Consulting Ltd
• Address: Andor utca 21/c fszt. 1., 1119 Budapest, Hungary

Types of Requests We Handle:

• Data subject rights requests (access, rectification, erasure, etc.)
• Privacy policy clarifications
• Data processing inquiries
• Security concerns or breach notifications
• Consent withdrawals
• Complaints about our data handling practices

Response Times

We strive to respond to all privacy-related communications promptly:

• Initial acknowledgment: Within 48 hours of receiving your request
• Substantive response: Within 30 days for standard requests
• Complex requests: We may extend by an additional 60 days with notice
• Urgent security matters: Within 24 hours

Language Support

We accept and respond to privacy requests in:

• English (primary language)
• Hungarian
• Other EU languages (we will make reasonable efforts to accommodate)

Lodging a Complaint with Supervisory Authorities

If you are dissatisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority.

Your Options for Filing Complaints:

You may file a complaint with the supervisory authority in:

1. Your country of habitual residence
2. Your place of work
3. The place where the alleged infringement occurred
4. Hungary (our location)

Hungarian Supervisory Authority:

• Name: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) / National Authority for Data Protection and Freedom of Information
• Address: 1055 Budapest, Falk Miksa utca 9-11
• Phone: +36 1 391 1400
• Email: ugyfelszolgalat@naih.hu
• Website: https://naih.hu

Finding Your Local Authority: For supervisory authorities in other EU member states, visit the European Data Protection Board website: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Escalation Process

If you're not satisfied with our initial response:

1. You may request escalation to senior management
2. We will review your concern within 10 business days
3. You will receive a final response from our Chief Information Officer
4. If still unsatisfied, we will provide information about external dispute resolution options

Data Protection Representation

As we are established in the EU (Hungary), we are not required to appoint a representative in other member states. However, we accept and process requests from data subjects throughout the EEA with equal diligence.

Keeping Records

We maintain records of all privacy-related requests and complaints for a minimum of three years to demonstrate compliance and improve our practices. These records are kept confidential and used only for compliance and service improvement purposes.