MobiLoud Shopify App Privacy Policy

Introduction

Through the MobiLoud Shopify App (“the App”), Fifty Pixels Ltd trading as “MobiLoud” provides Shopify merchants with tools to send push notifications and track orders from their mobile applications. This Privacy Policy explains how data is processed from both merchants and their customers when using the App.

By installing and using the App, merchants agree to this privacy policy. If merchants are also MobiLoud customers using mobiloud.com or other services, they additionally agree to the general Privacy Policy at mobiloud.com/privacy. MobiLoud’s Data Processing Agreement, available at mobiloud.com/dpa, governs MobiLoud’s obligations as a data processor under this policy. This App-specific privacy policy should be read in conjunction with the general Privacy Policy and DPA where applicable.

Roles and Responsibilities

In the context of data processing:

  • MobiLoud (Fifty Pixels Ltd) acts as the Data Processor, processing data on behalf of the merchant
  • The Shopify merchant acts as the Data Controller, determining the purposes and means of processing end-user data
  • End-users are the Data Subjects to whom the Personal Data refers

Merchant Data Collection

When merchants install and use the App, the following information is collected:

Account Information

  • Store owner’s name and email address
  • Store name and URL
  • Phone number (if provided)
  • Physical business address

Technical Information

  • OneSignal API credentials
  • App configuration settings
  • Store’s timezone and currency settings
  • Technical logs related to App usage

Usage Information

  • Features enabled/disabled
  • Notification settings and configurations
  • App installation and uninstallation events
  • Support and communication history

This information is used to:

  • Provide and maintain the App service
  • Send important updates and notifications
  • Provide technical support
  • Process payments and manage subscriptions
  • Improve service based on usage patterns

End-User Data Processing

When Processing Begins

End-user data is only processed when a merchant has installed the Shopify App AND:

  1. The merchant has enabled order and customer tagging features
  2. The merchant has configured OneSignal integration by providing valid API credentials and activating push notifications for order updates

What End-User Data Is Processed

When enabled, the following end-user data is processed:

  • Contact information (name, email address)
  • Order information (excluding payment data)
  • Device information (browser and operating system)
  • Location data (IP address)

The following is specifically NOT processed or accessed:

  • Payment or financial information
  • Credit card details
  • Detailed browsing history

How End-User Data Is Used

End-user data is processed solely for two specific purposes:

  1. Push Notifications: To enable automated order status notifications through OneSignal
  2. Order/User Tagging: To identify and tag orders and customers that come through the mobile app

Data Flow and Storage

Here is how end-user data is handled:

  1. Data is collected through the Shopify platform based on permissions granted during app installation
  2. When a relevant event occurs (such as an order status change), a Shopify webhook sends data to MobiLoud’s servers
  3. MobiLoud’s servers process this data in real-time and forward it to the merchant’s OneSignal account for push notification delivery, or back to Shopify via their API for tagging
  4. End-user data is NOT written to MobiLoud’s database. Data exists temporarily in job queues during processing and is automatically removed once the operation completes
  5. Production logging is configured at error level only, so end-user data is not logged during normal operations. In rare error conditions (e.g. a failed API call to Shopify or OneSignal), API responses containing end-user data may appear in logs, which are automatically rotated and deleted within 24 hours
  6. MobiLoud uses Sentry for error monitoring, configured with PII exclusion by default. On failure, log entries captured as breadcrumbs may briefly contain end-user data from error responses

What MobiLoud stores (not end-user PII):
- Merchant-level configuration: OneSignal API credentials (encrypted), notification templates, and feature flags
- Store settings: Shopify store domain and access tokens for API communication

Third-Party Services

The following third-party services are used for data processing and infrastructure:

Push Notification Service

OneSignal: For delivering push notifications
- Merchants must create and manage their own OneSignal account
- Data shared with OneSignal is subject to their privacy policy: https://onesignal.com/privacy_policy

Error Monitoring

Sentry (Functional Software, Inc.): For error monitoring and logging
- Configured with PII exclusion by default (send_default_pii = false)
- On error conditions, API responses containing end-user data may be captured as breadcrumbs
- Place of processing: US
- Privacy Policy: https://sentry.io/privacy/

Infrastructure and Hosting

Digital Ocean: For hosting the application servers that read from the Shopify API and send data to OneSignal or back to Shopify
- Place of processing: US
- Privacy Policy: https://www.digitalocean.com/legal/privacy-policy

Cloudflare: For routing traffic and hosting configuration files
- Cloudflare logs basic technical data (such as IP addresses and HTTP headers)
- This data is used solely for operation and maintenance purposes
- Place of processing: US
- Privacy Policy: https://www.cloudflare.com/privacypolicy/

International Data Transfers

MobiLoud’s infrastructure providers (Digital Ocean, Cloudflare) and the merchant’s push notification provider (OneSignal) are located in the United States. Where end-user data is transferred outside the United Kingdom or European Economic Area, MobiLoud relies on appropriate transfer mechanisms, including the UK International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses (SCCs), in accordance with its Data Processing Agreement.

Data Security

Appropriate security measures are implemented to protect both merchant and end-user data during transmission, including:

  • Encrypted data transmission using industry-standard protocols
  • Secure API authentication
  • Regular security audits and updates

Sensitive Data

Merchants shall not configure the App to process special category data (as defined in Article 9 of the UK GDPR), such as data revealing racial or ethnic origin, health data, or biometric data. If a merchant’s use of the App requires processing special category data, prior written agreement with MobiLoud is required.

Merchant Responsibilities

As the data controller, merchants using the App are responsible for:

  • Obtaining appropriate consent from end-users for push notifications
  • Providing notice to end-users about data processing through the App
  • Managing their OneSignal account and related settings
  • Ensuring their privacy policy adequately covers the use of the App, OneSignal, and push notifications

GDPR Compliance

MobiLoud implements all mandatory Shopify GDPR webhooks:

  • Shop data redaction: Permanent deletion of all merchant-related records
  • Customer data deletion: Permanent deletion of any associated customer records
  • Customer data export: Export of any stored customer data on request

Since MobiLoud does not permanently store end-user personal data, these webhooks confirm deletion of any transient or associated records.

Data Subject Rights

End-users should contact the merchant (Shopify store) directly to:

  • Opt-out of push notifications
  • Request information about their data processing
  • Exercise any data subject rights

Merchants can contact MobiLoud directly to:

  • Access their account information
  • Update their personal information
  • Delete their account and associated data
  • Export their data

Changes to This Policy

This privacy policy may be updated from time to time. Merchants will be notified of any significant changes through the Shopify admin panel.

Legal Information

This privacy policy has been prepared based on provisions of multiple legislations, including:

  • Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation)
  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)

This policy shall be governed by and construed in accordance with the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Contact Information

For questions about this privacy policy or data practices:

Fifty Pixels Ltd

209 High Road

N2 8AN

London, UK

Email: privacy@mobiloud.com

Last updated: March 16, 2026