Privacy Policy

Last updated: March 10, 2026

  1. Controller

    The controller for the processing of personal data on this website and in connection with the Gift Engine app is:

    • Marco Kuhlkamp
    • Wiesenweg 14a
    • 6380 St. Johann in Tirol, Austria
    • shopify.marcokuhlkamp@gmail.com
    • UID: ATU79751813

  2. Scope of this Privacy Policy

    This Privacy Policy explains how we process personal data when:

    • you visit our website,
    • a merchant installs or uses our Shopify app Gift Engine,
    • end customers use gift-related functions provided by the app in a merchant's Shopify store.

    Where end customers use gift functions in a merchant's store, the respective merchant is generally the controller of the order and customer data stored in that store. In that context, we typically act as a processor or service provider on behalf of the merchant insofar as we technically enable the gift functionality.

  3. Categories of Data We Process

    a) Website visitors and app users

    When merchants use the app or access connected services, we may process the following categories of data:

    • shop domain and store identifier,
    • merchant contact data provided by Shopify, in particular store name and store email address,
    • store profile data such as primary domain, currency, billing country and Shopify plan information,
    • subscription and billing data, including subscription status, plan name, interval, price, capped usage amounts and billing timestamps,
    • technical authentication and session data, including Shopify-issued session information and access tokens required to operate the embedded app,
    • app configuration data, such as gift product settings, style settings, labels, placeholders and other merchant-defined configuration values,
    • merchant-defined translation content,
    • usage records relating to gift-wrapping billing, for example order ID, number of gift-wrapping items, product titles, quantities, prices and calculated usage fees,
    • communication data where we send operational emails such as onboarding or service-related messages to merchants.

    b) End customers in merchant stores

    When an end customer uses gift features in a merchant's Shopify store, the app may write gift-related information into the merchant's Shopify cart or order data. Depending on the merchant's setup, this may include:

    • gift recipient name,
    • gift sender name,
    • gift note or message,
    • selected gift bag color or gift-wrapping option,
    • technical association data required to connect gift items to the relevant order item.

    Based on the current implementation, these gift-message fields are primarily stored in the merchant's Shopify environment rather than in our own backend database.

  4. Purposes of Processing

    We process personal data for the following purposes:

    • to provide, operate and secure the app,
    • to authenticate merchants and maintain app sessions,
    • to create, manage and bill app subscriptions,
    • to store and deliver merchant-defined app settings and translations,
    • to enable gift-related cart and order functions in merchant stores,
    • to send operational or service-related communications to merchants,
    • to comply with legal obligations, including data protection and tax or accounting obligations,
    • to detect, prevent and investigate misuse, fraud or security incidents.

  5. Legal Bases Under Article 6 GDPR

    Where we act as controller, we process personal data on the following legal bases:

    • Article 6(1)(b) GDPR, where processing is necessary for the performance of a contract or to take steps prior to entering into a contract, especially for providing the app to merchants,
    • Article 6(1)(c) GDPR, where processing is necessary to comply with legal obligations,
    • Article 6(1)(f) GDPR, where processing is necessary for our legitimate interests, in particular maintaining app security, preventing abuse, ensuring reliable operation and documenting billing-related usage,
    • Article 6(1)(a) GDPR, if consent is required in an individual case.

    Where we process end-customer data on behalf of a merchant, the relevant merchant determines the legal basis and we process such data under the merchant's instructions, subject to the applicable data processing agreement.

  6. Recipients and Processors

    We may disclose personal data to the following categories of recipients where necessary:

    • Shopify, insofar as the app is technically integrated with the Shopify platform and merchant stores,
    • Amazon Web Services, which we use for hosting and backend infrastructure, including services such as compute, database, email delivery and workflow processing,
    • service providers that support us in the secure operation, maintenance and communication of the app,
    • public authorities or courts where we are legally obliged to disclose data.

    Our backend infrastructure is hosted in the EU region eu-central-1.

  7. International Data Transfers

    Our own backend hosting is configured in the EU. However, because the app is integrated with Shopify and may involve external service providers, personal data may in individual cases be processed outside the European Economic Area.

    Where personal data is transferred to a third country without an adequacy decision, we ensure that appropriate safeguards are in place, in particular the use of the European Commission's Standard Contractual Clauses and, where necessary, supplementary protective measures.

  8. Retention Periods

    We retain personal data only for as long as necessary for the relevant purposes and as long as statutory retention obligations require.

    In particular:

    • technical session data is retained for the duration of the relevant session or app installation, or until deletion or expiry,
    • merchant account, configuration, billing and usage data is retained for as long as the merchant relationship exists and thereafter only as long as necessary for legal, accounting, security or enforcement purposes,
    • gift-message content entered by end customers is generally retained within the merchant's Shopify environment according to the merchant's own retention rules,
    • where legal obligations require longer retention, the relevant data may be stored for the legally required period.

  9. Cookies, Tokens and Similar Technologies

    We do not currently use separate marketing or analytics trackers in the inspected application source.

    However, when the app is used in the Shopify admin environment or in connection with Shopify authentication, technically necessary identifiers, headers, tokens or comparable technologies may be processed in order to authenticate users, maintain secure sessions and ensure the functionality of the embedded app.

  10. Security

    We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, alteration or disclosure. These measures include access controls, signed request verification, authenticated session handling and hosting within secured cloud infrastructure.

  11. Data Subject Rights

    If we act as controller for your personal data, you have the following rights under the GDPR, subject to the statutory requirements:

    • right of access under Article 15 GDPR,
    • right to rectification under Article 16 GDPR,
    • right to erasure under Article 17 GDPR,
    • right to restriction of processing under Article 18 GDPR,
    • right to data portability under Article 20 GDPR,
    • right to object under Article 21 GDPR,
    • right to withdraw consent at any time, where processing is based on consent,
    • right to lodge a complaint with a competent supervisory authority.

    If you are an end customer of a merchant store and your request concerns order or customer data in that store, you should generally contact the respective merchant first, as that merchant is usually the controller for that data.

  12. No Automated Decision-Making

    We do not carry out automated decision-making or profiling within the meaning of Article 22 GDPR that produces legal effects or similarly significantly affects individuals.

  13. Changes to this Privacy Policy

    We may update this Privacy Policy from time to time to reflect legal, technical or operational changes. The current version published on our website shall apply.
