Privacy Policy

1. Controller
The controller responsible for data processing under the General Data Protection Regulation (GDPR) is:

Suplify UG (haftungsbeschränkt)
Alte Weseler Straße 18
46569 Hünxe, Germany
Email: info@suplify.app

This privacy policy applies to the use of the website www.suplify.app and the Suplify app within the Shopify ecosystem.

2. General Information on Data Processing
Protecting your personal data is important to us. We process your data confidentially and in accordance with the applicable data protection laws, especially the GDPR and the German Telecommunications and Telemedia Data Protection Act (TDDDG).

3. Data Collection on the Website
When visiting our website, the web server automatically collects information transmitted by your browser (so-called server log files). This includes the browser type and version, the operating system used, the referrer URL, the hostname of the accessing device, and the time of the server request. The processing is based on Art. 6 (1) lit. f GDPR to ensure technical stability and security.

4. Cookies and Tracking Technologies
We use cookies and similar technologies on our website. Some are technically necessary for the operation of the site; others are used for statistical, functional, or marketing purposes. Consent for non-essential cookies is obtained via the Consentmo GDPR app (Shopify).

Meta Pixel: We use the Meta Pixel by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. This tool enables us to track user behavior after they click on a Facebook or Instagram ad, helping us measure and optimize the performance of our ad campaigns. We act as joint controllers with Meta Platforms Ireland Ltd. under Art. 26 GDPR. The relevant agreement is available at: https://www.facebook.com/legal/controller_addendum
Meta’s privacy policy is available at: https://www.facebook.com/privacy/policy

Google Analytics 4: Used to analyze user behavior on our website. Provided by Google Ireland Ltd., with data also processed by Google LLC (USA). IP anonymization is enabled. Google is certified under the Data Privacy Framework (DPF). Processing only occurs with user consent.

Microsoft Clarity: Records anonymized session behavior to improve user experience. Provided by Microsoft Corporation (USA), which is certified under the DPF. Data is anonymized and stored for a maximum of 12 months. Processing only occurs with user consent.

Wistia: On the welcome page inside the Suplify app, we embed a video from Wistia, Inc., 17 Tudor Street, Cambridge, MA 02139, USA. When the video is loaded, personal data such as your IP address and technical information (e.g., browser and device details) are transmitted to Wistia. Wistia also places cookies and similar tracking technologies to perform usage analytics. Processing occurs solely with your explicit consent under Art. 6 (1) lit. a GDPR in conjunction with § 25 TDDDG. Wistia is certified under the EU-US Data Privacy Framework.
Further information: https://wistia.com/privacy
You can withdraw your consent at any time via the cookie banner or by deleting cookies in your browser settings.

5. Contacting Us via Website
When using our contact form or support chat, we process the personal data you provide (e.g., name, email address, message) to handle your inquiry. The legal basis is Art. 6 (1) lit. b GDPR (pre-contractual measures) or lit. f (legitimate interest in effective communication).

6. Use of the Suplify App (Shopify)
When installing and using the Suplify app, we process the following data of Shopify store owners: company name, business address, contact details, Shopify store domain, and billing information via the Shopify Billing API. This data is necessary for providing and billing the app. Legal basis: Art. 6 (1) lit. b GDPR.

7. Processing End Customer Data (via the App)
When using the app, Suplify also processes personal data of the end customers of the respective Shopify stores (e.g., name, address, phone number, order details) in order to forward orders to our production and logistics partner for manufacturing, packaging, and shipping. Suplify acts as the controller under Art. 4 (7) GDPR in this regard.

8. Data Sharing with Third Parties and International Transfers
Personal data is only shared in accordance with legal requirements and to fulfill contractual obligations. This includes the following recipients:

  • Manufacturing and fulfillment partners (EU)
  • Hosting providers (EU)
  • Payment processors (EU/USA with appropriate safeguards)
  • Shipping providers (EU)
  • Marketing and analytics services (only with consent, EU/USA with appropriate safeguards)
  • Customer support tools (EU)

For providers based outside the EU (e.g., USA), data is transferred under the standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR or based on the EU-US Data Privacy Framework if the provider is certified.

9. Data Retention
We retain personal data only as long as necessary for the respective purposes or as required by law. Contact data is deleted once the request is resolved. Data relevant for tax or commercial law is stored for 6 or 10 years in accordance with §§ 147 AO and 257 HGB.

10. Data Subject Rights
You have the right to request access to your data (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object to processing (Art. 21). If you have given consent to processing, you may withdraw it at any time with future effect. You also have the right to lodge a complaint with a data protection authority under Art. 77 GDPR.

11 a. Data Security
We implement appropriate technical and organizational security measures to protect your personal data against manipulation, loss, destruction, or unauthorized access. Our website and app use SSL encryption.

11 b. Security Incidents and Data Breaches
We maintain a documented Security Incident Response Policy that governs the detection, containment, investigation, and notification of security incidents. If a confirmed breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data (“Data Breach”), we will:

  1. Detect & Assess – Immediately identify the incident and assess risks to the confidentiality, integrity, and availability of the data concerned.
  2. Contain & Remediate – Take prompt actions to limit impact and restore system security.
  3. Notify Supervisory Authority – Where legally required, report the breach without undue delay and, in any event, within 72 hours of becoming aware of it, in accordance with Art. 33 GDPR.
  4. Inform Affected Individuals – Notify data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).
  5. Document & Prevent – Log every incident and response step, and implement corrective measures to prevent recurrence.
  6. Contact – Questions regarding security incidents can be directed to info@suplify.app.

12. Updates to this Privacy Policy
We reserve the right to update this privacy policy at any time. The current version is always available on our website.