Privacy Policy
Privacy that respects what is yours
Plain language about what Arbyn collects, why, how long we keep it, and the rights you and your shoppers have over it, written for store owners and for the shoppers they serve.
Last updated: July 7, 2026
01.Introduction and scope
The short version: Arbyn is an AI customer support and sales agent that a Shopify store owner installs on their store, and this policy explains what personal information moves through Arbyn, why, and what you can do about it. It is written to be read by a busy founder or store owner, so each section opens with a plain sentence and then gives the full legal detail underneath.
Arbyn is operated by ONDUTYOPS LLC, a limited liability company formed in the State of Delaware, United States, doing business as Arbyn and operating the website and service at arbyn.app ("Arbyn", "we", "us", "our"). This Privacy Policy describes how we collect, use, disclose, retain, secure, and transfer personal information in connection with the Arbyn service, the arbyn.app marketing website, the Arbyn dashboard, and the embedded chat widget and connected support channels through which Arbyn operates. It should be read together with our Terms of Service, our GDPR page, our Subprocessors page, and, for store owners subject to European or United Kingdom data protection law, our Data Processing Addendum.
This policy has global reach because Arbyn serves store owners and shoppers in many countries. It is written United States first, because ONDUTYOPS LLC is a United States company, and it then layers on the specific disclosures required by the laws of the European Economic Area, the United Kingdom, Switzerland, Canada, Australia, Brazil, and other jurisdictions. Where a specific law grants a right or imposes a duty that goes beyond the general description in the early sections, the later state-specific and country-specific sections control for the people that law protects.
A few things are true throughout this document and worth stating once at the top. We do not sell personal information and we do not share it for cross-context behavioral advertising. We do not use your data, your shoppers' data, or your conversations to train Arbyn's models or any third party's foundation models. We disclose every subprocessor that touches your data by name on our Subprocessors page, and we give at least 30 days advance notice before adding a new one. These are commitments, not marketing, and the rest of this policy explains exactly how each one works.
This policy is not legal advice to you and does not create rights beyond those granted by applicable law. If you are a store owner, you remain responsible for your own privacy notices to your shoppers and for the lawful basis on which you direct Arbyn to process their data, as described in the roles section below.
02.Who this policy covers
The short version: this policy covers two different groups of people, the store owners who install Arbyn, and the end shoppers those store owners serve, and the rights and routing differ between them.
The first group is store owners. A store owner is the person or business that installs Arbyn from the Shopify App Store, connects a Shopify store, configures Arbyn, and pays for it (or uses the free Starter plan). When we talk about "you" in this policy, we usually mean a store owner. For a store owner's own account and configuration data, Arbyn decides the purposes and means of processing, so Arbyn is the controller and deals with store owners directly on their rights.
The second group is end shoppers. An end shopper is a customer of a store owner who contacts that store through a channel Arbyn operates, for example email, live chat, or a social direct message, or whose order and customer record Arbyn reads in order to answer a question or take an authorized action. For end shopper personal information, the store owner is the controller and Arbyn is only a processor acting on the store owner's documented instructions. This distinction matters a great deal for how rights requests are routed, and the roles section and the rights sections explain it in full.
A note on terminology. We use "store owners" and "you" for our customers and we never call them "store owners". We use "end shoppers" or "shoppers" for their customers. We use "personal information" and "personal data" interchangeably to mean information that identifies, relates to, describes, or could reasonably be linked to a particular person or household, as those terms are defined under the California Consumer Privacy Act, the General Data Protection Regulation, and the other laws referenced in this policy.
This policy does not govern Shopify itself, the store owner's own website, or any third-party service a store owner connects on their own. Shopify's handling of your data is governed by Shopify's own terms and privacy policy, and a store owner's website and its cookie banner are the store owner's responsibility as the controller of that site.
03.Our two roles: controller and processor
The short version: for your own account data Arbyn is the business in charge (a controller), and for your shoppers' data Arbyn is a hired hand acting only on your instructions (a processor or service provider), and that single distinction drives everything else in this policy.
For the personal information of your shoppers that flows through Arbyn, which includes their message content, the orders and customer records they reference, and technical metadata such as IP address, browser, and locale, you the store owner are the controller and Arbyn (ONDUTYOPS LLC) is the processor. Under the California Consumer Privacy Act as amended by the California Privacy Rights Act, Arbyn is a "service provider". Under the Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other state consumer privacy laws, and under the General Data Protection Regulation, the United Kingdom GDPR, and Brazil's LGPD, Arbyn is a "processor" or "store owner". In every one of those roles, Arbyn processes shopper personal information only to perform the contracted services, only on your documented instructions, and never for its own independent purposes.
For the account data we collect about you when you install and use Arbyn, which includes your store name, owner email address, billing account information, and the OAuth permission scopes you grant, Arbyn is the controller (a "business" under the CCPA and a "controller" under the state and European laws). In that role we decide why and how that limited set of data is processed, we set the lawful basis, and we answer your rights requests about it directly.
Because we are a service provider and processor for shopper data, there are things we commit not to do with it. Arbyn does not sell or share shopper personal information, does not retain, use, or disclose it for any purpose other than performing the services or as otherwise permitted by the CCPA, and does not combine it with personal information received from other sources except as the CCPA allows. Arbyn certifies that it understands these restrictions and will comply with them. The detailed contractual terms that satisfy the CCPA's service-provider requirements and the GDPR's Article 28 processor requirements live in our Data Processing Addendum, which is offered to every store owner, rather than being restated in full here.
The most important practical consequence of this split is request routing. Because the store owner is the controller of shopper data, an end shopper's request to access, correct, delete, or otherwise act on their data is directed to and fulfilled by the store owner, with Arbyn assisting. Arbyn will not act on shopper personal information without the store owner's authority. By contrast, a store owner's request about their own account data is handled by Arbyn directly. The rights sections below explain exactly how to submit each kind of request.
04.Notice at collection
The short version: this section is the California "notice at collection", a summary you are entitled to at or before the moment we collect your information, listing what we collect, why, whether we sell or share it (we do not), and how long we keep it.
At or before the point of collection, we collect the following categories of personal information for the following purposes. Identifiers and California customer records, such as store name, owner email, billing account, account identifiers, and shopper IP address, are collected to create and secure your account, to deliver the service, and to bill you. Commercial information, such as orders, line items, fulfillment, shipping, product catalog, inventory, pricing, and purchase history, is collected to let Arbyn answer shopper questions and take authorized actions. Internet or other electronic network activity, such as browser, locale, and interactions with the chat widget and dashboard, is collected to operate, secure, and improve the service. Approximate geolocation inferred from IP and locale, but never precise geolocation, is collected for security, fraud prevention, and localization. Limited inferences drawn to improve reply quality are generated and used only for your individual store.
For every category listed above, the answer to "do you sell or share this" is no. We do not sell personal information and we do not share it for cross-context behavioral advertising, as those terms are defined by the CCPA, and we do not process it for targeted advertising or sale under any other state law. There is no category of personal information that we sell or share.
Retention is stated by category rather than as a vague "as long as necessary". Account data is retained while your account is active. Your entire store's data is deleted after uninstall through Shopify's shop/redact process, described in the retention section. An individual shopper's data is deleted within 30 days of a Shopify customers/redact request. Conversation history is retained for 24 months by default and can be shortened by you. Operational logs and backups are purged on a defined cycle. The retention section below gives the full detail and the exact triggers.
This notice at collection is a summary. The sections that follow, in particular the categories, sources, purposes, sensitive information, disclosure, and retention sections, are the complete disclosures, and they control if there is any ambiguity in this summary. We provide this notice through the arbyn.app website, at the point where a store owner installs Arbyn, and by reference in the store owner's own privacy notice to their shoppers.
05.Categories of personal information we collect
The short version: here is everything Arbyn collects, grouped the way you experience it (from you, from your Shopify store, and from your shoppers) and then mapped to the formal statutory categories that United States privacy laws use.
From store owners, when you install Arbyn from the Shopify App Store, we receive your Shopify store name, your owner email address, your billing account information (handled through Shopify, as described below), and the specific permission scopes you grant during the OAuth install flow. As you use the dashboard we also collect account identifiers, your configuration choices (such as escalation rules, refund ceilings, and action toggles), and technical logs of your interactions with the dashboard.
From your Shopify store, and only within the scopes you grant, Arbyn reads order history, line items, fulfillment status, and shipping details; customer records, including email, name, and order association; your product catalog, inventory, and pricing; and your store policies, shipping zones, and Markets configuration. Arbyn also reads customer support conversations from the channels you connect, which can include email, chat, and social direct messages. Arbyn reads this data live from Shopify to answer a question or take an action and does not keep long-term duplicate copies of your commerce catalog.
From end shoppers, when a shopper interacts with Arbyn through one of your connected support channels, Arbyn processes the content of their messages, basic technical metadata such as IP address, browser, and locale, and any order the shopper references. Arbyn does not ask shoppers for more than they volunteer in the normal course of a support or sales conversation.
Mapped to the CCPA's statutory categories, the above is: identifiers (store owner name, owner email, account identifiers, and shopper IP address); California customer records (name, contact details, and billing account); commercial information (orders, line items, fulfillment, shipping, product catalog, inventory, pricing, and purchase history); internet or other electronic network activity (browser, locale, and interactions with the chat widget and dashboard); geolocation data that is approximate only, inferred from IP and locale, and expressly not precise geolocation; and inferences, which are limited and used only to improve replies for that individual store. Arbyn does not collect biometric information, and Arbyn does not intentionally collect protected-classification characteristics such as race, religion, or health status. The sensitive information section explains how we handle the rare case where a shopper volunteers sensitive details in a free-text message.
06.Sources of the personal information we collect
The short version: your information reaches Arbyn from four places, from you at install, from Shopify's API under the scopes you grant, from your shoppers through the channels you connect, and automatically from the devices people use.
The first source is you, the store owner, at and after installation. You provide your store name, owner email, and billing relationship when you install Arbyn, and you provide configuration data and instructions as you set up and operate the service.
The second source is the Shopify Admin API. Under the OAuth scopes you grant on the Shopify install screen, Arbyn reads commerce and customer data from your Shopify store, including orders, fulfillment, customer records, product catalog, inventory, pricing, policies, and Markets configuration. Arbyn requests only the minimum scopes it needs, and the exact scope set is displayed on the Shopify install screen and reviewed before every release.
The third source is your end shoppers, through the connected support channels. When a shopper emails your support address, opens the chat widget, or sends a social direct message that routes to Arbyn, the shopper is the origin of their message content and of any details they choose to share, including the order they are asking about. Under the European transparency rules, we note that Arbyn generally receives shopper data from you and from Shopify rather than directly from the shopper, and the categories are the order and fulfillment records, customer records, product catalog, inventory, pricing, store policies, Markets configuration, and support conversations described above.
The fourth source is automatic collection from devices. When a person interacts with the arbyn.app website, the dashboard, or the chat widget, we automatically collect technical metadata such as IP address, browser type, and locale through standard web mechanisms, described further in the cookies section. We do not collect precise geolocation, and we do not build advertising profiles from this data.
07.How and why we use personal information
The short version: we use personal information only to run Arbyn for you, to keep it secure, to bill it, and to improve the replies for your specific store, and for the account data we control we rely on defined legal bases under European law.
For business and commercial purposes under United States law, we use personal information to deliver AI support and sales replies in your store's voice; to execute the Shopify actions you have authorized, such as refunds, address changes, cancellations, and returns; to provide analytics and reporting in your dashboard, such as resolution rates, customer satisfaction, and revenue attribution; to secure the service and prevent fraud and abuse; to bill you through Shopify; and to improve reply quality, scoped to your individual store. We expressly do not process personal information for cross-context behavioral advertising, and we do not process it to build or enrich advertising profiles.
For store owners and shoppers protected by the General Data Protection Regulation and the United Kingdom GDPR, we identify a lawful basis, but only for the account data for which Arbyn is itself the controller. For that account data we rely on: performance of our contract with you under Article 6(1)(b) to provide the service; our legitimate interests under Article 6(1)(f) for security, fraud prevention, service analytics, and communicating with existing store owners; legal obligation under Article 6(1)(c) for tax and billing records; and consent under Article 6(1)(a) for optional marketing emails and non-essential cookies, which you can withdraw at any time. Where we rely on legitimate interests, the specific interest is keeping the service secure, preventing abuse, or improving reply quality for your store, and we have carried out a balancing test that is available on request.
For your shoppers' data, Arbyn does not choose the lawful basis. You, as the controller, are responsible for establishing and documenting a lawful basis under Article 6, which for customer support is typically performance of a contract or legitimate interests, and Arbyn processes that data solely on your documented instructions. Arbyn will inform you if, in our view, an instruction from you appears to infringe applicable data protection law.
We practice data minimization. We collect and retain only what is reasonably necessary and proportionate to the purposes above, we do not request Shopify scopes or protected customer fields we do not use, and we limit retention as described in the retention section. Colorado and Connecticut, among others, require that collection and retention be limited to what is reasonably necessary, and we apply that standard everywhere.
08.AI and LLM processing, and our no-training commitment
The short version: Arbyn is an AI agent, the language-model inference that drafts replies runs under a strict zero-retention agreement, and neither Arbyn nor its inference provider trains any model on your data or your shoppers' data.
Arbyn works by taking an inbound support or sales message, pulling the relevant Shopify context live (such as the order, customer history, fulfillment status, and your store policies), and sending that message and context to a large language model for inference so a reply can be drafted in your store's voice. The reply is then sent, and any Shopify action you authorized is executed and written to your Shopify order timeline. The model inputs are the shopper's message and the order context needed to answer it.
The inference runs on open-source and open-weight models (for example Llama, Mixtral, Qwen, DeepSeek, and similar) hosted by our inference subprocessor, Deep Infra, under a zero-retention, no-training agreement. Under that arrangement, the inputs Arbyn sends for inference are not retained by the model provider after the response is returned, are not logged for training, and are not shared. Your data is never used to train Arbyn's models or any third party's foundation models, and we never use one store owner's data to train models that serve any other store owner.
Every representation in this section is meant to be literally true and is stated conservatively for that reason. The zero-retention and no-training commitment applies to the language-model inference path with Deep Infra. It does not mean that no subprocessor ever retains anything, because other subprocessors legitimately retain limited operational data to do their jobs. For example, our email subprocessors retain delivery logs per their policies, our CDN caches static assets, and our hosting provider stores data at rest. The subprocessors section describes what each one does.
A derived artifact worth naming is your store's voice fingerprint, which Arbyn builds to make replies sound like you. That fingerprint is a derived feature representation used to style replies for your store, not a store of raw shopper messages, and it is deleted with the rest of your store's data on uninstall.
09.Automated decision-making and human oversight
The short version: Arbyn can draft and send replies and take store actions you authorize, you control how much autonomy it has, and where a solely automated decision would significantly affect a shopper, a human can review, change, or reverse it.
Arbyn uses AI to draft and, where you enable it, send support and sales replies, and to carry out actions you authorize, such as refunds, cancellations, address changes, and returns. You decide the level of autonomy through your configuration, including confidence thresholds, escalation rules, refund ceilings, and per-action, per-day, and per-channel limits. Arbyn executes only the actions you have enabled and only within the limits you set, and a single dashboard toggle can pause every channel instantly.
Under Article 22 of the GDPR and the UK GDPR, individuals have rights in relation to decisions based solely on automated processing that produce legal or similarly significant effects. Where an Arbyn outcome would be based solely on automated processing and would have such an effect on a shopper, meaningful human involvement is available: a human can review the decision, intervene on it, express a point of view, and contest or reverse it. Because the store owner is the controller of shopper data, a shopper asks the store owner for human review, and the store owner (with Arbyn's assistance) provides it. The logic in general terms is that Arbyn matches an incoming request to your store's policies and the relevant order context and proposes a reply or action within the limits you configured, and the significance is that an action such as a refund or cancellation changes the shopper's order.
Several United States state laws address profiling in furtherance of decisions that produce legal or similarly significant effects, and give consumers a right to opt out of it in Virginia, Colorado, Connecticut, Texas, Oregon, and Montana (not Utah), while California addresses automated decision-making through the California Privacy Protection Agency's rulemaking. Arbyn does not conduct profiling for advertising or for its own decisions about shoppers; any automated action is taken on your behalf within your configuration, and the opt-out is exercised by the shopper through you as the controller.
Every action Arbyn takes on your store, including every refund, cancellation, address change, discount, and reply, is written to your Shopify order timeline, so there are no invisible automated actions and you retain a complete audit trail in the place you already look.
10.Sensitive personal information
The short version: Arbyn never asks for sensitive information, a shopper might occasionally volunteer some in a free-text message, and we do not use it to profile anyone or for any purpose other than doing the job you configured.
Arbyn does not solicit sensitive personal information as defined by the CCPA or special category data as defined by Article 9 of the GDPR, such as health, racial or ethnic origin, religious beliefs, precise geolocation, or biometric data, and we instruct store owners not to route such data through Arbyn. Because support conversations are free text, a shopper may occasionally include sensitive details on their own, for example mentioning a health reason for a return.
Where that happens, Arbyn processes the information only as your processor and only on your instructions, and does not use or disclose sensitive personal information to infer characteristics about a person or for any purpose other than providing the service. As a processor, Arbyn relies on you, the store owner and controller, to have any consent or Article 9 condition that the applicable law requires before sensitive data is processed. We design the product to discourage the submission of sensitive data where it can be avoided.
Under the CCPA, California residents have a right to limit the use and disclosure of their sensitive personal information. Because Arbyn only uses any incidentally collected sensitive information to provide the service you requested, and does not use it to infer characteristics, the CCPA's limitation right is effectively already honored, and there is no additional use to opt out of. Under the Virginia, Colorado, Connecticut, Oregon, and Montana laws, processing sensitive data generally requires opt-in consent, which the store owner as controller is responsible for obtaining; under Utah, the standard is notice and an opportunity to opt out rather than opt-in consent.
Arbyn does not sell sensitive personal information and does not sell biometric data. Because we do not sell either category, the exact-language sale notices that Texas and Florida require for such sales do not apply and are omitted. If our practices ever changed, we would add the required notices before any such sale.
11.How we disclose personal information, and our no-sale statement
The short version: we do not sell your data and we do not share it for advertising, and the only third parties that receive it are the subprocessors that help us run Arbyn, each under a contract that limits them to acting on our instructions.
We disclose personal information for business purposes to the categories of third parties described in the subprocessors section, namely our hosting and storage provider, our language-model inference provider, the Shopify platform and Shopify Billing, our transactional email providers, and our content-delivery and security provider. Each of these is a service provider or processor engaged under a contract that requires them to process data only on Arbyn's documented instructions and to protect it. Disclosing personal information to a service provider or processor under a compliant contract is not a "sale" and is not a "share" under the CCPA, and is not a sale or targeted advertising disclosure under the other state laws.
We state this plainly because the law requires it even where no opt-out link is then needed. Arbyn does not sell personal information, and does not share it for cross-context behavioral advertising, as those terms are defined by the CCPA. Arbyn does not process personal data for targeted advertising or for sale under the Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or other state consumer privacy laws. Arbyn does not disclose personal information to advertising networks or data brokers.
We may also disclose personal information where we are legally compelled to do so, for example in response to a valid subpoena, court order, or other lawful request, or where disclosure is necessary to protect the rights, safety, or property of Arbyn, our store owners, their shoppers, or the public, or in connection with a merger, acquisition, financing, or sale of assets, in which case any successor would remain bound by commitments at least as protective as those in this policy. Where Arbyn is a processor and receives a government request for shopper data, we will, unless legally prohibited, direct the request to the store owner as controller or notify the store owner so they can respond.
We do not offer any program that exchanges personal information for money or for a different price or level of service, so there is no data-for-value arrangement to disclose. If that ever changed, we would provide a full notice of financial incentive before launching it, as described in the state-specific section.
12.Subprocessors and service providers
The short version: seven named third parties help Arbyn run, each is listed publicly with what it processes and where, and we give you at least 30 days notice before adding a new one so you can object.
Our full and current subprocessor list is published at arbyn.app/subprocessors, which is the source of truth, and the list there always governs if it differs from the summary here. As of the current version of that page, the subprocessors are: Render (Render Services, Inc., United States) for application hosting, database, and background workers, processing all Arbyn application data at rest and in transit, with EU residency available on request; Deep Infra (Deep Infra, Inc., United States) for large language model inference under a zero-retention, no-training agreement, processing shopper message text and order context as inference inputs that are not retained and not used for training; Shopify (Shopify Inc., Canada) as the commerce platform and source of order, customer, catalog, and policy data that Arbyn reads via the Shopify API; Shopify Billing (via Shopify App charges, Canada) for subscription charges handled inside your Shopify admin, where no card details ever touch Arbyn; Resend (Resend, Inc., United States) for store-owner-facing transactional email such as escalations, weekly digests, and billing receipts; Postmark (ActiveCampaign LLC, United States) for forwarding and escalation emails from Arbyn to store owner inboxes, with delivery logs retained per Postmark's policy and not used for training; and Cloudflare (Cloudflare, Inc., United States, with a global edge) for DNS, content delivery, and DDoS protection, processing HTTPS traffic in transit and caching static assets only. That is seven subprocessors in total.
Each subprocessor is engaged under a written agreement that binds it to process personal data only on Arbyn's instructions, to keep it confidential, to apply appropriate security, and, where the subprocessor is outside the EEA or United Kingdom, to accept the transfer safeguards described in the international transfers section. Arbyn remains responsible to you for its subprocessors' performance of these obligations.
Before we add or replace a subprocessor, we give at least 30 days advance notice by emailing store owners on the notice list and updating the Subprocessors page. Any store owner on the notice list may object in writing during that period. If we cannot resolve a reasonable objection, you may terminate by uninstalling Arbyn, and your data is deleted as described in the retention section.
We keep the Subprocessors page and this policy in sync. If you are conducting vendor due diligence, treat the Subprocessors page as authoritative for the vendor list, hosting regions, and each vendor's own DPA and trust documentation, which are linked there.
13.International data transfers
The short version: Arbyn is hosted in the United States, so using it can involve transferring personal information across borders, and for people in Europe, the United Kingdom, and other regions we rely on recognized legal transfer mechanisms plus encryption.
Arbyn stores and processes personal information primarily in the United States. Render hosts the application and database in the United States (with EU residency available on request), Deep Infra runs inference in the United States, Resend and Postmark send transactional email from the United States, and Cloudflare operates a global edge network. Shopify and Shopify Billing are provided by a Canadian company that also hosts data globally. By using Arbyn, personal information may be transferred to, stored in, and accessed from countries other than the one a person is located in, including the United States and Canada.
For transfers of personal data from the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), using the controller-to-processor module for the transfer from an EEA store owner to Arbyn and the processor-to-processor module for onward transfers from Arbyn to its subprocessors, or on the EU-US Data Privacy Framework where the importer is certified under it. For transfers of United Kingdom personal data, we rely on the United Kingdom's International Data Transfer Agreement or the United Kingdom Addendum to the EU Standard Contractual Clauses, or the United Kingdom extension to the EU-US Data Privacy Framework where available. For Swiss personal data, we rely on the Swiss Standard Contractual Clauses or the Swiss-US Data Privacy Framework. We carry out a transfer risk assessment and apply supplementary measures, in particular encryption in transit and at rest, and a copy of the safeguards is available on request from privacy@arbyn.app.
For transfers of personal data of individuals in Brazil, we rely on a transfer mechanism recognized under Chapter V of the LGPD, such as the ANPD's Standard Contractual Clauses or equivalent contractual safeguards, and Arbyn remains responsible for the data after transfer. We do not claim that the United States is an adequate country under the law of any of these regions, and we do not rely on adequacy where none has been granted; instead we rely on the contractual and technical safeguards described here.
A pre-signed Data Processing Addendum that meets Article 28 of the GDPR and incorporates the applicable Standard Contractual Clauses and United Kingdom transfer tools is offered to every store owner, takes effect on installation for store owners in the EEA, the United Kingdom, and Switzerland, and is available from privacy@arbyn.app. Our GDPR page describes the European and United Kingdom framework in more detail.
15.Data retention and deletion
The short version: your account data lives while your account is active, uninstalling triggers permanent deletion of your whole store's data through Shopify, individual shopper deletions are honored within 30 days, and conversation history defaults to 24 months and can be shortened by you.
Store owner account data is retained for as long as your Arbyn account is active. When you uninstall Arbyn, Shopify sends Arbyn a shop/redact request 48 hours after the uninstall, and on receipt of that request Arbyn permanently erases all data it holds for your store, completing erasure within 48 hours of receiving the request and in all cases within the 30-day window Shopify allows. Deletion is permanent, with no soft-delete recovery window. We state the mechanism precisely because the Shopify request does not arrive until 48 hours after uninstall, so the erasure clock runs from the receipt of that request rather than from the moment of uninstall.
When an individual shopper's deletion is requested through your Shopify admin, Shopify sends Arbyn a customers/redact request (Shopify may delay sending this request if the shopper placed an order in the last six months), and Arbyn permanently deletes all data it holds for that shopper within 30 days of the request. This overrides the default conversation-retention window. Arbyn verifies the HMAC signature on every Shopify compliance webhook and rejects any request that fails verification.
Conversation history is retained for 24 months by default, so that Arbyn can learn from your past replies and answer consistently. You can shorten this retention window or request earlier deletion from your dashboard at any time. Because you control this setting, the 24-month period is a default we apply on your behalf as processor, not a fixed period we impose. Operational logs and encrypted backups are retained only for defined, limited periods needed for security, reliability, and audit, and are then purged on a defined cycle.
Where Arbyn is legally required to retain specific data, for example to meet a tax, accounting, or legal-hold obligation, it retains only that specific data, for only as long as the law requires, and deletes the remainder. Across all of this, Arbyn retains personal data only for as long as reasonably necessary and proportionate to the purposes described in this policy.
We keep our public documents consistent on these timelines, and the retention statements here, on the Subprocessors page, and in the Terms of Service are meant to describe the same lifecycle: permanent deletion of the store's data following uninstall through Shopify's shop/redact process, individual deletion within 30 days through customers/redact, and a 24-month default for conversation history that you can shorten.
16.How we secure your data
The short version: we encrypt data in transit and at rest, restrict and log who can touch it, run on certified infrastructure, and keep the language-model layer zero-retention, and we describe these controls honestly without claiming any system is perfectly secure.
Arbyn applies reasonable and appropriate technical and organizational measures to protect personal information. Personal data is encrypted in transit using TLS (version 1.2 or higher) and at rest using AES-256. API tokens are stored encrypted with rotating keys. Backups are encrypted, production and test data are kept separate, and access to production systems and to protected customer data is restricted to the necessary team on a least-privilege basis and is logged. We maintain a documented security incident response process and a one-click kill switch that pauses every channel instantly.
Arbyn runs on Render, which carries SOC 2 Type 2 and ISO 27001 at the infrastructure layer and runs annual third-party penetration tests, and our other subprocessors maintain their own certifications as listed on the Subprocessors page. As described above, the language-model inference layer operates under a zero-retention, no-training agreement with Deep Infra. Every action Arbyn takes on your store is written to your Shopify order timeline, giving you a continuous audit trail.
We are candid about Arbyn's own certification posture. Arbyn's own SOC 2 Type II audit is in progress and is not yet complete. We do not claim that Arbyn itself already holds SOC 2 or ISO 27001, and where those certifications appear in our materials they refer to the certifications held by our infrastructure and subprocessors, not by ONDUTYOPS LLC. When Arbyn achieves its own certification, we will update our public materials to say so.
No method of transmission or storage is completely secure, and we do not claim that the service is fully secure or that any data set is fully anonymized. What we commit to is a layered, documented security program, prompt response to incidents, and honest disclosure. If you have a security question, a vulnerability to report, or a security questionnaire for your legal team, contact security@arbyn.app.
17.Data breach notification
The short version: if there is a breach affecting shopper data we tell the store owner quickly so the store owner can meet its own legal deadline, and if a breach affects the account data we control we notify the authorities and affected people ourselves as required.
Where Arbyn is a processor and becomes aware of a personal data breach affecting your shoppers' data, we will notify you, the store owner, without undue delay after becoming aware, and as a contractual commitment we aim to notify you within 72 hours of becoming aware. Our notice will describe, to the extent known, the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed. As the controller, you are then responsible for any notification you must make to a supervisory authority (under the GDPR, generally within 72 hours) and to affected shoppers, and we will cooperate with and support that notification.
Where Arbyn is the controller, which is the case for your own account data, we carry the direct notification duties. Under the GDPR and the UK GDPR, we will notify the competent supervisory authority within 72 hours where a breach is likely to result in a risk to individuals, and we will notify affected individuals where the risk is high. Under United States and other laws, we will provide any legally required notifications to affected individuals and regulators without undue delay.
Our breach commitments are calibrated to the different privacy regimes we operate under. Under Canada's PIPEDA we apply the real-risk-of-significant-harm standard, under Australia we follow the Notifiable Data Breaches scheme, and under Brazil's LGPD we follow the ANPD's incident-communication rules. In every case, the store owner is our first point of contact for incidents affecting shopper data, and we assist the store owner in meeting its obligations.
We treat prompt, honest incident disclosure as a floor and a ceiling. If a security incident affects your data, we will not hide it, we will disclose it by email with the full known scope and our remediation steps, and we will keep you informed as our investigation develops.
18.Your privacy rights
The short version: depending on where you live and whether you are a store owner or a shopper, you have rights to see, correct, delete, port, and object to the use of your personal information, and this section lists them.
Under the General Data Protection Regulation and the United Kingdom GDPR, individuals have the right to be informed; the right of access (Article 15); the right to rectification (Article 16); the right to erasure, or "right to be forgotten" (Article 17); the right to restriction of processing (Article 18); the right to be notified about rectification, erasure, or restriction (Article 19); the right to data portability (Article 20); the right to object, including an absolute right to object to direct marketing (Article 21); rights in relation to automated individual decision-making and profiling (Article 22); the right to withdraw consent at any time, as easily as it was given (Article 7(3)); and the right to lodge a complaint with a supervisory authority (Article 77) and to a judicial remedy.
Under the California Consumer Privacy Act, as amended, and the other United States state consumer privacy laws, consumers have, depending on their state of residence: the right to know and access the categories and specific pieces of personal information collected, the sources, the business or commercial purposes, and the categories of third parties to whom it is disclosed; the right to delete personal information; the right to correct inaccurate personal information (in California, Virginia, Colorado, Connecticut, Texas, Oregon, and Montana, but not Utah); the right to data portability; the right to opt out of the sale of personal information; the right to opt out of sharing for cross-context behavioral advertising (California) or of processing for targeted advertising (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana); the right to opt out of profiling that produces legal or similarly significant effects (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, not Utah); the right to limit the use and disclosure of sensitive personal information (California); the right to opt in to processing of sensitive data (Virginia, Colorado, Connecticut, Oregon, Montana), while Utah uses notice and opt-out; the right to non-discrimination for exercising these rights; and the right to appeal a refusal (Virginia, Colorado, Connecticut, Texas, Oregon, Montana; Utah provides no appeal right). Oregon additionally gives the right to obtain a list of the specific third parties, not just the categories, to which personal data has been disclosed.
Rights vary by state, and where a right is not granted by a person's state law we do not misrepresent that it is. In particular, Utah does not provide a right to correct, a profiling opt-out, or an appeal right, and Utah treats sensitive data as notice-and-opt-out rather than opt-in. Oregon provides the broadest access to specific third-party names and a broader definition of sensitive data. We honor the rights each law actually grants.
For shoppers and store owners outside the United States and Europe, we honor the core rights of access, correction, deletion, objection or opt-out, restriction, and portability to the extent local law provides, together with the right to complain to a local supervisory authority. The Canada, Australia, Brazil, and other-jurisdictions section describes several of these regimes specifically, including Quebec Law 25, the Australian Privacy Principles, and the LGPD.
19.How to exercise your rights
The short version: store owners exercise most rights right in the dashboard or by emailing us, shoppers send their requests to the store they contacted (because that store is the controller), and we respond within the timelines the law requires.
For a store owner's own account data, for which Arbyn is the controller, you can exercise most rights directly from the Arbyn dashboard, and for anything the dashboard cannot handle you can email privacy@arbyn.app. Because Arbyn interacts with store owners online, an email address is a valid request method under the CCPA and the other laws. We verify your identity by reference to your account and, where appropriate, the email address on file, and we may ask for additional information to confirm identity where a request is sensitive.
For an end shopper's personal information, for which the store owner is the controller and Arbyn is a processor, the shopper should send access, correction, and deletion requests to the store owner whose store they contacted. The store owner can action most requests directly, including through Shopify's data request and redaction flows, and can email privacy@arbyn.app to forward or escalate a request, and Arbyn will assist. Arbyn does not independently act on shopper data without the store owner's authority, but under laws such as PIPEDA and the Australian Privacy Principles, which do not use the strict controller-and-processor split, Arbyn will act directly where the law places the obligation on us or where we hold the data as controller.
On timing, we respond to rights requests without undue delay. As a general commitment we aim to respond within 30 days. Where a specific law sets a different or extendable period, we follow it: the CCPA allows 45 days, extendable by a further 45 days with notice; the other United States state laws allow 45 days, extendable as each law permits; the GDPR and UK GDPR allow one month, extendable by two further months for complex requests with notice; and Brazil's LGPD requires an immediate response in simplified form or a full response within 15 days. The first request in any 12-month period is handled free of charge, and we will tell you if a request is manifestly unfounded or excessive such that a fee or refusal is permitted.
You may use an authorized agent to submit a rights request. We verify the agent's authority, for example through a signed permission or power of attorney, and we verify the identity of the consumer on whose behalf the agent acts. Where you exercise a privacy right, we will not deny you service, charge you a different price, or provide a different level or quality of service because you did so, except as permitted for a lawful, disclosed financial incentive, and we currently offer no such incentive.
20.United States state-specific disclosures
The short version: this section gathers the specific disclosures the individual state laws require, on top of the general disclosures above, so residents of California and the other states can see exactly how their law applies to Arbyn.
For California residents, this policy serves as the notice at collection and the full CCPA disclosure. The categories of personal information we collect, the sources, the business and commercial purposes, the categories of third parties to whom we disclose it, and the per-category retention are set out in the notice-at-collection, categories, sources, purposes, disclosure, and retention sections. We do not sell personal information and we do not share it for cross-context behavioral advertising, so there is no "Do Not Sell or Share My Personal Information" transaction to opt out of in the core service. We do not use or disclose sensitive personal information beyond providing the service, so the right to limit is effectively honored. We recognize the Global Privacy Control on our marketing site where the law requires it. California residents also have the rights to know, access, delete, correct, and to non-discrimination, as described in the rights section, and may contact the California Privacy Protection Agency and the California Attorney General.
For residents of Virginia, Colorado, Connecticut, Texas, Oregon, and Montana, we honor the rights to confirm and access, delete, correct, and port personal data, to opt out of sale and of processing for targeted advertising, and to opt out of profiling that produces legal or similarly significant effects, and we provide an appeal process. Because Arbyn does not sell data, does not conduct targeted advertising, and does not profile shoppers for its own decisions, there is generally nothing to opt out of in the core service, but we honor these rights where they apply and where we act as controller for account data. Colorado requires that withdrawing consent be as easy as giving it and prohibits dark patterns, and we design our consent flows accordingly. Oregon additionally lets residents request the specific names of third parties that received their data, which we will provide on a valid request. Texas's law has no revenue or volume threshold, so we treat Texas residents as in scope regardless of Arbyn's size.
For Utah residents, we honor the rights the Utah Consumer Privacy Act grants, which are the rights to confirm and access, delete, and port personal data, and to opt out of sale and of targeted advertising, together with notice and an opportunity to opt out of sensitive data processing. Utah does not provide a right to correct, a profiling opt-out, or an appeal right, and we do not represent otherwise.
For residents of the additional states whose consumer privacy laws take effect across 2025 and 2026, including Iowa, Delaware, New Jersey, Nebraska, New Hampshire, Minnesota, Tennessee, Maryland, and others, we honor the rights those laws grant as they come into force, generally including access, deletion, correction, portability, and opt-outs of sale, targeted advertising, and certain profiling, along with any appeal rights those laws provide. Several of these laws and Connecticut's amendments add specific protections for minors, described in the children's privacy section. Regardless of Arbyn's own size or whether Arbyn independently meets any state's applicability thresholds, we provide these disclosures as a matter of course, because our processor obligations flow from our contracts with store owners and because store owners rely on them during diligence.
22.EU and UK rights, roles, and the Data Processing Addendum
The short version: for people in Europe and the United Kingdom, Arbyn is a processor for shopper data and a controller for account data, we rely on Standard Contractual Clauses and the United Kingdom transfer tools for transfers, and a pre-signed Data Processing Addendum is available to every store owner.
For the personal data of your shoppers that flows through Arbyn, you the store owner are the controller and Arbyn is the processor acting only on your documented instructions, and for the account data we collect about you at install, Arbyn is the controller. Arbyn does not choose the lawful basis for your shoppers' data; you establish and document it under Article 6, typically performance of a contract or legitimate interests for customer support. For the account data Arbyn controls, we rely on contract, legitimate interests, legal obligation, and consent, as described in the how-and-why section. Special category data under Article 9 is never solicited, and where a shopper volunteers it in free text, Arbyn processes it only as your processor and you as controller are responsible for ensuring an Article 9 condition applies. We receive shopper and store data from you and from Shopify rather than directly from the shopper, satisfying the Article 14 source disclosure.
Individuals in the EEA and United Kingdom have the full set of GDPR and UK GDPR rights listed in the rights section, and can exercise them as described in the how-to-exercise section, with shoppers directing requests to the store owner as controller and store owners contacting privacy@arbyn.app. We respond within one month, extendable by two further months for complex requests with notice. You have the right to lodge a complaint with a supervisory authority: in the United Kingdom this is the Information Commissioner's Office (ico.org.uk), and in the EEA it is the authority in your country of residence, place of work, or where the issue arose.
Our Data Processing Addendum contains the full Article 28(3) processor undertakings, including that Arbyn processes personal data only on your documented instructions, ensures the confidentiality of authorized personnel, applies Article 32 security measures, engages subprocessors only under your general written authorization while remaining liable for them, assists you with data subject requests and with security, breach, and impact-assessment obligations under Articles 32 to 36, deletes or returns personal data at the end of the service, and makes available the information needed to demonstrate compliance and to allow audits. The DPA incorporates the applicable Standard Contractual Clauses and the United Kingdom International Data Transfer Addendum, is pre-signed, and takes effect on installation for store owners in the EEA, the United Kingdom, and Switzerland. It is available from privacy@arbyn.app.
International transfers rely on the mechanisms named in the international transfers section, supported by a transfer risk assessment and encryption. Arbyn maintains records of its processing activities under Article 30(2) and will provide reasonable assistance to support your data protection impact assessments under Article 35. This section is a summary for the policy, and the GDPR page and the DPA contain the operative European and United Kingdom detail.
23.Canada, Australia, Brazil, and other jurisdictions
The short version: wherever you and your shoppers are, we honor the equivalent local privacy rights, we use appropriate cross-border safeguards, and we name the regulator you can complain to, and this section calls out Canada, Australia, and Brazil specifically.
Arbyn stores and processes personal information primarily in the United States, with some processing in Canada through Shopify, so by using Arbyn a person's information may be transferred to, stored in, and accessed from countries outside their own. We remain accountable for personal information transferred to our subprocessors and use written data processing agreements and technical measures to require a comparable level of protection while the data is processed on our behalf. When personal information is handled by a service provider in another country, including the United States, it may be accessible to the courts, regulators, law enforcement, and national security authorities of that country under that country's laws, and we include this foreign-access notice for Canadian, Australian, and Brazilian individuals alike.
For Canada, under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, Quebec's Law 25, you have the right to access the personal information we hold and to be told how it is used and disclosed, to have inaccurate information corrected, to withdraw consent subject to legal and contractual limits, to know the purposes of collection, and to challenge our compliance by contacting our privacy contact and, if unsatisfied, the Office of the Privacy Commissioner of Canada or the Commission d'acces a l'information du Quebec. Quebec Law 25 adds a right to data portability, a right to de-indexing, and a right to be informed of and submit observations on decisions made exclusively by automated means, and we honor these for Quebec residents. Because PIPEDA and the Australian Privacy Principles make every organization handling personal information directly accountable rather than using the strict controller-and-processor split, Arbyn will act directly for Canadian and Australian shoppers where the law places the obligation on us, and not merely route everything to the store owner.
For Australia, under the Privacy Act 1988 and the Australian Privacy Principles, you may request access to the personal information we hold (APP 12) and its correction (APP 13), you are notified of the matters around collection (APP 5), you may opt out of direct marketing (APP 7), and you may deal with us anonymously or by pseudonym where lawful and practicable (APP 2). We are likely to disclose personal information to overseas recipients located in the United States and Canada, and we take reasonable steps to ensure those recipients handle the information consistently with the Australian Privacy Principles. This policy contains the APP 1 required content, including the kinds of information we collect and hold, how we collect and hold it, the purposes, how to access and correct information, how to complain, and that information is likely to be disclosed overseas and to which countries. You may complain to us first and then to the Office of the Australian Information Commissioner. We are also preparing the automated-decision disclosures that Australia's reforms will require as they commence.
For Brazil, under the Lei Geral de Protecao de Dados (LGPD, Law No. 13,709/2018), Arbyn acts as an store owner (operador) processing on the store owner's documented instructions for shopper data, and as controller (controlador) for store owner account data. You have the Article 18 rights to confirmation of processing, access, correction, anonymization or blocking or deletion of unnecessary or non-compliant data, portability, deletion of data processed on consent, information about entities with which data has been shared, information about refusing consent and its consequences, and revocation of consent, and the Article 20 right to request review of decisions taken solely by automated means. We provide a confirmation of processing or access immediately in simplified form or within 15 days in full. International transfers of data of individuals in Brazil rely on an ANPD-recognized mechanism such as the Brazilian Standard Contractual Clauses, and we do not claim United States adequacy. You may petition the Autoridade Nacional de Protecao de Dados and consumer protection bodies. Our privacy contact also serves as the channel to reach our responsible person (encarregado), reachable at privacy@arbyn.app.
For all other jurisdictions, including the United Kingdom, Switzerland (revised FADP), New Zealand (Privacy Act 2020), South Africa (POPIA), Japan (APPI), South Korea (PIPA), Singapore (PDPA), India (Digital Personal Data Protection Act), and others, Arbyn honors the equivalent core rights of access, correction, deletion, objection or opt-out, restriction, and portability to the extent local law provides, uses appropriate cross-border safeguards, and supports the right to complain to a local supervisory authority. The core deletion and retention commitments, the no-sale commitment, and the zero-retention no-training inference commitment apply globally and jurisdiction-neutrally.
24.Children's privacy
The short version: Arbyn is a business tool that is not directed to children, we do not knowingly collect data from children under 13, and where a shopper is a known child we treat that data as sensitive and act only on the store owner's instructions.
Arbyn is a business-to-business tool intended for Shopify store owners, and it is not directed to children. We do not knowingly collect personal information from children under 13, and we do not knowingly sell or share the personal information of any consumer under 16. If we learn that we have collected personal information from a child under 13 without any required parental consent, we will delete it.
Because Arbyn operates support and sales channels on behalf of store owners, a shopper who contacts a store could in principle be a minor. Where the personal information of a known child under 13 is involved, we treat it as sensitive data, process it only on the store owner's documented instructions and with any parental consent the store owner is responsible for obtaining, and apply the same care and deletion practices described in this policy. Under United States law, the store owner as controller handles the child-specific obligations, including any verifiable parental consent required by the Children's Online Privacy Protection Act (COPPA) and its amended Rule.
For California and the growing number of states with minor-specific rules, affirmative opt-in consent is required before selling or sharing the personal information of consumers aged 13 to 16, and parental consent is required for consumers under 13. Because Arbyn does not sell or share personal information at all, these consent-to-sell requirements do not arise in practice. Several newer state laws and Connecticut's minors amendments add teen-specific limits on targeted advertising, sale, and profiling for consumers under 18 or under 17, and because Arbyn does not conduct targeted advertising, sale, or profiling for its own decisions, those limits are honored by our practices.
For the European Economic Area and the United Kingdom, the age of consent for information society services is 16 under the GDPR (member states may lower it, and it is 13 in the United Kingdom under the Data Protection Act 2018). Because shoppers could be minors, the store owner as controller is responsible for any child-specific obligations, including where relevant the United Kingdom Age Appropriate Design Code if the chat widget is likely to be accessed by children. Arbyn supports store owners in meeting these obligations but is not the party that obtains any required consent.
25.Government and law enforcement access
The short version: because your data is held in the United States and Canada, it can be subject to those countries' legal processes, and where we receive a government request for shopper data we route it to the store owner as the controller wherever we can.
Personal information handled by Arbyn and its subprocessors is stored primarily in the United States, with some processing in Canada through Shopify. As a result, that information may be accessible to the courts, regulators, law enforcement, and national security authorities of those countries under their laws. We include this notice because it is expected under Canadian privacy guidance and is good practice for Australia and Brazil as well, and none of these regimes treats the United States as adequate under its own law, which is why we rely on contractual safeguards and Standard Contractual Clauses rather than any claim of adequacy.
When Arbyn receives a government, court, or law enforcement request that seeks shopper personal data for which a store owner is the controller, we will, unless legally prohibited from doing so, decline to disclose the data directly and instead direct the request to the store owner or promptly notify the store owner so that the store owner as controller can respond. Where we are legally compelled to disclose, we will disclose only what is legally required and will seek to notify the store owner where the law permits.
For the account data for which Arbyn is the controller, we will respond to lawful requests ourselves, disclosing only what is legally required, and we will resist requests that are overbroad or legally deficient. We evaluate each request for legal validity before responding.
We do not provide any government with direct, unfettered, or bulk access to personal information, and we have no arrangement that gives any authority a back door into Arbyn systems. Any disclosure is made only in response to a specific, legally valid request and only to the extent the law requires.
26.Data protection assessments and our cooperation as a processor
The short version: as a processor we help store owners meet their own assessment and record-keeping duties, and we keep the records the law requires of us.
Where a store owner as controller must carry out a data protection impact assessment or an equivalent risk assessment before certain processing or transfers, for example under Article 35 of the GDPR, under Quebec Law 25 for cross-border transfers, or under the several United States state laws that require data protection assessments for higher-risk processing, Arbyn provides reasonable information and assistance to support that assessment. This includes information about the categories of data processed, the purposes, the subprocessors, the transfer mechanisms, and the security measures described in this policy.
Arbyn maintains records of its processing activities as a processor under Article 30(2) of the GDPR. The small-organization exemption does not apply, because Arbyn's processing of shopper data on behalf of store owners is not occasional, so we keep and maintain these records regardless of Arbyn's size.
Several state frameworks, in particular Colorado, impose detailed rules on consent, universal opt-out, and data protection assessments. We design our consent and opt-out mechanisms to meet these rules, including making withdrawal of consent as easy as giving it and avoiding dark patterns in consent and opt-out flows. Utah, by contrast, does not mandate a data protection assessment, and we do not represent that it does.
Store owners conducting vendor due diligence can request the information they need to complete their assessments, including our security documentation and DPA, from privacy@arbyn.app or security@arbyn.app. We aim to make this diligence straightforward for the lean teams that make up most of our store owners.
27.How to appeal and how to contact a regulator
The short version: if a rights request is refused you can appeal in most states, and if you are still unsatisfied you can contact your privacy regulator, and this section tells you how.
If Arbyn, for account data we control, or the store owner, for shopper data they control, declines a rights request, the individual may appeal within the period the applicable law provides. To appeal a decision about account data, email privacy@arbyn.app with the word "Appeal" and a description of the request and the decision, and we will review and respond within the timeframe the relevant law requires, explaining our reasoning. Under the Virginia, Colorado, Connecticut, Texas, Oregon, and Montana laws there is a statutory right to appeal, while Utah provides no appeal right, and we will tell you which applies.
If an appeal is denied, or at any time an individual believes their rights have not been honored, the individual may contact the appropriate regulator. California residents may contact the California Privacy Protection Agency and the California Attorney General. Residents of other United States states may contact their state Attorney General. Individuals in the United Kingdom may contact the Information Commissioner's Office, and individuals in the EEA may contact the supervisory authority in their country of residence, place of work, or where the issue arose.
Outside the United States and Europe, individuals may contact their local regulator, including the Office of the Privacy Commissioner of Canada (or, for Quebec, the Commission d'acces a l'information du Quebec), the Office of the Australian Information Commissioner, and the Autoridade Nacional de Protecao de Dados in Brazil, in addition to any local authority in their own country.
Because shopper data is controlled by the store owner, a shopper who is dissatisfied with how a store handled their request should raise it first with that store owner, who is the controller, and Arbyn will assist the store owner in resolving it. Nothing in this section limits any statutory right an individual has to complain to a regulator or to seek a judicial remedy.
28.Changes to this policy
The short version: we review this policy at least once a year, we give advance notice of material changes, and we will not quietly apply weaker terms to data we already collected without your consent.
We review and update this Privacy Policy at least every 12 months, and more often when our practices, our subprocessors, or the law change. When we make a material change, we will provide advance notice, for example by email to store owners or by a prominent notice on arbyn.app, before the change takes effect. The effective date and last-updated date at the top of this policy always reflect the current version.
We will not apply materially different, less protective terms to personal information we previously collected without the affirmative consent of the affected individual. This is both our commitment and a requirement of United States consumer-protection law, and it means we do not claim a right to make retroactive, materially adverse changes simply by posting a new version.
If you do not agree with a change to this policy, your remedy is to stop using Arbyn and, for a store owner, to uninstall it, which triggers the deletion of your store's data as described in the retention section. Continued use of Arbyn after a change takes effect indicates acceptance of the updated policy, subject to the consent requirement above for materially less protective changes to previously collected data.
We keep this policy consistent with our other public documents, including the Terms of Service, the GDPR page, and the Subprocessors page, and with what Arbyn declares in its Shopify App Store listing and Shopify Partner Dashboard. If you notice an inconsistency, please tell us at privacy@arbyn.app so we can correct it.
29.How to contact us, and our EU and UK representatives
The short version: for anything about your privacy or your data, email us, and if you are in Europe or the United Kingdom you can also reach our appointed representatives.
For privacy questions, complaints, or rights requests, contact us at privacy@arbyn.app. For security questions, security questionnaires, or vulnerability reports, contact us at security@arbyn.app. You can also reach us by mail at ONDUTYOPS LLC, Attn: Privacy Office. ONDUTYOPS LLC is a limited liability company formed in the State of Delaware, United States, and is the entity behind Arbyn and the controller of store owner account data. These are the canonical contact points for privacy and security matters, and each is monitored.
Our privacy contact point, including for the purposes of Brazil's LGPD responsible person (encarregado) and Canada's requirement to name a privacy officer, is reachable at privacy@arbyn.app. We have not appointed a formal Data Protection Officer under Article 37 of the GDPR, because Arbyn's core activities do not consist of large-scale regular and systematic monitoring or large-scale processing of special category data, and any such processing by Arbyn is incidental rather than a core activity. We therefore refer to this function as our Privacy Office rather than as a Data Protection Officer, to avoid implying obligations we have not undertaken.
Because ONDUTYOPS LLC is established in the United States and offers services to, and processes the personal data of, individuals in the European Economic Area and the United Kingdom, we are appointing representatives under Article 27 of the GDPR and Article 27 of the United Kingdom GDPR. Individuals in the EEA and the United Kingdom may contact our appointed representative in addition to, or instead of, contacting us. The name and postal address of our EU representative and of our United Kingdom representative are published on this page once appointment is complete and are available on request from privacy@arbyn.app in the meantime. An EEA or United Kingdom individual can always reach us directly at privacy@arbyn.app.
This policy is effective as of the effective date shown at the top and supersedes any prior version. If you have any question about how Arbyn handles personal information, or about anything in this policy, we would rather you ask than wonder, so please write to privacy@arbyn.app.