Last updated: 19.03.2026
Privacy Policy
1. Introduction
SelfServe ("we," "us," or "our") operates the SelfServe application (the "App") and the selfserve.app website (the "Website"). SelfServe is a Shopify embedded application that enables post-purchase order editing, order cancellation management, post-purchase upsell functionality, automated order tagging, and notification services for Shopify merchants ("Merchants") and their end customers ("End Customers").
This Privacy Policy explains how we collect, use, disclose, and protect information when you use our App, visit our Website, or interact with our services.
By installing the App, visiting the Website, or using our services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use our services.
2. Information We Collect
Information from Merchants
When you install and configure the App, we collect:
Account information: Your Shopify store URL, store name, owner name, email address, and billing information as provided through the Shopify App Store billing system.
Configuration data: Your editing window settings, restriction rules (order tag and customer tag restrictions), upsell block configurations (product selections, discount settings, visibility rules), cancellation policy settings (automatic approval or manual queue), automated tagging rules, notification preferences, and custom CSS if applicable.
Support communications: Any messages, feedback, or files you send to our support team.
Information from End Customers
When End Customers interact with the SelfServe editing portal embedded on a Merchant's order status page, we process the following on behalf of the Merchant:
Order data: Order number, order status, line item details (product names, variants, SKUs, quantities, prices), shipping method, and order totals.
Personal information: Shipping address, billing address, email address, phone number, and customer name as needed to process order edits, address changes, and cancellations.
Payment adjustment data: Price difference calculations, refund amounts, and payment collection data required when an order edit changes the order total. Payment processing is handled by Shopify's payment infrastructure. We do not directly store credit card numbers or payment credentials.
Editing activity: A log of changes made (products swapped, quantities adjusted, addresses updated, cancellations requested) including timestamps.
Information Collected Automatically
From the App: Feature usage data, session duration, error logs, performance metrics, and App interaction events (e.g., which settings are configured, how often the editing portal is accessed).
From the Website: IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and general geographic location (city/country level). We collect this using cookies and similar technologies as described in our Cookie Policy at [selfserve.app/cookie-policy].
3. How We Use Information
We use the information we collect to:
Provide, operate, and maintain the App and its features, including processing order edits, cancellations, upsells, address changes, and shipping method updates on behalf of Merchants.
Sync all order changes with the Shopify platform in real time, including inventory adjustments, shipping recalculations, and payment difference collection or refund.
Automatically revert orders to their original state when an End Customer fails to complete a required payment within the configured timeout period (default: 15 minutes).
Apply automated order tags in Shopify based on Merchant configurations when End Customers make changes.
Send notifications to Merchants about order changes (items added, items removed, quantity changes, shipping changes, address changes, and cancellations).
Process billing and subscription payments for the App through the Shopify App Store billing system.
Provide customer support and respond to inquiries.
Analyze usage patterns to improve the App and Website, fix bugs, and develop new features.
Send Merchants product updates, feature announcements, and service-related communications. We do not send marketing emails to End Customers.
Comply with legal obligations, enforce our Terms of Service, and protect against fraud or abuse.
4. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:
Contractual necessity: Processing Merchant account data and End Customer order data is necessary to perform our contract with Merchants (providing the App's services).
Legitimate interests: Analyzing usage data to improve our services, prevent fraud, and ensure security.
Consent: Where required, for non-essential cookies on our Website and for optional marketing communications.
Legal obligation: Where we are required to retain or disclose data by law.
5. Data Sharing
We do not sell, rent, or trade personal information.
We share information only in the following circumstances:
With Shopify: As required to operate as an embedded Shopify application. Order edits, cancellations, tag changes, and payment adjustments are synced through Shopify's APIs. Shopify's own privacy policy governs their handling of this data.
With payment processors: Billing for the App is handled through Shopify's App Store billing system. Payment adjustments for order edits (collecting additional payment or issuing refunds) are processed through Shopify's payment infrastructure.
With service providers: We use third-party service providers to help operate our business, including cloud hosting, error monitoring, analytics, and customer support tools. These providers are bound by contractual obligations to protect your data and may only process it for the purposes we specify.
With Merchants (regarding End Customer data): Merchants can view all End Customer editing activity through the SelfServe dashboard, activity logs, and automated order tags in their Shopify admin.
As required by law: We may disclose information in response to valid legal processes, court orders, government investigations, or to protect the rights, property, or safety of SelfServe, our users, or others.
In a business transfer: If SelfServe is acquired, merges with another company, or sells substantially all of its assets, user data may be transferred as part of that transaction. We will notify affected users before their data becomes subject to a different privacy policy.
6. Data Retention
Merchant account and configuration data: Retained for the duration of your App installation. When you uninstall the App, we delete your configuration data within 30 days. Billing records may be retained longer as required for accounting and tax purposes.
End Customer order data: Processed in real time and synced with Shopify. We do not independently store End Customer personal data beyond what is necessary to process the edit, typically no longer than 30 days after the editing window closes.
Activity logs and audit trails: Retained for 12 months to support Merchant operations (dispute resolution, chargeback defense, fulfillment review), then automatically deleted.
Website analytics data: Retained in anonymized or aggregated form. Individual session data is retained for up to 12 months.
Support communications: Retained for 24 months after the last interaction, then deleted.
7. Data Security
We implement industry-standard security measures to protect information from unauthorized access, disclosure, alteration, and destruction. These include:
Encryption in transit using TLS 1.2 or higher for all data transmitted between users, Shopify, and our servers.
Encryption at rest for stored data.
Role-based access controls limiting employee access to personal data on a need-to-know basis.
Regular security assessments and vulnerability testing.
Secure software development practices.
Incident response procedures for potential data breaches.
While we take reasonable steps to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your personal data, subject to legal retention requirements.
Portability: Request a machine-readable copy of your data.
Restriction: Request that we restrict processing of your data in certain circumstances.
Objection: Object to processing based on legitimate interests.
Withdraw consent: Where processing is based on consent, withdraw that consent at any time.
Merchants: You can exercise these rights by contacting us at privacy@selfserve.app. You can also delete your data by uninstalling the App from your Shopify store.
End Customers: Because we process End Customer data on behalf of Merchants, End Customers should contact the Merchant (the store they purchased from) directly to exercise their rights. If an End Customer contacts us directly, we will direct them to the relevant Merchant or assist as appropriate.
9. GDPR Compliance
For users in the European Economic Area and the United Kingdom:
We act as a data processor on behalf of the Merchant (the data controller) when processing End Customer order data through the App.
We act as a data controller for Merchant account data and for Website visitor data.
We process data on the legal bases described in Section 4.
Merchants are responsible for ensuring they have a valid legal basis for processing their End Customers' data and for providing appropriate privacy notices to their End Customers.
We have implemented appropriate technical and organizational measures to ensure data protection by design and by default.
If you wish to raise a concern about our data practices, you have the right to lodge a complaint with your local data protection authority.
10. CCPA/CPRA Compliance
For California residents:
We do not sell personal information as defined by the California Consumer Privacy Act and the California Privacy Rights Act. We do not share personal information for cross-context behavioral advertising.
California residents have the right to: know what personal information we collect and how it is used; request deletion of personal information; opt out of the sale or sharing of personal information (not applicable as we do not sell or share); and not be discriminated against for exercising these rights.
To exercise your rights, contact us at privacy@selfserve.app or use the contact details in Section 15.
11. International Data Transfers
SelfServe operates primarily using cloud infrastructure located in [specify regions, e.g., the United States and the European Union]. If your data is transferred to a jurisdiction that does not provide an equivalent level of data protection as your home jurisdiction, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.
12. Children's Privacy
Our App and Website are not directed at children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.
13. Third-Party Links
Our Website may contain links to third-party websites, including the Shopify App Store, help documentation, and partner services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify Merchants of material changes via email or in-app notification at least 30 days before the changes take effect. For Website visitors, the updated policy will be posted on this page with a revised "Last updated" date. Your continued use of our services after changes take effect constitutes acceptance of the updated policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
Grumspot Ltd. Email: business@grumspot.com Website: getselfserve.com Address: Akad. Boris Stefanov 4 St, Sofia, 1700, Bulgaria
For GDPR-related inquiries, you may also contact our Data Protection contact at: business@grumspot.com