
Easy Subscription

Privacy and Data Protection Policy

This Privacy and Data Protection Policy (the “Policy”) outlines the practices and procedures implemented by IT-GEEKS (hereinafter referred to as “we,” “us,” or “our”) to ensure the protection of personal data collected and processed through our Easy Subscriptions App (the “App”) for Shopify merchants. This Policy reflects our commitment to comply with privacy and data protection rules and regulations and fulfill the requirements set forth by the Shopify Legal Team. By using our App, you (“merchant” or “you”) acknowledge and agree to the terms and conditions outlined in this Policy.

Processing Only Minimum Personal Data:

  • We will refrain from processing personal data that is not required for the delivery of our services through the App.
  • Personal data will not be stored or used for any secondary purposes unless explicitly agreed upon with the merchant or required by law.
Informing Merchants:
  • We will clearly inform merchants about the specific personal data we collect and process through the App and provide the reasons for processing such data.
  • To process subscription orders and display relevant information in the merchant’s dashboard, we will need the following personal data from customers: name, email address, billing address, and shipping address.
Limited Processing:
  • We will strictly limit our processing of personal data to the stated purposes: processing subscription orders and displaying subscription-related information in the merchant’s dashboard.
  • Personal data will not be used for any other purpose without explicit consent from the merchant.
Customer Consent:
  • If we require personal information for secondary purposes such as marketing, we will obtain direct consent from the customer or provide an opportunity to opt out.
  • Customers have the right to withdraw their consent for us to contact them or collect, use, or disclose their information at any time by contacting us at support@easysubscription.io.
Opt-Out of Data Sharing:
  • We do not make customer data available to any third-party vendors. Any unintended disclosure is treated as a security incident and handled under the security incident response policy below.
  • We do not offer any services that result in public disclosure of customer data.
  • Customers who opt-in can withdraw their consent for continued collection, use, or disclosure of their information at any time.
Automated Decision-Making:
  • Currently, we do not use customer data for automated decision-making processes.
  • In the future, if our services change and involve automated decision-making, customers will have the option to opt out.
Privacy and Data Protection Agreements:
  • We will establish privacy and data protection agreements with merchants to ensure mutual understanding and compliance with privacy and data protection requirements.
Data Retention
  • Once the App is uninstalled, we will retain personal data for a maximum of three (3) days.
  • Personal data will be securely deleted and removed from all servers at the end of the retention period.
Data Encryption:
  • We use the OpenSSL cryptography extension to encrypt and decrypt personal data at rest; data in transit between the App, Shopify, and the merchant’s browser is protected with TLS.
  • Encryption protects the confidentiality of personal data. It also protects integrity only when an authenticated mode such as AES-GCM is used, so that any modification of stored data is detected when it is decrypted.
Data Backup Encryption:
  • We will use Cryptography Extensions, specifically the OpenSSL function, to encrypt and decrypt data backups.
  • Encrypted data backups will be stored securely to prevent unauthorized access.
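As an added illustration for the Data Encryption and Data Backup Encryption sections above (this is example code, not the App’s or IT-GEEKS’ own implementation), here is what “encrypt and decrypt with the OpenSSL function” needs to look like for both the confidentiality and the integrity claims to hold. PHP is assumed because the wording “Cryptography Extensions” and “the OpenSSL function” matches PHP’s OpenSSL extension. The key source (an assumed environment variable EASYSUB_DEK_HEX), the record-binding string, and the sample email address are assumptions made for the example; the same routine can be applied to backup archives before they are written to storage.

```php
<?php
declare(strict_types=1);

// Added example, not the App's own code. Assumptions: PHP >= 7.1 with ext-openssl;
// the 32-byte data-encryption key is supplied out of band (here via the assumed
// environment variable EASYSUB_DEK_HEX) and is never stored next to the data it protects.

const CIPHER  = 'aes-256-gcm'; // AEAD mode: authenticated, so tampering is detected on decrypt
const TAG_LEN = 16;
const VERSION = "\x01";        // lets key or cipher be rotated later without ambiguity

/** Load the key from the environment; fail closed if it is missing or malformed. */
function loadKey(): string
{
    $hex = getenv('EASYSUB_DEK_HEX'); // assumed variable name
    $key = ($hex !== false && strlen($hex) === 64) ? hex2bin($hex) : false;
    if ($key === false) {
        throw new RuntimeException('EASYSUB_DEK_HEX must hold 32 bytes as 64 hex characters');
    }
    return $key;
}

/**
 * Encrypt one field. Layout: VERSION || nonce (12 bytes) || tag (16 bytes) || ciphertext,
 * base64-encoded so it fits a text column. $aad (additional authenticated data) binds the
 * blob to its table/column/row, so a ciphertext copied into another record will not decrypt.
 */
function encryptField(string $plaintext, string $key, string $aad): string
{
    $nonce = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh 12-byte nonce per call
    $tag   = '';
    $ct    = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode(VERSION . $nonce . $tag . $ct);
}

/** Decrypt one field; any change to nonce, tag, ciphertext or AAD makes this throw. */
function decryptField(string $blob, string $key, string $aad): string
{
    $raw      = base64_decode($blob, true);
    $nonceLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < 1 + $nonceLen + TAG_LEN || $raw[0] !== VERSION) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 1, $nonceLen);
    $tag   = substr($raw, 1 + $nonceLen, TAG_LEN);
    $ct    = (string) substr($raw, 1 + $nonceLen + TAG_LEN);
    $pt    = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad);
    if ($pt === false) {
        // Integrity failure: log it and treat it as an incident; never return partial data.
        throw new RuntimeException('integrity check failed');
    }
    return $pt;
}

// Demo on constructed sample data (a throwaway key is used when the env var is unset).
$key  = getenv('EASYSUB_DEK_HEX') !== false ? loadKey() : random_bytes(32);
$aad  = 'customers.email:row=42';                      // assumed record binding
$blob = encryptField('jane@example.com', $key, $aad);  // constructed sample value

var_dump(decryptField($blob, $key, $aad) === 'jane@example.com');

// Two tampering cases: blob moved to another row, and one base64 character flipped.
$flipped    = $blob;
$flipped[5] = ($flipped[5] === 'A') ? 'B' : 'A';
foreach ([[$blob, 'customers.email:row=43'], [$flipped, $aad]] as [$b, $a]) {
    try {
        decryptField($b, $key, $a);
        echo "unexpected: tampered blob accepted\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The design points a reviewer would check against the policy’s claims: the nonce is random per encryption and stored with the ciphertext, the authentication tag is verified before any plaintext is returned, the AAD ties the ciphertext to one record, and the key lives in a secret store rather than in the database or the backup it protects (otherwise an encrypted backup and its key travel together).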
Separation of Test and Production Data:
  • Test and production data will be kept separate to ensure the security and integrity of both data sets.
Data Loss Prevention:

Our data loss prevention strategy has two parts: technical controls, policies, and standards that prevent unauthorized extraction of personal data, and redundancy that prevents loss of the data itself.

  • Personal data will be stored on primary and secondary servers located in geographically different locations within the USA.
  • This redundancy will help prevent data loss in the event of a server failure or other unforeseen circumstances.
Limit Staff Access to Protected Customer Data:
  • We will implement strict access controls to ensure that only authorized staff members have access to protected customer data.
  • Access to customer data will be granted based on the principle of least privilege, ensuring that staff members only have access to data necessary for their specific roles and responsibilities.
  • We will regularly review and update staff access permissions to maintain data confidentiality and prevent unauthorized access.
Require Strong Passwords for Staff Accounts:
  • We have implemented a strong password verification mechanism for all staff accounts involved in handling protected customer data.
  • Staff members will be required to create complex passwords that meet specific criteria, including a combination of uppercase and lowercase letters, numbers, and special characters.
  • Additionally, we have enabled two-factor authentication (2FA) for staff accounts to provide an extra layer of security and prevent unauthorized access.
Keep an Access Log to Protected Customer Data:
  • We will maintain a detailed access log that records all instances of staff members accessing protected customer data.
  • The access log will include information such as the date, time, staff member’s identity, purpose of access, and any actions performed on the data.
  • The access log will be regularly monitored and reviewed to detect any unauthorized access attempts or suspicious activities.
Implement a Security Incident Response Policy:
  • We have developed a comprehensive security incident response policy to effectively address and manage any security incidents or breaches involving protected customer data.
  • The policy includes predefined procedures for identifying, containing, investigating, and mitigating security incidents.
  • We will promptly notify affected merchants and relevant authorities in the event of a security incident, as required by applicable laws and regulations.
  • Regular security drills and simulations will be conducted to test the effectiveness of our security incident response procedures and make necessary improvements.
  • Lessons learned from security incidents will be used to continuously enhance our security measures and minimize the risk of future incidents.