Skip to content
Install

Privacy policy

Effective Date: 2025-01-01
Last Updated: 2025-02-10
Version: 1.0

Executive Summary

This privacy policy explains how NPS.io collects, uses, and protects personal data through our customer satisfaction and Net Promoter Score (NPS) application for Shopify merchants. We are committed to protecting your privacy and handling your data transparently and securely in compliance with the General Data Protection Regulation (GDPR) and applicable Spanish laws.

Table of Contents

  1. Introduction
  2. Definitions
  3. Data Collection and Usage
  4. Legal Basis for Processing
  5. Data Retention and Deletion
  6. Security Measures
  7. Data Sharing and International Transfers
  8. Your Rights and Choices
  9. Children's Privacy
  10. Contact Information
  11. Policy Updates
  12. Subprocessors and Third Parties
  13. Compliance and Certifications
  14. Cookie Policy
  15. Data Breach Procedures

1. Introduction

NPS.io, located at C/ Estribor 44, 11039 Chiclana de la Frontera, Cádiz (Spain), provides a customer satisfaction and Net Promoter Score (NPS) survey solution for Shopify merchants. This privacy policy describes our practices regarding personal data collection, use, and protection.

Who We Are

We are a limited company (pending incorporation) based in Spain, providing customer feedback solutions through the Shopify platform. As a data processor, we handle personal data on behalf of our merchant clients (the data controllers) in accordance with their instructions and applicable data protection laws.

Scope of This Policy

This policy applies to:

  • Merchant users of our application
  • Their customers who receive and respond to surveys
  • Visitors to our website https://www.nps.io
  • Any individual whose personal data we process

2. Definitions

To ensure clarity, we define key terms used throughout this policy:

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Data Controller: The Shopify merchant who determines the purposes and means of processing personal data
  • Data Processor: NPS.io, processing data on behalf of the controller
  • NPS: Net Promoter Score, a customer loyalty metric
  • Survey Data: Responses, scores, and feedback provided through our platform
  • Shopify API: The interface through which we access merchant store data

3. Data Collection and Usage

Types of Personal Data We Collect

From Merchants

  • Store name and URL
  • Account administrator details (name, email, phone)
  • Authentication credentials
  • Payment information
  • Usage analytics
  • Communications and support history (processed via Hubspot)
  • Marketing preferences and opt-in status

From Customers (via Merchants)

  • Name and email address
  • Order information
  • Survey responses and NPS scores
  • Comments and feedback
  • Response timestamps
  • IP addresses (for security purposes only)

How We Collect Data

  1. Direct Collection
    • Merchant registration and account creation
    • Integration with Shopify API
    • Survey responses
  2. Automated Collection
    • Application usage analytics
    • Technical logging
    • Cookie data

Purpose of Data Collection

We collect and process data to:

  • Provide survey functionality
  • Generate analytics and reports
  • Improve our services
  • Ensure platform security
  • Comply with legal obligations

4. Legal Basis for Processing

We process personal data under the following legal bases:

  1. Contractual Necessity
    • To provide our services to merchants
    • To process survey responses
    • To generate reports and analytics
  2. Legitimate Interests
    • Service improvement and development
    • Security and fraud prevention
    • Analytics and business intelligence
  3. Legal Obligations
    • Tax and accounting requirements
    • Data protection law compliance
    • Law enforcement requests
  4. Consent
    • Marketing communications
    • Optional survey participation
    • Cookie usage

5. Data Retention and Deletion

Retention Periods

  • Merchant Account Data: Duration of service plus 3 months
  • Survey Responses: 24 months from collection
  • Technical Logs: 90 days
  • Analytics Data: 12 months in identifiable form

Data Minimization

We implement data minimization by:

  • Collecting only necessary data points
  • Automatically anonymizing non-essential identifiers
  • Regular data review and deletion
  • Implementing purpose-specific retention periods

Deletion Procedures

  • Automated deletion after retention period
  • Manual deletion upon request
  • Secure erasure verification
  • Backup data deletion within 30 days

6. Security Measures

Technical Security

  1. Encryption
    • TLS 1.3 for data in transit
    • AES-256 for data at rest
    • Encrypted backups
  2. Access Controls
    • Role-based access control (RBAC)
    • Multi-factor authentication
    • Regular access review
    • Audit logging
  3. Infrastructure Security
    • Regular security updates
    • Network segmentation
    • Firewall protection
    • Intrusion detection

Organizational Security

  1. Policies and Procedures
    • Information security policy
    • Incident response plan
    • Change management procedures
    • Regular security training
  2. Staff Controls
    • Background checks
    • Confidentiality agreements
    • Regular training
    • Access monitoring

7. Data Sharing and International Transfers

Third-Party Sharing

We share data with:

  • Shopify (platform provider)
  • Hubspot (CRM and merchant communications)
  • Email service providers
  • Analytics services
  • Cloud infrastructure providers

Special note regarding Hubspot: We use Hubspot as our primary customer relationship management system. Merchant contact information and communications are processed and stored within Hubspot's systems. Hubspot acts as a subprocessor and provides services from the United States under appropriate data transfer safeguards including Standard Contractual Clauses.

International Transfers

For transfers outside the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Binding Corporate Rules
  • Data Processing Agreements

8. Your Rights and Choices

Data Subject Rights

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Data portability
  • Object to processing
  • Withdraw consent

Exercise Your Rights

To exercise these rights:

  1. Email us at service@nps.io
  2. Use our online rights request form
  3. Contact your merchant directly (for customer data)

Response time: Within 30 days

9. Children's Privacy

We do not knowingly collect or process data from children under 16. If we discover such data, we will:

  1. Notify the merchant
  2. Delete the data immediately
  3. Implement additional verification if necessary

10. Contact Information

  • Privacy Inquiries: service@nps.io
  • Data Protection Officer: service@nps.io
  • EU Representative: service@nps.io
  • Postal Address:C/ Estribor 44, 11039 Chiclana de la Frontera, Cádiz (Spain)

11. Policy Updates

Update Process

  1. Regular review (minimum annually)
  2. Change notification via email
  3. 30-day notice for material changes
  4. Version history maintenance

Version History

  • Version 1.0 - 2025-01-01 - Initial policy

12. Subprocessors and Third Parties

Current Subprocessors

  1. Infrastructure
    • Cloud hosting providers
    • Email service providers
    • Analytics services
  2. Customer Relationship Management
    • Hubspot - for merchant account management and communications
    • Location: United States
    • Data Processing Agreement in place
    • Adequacy measures: Standard Contractual Clauses (SCCs)
  3. Support Services
    • Customer support platforms
    • Monitoring services
    • Payment processors

Subprocessor Management

  • Regular security assessments
  • Data Processing Agreements
  • Compliance monitoring
  • Change notification process

13. Compliance and Certifications

Regulatory Compliance

  • GDPR compliance
  • Spanish Data Protection Law
  • Shopify Partner Program requirements

Certifications and Standards

  • In progress

14. Cookie Policy

Essential Cookies

  • Session management
  • Security features
  • Platform functionality

Optional Cookies

  • Analytics
  • Performance monitoring
  • Feature optimization

Cookie Management

  • Cookie consent banner
  • Preference center
  • Opt-out mechanisms

15. Data Breach Procedures

Incident Response

  1. Detection and Classification
    • 24/7 monitoring
    • Severity assessment
    • Initial containment
  2. Notification Process
    • Merchant notification within 24 hours
    • Authority notification within 72 hours
    • Affected individual notification as required
  3. Resolution and Review
    • Incident investigation
    • Remediation measures
    • Process improvement
    • Documentation

Additional Information

Automated Decision-Making

We do not make automated decisions that produce legal effects or similarly significant impacts. Our NPS analysis and reporting tools:

  • Provide insights and recommendations
  • Allow human review and intervention
  • Include opt-out options

Cross-Border Considerations

For merchants and customers outside Spain, we:

  • Comply with local data protection laws
  • Implement appropriate transfer mechanisms
  • Provide region-specific disclosures
  • Monitor regulatory changes

Merchant Termination

Upon service termination:

  1. Data export option provided
  2. 30-day data access period
  3. Secure data deletion
  4. Deletion certificate issued

For questions about this policy, contact us at service@nps.io or visit https://www.nps.io.