Scribbly: Product Customizer Privacy Policy
Effective Date: 20th May 2026
Welcome to Scribbly: Product Customizer ("Scribbly", "we", "our", or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you install, access, or use the Scribbly: Product Customizer application (the "App") and any related services (collectively, the "Services").
We are committed to complying with global data‑protection and privacy laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), the Singapore Personal Data Protection Act (PDPA), the India Digital Personal Data Protection Act 2023 (DPDP Act), the Australian Privacy Act 1988, and other applicable regional legislation across the United States (US), Europe (EU & UK), and Asia‑Pacific (APAC).
If you have any questions or concerns, please contact us at apps@seventhtriangle.com
1. Who We Are
Scribbly: Product Customizer is a Shopify‑certified application developed and maintained by Seventh Triangle Consulting. We act as a data processor when processing information on behalf of Shopify merchants ("Merchants") and as a data controller for information we collect about visitors to our marketing site or prospective customers. When end‑customers ("Shoppers") of a Merchant interact with the Scribbly customisation widget on a storefront, the Merchant acts as the data controller for that Shopper's personal data, and we act as the data processor on the Merchant's behalf.
2. Information We Collect
| Category | Examples | Source | Purpose |
| --- | --- | --- | --- |
| Merchant Account Data | Store name, store URL, contact email, Shopify plan, Shopify access tokens, locale & currency | Directly from Merchant via Shopify OAuth | • Provide, maintain & improve the App • Authenticate API calls to Shopify on Merchant's behalf |
| Merchant Configuration Data | Product blueprints (product ID, title, image); print zone coordinates; allowed fonts, colours, and element types; personalisation fee settings; cart transform configuration; onboarding status and timestamps | Entered by Merchant via the App admin dashboard | • Deliver the customisation experience • Maintain product configurations |
| Merchant Asset Uploads | Clipart images (PNG, JPEG, SVG) and custom font files (WOFF2) uploaded by the Merchant; file name, MIME type, file size, upload timestamp, Shopify File ID | Uploaded by Merchant via App dashboard; stored in Shopify Files (CDN) | • Display assets in the storefront customisation editor |
| Shopper Design Data | Design ID; text content, fonts used, colours chosen; element counts; design mode & format (PNG / SVG / PDF); preview image URL; personalisation fee charged; personalised flag | Generated by Shoppers interacting with the storefront customisation widget; stored in Shopify cart line‑item attributes and Shopify Files | • Attach design to cart/order • Render personalised product preview • Fulfil the Merchant's personalisation order |
| Merchant Usage Data | Customisation counts per blueprint, aggregate pricing analytics (average / max / total personalisation fees), blueprint activity timestamps, feature interactions in the admin dashboard | Automatically via in‑App events | • Operate & optimise functionality • Product analytics & roadmap planning • Fraud & abuse detection |
Sensitive data: We do not intentionally collect or process special categories of personal data (e.g. health, biometric, or children's data). Payment and cardholder data is handled exclusively by Shopify's PCI‑DSS‑compliant infrastructure and never passes through our servers.
Shopify API scopes requested: The App requests the following Shopify permission scopes — read_products, write_products, read_files, write_files, read_cart_transforms, write_cart_transforms. These are used solely to enable product customisation features and are not used to access unrelated store data.
3. Cookies & Similar Technologies
We use necessary Shopify cookies and session storage to:
- Authenticate Merchants into the App dashboard.
- Store Shopify OAuth access tokens server‑side (SQLite / MongoDB) to make API calls on the Merchant's behalf.
- Remember preferences via React Query in‑memory client‑side caching (no personal data persisted in browser storage beyond what Shopify App Bridge requires).
Where consent is required (e.g., under GDPR or ePrivacy Directive), we display a consent banner on first visit.
4. Legal Bases for Processing (GDPR/UK GDPR)
We rely on the following legal grounds:
- Contractual Necessity – to provide the Services you request by installing the App.
- Legitimate Interests – to improve and secure our Services, communicate with you, and prevent fraud.
- Consent – for optional cookies, marketing communications, and any processing that requires explicit consent.
- Legal Obligation – to comply with applicable law, tax, and accounting requirements.
5. How We Use Your Information
- To deliver, operate, maintain, and update the App and its customisation features.
- To authenticate Merchant access and secure their accounts via Shopify OAuth.
- To render the storefront product customisation canvas and generate design preview files (PNG, SVG, PDF).
- To attach Shopper design data and personalisation fees to cart line items during checkout via Shopify's Cart Transform API.
- To store Merchant‑uploaded clipart and font assets and serve them through Shopify's CDN.
- To provide the Merchant with analytics on blueprint performance and customisation activity.
- To answer support requests and resolve issues.
- To comply with legal obligations and enforce our Terms of Service.
6. How We Share Information
We do not sell personal data. We only share information:
- Within Seventh Triangle Consulting and its subsidiaries on a need‑to‑know basis;
- With Service Providers acting on our behalf under data‑processing agreements and appropriate safeguards, including: AWS (Lambda & API Gateway for hosting, S3 for staged file uploads) in the Mumbai (ap‑south‑1) region; MongoDB for blueprint, asset, and shop configuration storage; Shopify Files API & CDN for design preview and asset delivery;
- With Shopify as required by the Shopify App Store Partner Program and API terms;
- For Legal Reasons such as responding to lawful requests from regulators or to protect our rights, property, or users.
Where data is transferred outside the EEA/UK, we rely on approved transfer mechanisms such as Standard Contractual Clauses (SCCs) or an adequacy decision.
7. International Data Transfers
Our servers are hosted on Amazon Web Services (AWS) in the Mumbai (AP‑South‑1) region. Depending on your location, your personal data may be transferred to and processed in countries other than your own. We implement safeguards including:
- ISO 27001‑certified AWS data centres.
- Encryption in transit (TLS 1.2+) and at rest (AES‑256 via AWS KMS).
- Standard Contractual Clauses (SCCs) where required for EEA/UK transfers.
Design preview files and Merchant‑uploaded assets are stored within Shopify's infrastructure and served via Shopify's global CDN. Please refer to Shopify's Privacy Policy for details on their data handling practices.
8. Data Subject & Consumer Rights
Depending on where you reside, you may have rights to:
- Access, correct, or delete personal data;
- Object to or restrict processing;
- Data portability;
- Opt‑out of marketing communications;
- Withdraw consent at any time without affecting the lawfulness of prior processing;
- Lodge a complaint with a supervisory authority (e.g., ICO in the UK, DPA in your EU member state, or local privacy regulator).
If you are a Shopper (end‑customer) of a Merchant store, please contact that Merchant directly — as the data controller for your information, the Merchant is responsible for fulfilling your data rights request. We will cooperate with Merchants to support such requests in our capacity as data processor.
To exercise these rights as a Merchant, email apps@seventhtriangle.com. We will respond within the deadlines mandated by applicable law (e.g., 30 days under GDPR).
We honour the following Shopify‑mandated privacy webhooks: customers/data_request, customers/redact, and shop/redact, to support data export and deletion workflows.
9. Security Measures
- End‑to‑end TLS encryption (HTTPS) for all data in transit.
- Encryption at rest using AWS KMS‑managed AES‑256 keys.
- Principle of least privilege & role‑based access controls.
- Shopify OAuth 2.0 for Merchant authentication; offline access tokens stored securely server‑side.
- Regular vulnerability assessments and dependency audits.
- Continuous monitoring, logging, and anomaly detection.
Although we implement industry‑standard safeguards, no system is 100% secure. Please keep your Shopify credentials confidential and immediately notify us of any security incidents.
10. Data Retention
We retain Merchant account data, blueprint configurations, and uploaded assets for as long as your store has the App installed. Upon uninstallation, Shopify triggers a shop/redact webhook (typically 48 hours after uninstall), after which we delete or anonymise your store's data from our databases. Shopper design data stored in Shopify cart line‑item attributes and Shopify Files is subject to Shopify's own retention policies. We may retain anonymised, aggregated usage statistics (with no link to any individual or store) for longer periods for product analytics purposes.
11. Children's Privacy
Our Services are not directed to children under 16. We do not knowingly collect personal data from minors. If you become aware that a child has provided us with personal information, please contact us and we will take steps to delete such data.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the revised version with an updated "Last Updated" date and, where required, provide notice (e.g., via the App dashboard or email). Continued use of the Services after such changes constitutes acceptance.
13. Contact Us
If you have any questions, requests, or complaints regarding this Privacy Policy or our privacy practices, please contact:
Privacy Team
Scribbly: Product Customizer / Seventh Triangle Consulting
Second Floor, The Berry Coworks, Plot No 15 Sector-142, Noida Uttar Pradesh – 201304
Email: apps@seventhtriangle.com
Data Protection Officer (EU/UK): Sushant Gupta, sushant@seventhtriangle.com
© 2025 Seventh Triangle Consulting. All rights reserved.