Privacy Policy

The controller responsible for data processing is:

Amboras Inc.
1111B S Governors Ave
STE 84587
Dover, DE 19904, United States
Email: contact@ecomcoder.com

We process your personal data based on the following legal grounds:

• Contractual necessity: Processing your account and store data is necessary to provide the product management service you have requested.
• Legitimate interest: Maintaining security and preventing abuse of our service.
• Legal obligations: Complying with applicable laws and regulations, including responding to data subject requests.

We use the following third-party services to operate Ecomcoder. Each service processes only the minimum data necessary for its function:

We do not use any analytics, advertising, or tracking services. We do not share your data with any parties beyond those listed above.

We implement appropriate technical and organizational measures to protect your personal data, including:

• All data is transmitted over HTTPS with TLS encryption
• Passwords are cryptographically hashed and never stored in plain text
• Shopify access tokens are stored securely and only accessible server-side
• Row-Level Security (RLS) policies in our database ensure users can only access their own data
• API endpoints require authentication via secure session tokens
• Backend services use environment-secured secret keys, never exposed to clients
• Webhook endpoints are authenticated by the Shopify framework

We retain your data for as long as your account is active:

• Account data (email, profile) is retained until you delete your account.
• Store connection data (Shopify URL, access token) is retained while your store is connected. If you uninstall the Shopify app, the access token is automatically revoked and nullified in our database via webhook.
• Product version history is retained while your account is active to support the version history and revert features.

When you disconnect your store or delete your account, associated data is removed from our systems. Automated backups may retain data for up to 30 days before deletion.

You can request deletion of your data at any time by contacting us at contact@ecomcoder.com.

Regardless of your location, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data and account.
• Data Portability: Request your data in a structured, machine-readable format.
• Restriction: Request restriction of processing of your personal data.
• Objection: Object to the processing of your personal data.

To exercise any of these rights, contact us at contact@ecomcoder.com.

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection authority. Our lawful bases for processing are contractual necessity and legitimate interest, as described in Section 4.

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out: Opt out of the sale or sharing of your personal information.
• Right to Non-Discrimination: Exercise your privacy rights without discriminatory treatment.

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

To exercise these rights, contact us at contact@ecomcoder.com or visit our Do Not Sell or Share My Personal Information page.

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and opt out of certain data processing activities. Contact us to exercise these rights.

To protect your privacy, we will verify your identity before processing rights requests. We may ask for additional information to confirm your identity. We will respond to verified requests within 45 days (or as required by applicable law).

In compliance with Shopify's requirements and GDPR regulations, we have implemented the following mandatory webhooks to handle data subject requests:

• Customer data request (customers/data_request): We do not store any customer personal data. When we receive a data request, we confirm that no customer data is held.
• Customer data erasure (customers/redact): We do not store any customer personal data, so there is no customer data to erase.
• Shop data erasure (shop/redact): Upon receiving a shop erasure request (e.g., after app uninstallation), we remove all associated store data, access tokens, and related records from our systems.

Additionally, when a merchant uninstalls our Shopify app, we automatically revoke and nullify the stored access token via the app/uninstalled webhook.