Privacy Policy

Last updated: October 22, 2024

1. Introduction and Scope

This Privacy Policy applies to PalSync's order tracking synchronization service ("Service") between Shopify and PayPal & other platforms. As a certified PayPal Partner processing sensitive merchant data, we adhere to stringent data protection standards and the latest privacy regulations.

2. Latest Regulatory Compliance

2.1 U.S. Federal and State Laws

  • American Data Privacy and Protection Act (ADPPA) compliance
  • State Privacy Laws compliance including:
    • California Privacy Rights Act (CPRA)
    • Virginia Consumer Data Protection Act (VCDPA)
    • Colorado Privacy Act (CPA)
    • Connecticut Data Privacy Act (CTDPA)
    • Utah Consumer Privacy Act (UCPA)
    • Oregon Consumer Privacy Act (OCPA)
    • Texas Data Privacy and Security Act (TDPSA)
    • Montana Consumer Data Privacy Act (MCDPA)

2.2 International Compliance

  • EU General Data Protection Regulation (GDPR)
  • UK General Data Protection Regulation (UK GDPR)
  • Brazil's Lei Geral de Proteção de Dados (LGPD)
  • China's Personal Information Protection Law (PIPL)
  • Canada's Consumer Privacy Protection Act (CPPA)
  • Australia's Privacy Act Amendment (2023)

3. Data Processing Specifics

3.1 Shopify Store Data Processing

    We process:

  • Store identification and authentication tokens
  • Order tracking numbers and shipping information
  • Courier service identifiers
  • Historical order data (up to 365 days)
  • Store performance metrics

3.2 PayPal Integration Data

    We process:

  • PayPal account authentication tokens
  • Transaction IDs
  • Tracking number synchronization status
  • Payment status information

3.3 Technical Data Collection

  • API call logs
  • Synchronization timestamps
  • Error logs and debugging information
  • Performance metrics
  • Service usage statistics

4. Dedicated Infrastructure and Security

4.1 Infrastructure Security

  • Individual synchronization clusters per client
  • End-to-end encryption for all data transfers
  • Regular penetration testing and security audits
  • Real-time security monitoring
  • Automated threat detection and prevention

4.2 Compliance Certifications

  • PCI DSS Level 1 compliance
  • SOC 2 Type II certification
  • ISO 27001 certification
  • NIST Cybersecurity Framework adherence
  • HIPAA compliance (where applicable)

5. Data Processing Agreements

5.1 Role Definition

  • We act as a Data Processor for Shopify store data
  • We maintain processor agreements with PayPal and Shopify
  • We act as a Data Controller for account and billing information

5.2 Sub-processors

    We maintain contracts with the following sub-processors:

  • Cloud hosting providers
  • Security monitoring services
  • Analytics platforms
  • Customer support systems

6. Specific Data Usage

6.1 Order Tracking Synchronization

  • Real-time synchronization of tracking numbers
  • Automated courier name matching
  • Historical order syncing (365-day limit)
  • Dispute prevention monitoring

6.2 Performance Optimization

  • Service reliability monitoring
  • Synchronization speed optimization
  • Error rate tracking
  • System performance analytics

7. Data Subject Rights Implementation

7.1 Rights Management Portal

    Users can exercise their rights through our dedicated portal:

  • Access all stored data
  • Export data in machine-readable format
  • Request data deletion
  • Modify consent settings
  • Update personal information

7.2 Response Timeframes

  • General requests: 15 days
  • GDPR requests: 30 days
  • CPRA requests: 45 days
  • Other jurisdictions: As required by law

8. Cross-Border Data Transfers

8.1 Data Transfer Mechanisms

  • EU-US Data Privacy Framework compliance
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • UK International Data Transfer Agreement (IDTA)

8.2 Data Localization Requirements

  • EU data stored in EU-based data centers
  • China data stored in mainland China
  • Russia data stored in Russia
  • Other jurisdictions as required by law

9. Incident Response and Notification

9.1 Breach Notification Timeframes

  • EU/UK: Within 72 hours
  • US State Laws: 30-60 days (varies by state)
  • Other jurisdictions: As required by law

9.2 Incident Response Procedure

  • Immediate containment measures
  • Root cause analysis
  • Affected party notification
  • Regulatory reporting
  • Remediation implementation

10. Special Data Processing Considerations

10.1 Automated Decision Making

  • No automated decision-making affecting legal rights
  • Manual review of all dispute-related processes
  • Option to request human intervention

10.2 Legitimate Business Interests

  • Fraud prevention
  • Service optimization
  • Security maintenance
  • Regulatory compliance
  • Dispute resolution

11. Data Retention and Deletion

11.1 Retention Periods

  • Active accounts: Service duration plus 90 days
  • Cancelled accounts: 90 days post-termination
  • Transaction records: 7 years (legal requirement)
  • Tracking information: 365 days
  • Security logs: 2 years

11.2 Deletion Procedures

  • Secure data wiping
  • Hardware destruction (when applicable)
  • Sub-processor notification
  • Deletion certification

12. Contact Information and DPO

Data Protection Officer:

Email: mike@palsync.com

Address: contact@palsync.com

For urgent privacy matters: privacy@palsync.com

13. Policy Updates

    We review and update this policy quarterly or as required by law. Users will be notified of material changes through:

  • Email notification
  • In-app alerts
  • Service dashboard notifications
  • Website announcements

Changes become effective 30 days after notification unless immediate implementation is required by law.

For any queries, reach out to us at mike@palsync.com
Solution
IntegrationsOrder-Tracking SyncDispute Management
Resources
BlogFAQ
Follow us
© 2024 PalSync. All rights reserved.
Privacy PolicyTerms of Service