Privacy Policy — UK Subscription Guard
Controller: MINISAGE TECH LTD (company no. 17229324)
Registered office: 18 Crowthorp Road, Northampton, NN3 5DU
App: UK Subscription Guard
URL: https://dmccaguard.co.uk/privacy
Version: 1.1 · 26 May 2026
ICO registration: C1941625
1. Who we are
MINISAGE TECH LTD ("we", "us", "our") is the data controller for personal data we collect about merchants (Shopify store owners and their staff) who install our app, UK Subscription Guard (the "App").
When we access your Shopify store's public policy pages to provide the audit service, we do so via the Shopify API with your authorisation. We do not store your customers' personal data in version 1 of the App.
2. What personal data we collect
2.1 Merchant and staff data (we are controller)
When you install the App via Shopify OAuth, we receive and store:
| Data | Why |
|---|---|
Shopify shop domain (*.myshopify.com) |
To identify your store across sessions |
| Shopify staff user ID, first name, last name, email address | OAuth session management |
| App access token (encrypted) | To read your shop's policy pages via Shopify API |
| Billing plan, billing status, App subscription ID | To enforce plan limits and process billing |
| DPA acceptance timestamp and version | To record your agreement under UK GDPR Art. 28 |
| Report download count per day | To apply free-plan daily export limits |
| Install date, uninstall date | Compliance record-keeping |
Lawful basis: Performance of a contract (providing the App and associated services).
2.2 Public policy page content (transient — not stored)
To provide the compliance audit, the App reads the text of your publicly visible Shopify policy pages (Privacy Policy, Terms of Service, Refund Policy, Subscription Policy) via the Shopify Admin GraphQL API. This text is processed in memory to generate your compliance score and checklist. We do not store the text of your policy pages on our servers.
2.3 What we do NOT collect in version 1
- Your customers' names, email addresses, or payment details
- Customer subscription contract data
- Any special category personal data
Future versions that add pre-renewal reminder emails will process customer email addresses on your behalf as processor (not controller). An updated DPA will be presented before those features are enabled.
3. How we use your data
- Provide and operate the App: authenticate your sessions, run policy audits, enforce billing plan limits.
- Improve the App: aggregate, anonymised usage metrics (no personal data shared externally for this purpose).
- Legal obligations: retain records as required by company and tax law.
- Fraud prevention and security: detect misuse of the App.
We do not sell personal data. We do not use personal data for direct marketing without your consent.
4. Sub-processors
We use the following third-party services to operate the App:
| Sub-processor | Service | Location |
|---|---|---|
| Neon Tech Inc. | PostgreSQL database (encrypted at rest) | EU (Frankfurt region preferred) |
| Render Services Inc. | Application hosting | US (Oregon) |
| Shopify Inc. | Platform OAuth, API, billing | Canada / global (Shopify acts as independent controller for platform data) |
We require each sub-processor to process personal data only as necessary to provide their service and to maintain appropriate security measures. Full list: https://dmccaguard.co.uk/sub-processors
We will notify you at least 30 days before adding a new sub-processor that processes personal data, giving you the right to object on reasonable grounds.
5. Data retention
| Data | Retention period |
|---|---|
| Shopify session (access token, user details) | While App is installed; deleted within 48 hours of uninstall |
| Shop record (billing, plan, DPA acceptance) | While App is installed + 30 days after uninstall for legal record-keeping |
| Audit score data | Not stored (computed on demand, discarded after request) |
| Support correspondence | 3 years from last contact |
On uninstall, we process Shopify's shop/redact webhook and delete all shop-keyed personal data from production systems within 48 hours, and from backups within 30 days where technically feasible.
6. Your rights
As a merchant (data subject), you have the right under UK GDPR to:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion (subject to legal retention obligations)
- Restriction — limit how we use your data in certain circumstances
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise any right, contact us at privacy@dmccaguard.co.uk or the support address below. We will respond within one calendar month.
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/
7. Security
We implement appropriate technical and organisational measures, including:
- TLS 1.2+ for all data in transit
- Encrypted storage for access tokens and sensitive fields
- HMAC verification on all Shopify webhooks
- Access controls — least privilege; no shared production credentials
- Separate environments — no production customer data in development
In the event of a personal data breach affecting your data, we will notify you within 72 hours of becoming aware.
8. International transfers
Our hosting provider (Render) operates in the United States. Transfers of personal data to the US are covered by Standard Contractual Clauses (SCCs) as incorporated into Render's data processing addendum.
Our database provider (Neon) is configured to use the EU (Frankfurt) region where technically available, to keep merchant data within the UK/EEA where possible.
9. Changes to this policy
We will post any updates to this page with a new version date. For material changes (new categories of data, new processing purposes), we will provide notice in the App or by email at least 30 days before the change takes effect.
10. Contact
Privacy enquiries: privacy@dmccaguard.co.uk
General support: support@dmccaguard.co.uk
MINISAGE TECH LTD
18 Crowthorp Road, Northampton, NN3 5DU
United Kingdom
v1.1 — 26 May 2026 — MINISAGE TECH LTD — Not legal advice. Solicitor review recommended before publication.