This privacy policy describes how [YOUR LEGAL ENTITY NAME] ("MerchantWatch", "we", "us") collects, uses, and protects personal data when you visit our website or use our services. We comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Controller
The controller responsible for the processing of personal data on this site is:
[YOUR LEGAL ENTITY NAME]
[STREET + NUMBER]
[POSTAL CODE + CITY], Germany
E-Mail: privacy@merchantwatch.app
2. What data we collect
Account data
When you sign up, we collect: name, email address, organisation name, billing address, and (for paid plans) payment information processed by Stripe.
Usage data
We log how you interact with the product: pages visited, searches run, exports performed, alerts received, IP address, browser, and device type. We use this for service operation, billing, security, and product improvement.
Shopify ecosystem data (the product)
Our database contains company data and public signals about Shopify storefronts (domain, brand info from public Impressum, tech stack detected from public storefront markup, traffic estimates, public legal markers). This is publicly observable information about businesses, not personal data about individuals. We do not collect, sell, or expose decision-maker contact information, personal email addresses, or LinkedIn profiles of shop owners.
Cookies & analytics
We use a minimal set of strictly necessary cookies (session, CSRF, login). For analytics, we use [ANALYTICS PROVIDER — e.g. Plausible, Fathom, GA4], configured to be privacy-respecting. We do not use cross-site tracking cookies. See the cookie policy below for details.
3. Why we process your data (legal bases)
- Contract performance (Art. 6(1)(b) GDPR) — to provide the service you signed up for: account creation, login, billing, customer support.
- Legitimate interests (Art. 6(1)(f) GDPR) — to operate our service securely (security logging, fraud prevention) and to improve the product (anonymised usage analytics).
- Legal obligation (Art. 6(1)(c) GDPR) — to comply with tax, accounting, and other legal record-keeping obligations.
- Consent (Art. 6(1)(a) GDPR) — for any optional processing where we explicitly ask, e.g. marketing emails. You can withdraw consent at any time.
4. Sharing data with third parties
We share data with carefully selected processors who help us operate the service. All processors are bound by Data Processing Agreements (Auftragsverarbeitung, Art. 28 GDPR):
- Supabase (auth + database hosting) — [REGION — EU]
- Stripe (payment processing) — Ireland / USA (Standard Contractual Clauses)
- Vercel (web hosting) — [REGION — EU]
- Postmark / Resend (transactional email) — [REGION]
- [ANALYTICS PROVIDER] (privacy-friendly product analytics)
We do not sell personal data. We do not share data with advertising networks.
5. International transfers
Where a processor (e.g. Stripe) processes data outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures as required by the GDPR.
6. How long we keep your data
- Account data — for the duration of your account, plus 30 days after deletion to recover from accidental deletion.
- Billing records — 10 years per German tax retention obligations (HGB / AO).
- Usage logs — 90 days, unless required longer for security investigation.
- Marketing emails — until you unsubscribe.
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15 GDPR)
- Correct inaccurate data (Art. 16 GDPR)
- Have your data erased, subject to legal retention obligations (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Receive your data in a portable format (Art. 20 GDPR)
- Object to processing based on legitimate interests (Art. 21 GDPR)
- Lodge a complaint with a supervisory authority (Art. 77 GDPR). For users in Germany, the competent authority is the data-protection regulator of the state where you reside.
To exercise any of these rights, email privacy@merchantwatch.app. We respond within 30 days.
8. Cookie policy
Strictly necessary
Required for login, session persistence, and CSRF protection. You cannot opt out of these without breaking the site.
Analytics
We use a privacy-friendly analytics tool that does not set tracking cookies and aggregates page views without identifying individuals.
Marketing
None. We do not run remarketing or behavioural advertising cookies.
9. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Access to production data is restricted to authorised personnel and audited. We follow industry-standard practices for credential management, backup, and incident response.
10. Changes to this policy
We may update this policy as the product evolves. Material changes will be communicated via email and noted on this page. The "Last updated" date at the top reflects the most recent change.
Contact
Questions about this policy? Email privacy@merchantwatch.app.