PriceMux Privacy Policy

Effective Date: 2026-05-19 Controller for our own merchant-account data: Xynik LLC, 5474 Lake Howell Rd, Winter Park, FL 32792, USA. Contact: [email protected].

1. Scope

This Policy covers (a) merchant account data for which Xynik is controller (e.g., merchant admin email, billing identifiers from Shopify, in-app audit logs of merchant actions), and (b) end-shopper data processed on the merchant’s behalf, for which the merchant is controller and Xynik is processor under GDPR Art. 28 and analogous U.S./UK regimes.

2. What PriceMux Collects and Processes

From Shopify webhooks (orders/create):

OrderUsage row: one row per (shop, order) capturing orderId (Shopify order GID), hadDiscountFunctionFire (boolean — did the POS Discount Function fire on any line), and createdAt timestamp. Used for tier-enforcement counting; not joined back to any shopper. The Shopify order GID is an opaque reference to an order record held by Shopify (the controller); it is not a customer name, email, phone, address, or other customer identifier. When a merchant submits a customers/data_request webhook listing one or more of these order GIDs in orders_requested, PriceMux returns the matching OrderUsage rows in the response body so the merchant has the complete PriceMux-side dataset to forward to the data subject; when a merchant submits customers/redact with orders_to_redact, PriceMux deletes those rows.

From the embedded admin app: audit log of merchant admin actions inside app.pricemux.com.

What PriceMux explicitly does NOT process:

No customer name, email, phone, address, or shipping address
No full ZIP code (dropped at webhook handler)
No customerGid, no customer hash, no customer join key
No “sensitive personal information” within the meaning of Cal. Civ. Code §1798.140(ae)

Shopify Protected Customer Data level: Level 1 only (order-level fields). Level 2 is out of scope.

For merchant-account data we control: legitimate interests in operating the App and contract performance (Art. 6(1)(b) and 6(1)(f)).
For end-shopper data we process for the merchant: the merchant’s Art. 6(1)(b) contract performance with the shopper, on the merchant’s documented Art. 28 instructions.
We process no Art. 9 special-category data and perform no Art. 22 automated decision-making with legal effects on the data subject.

4. Retention

Raw per-order / per-fire rows: up to 13 months (12-month rolling window plus a reconciliation buffer of up to 30 days for billing-window disputes). Deleted thereafter by the automated retention worker.
Basis: GDPR Art. 5(1)(e) storage limitation; ICO storage-limitation guidance; Cal. Civ. Code §1798.100(a)(3).

5. Sub-processors and Cross-Border Transfers

PriceMux uses the sub-processors listed at our Sub-processor page (updated with at least 30 days’ prior notice of any addition or replacement, subject to the buffer described in the DPA §7). Transfers to sub-processors outside the EEA/UK are governed by:

EU SCCs Module 3 (processor-to-processor) per Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
UK International Data Transfer Addendum issued by the ICO under s.119A of the Data Protection Act 2018, VERSION B1.0, in force 21 March 2022.

The Shopify-originated data flow itself is governed by the Shopify DPA at shopify.com/legal/dpa, which incorporates the 2021 SCCs and the UK IDTA at the merchant–Shopify layer.

Because PriceMux is a processor with no customer-identifying data, end-shoppers should exercise rights through the merchant.

Right	EU/UK	California (CCPA/CPRA)	VA/CO/CT/UT/TX
Access	Art. 15 — via merchant	§1798.110 — via merchant	All — via merchant
Deletion	Art. 17 — via `customers/redact`	§1798.105 — via `customers/redact`	All — via merchant
Correction	Art. 16	§1798.106	VCDPA, CPA, CTDPA, TDPSA (not UCPA)
Portability	Art. 20 — N/A (no PII)	§1798.130 — N/A	N/A
Opt-out of sale/share	N/A — no sale or share	§1798.120 — N/A	Same — no sale or share
Sensitive PI limit	N/A	§1798.121 — N/A (none collected)	N/A
Opt-out of profiling/automated decisions	Art. 22 — N/A	N/A	VCDPA/CPA/CTDPA/TDPSA — N/A

7. Merchants Outside the EU/US

Canada (PIPEDA): We follow the ten Fair Information Principles.
Australia (Privacy Act 1988 / APPs): We manage personal information in accordance with APP 1 and APP 8 (cross-border disclosure).

8. Cookies and Tracking

The embedded app (app.pricemux.com) uses only strictly-necessary session/authentication cookies; it sets no tracking, analytics, or advertising cookies. The marketing site (pricemux.com) uses no analytics, advertising, or cross-site tracking cookies; it sets only the strictly-necessary cookies required by its built-in search feature.

9. Security

TLS 1.2+ in transit; AES-256 at rest; HMAC-verified webhooks; least-privilege internal access; audit logging. Detail in our Processor-level DPIA.

10. No Mandatory Data Protection Officer

Xynik has determined that the appointment of a Data Protection Officer is not required under GDPR Art. 37(1) because (a) we are not a public authority, (b) our core activities do not consist of regular and systematic monitoring of data subjects on a large scale (we process no customer-identifying data and no profiling with legal effects), and (c) we do not process Art. 9 special-category data or Art. 10 criminal-conviction data on a large scale. Privacy inquiries are monitored at [email protected].

Xynik is established in the United States and processes the personal data of EU and UK data subjects only indirectly, through Shopify merchants who themselves act as controllers under Art. 28. An EU/UK Representative will be designated as our EU/UK merchant footprint grows. Until then, EU/UK data subjects may direct inquiries to [email protected]; the merchant whose store originated the data remains the primary controller contact under Art. 28.

11. Changes to This Policy

We will provide at least 30 days’ notice of material changes via in-app banner and a “Last Updated” date in the header.

12. Contact

Xynik LLC, 5474 Lake Howell Rd, Winter Park, FL 32792, USA. Email: [email protected].