Jewelry Studio Manager

Privacy Policy

Effective date: February 14, 2026

This Privacy Policy describes how Jewelry Studio Manager, operated by Moores Jewellers ("we," "us," or "our"), collects, uses, and protects information when you use our Shopify application and associated services (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you install Jewelry Studio Manager from the Shopify App Store or create an account, we collect:

  • Your name and email address
  • Your Shopify store domain and store information
  • Business name and contact details
  • Billing information (processed through Shopify's billing system)

1.2 Client Data

In the course of using the Service, you may store information about your clients, including:

  • Client names, email addresses, and phone numbers
  • Physical addresses
  • Design preferences, ring sizes, metal and gemstone preferences
  • Budget information and payment history
  • Communication history and appointment records
  • Commission details and project files

1.3 Shopify Data

With your authorization, we access certain data from your Shopify store:

  • Customer records (names, emails, order history)
  • Order and product information
  • Store configuration and settings

We only access the Shopify data scopes necessary for the Service to function. You can review these scopes during the app installation process.

1.4 Automatically Collected Information

  • Log data (IP address, browser type, pages visited, timestamps)
  • Device information (operating system, screen resolution)
  • Usage analytics (features used, session duration)

2. How We Use Your Information

We use the collected information to:

  • Provide, maintain, and improve the Service
  • Process and manage your commissions and client relationships
  • Sync data between your Shopify store and the Service
  • Send transactional emails (appointment reminders, commission updates)
  • Provide customer support
  • Generate aggregated, anonymized analytics to improve our product
  • Comply with legal obligations

3. Data Storage and Security

We take the security of your data seriously and implement industry-standard measures:

  • All data is encrypted in transit using TLS 1.2 or higher
  • Sensitive data (such as Shopify access tokens) is encrypted at rest using AES-256-GCM
  • Authentication tokens are stored in HttpOnly cookies only, preventing client-side JavaScript access
  • We do not store passwords in plain text; all passwords are hashed using bcrypt
  • Database access is restricted and monitored
  • CSRF protection is implemented on all state-changing operations

4. Cookies

We use strictly necessary cookies to operate the Service:

  • Authentication cookies: HttpOnly, secure cookies that maintain your session. These cannot be accessed by client-side scripts.
  • CSRF tokens: Short-lived tokens (15-minute TTL) to protect against cross-site request forgery.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not sell or share cookie data with third parties.

5. Data Sharing

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

  • Shopify: We exchange data with Shopify as necessary for app functionality and billing.
  • Service providers: We may use trusted third-party services (e.g., email delivery, hosting) that process data on our behalf under strict data processing agreements.
  • Legal requirements: We may disclose information if required by law, regulation, or legal process.
  • Business transfers: In the event of a merger, acquisition, or sale, user data may be transferred as part of the business assets.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data is retained for the duration of your subscription
  • Client data you store in the Service is retained until you delete it or close your account
  • After account closure, we retain data for up to 30 days to allow for reactivation, after which it is permanently deleted
  • Certain anonymized, aggregated data may be retained for analytics purposes
  • We retain data as required by applicable law (e.g., billing records)

7. Your Rights (GDPR and Global Privacy)

Regardless of your location, we respect your data rights. You have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Data portability: Request your data in a machine-readable format
  • Restriction: Request restriction of processing of your data
  • Objection: Object to processing of your data
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at support@jewelrystudiomanager.com. We will respond within 30 days.

8. GDPR Compliance

For users in the European Economic Area (EEA), we process personal data under the following legal bases:

  • Contract performance: Processing necessary to provide the Service you requested
  • Legitimate interests: Processing necessary for our legitimate business interests (e.g., improving the Service), provided these do not override your rights
  • Legal obligation: Processing necessary to comply with applicable laws
  • Consent: Where you have given explicit consent for specific processing

9. Shopify GDPR Webhooks

In compliance with Shopify's requirements, we handle mandatory GDPR webhooks:

  • Customer data request: We provide all stored data for a specific customer upon request
  • Customer data erasure: We delete all stored data for a specific customer
  • Shop data erasure: We delete all data associated with a shop when the app is uninstalled

10. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete that information promptly.

11. International Data Transfers

Your data may be processed in countries other than your country of residence. When we transfer data internationally, we implement appropriate safeguards including standard contractual clauses and ensure an adequate level of data protection.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. The "Effective date" at the top of this page indicates when the policy was last revised.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Email: support@jewelrystudiomanager.com
  • Company: Moores Jewellers

For GDPR-related inquiries, you may also contact your local data protection authority.

© 2026 Moores Jewellers. All rights reserved.