GDPR Compliance
Last updated: March 16, 2026
Our commitment to protecting your privacy rights under the General Data Protection Regulation.
1. Our Commitment to GDPR
OCS Engine ("we", "our", or "us") is fully committed to protecting the privacy rights of individuals in the European Union and the European Economic Area (EEA) in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We recognize that your personal data belongs to you, and we take our responsibility as a data processor and data controller seriously.
We have implemented comprehensive data protection practices across our organization to ensure that your personal data is collected, processed, stored, and transferred in full compliance with the GDPR and any applicable national data protection legislation. This includes ongoing staff training, regular audits, and continuous improvement of our security measures.
This page outlines how we comply with GDPR requirements, explains your rights as a data subject, and provides details about our data processing activities in connection with our Shopify applications and website (collectively, the "Services").
Our Promise: We believe in privacy by design and by default. We only collect and process personal data that is strictly necessary for the purposes outlined in this page and our Privacy Policy. We never sell your personal data to third parties.
2. Your Rights Under GDPR
Under the GDPR, you have a number of important rights regarding your personal data. We are committed to facilitating the exercise of these rights in a timely and transparent manner. Below is a detailed explanation of each right:
Right of Access (Article 15)
You have the right to obtain confirmation as to whether your personal data is being processed, and if so, to request access to that data. We will provide you with a copy of your personal data, along with information about the purposes of processing, the categories of data concerned, recipients, retention periods, and your further rights. The first copy is provided free of charge; additional copies may incur a reasonable fee.
Right to Rectification (Article 16)
You have the right to request the correction of inaccurate personal data without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by providing a supplementary statement. We will notify any third parties to whom your data has been disclosed of the rectification where possible.
Right to Erasure (Article 17)
Also known as the "right to be forgotten," you may request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected, when you withdraw consent and there is no other legal ground for the processing, when you object to processing and there are no overriding legitimate grounds, when the data has been unlawfully processed, or when erasure is required for compliance with a legal obligation. Certain exceptions may apply, such as when processing is necessary for legal claims, for compliance with a legal obligation, or for reasons of public interest.
Right to Restrict Processing (Article 18)
You have the right to request the restriction of processing of your personal data in certain circumstances: when you contest the accuracy of the data (for a period enabling us to verify accuracy), when the processing is unlawful and you oppose erasure, when we no longer need the data but you need it for legal claims, or when you have objected to processing pending verification of legitimate grounds. While restricted, we will only store the data and process it with your consent or for legal claims.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV). You also have the right to transmit that data to another controller without hindrance from us, where the processing is based on consent or a contract and is carried out by automated means. Where technically feasible, you may request that we transmit the data directly to another controller.
Right to Object (Article 21)
You have the right to object at any time to the processing of your personal data based on legitimate interests or for direct marketing purposes. If you object to processing for direct marketing, your data will no longer be processed for that purpose. For other objections based on legitimate interests, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
Right Not to be Subject to Automated Decisions (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. Where such processing is necessary for a contract or based on your explicit consent, we will implement suitable safeguards, including the right to obtain human intervention, to express your point of view, and to contest the decision.
Right to Withdraw Consent (Article 7)
Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. We make it as easy to withdraw consent as it was to give it. You can withdraw consent by contacting our Data Protection Officer or by using the unsubscribe mechanisms in our communications.
Right to Lodge a Complaint: If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement. You may also seek a judicial remedy.
3. Data Processing
We process personal data only when we have a clear and lawful basis to do so, and only for specified, explicit, and legitimate purposes. We adhere to the principles of data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability as required by the GDPR.
The categories of personal data we process, and the purposes for which we process them, are outlined below:
Account and Identity Data
Data collected when you create an account or install our Shopify applications:
- Name, email address, and contact details
- Shopify store name and URL
- Business name and address
- Account credentials (passwords stored in hashed form only)
Store and Operational Data
Data from your Shopify store necessary for our applications to function:
- Product, collection, and inventory information
- Order and transaction data
- Customer data (only as required for app functionality)
- Theme and configuration settings
Technical and Usage Data
Data collected automatically when you interact with our Services:
- IP address, browser type, and device information
- Pages visited, features used, and interaction patterns
- Session duration, referring URLs, and time stamps
- Cookies and similar tracking technologies
Communication Data
Data generated when you communicate with us:
- Support tickets and correspondence
- Feedback and survey responses
- Email communication preferences
Data Minimization: We only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We regularly review the data we hold and delete anything that is no longer needed.
4. Lawful Basis for Processing
Under Article 6 of the GDPR, we must have a valid legal basis for processing your personal data. We rely on the following lawful bases depending on the specific context and purpose of the processing:
Consent (Article 6(1)(a))
Where you have given clear, affirmative consent for us to process your personal data for a specific purpose. This applies to marketing communications, non-essential cookies, and newsletter subscriptions. You can withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Performance of a Contract (Article 6(1)(b))
Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This is our primary basis for processing your data when you install and use our Shopify applications, create an account, or subscribe to our services. Without this processing, we would be unable to provide our Services to you.
Legal Obligation (Article 6(1)(c))
Where processing is necessary for compliance with a legal obligation to which we are subject. This includes maintaining financial records for tax and accounting purposes, responding to lawful requests from regulatory authorities, and complying with applicable anti-money laundering and fraud prevention regulations.
Legitimate Interests (Article 6(1)(f))
Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your interests, rights, or freedoms. We conduct a Legitimate Interest Assessment (LIA) for each processing activity that relies on this basis. Our legitimate interests include improving our Services, ensuring network and information security, preventing fraud, and conducting business analytics. You have the right to object to processing based on legitimate interests.
How We Determine the Lawful Basis
Before any new processing activity begins, we conduct an assessment to identify the most appropriate lawful basis. We document this assessment and the selected basis in our Record of Processing Activities (ROPA) as required by Article 30 of the GDPR. If we need to change the lawful basis for processing, we will notify you in advance and document the change accordingly.
5. Data Protection Officer
In accordance with Articles 37-39 of the GDPR, we have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with GDPR requirements. The DPO operates independently and reports directly to the highest level of management.
The DPO is responsible for:
- Informing and advising the organization on GDPR obligations
- Monitoring compliance with GDPR and internal data protection policies
- Providing advice on Data Protection Impact Assessments (DPIAs)
- Acting as the primary point of contact for data subjects and supervisory authorities
- Overseeing responses to data subject access requests
Contact Our DPO
Email: dpo@ocsengine.com
Subject Line: Please include "GDPR Request" or "Data Protection Inquiry" in your subject line
Response Time: We aim to acknowledge all inquiries within 48 hours and to provide a substantive response without undue delay and in any event within one month of receipt, as required by Article 12(3) of the GDPR
6. Data Processing Agreements
In accordance with Article 28 of the GDPR, we enter into Data Processing Agreements (DPAs) with all third-party processors who process personal data on our behalf. These agreements ensure that our sub-processors are contractually obligated to:
Security Obligations
- Implement appropriate technical and organizational measures
- Ensure confidentiality of personal data
- Conduct regular security assessments
Processing Limitations
- Process data only on our documented instructions
- Not engage further sub-processors without authorization
- Not transfer data outside the EEA without safeguards
Accountability
- Assist with data subject rights requests
- Notify us of any personal data breaches promptly
- Allow and contribute to audits and inspections
Data Handling
- Delete or return data upon termination of services
- Maintain records of processing activities
- Ensure staff are bound by confidentiality obligations
We regularly review and update our DPAs to ensure they remain compliant with evolving regulatory requirements and industry best practices. Copies of our DPAs are available upon request.
7. Sub-Processors
We use a limited number of carefully selected third-party sub-processors to help us deliver our Services. Each sub-processor has been vetted for GDPR compliance, and we have executed Data Processing Agreements with all of them. Below is a list of our current sub-processors:
Shopify Inc.
E-commerce Platform — Canada / Global
Core platform through which our applications are distributed. Processes store data, merchant information, and customer data as necessary for app functionality. Shopify maintains its own GDPR compliance program and has published a Data Processing Addendum.
Google Analytics (Google LLC)
Web Analytics — United States
Used to analyze website traffic and user behavior to improve our Services. Data collected includes IP addresses (anonymized), browser type, pages visited, and session duration. Google is certified under the EU-U.S. Data Privacy Framework, and we have configured IP anonymization to enhance privacy protection.
Cloud Hosting Provider
Infrastructure & Hosting — EU / United States
Provides the cloud infrastructure on which our Services are hosted. Processes all data stored in our systems, including personal data. Our hosting provider holds a SOC 2 Type II attestation report and ISO 27001 certification, and has executed Standard Contractual Clauses (SCCs) for any data processed outside the EEA.
Email Service Provider
Transactional & Marketing Email — United States
Used to send transactional emails (account notifications, support responses) and marketing communications (newsletters, product updates). Processes email addresses, names, and email engagement data. Our email service provider is compliant with the EU-U.S. Data Privacy Framework and has executed a DPA with us.
Changes to Sub-Processors: We will notify you of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object to such changes. You can subscribe to sub-processor change notifications by contacting our DPO at dpo@ocsengine.com.
8. Data Protection Impact Assessments
In accordance with Article 35 of the GDPR, we conduct Data Protection Impact Assessments (DPIAs) whenever we plan to carry out processing that is likely to result in a high risk to the rights and freedoms of individuals. This includes, but is not limited to:
- Systematic and extensive evaluation of personal aspects based on automated processing, including profiling
- Processing on a large scale of special categories of data
- Systematic monitoring of a publicly accessible area on a large scale
- Introduction of new technologies or processing activities that significantly change the risk profile
Our DPIA Process
Each DPIA we conduct includes the following elements:
- A systematic description of the processing operations and the purposes, including any legitimate interests pursued
- An assessment of the necessity and proportionality of the processing in relation to the purposes
- An assessment of the risks to the rights and freedoms of data subjects
- The measures envisaged to address and mitigate the risks, including safeguards, security measures, and mechanisms to ensure compliance
Where a DPIA indicates that the processing would result in a high risk in the absence of mitigating measures, we consult with the relevant supervisory authority before proceeding with the processing.
9. International Data Transfers
As our Services involve the use of global infrastructure and third-party providers, your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure that any such transfer is carried out in compliance with Chapter V of the GDPR and that your data receives an adequate level of protection at all times.
We rely on the following transfer mechanisms to ensure adequate protection for international data transfers:
Adequacy Decisions (Article 45)
Where the European Commission has determined that a third country ensures an adequate level of data protection, we may transfer data to entities in that country without requiring further safeguards. We monitor adequacy decisions and any changes that may affect our transfers.
Standard Contractual Clauses (Article 46(2)(c))
For transfers to countries without an adequacy decision, we use the European Commission's Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914. These clauses are incorporated into our Data Processing Agreements with all relevant sub-processors and provide contractual guarantees that your data will be protected to EU standards, regardless of where it is processed.
EU-U.S. Data Privacy Framework
For transfers to the United States, we prioritize working with sub-processors that are certified under the EU-U.S. Data Privacy Framework, as recognized by the European Commission's adequacy decision of July 2023. This framework provides a mechanism for lawful transfers of personal data to participating U.S. organizations.
Transfer Impact Assessments
In line with the recommendations of the European Data Protection Board (EDPB), we conduct Transfer Impact Assessments (TIAs) for each international data transfer. These assessments evaluate the legal framework of the recipient country, the effectiveness of the transfer mechanism used, and any supplementary measures that may be required to ensure an essentially equivalent level of protection.
Supplementary Measures: Where our Transfer Impact Assessment identifies a need for additional safeguards, we implement supplementary technical measures (such as encryption and pseudonymization), organizational measures (such as access controls and data handling policies), and contractual measures to ensure your data remains protected.
10. Data Breach Notification
We take data security extremely seriously and have implemented comprehensive incident response procedures to detect, report, and investigate personal data breaches. In the event of a breach, we follow the notification requirements set out in Articles 33 and 34 of the GDPR.
Detection
Continuous monitoring and automated alerting so that potential breaches are detected and escalated promptly
72-Hour Notification
Supervisory authority notified within 72 hours of our becoming aware of a qualifying breach
Individual Notification
Affected individuals notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms
Our Breach Response Process
In the event of a personal data breach, our incident response team will:
- Contain and assess: Immediately contain the breach and assess its scope, nature, and the categories of data and individuals affected
- Document: Record the facts of the breach, its effects, and the remedial actions taken, in compliance with Article 33(5)
- Notify the supervisory authority: Report the breach to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
- Notify affected individuals: Communicate the breach to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, describing the nature of the breach, likely consequences, and measures taken
- Review and improve: Conduct a post-incident review to identify root causes and implement measures to prevent recurrence
11. Cookie Compliance
In compliance with the GDPR and the ePrivacy Directive (Directive 2002/58/EC), we ensure that cookies and similar tracking technologies are used on our website only with your informed consent, except where strictly necessary for the provision of our Services.
Our cookie practices include:
- Consent-based approach: Non-essential cookies are only placed after you have provided clear, affirmative consent through our cookie consent banner
- Granular control: You can manage your cookie preferences at any time, choosing which categories of cookies to accept or reject
- Transparency: We provide clear information about each cookie, its purpose, duration, and the third party that sets it
- No cookie walls: Access to our website is not conditional upon consent to non-essential cookies
For a detailed breakdown of all cookies used on our website, including their names, purposes, and expiry periods, please refer to our Cookie Policy.
12. Exercising Your Rights
We have established a clear and straightforward process for you to exercise your GDPR rights. We take all requests seriously and aim to make the process as easy and transparent as possible.
How to Submit a Request
Contact Our DPO
Send your request to dpo@ocsengine.com with the subject line "GDPR Rights Request." Clearly state which right you wish to exercise and provide enough information for us to verify your identity and locate your data.
Identity Verification
To protect your data, we may need to verify your identity before processing your request. We will ask for information that helps us confirm you are the data subject (or an authorized representative). We will not request more information than is necessary for verification.
Request Processing
We will process your request and respond within one month of receiving it, as required by Article 12(3) of the GDPR. If your request is complex or we have received numerous requests, we may extend this period by a further two months, but we will inform you of any such extension within one month and explain the reasons for the delay.
Response and Delivery
We will provide the information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Responses will normally be provided in electronic form (email), unless you request otherwise. There is no charge for the first request; however, we may charge a reasonable fee or refuse to act if requests are manifestly unfounded or excessive.
Authorized Representatives
You may appoint an authorized representative to submit a request on your behalf. The representative must provide written authorization signed by you, and we may still require you to verify your identity directly.
Request Limitations
In certain circumstances, we may not be able to fully comply with your request, such as when it would adversely affect the rights and freedoms of others, when legal obligations require continued processing, or when an exemption applies. We will always explain our reasons if we cannot fulfill a request.
13. Changes to This GDPR Compliance Page
We may update this GDPR Compliance page from time to time to reflect changes in our data processing practices, regulatory requirements, or organizational structure. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Post the revised version on our website
- Notify you by email for significant changes that may affect your rights
We encourage you to review this page periodically to stay informed about how we are protecting your personal data.