GDPR Compliance

OCS Engine is committed to protecting your privacy and personal data in accordance with the General Data Protection Regulation (GDPR). Learn about our compliance measures and your rights.

Last updated: January 15, 2025
Effective date: January 15, 2025

What is GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process personal data of individuals in the European Union (EU), regardless of where the organization is located.

GDPR strengthens and unifies data protection for individuals within the EU and addresses the export of personal data outside the EU. It gives individuals greater control over their personal data and requires organizations to be more transparent about how they collect, use, and protect personal information.

Our GDPR Commitment

OCS Engine is fully committed to GDPR compliance and protecting the privacy and rights of all individuals whose personal data we process. We have implemented comprehensive measures to ensure compliance with GDPR requirements.

Our Compliance Measures

  • Data Protection by Design: Privacy considerations are integrated into all our systems and processes
  • Transparency: Clear and accessible information about our data processing activities
  • User Rights: Easy-to-use mechanisms for individuals to exercise their GDPR rights
  • Security: Robust technical and organizational measures to protect personal data
  • Accountability: Regular audits and assessments of our data protection practices
  • Training: Ongoing staff training on data protection and GDPR requirements

Data Controller Information

OCS Engine acts as a data controller for the personal data we collect and process in connection with our Shopify applications and services.

Data Controller Details

Company: OCS Engine

Your Rights Under GDPR

GDPR provides you with several important rights regarding your personal data. You can exercise these rights at any time:

Right of Access (Article 15)

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and access to that data.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete personal data completed.

Right to Erasure (Article 17)

You have the right to request the deletion of your personal data in certain circumstances, also known as the "right to be forgotten."

Right to Restrict Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object (Article 21)

You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to automated decision-making, including profiling, that produces legal effects concerning you.

How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@ocsengine.com. We will respond to your request within one month of receipt.

Data Subjects We Process

We process personal data of the following categories of individuals:

Shopify Store Owners and Administrators

Personal data we collect includes:

  • Name and contact information
  • Shopify store details
  • Account and billing information
  • Usage and performance data
  • Support communications

End Customers (Through Your Store)

When you use our applications, we may process data about your customers, including:

  • Contact information (for WhatsApp chat)
  • Form submissions (for contact forms)
  • Usage analytics (anonymized)
  • Technical data (IP addresses, device information)

Website Visitors

We process data about visitors to our website, including:

  • IP addresses and browser information
  • Usage analytics and behavior data
  • Cookie data and preferences
  • Contact form submissions

Data Collection and Sources

We collect personal data from various sources:

Direct Collection

  • Information you provide when creating an account
  • Data you submit through our contact forms
  • Information provided during support interactions
  • Feedback and survey responses

Automatic Collection

  • Usage data from our applications
  • Website analytics and performance data
  • Technical information (IP addresses, device data)
  • Cookie and tracking data

Third-Party Sources

  • Shopify platform data
  • Payment processors
  • Analytics providers
  • Customer support platforms

Data Processing Activities

We process personal data for the following purposes:

Service Provision

  • Delivering our Shopify applications
  • Processing transactions and payments
  • Providing customer support
  • Managing user accounts

Business Operations

  • Improving our services and features
  • Conducting analytics and research
  • Ensuring security and preventing fraud
  • Complying with legal obligations

Communication

  • Sending service updates and notifications
  • Providing marketing communications (with consent)
  • Responding to inquiries and support requests
  • Conducting surveys and feedback collection

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law.

Retention Periods

  • Account Data: Until account deletion or 3 years of inactivity
  • Usage Data: Up to 2 years for analytics purposes
  • Support Communications: 3 years for quality assurance
  • Marketing Data: Until consent is withdrawn
  • Legal Compliance: As required by applicable laws

Data Deletion

When personal data is no longer needed, we securely delete or anonymize it. This includes:

  • Automatic deletion after retention periods expire
  • Manual deletion upon request
  • Secure destruction of physical records
  • Anonymization for research and analytics

Data Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.

Technical Measures

  • Encryption: Data encrypted in transit and at rest
  • Access Controls: Role-based access and authentication
  • Network Security: Firewalls and intrusion detection
  • Regular Updates: Security patches and system updates
  • Backup Systems: Secure and encrypted data backups

Organizational Measures

  • Staff Training: Regular data protection training
  • Access Policies: Strict access control policies
  • Incident Response: Comprehensive breach response procedures
  • Regular Audits: Security assessments and compliance reviews
  • Vendor Management: Due diligence on third-party processors

International Data Transfers

Some of our service providers and data processing activities may involve transfers of personal data outside the European Economic Area (EEA).

Transfer Safeguards

We ensure appropriate safeguards are in place for international transfers:

  • Adequacy Decisions: Transfers to countries with adequate protection
  • Standard Contractual Clauses: EU-approved contract terms
  • Binding Corporate Rules: Internal data protection policies
  • Certification Schemes: Privacy Shield and similar frameworks

Third-Party Processors

We use the following categories of third-party processors:

  • Cloud hosting and infrastructure providers
  • Payment processing services
  • Analytics and monitoring tools
  • Customer support platforms
  • Email and communication services

Data Breach Notification

In the unlikely event of a personal data breach, we have procedures in place to detect, assess, and respond to such incidents.

Our Response Process

  • Detection: Monitoring systems and incident detection
  • Assessment: Risk evaluation and impact analysis
  • Containment: Immediate measures to limit the breach
  • Investigation: Root cause analysis and evidence collection
  • Notification: Regulatory and individual notifications as required
  • Recovery: System restoration and security improvements

Notification Requirements

We will notify relevant authorities and affected individuals as required by GDPR:

  • Supervisory Authority: Within 72 hours of becoming aware
  • Data Subjects: Without undue delay if high risk to rights and freedoms
  • Documentation: Detailed records of all breach incidents

Data Protection Officer

While we are not required to appoint a Data Protection Officer under GDPR, we have designated privacy contacts to handle data protection matters.

Privacy Contact

Response Time: Within 30 days of receipt
Languages: English

Contact for Data Protection Matters

You can contact us for any data protection-related matters, including:

  • Exercising your GDPR rights
  • Data protection questions or concerns
  • Privacy policy clarifications
  • Data breach notifications
  • Complaints about data processing

Contact Us

For any questions about our GDPR compliance or data protection practices, please contact us:

Privacy Email: privacy@ocsengine.com
General Support: info@ocsengine.com
Support Portal: support.ocsengine.com

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have not handled your personal data in accordance with GDPR. You can contact the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.