Privacy Policy

This privacy policy sets out how Pandectes uses and protects any information you provide us when using our website (

Pandectes is committed to ensuring your privacy is protected. Should we ask you to provide any information by which you can be identified when using our website, it will only be used in accordance with this privacy statement.

Pandectes may, from time to time, change this privacy policy by making changes to this page.

I. Who we are

Welcome to, a website owned and administered by the company with the company name Pandectes OÜ, with its registered seat in Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe/1, 74626, Estonia and contact details Via this Policy, we inform you, as data controller, in accordance with Regulation (EU) 2016/679 (hereinafter referred to as “GDPR”) and the relevant national legislation as applicable, on the type of personal data collected, the source of their collection, the reason for their collection and processing, any recipients thereof, the time of their retention, their transmission outside the EU and your rights in relation to your data as potential customers of the Company and how you can exercise them.  We act as Data Controller only when we decide about the crucial parameters of data collection and processing (means of processing, retention period, transfer, recipients, categories of data, etc.), such as when you use our website, you make an enquiry to us, or you contact us, you subscribe to our e-newsletter, or you apply for a job or a co-operation with us.

Herein, you could also find information on the way we process personal data in cases where we act as “data processors”. In case of the provision of the Service Pandectes acts as Data Processor:

  • Especially, Pandectes does not own, control, or direct the use of any Client Data stored or processed by a Client or User via the Service. Only the Client or Users are entitled to access, retrieve and direct the use of such Client Data. Pandectes is largely unaware of what Client Data is actually being stored or made available by a Client or User to the Service and does not directly access such Client Data except as authorized by the Client or as necessary to provide Services to the Client and its Users. Because Pandectes does not collect or determine the use of any Personal Data contained in the Client Data and because it does not determine the purposes for which such Personal Data is collected, the means of collecting such Personal Data, or the uses of such Personal Data, Pandectes is not acting in the capacity of data controller in terms of the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter “GDPR”). Pandectes should be considered only as a processor on behalf of its Clients and Users as to any Client Data containing Personal Data that is subject to the requirements of the GDPR. Except as provided in this Privacy Policy, Pandectes does not independently cause Client Data containing Personal Data stored in connection with the Services to be transferred or otherwise made available to third parties, except to third-party subcontractors who may process such data on behalf of Pandectes in connection with Pandectes’ provision of Services to Clients. Such actions are performed or authorized only by the applicable Client or User.
  • The Client or the User is the data controller under the Regulation for any Client Data containing Personal Data, meaning that such party controls the manner such Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data.
  • Pandectes is not responsible for the content of the Personal Data contained in the Client Data or other information stored on its servers (or its subcontractors’ servers) at the discretion of the Client or User, nor is Pandectes responsible for the manner in which the Client or User collects, handles, discloses, distributes or otherwise processes such information.

II. How do we get information, and why do we use it

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You use our website and our services.
  • You make an enquiry to us, or you contact us.
  • You subscribe to our e-newsletter.
  • You apply for a job or a co-operation with us.

We use your personal data in order to:

  • Provide you with our services.
  • Optimize or improve our services.
  • Provide you with information or advertising relating to our administrate businesses and our website.
  • Improve the products and services we provide.
  • Contact you via email, telephone, or mail for market research reasons to a specific enquiry.
  • Customize our website for you.
  • Send you promotional emails about products, services, offers, and other things we think might be of interest or relevance to you.
  • Specifically, regarding the provision of our Service, we process the following information for the following purposes (see also Section III below- Data Processing during the provision of the Service):

| Collectable Information | Purpose of use |
|---|---|
| Shopify account data | To support all features running in App and make the App work properly. |
| Customer data | To send or present them to the customer through the Customer Data Requests module. |
| Orders data | To send or present them to the customer through the Customer Data Requests module. |
| Online Store data | To support all features running in App and make the App work properly. |
| App utilization | To improve the App experience and apply behavioral promotion. |
| Consent data | To support all features running in App and make the App work properly. |

III. What kind of data is collected, and in which cases?

Most of the personal information we process is provided directly by you. We also collect your personal data from third-party providers (e.g., Google, in case you consent to the use of analytics cookies).

When you use our website, we may collect your personal data through the use of cookies. We use a cookies tool on our website to gain consent for the optional cookies we use. Cookies that are necessary for functionality, security, and accessibility are set and are not deleted by the tool (for further details, kindly read our cookie policy). You can manage your cookies preferences at any time via the integration on our website.

When you register for our e-newsletter, we collect and process information about you provided by you (e.g., your identification and contact details, such as name, e-mail, etc.).

When you communicate with us, we collect and process information about you provided by you which are relevant to the reason for your communication and your enquiry (e.g., information from surveys, questions, or offers you have responded to).

When you apply for a job or ask to cooperate with us, we collect and process information about you provided by you, which is relevant to the job position or your request for cooperation (e.g., CV, contact details, etc.). If we are not interested in any potential cooperation, we delete your personal data within two years of receipt, unless you ask us to keep your CV in case of potential work opportunities with us.

We may collect from you as our your identification (e.g., full name) and pricing details (e.g., information about the chosen pricing plan- basic, plus, premium, etc.), but not any payment details via Shopify.

Data Processing during the provision of the Service

Regarding the personal information which we collect during the provision of our Service, we note that we provide applications to merchants who use platforms like Shopify to power their stores, so when you install one of our apps, we are automatically able to access certain types of information from your Shopify account: The full list available through Shopify can be seen here. This is visible in the setup process and can be reviewed before finishing the installation. In addition, we collect the following types of personal information from you and/or your customers once you have installed the App: Information about individuals who visit your store, such as their IP address (but not complete – we hold only the last two parts of the address), web browser details and time zone. We don’t collect personal information from store visitors. In some cases, we store our cookies for the store visitor, but again there, we don’t include any personal information for him. Regarding our app and Service, we store only visitor consents that include the following information:

  • Consent ID (that is and is not related to the user)
  • Consent date & time
  • User IP Address (not complete but only the last two parts)
  • User country (if detected)
  • User Agent
  • Consent Type (Accept / Deny / Custom)
  • Consent Preference (if applicable)

Specifically, when you install the App, we are automatically able to access certain types of information from your Shopify store. In such cases Pandectes acts as Data Processor according to GDPR:

  • Shopify account data – The App will be able to access and store data from your Shopify account. These are: Store ID; Store plan; Store name; Store domain; Store owner; Store email address; Store country; Store province; Store city; Store timezone;
  • Customer data – The App will be able to access customer data. These are: customer name; customer email; and data requests. The App doesn’t store them.
  • Orders data – The App will be able to access orders data in order to present them to the client through the Customer Data Requests module. These are all the orders data. The App doesn’t store them.
  • Online Store data – The App will be able to access, add and change online store data. In more detail, it will be able to add new theme assets & snippets and inject scripts inside the theme files.
  • App utilization – The app will be able to store information about the installation. These are: Date of installation/upgrade/uninstallation; Operations inside the app; Contact through live chat.
  • Consent data – The App will be able to store user’s consents which will include an anonymous and random key (the “Key”); End user’s consent choice allow/dismiss/deny for each cookie category; Anonymized end user’s IP address (last 3 digits after “.” are set to x); Date and time of end user’s consent; End user’s browser agent and end user’s country code.

The consent data without the IP address and the browser agent are saved in the End User’s browser as a first-party cookie called _gdpr_pandectes in JSON encrypted form. The App later uses this information to remember the End User’s choice. The key can be found on the Customer Data Requests page on the store by the user. The Key can also be used as proof of the End User’s consent. The Key is not considered personally identifiable information.

IV. Legal Basis for processing in each case

When we provide you with our services, the legal basis for the processing of any personal data is the performance of the contract between us, in accordance with Article 6(1)(b) GDPR.

When you contact us, or you subscribe to our newsletter or for promotion and marketing purposes, as well as when you ask for a job, the lawful basis we rely on for processing your information is your consent under article 6(1)(a) of the GDPR. Similarly, the same legal basis applies in the case of the use of optional cookies on our website.

The data we process relating to your payments are further processed for the purpose of invoicing the Company’s services, and the legal basis for their processing is the fulfillment of the Company’s legal obligations under tax law, in accordance with Article 6(1)(c) GDPR.

V. Who are the recipients of your personal data?

We may engage external/third parties as providers, who act as our data processors, providing supporting services to us such as technical support services, marketing services, logistics, and accountant services. Any agreement of ours with any data processor is subject to a written contract according to the GDPR, with strict provisions relating to the confidentiality and the protection of your personal data.

Your information is never shared for the use of advertising.

Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant, or other lawful requests for information we receive, or to protect our rights otherwise.

VI. Do we transfer your personal data outside the EU?

We may transfer your personal data to third countries outside the EU. If your personal data need to be transferred outside the EU, such data transfer will take place in accordance with applicable law.

Pandectes will ensure an adequate level of data protection. By entering into appropriate data transfer agreements based, which are accessible upon your request, or taking other measures to provide an adequate level of data protection, Pandectes establishes or confirms that all data recipients will provide an adequate level of protection for your personal data.

VII. How long do we keep your personal data?

Your personal data will be retained for as long as necessary to fulfill the purposes we collected them for and for the maximum period provided by applicable law until the statute of limitations of your related claims.

We delete your personal data in case you exercise your right for deletion and the lawful preconditions for such exercise are met, as well as in case you uninstall the app.

VIII. What rights do you have as a data subject on your personal data?

In accordance with the data protection law, when we process your personal data you have certain rights that we need to inform you about.

  • The right to be informed / transparency: You have the right to know who is processing your data, what categories of data they are using and why (Articles 12, 13 and 14 of the GDPR).
  • The right of access: You have the right to request access to your personal data (Article 15 of the GDPR). You can exercise this right free of charge in most cases by making an access request in writing or verbally, if you wish to.
  • The right to rectification: You have the right to have the data rectified, if your data is inaccurate and/or incomplete (Articles 16 & 19 of the GDPR).
  • The right to erasure (‘right to be forgotten’): You have the right to have your personal data erased under specific conditions, such as where your data is no longer necessary, you have withdrawn your consent, your data has been unlawfully processed etc. (Articles 17 & 19 of the GDPR).
  • The right to restriction of processing: You have the right to obtain restriction of processing where the accuracy of your personal data is contested, the processing is unlawful, we no longer need the personal data for the purposes of the processing, you have objected to automated processing (Articles 18 and 19 of the GDPR).
  • The right to data portability: You have the right to have your data transmitted to another data controller (Article 20 of the GDPR).
  • The right to object: You have the right to object to the processing of your personal data provided that this is not contrary to the public interest (Article 21 of the GDPR).
  • The right to human intervention: You have the right to object where a decision is based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you (Article 22 of the GDPR).
  • The right to lodge a complaint with the Authority: You have the right to lodge a complaint before the Data Protection Inspectorate ( ) in case you consider that the aforementioned rights have been infringed.

IX. How can you exercise your rights on your personal data?

We must reply to any request of yours for the exercise of your above rights within one month of receipt. This time limit may be extended by a further two months, if necessary, at our discretion, taking into account the complexity of your request and the number of requests we handle at the same time.

X. Miscellaneous

Links to other websites

Our website may contain links to other websites. Please note that we have no control over websites outside the domain. If you provide information to a website to which we link, we are not responsible for its protection and privacy policies. Always be wary when submitting data to websites, and read the site’s data protection and privacy policies fully.

Controlling your personal information

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. You may request details of personal information which we hold about you under the Data Protection Act 1998.

If there is anything else you would like to know about how information about you might be processed using this site, you can ask us. You can email us at: info[at]
