Legal

Privacy Policy

Effective date: 2 February 2026 · Last updated: 7 May 2026

This Privacy Policy explains how Sinka B.V., trading as SKUU (“SKUU”, “we”, “us”), handles personal data in connection with the SKUU app on the Shopify App Store and the website at skuu.io. Please read it carefully so that you know what we do with your data and what your rights are.

1. Who we are and how to contact us

The SKUU platform is operated by Sinka B.V., a private limited company incorporated under the laws of the Netherlands, with its registered office at Hennegras 2, 2498 BL, ‘s-Gravenhage, Netherlands. We are registered with the Dutch Chamber of Commerce (KVK) under number 95087982 and our VAT number is NL866996588B01.

For all privacy questions, data subject requests and complaints, please contact us at info@skuu.io. We respond to all valid privacy queries within five working days.

Sinka B.V. is established in the European Union and we have not appointed a Data Protection Officer because this is not required of us under Article 37 of the GDPR. We have not appointed an EU representative because we are established in the EU. If at any point we expand into markets where additional representation is legally required, we will update this policy and notify affected merchants.

2. Scope of this policy

This Privacy Policy applies to personal data processed by SKUU in connection with the SKUU app on the Shopify App Store, the SKUU order routing platform, the skuu.io website and any communications between SKUU and merchants, prospects or other contacts.

This policy does not apply to the privacy practices of merchants who use SKUU. Each merchant is the controller of its own customers’ data and publishes its own privacy policy. It also does not apply to Shopify itself, which operates under its own privacy policy, or to any third-party websites linked from SKUU.

3. Our role under data protection law

SKUU is a software platform that helps Shopify merchants route orders within a connected network. Two distinct roles apply to the personal data flowing through SKUU.

SKUU acts as a processor for end-customer personal data. When a merchant uses the SKUU app, the personal data of the merchant’s customers (name, contact details, delivery address, order content) is processed by SKUU strictly on the merchant’s instructions and for the limited purpose of providing the service. The merchant is the controller of that data. Under California law (CCPA/CPRA), SKUU acts as a service provider in the same circumstances.

SKUU acts as a controller for merchant account and platform data. This is the data we collect to operate our own business, including the merchant’s company name, shop domain, contact persons, OAuth tokens, billing details and platform usage logs. We need this data to manage the merchant relationship, secure and improve the platform, issue invoices and meet our own legal obligations.

If you are an end-customer of a SKUU merchant and want to exercise your privacy rights, please contact the merchant first because they are the controller of your data. You may also contact SKUU at info@skuu.io and we will route your request to the correct merchant within five working days.

4. Personal data we process

We only process the personal data we need to operate the platform. We do not process special categories of personal data within the meaning of Article 9 GDPR (such as health, biometric or political data), and we do not process payment card numbers or bank account credentials. Payment processing is handled by Shopify and the merchant’s own payment provider, not by SKUU.

When we act as a processor on behalf of a merchant, we receive end-customer personal data from the merchant’s Shopify store. This includes contact data (first and last name, email address, phone number), delivery data (street, house number, postcode, city and country), and order data (order number, line items, quantities, EAN codes, order status and order value).

When we act as a controller for our own merchant relationship, we collect and process the merchant’s company name and shop domain, KVK and VAT numbers, the contact person’s name and role, the billing email address, the Shopify OAuth access tokens issued during installation and the API scopes those tokens grant, communications with our team, and platform usage logs that record IP address, browser user agent and actions taken in the SKUU dashboard.

We may also process aggregated and fully anonymised data (data that cannot be linked to any individual or specific merchant) for platform analytics and service improvement. Once data is fully anonymised, it is no longer personal data under the GDPR.

5. Why we use personal data and our legal basis

We process personal data only for the purposes set out below.

We use the data to operate the SKUU service as agreed with each merchant, which includes routing orders between merchants and supporting fulfilment, returns and dispute resolution. The legal basis is performance of a contract under Article 6(1)(b) GDPR and our legitimate interest in operating the service under Article 6(1)(f).

We use the data to administer the merchant relationship, which includes account creation and maintenance, billing, invoicing and payouts. The legal basis is performance of a contract under Article 6(1)(b) and, where retention of accounting records is concerned, a legal obligation under Article 6(1)(c).

We use the data to provide customer support and resolve disputes, on the basis of our legitimate interest in serving merchants well and the merchants’ equivalent interest, under Article 6(1)(f).

We use the data to keep the platform secure and operational, which includes fraud prevention, debugging, abuse monitoring, capacity planning and incident response. The legal basis is our legitimate interest under Article 6(1)(f), balanced against the privacy interests of the people involved.

We use the data to comply with legal obligations, including Dutch tax and accounting law and lawful requests from competent authorities. The legal basis is Article 6(1)(c) GDPR.

We use the data to communicate with merchants and prospects about the service, including service updates, contractual notices and, where consent applies, information about new SKUU features. The legal basis is our legitimate interest under Article 6(1)(f) or, where required, your consent under Article 6(1)(a). You can withdraw consent at any time without consequences for processing already carried out.

We do not sell personal data, do not share it for cross-context behavioural advertising, and do not make decisions producing legal or similarly significant effects on individuals based solely on automated processing within the meaning of Article 22 GDPR.

6. How we collect personal data

We collect personal data in three ways.

We collect it directly from the merchant, when the merchant signs up, installs the SKUU app, signs the cooperation agreement (DPA), fills in onboarding forms or contacts our support team.

We collect it from Shopify on the merchant’s instruction, through the Shopify Admin API and the mandatory order, customer and shop webhooks. The merchant authorises this access by installing the SKUU app and granting the requested OAuth scopes.

We collect it automatically, through server logs and dashboard action logs when the merchant uses the platform. This is limited to what is needed to keep the service running and secure.

We do not buy personal data, scrape websites for personal data or acquire data from data brokers.

7. Sub-processors

We use a small number of vetted third parties to deliver the SKUU service. We have a written data processing agreement (or equivalent terms) with each of them, and they are bound to confidentiality and security obligations equivalent to ours.

Shopify International Limited is the source of merchant and end-customer order data and the channel through which the mandatory privacy webhooks are delivered. Processing takes place in the European Economic Area and Canada. Canada has a European Commission adequacy decision, and Shopify additionally relies on Standard Contractual Clauses for any onward transfers within its group.

Supabase, Inc. provides the managed Postgres database that stores SKUU’s operational data. The database is hosted in Frankfurt, Germany, within the European Union. Where any access from outside the EEA is required for support purposes, Supabase relies on the EU Standard Contractual Clauses (Module 2) and the UK Addendum.

Hostinger International Ltd. provides the virtual private server (VPS) infrastructure on which we self-host parts of the SKUU service. Processing takes place in EU data centres. Hostinger’s GDPR-compliant Data Processing Addendum is in force.

Our transactional email provider is used to send account notifications, settlement statements and support emails to merchants. Email content may include the merchant’s name, email address and order references. We will share the current provider’s identity on request.

We may use additional sub-processors in the future. Before adding or replacing a sub-processor that has access to personal data, we will inform merchants in advance, in line with Article 7b of our Cooperation Agreement. Merchants who object to a new sub-processor have the right to terminate the cooperation under the notice period set out in that agreement.

By default, all operational personal data is stored within the European Union. We may move primary storage to Microsoft Azure (Amsterdam or Dublin) at a later stage at equivalent or higher security standards, with prior notice to merchants.

8. International transfers

By default, personal data we process stays within the European Economic Area, with the primary database currently in Frankfurt, Germany.

Where personal data is, or may be, accessed from outside the EEA (for example by a sub-processor’s support team), we rely on one of the transfer mechanisms recognised under Articles 45 and 46 GDPR. These are: an adequacy decision of the European Commission for the destination country (where available), the EU Standard Contractual Clauses as adopted in Commission Decision 2021/914 (Module 2 controller-to-processor or Module 3 processor-to-processor), and the UK International Data Transfer Addendum (version B1.0, in force 21 March 2022) for transfers covered by the UK GDPR. Where required, we supplement these with additional technical and organisational measures based on a transfer impact assessment.

You can request a copy of the relevant transfer documentation by emailing info@skuu.io.

9. How long we keep personal data

We keep personal data only as long as we need it for the purpose for which it was collected.

End-customer order data and the related fiscal records are kept for up to seven years from the date of the order, in line with Dutch tax and accounting law (article 52 of the Algemene wet inzake rijksbelastingen). After that period the data is permanently deleted or fully anonymised.

Merchant account data is kept for the duration of the relationship, plus up to seven years for the parts that are subject to fiscal retention obligations.

Shopify OAuth access tokens are deleted when the SKUU app is uninstalled, and in any event within 48 hours of receiving Shopify’s shop/redact webhook.

Support communications are kept for two years after the last interaction, unless they are relevant to a dispute that requires longer retention.

Security and platform usage logs are kept for twelve months, after which they are deleted or anonymised.

Marketing contact data, where we hold it, is kept until the contact withdraws consent or opts out.

When a merchant ends the relationship, we delete all of that merchant’s personal data from our systems within 90 calendar days, except for data we are legally required to retain. We keep merchants informed of progress on this deletion in line with our cooperation agreement.

10. Security

We implement technical and organisational measures appropriate to the risk in line with Article 32 GDPR. Without disclosing details that could themselves create a security risk, our key measures include the following.

All data in transit is protected by TLS 1.3 or higher. All data at rest is encrypted with AES-256. Access to production systems requires multi-factor authentication, and access rights are granted on a least-privilege, role-based basis. We operate continuous security monitoring of production systems with a documented incident response process, and we run regular encrypted backups stored within the European Union. Our network is segmented, with strict isolation between test and production environments. All team members and contractors are bound by confidentiality obligations. Sub-processors are vetted for security and contractually bound to equivalent obligations.

We do not currently hold ISO 27001 or SOC 2 certification. We will update this policy if that changes.

11. Your rights

This section explains your privacy rights and how to exercise them. The exact list depends on where you live. If you are an end-customer of a merchant, please contact the merchant first because they are the controller of your data; we will support them in handling your request.

Under the EU and UK GDPR you have the right to obtain access to your personal data, the right to have inaccurate or incomplete data corrected, the right to have your data erased (“right to be forgotten”), the right to restrict processing in certain circumstances, the right to data portability for data you provided us, the right to object to processing based on legitimate interests, and the right to withdraw consent at any time where we rely on consent. Withdrawal does not affect processing carried out before withdrawal.

Under the California Consumer Privacy Act and the California Privacy Rights Act, California residents have the right to know what personal information we have collected and how we use it, the right to delete it, the right to correct inaccurate information, the right to limit the use and disclosure of sensitive personal information (although we do not collect “sensitive personal information” as defined by the CPRA), the right to opt out of the sale or sharing of personal information, and the right not to be discriminated against for exercising any of these rights. SKUU does not sell or share personal information within the meaning of the CCPA/CPRA, and we do not engage in cross-context behavioural advertising.

To exercise any of these rights, please email info@skuu.io with your name, the email address connected to your data (or the order number if you are an end-customer of a merchant), the right you wish to exercise and enough context to allow us to locate your records. We will respond within 30 days for GDPR requests and within 45 days for CCPA requests, with one extension of an equal period in complex cases. We will tell you in advance if we need an extension. We may need to verify your identity before we act on your request, and we will only ask for the information strictly necessary to do so.

There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive in line with Article 12(5) GDPR.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. The lead authority for SKUU is the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl, Postbus 93374, 2509 AJ Den Haag). UK residents may contact the Information Commissioner’s Office (ico.org.uk). Other EEA residents may contact their local data protection authority. California residents may contact the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General (oag.ca.gov/privacy).

12. Shopify mandatory compliance webhooks

This section is for merchants who install the SKUU app from the Shopify App Store. SKUU subscribes to and handles all three mandatory Shopify privacy webhooks within 30 days of receipt, in line with Shopify’s privacy law compliance requirements.

When Shopify sends the customers/data_request webhook on behalf of a customer of your shop, we compile the personal data SKUU holds about that customer (contact details, delivery address and the orders we have routed) and provide it to you, the merchant, so that you can deliver it to the customer. We do not contact the customer directly.

When Shopify sends the customers/redact webhook, we delete or fully anonymise the personal data we hold about that customer in our systems, except for data we are legally required to retain (for example, invoice line data needed to meet the Dutch seven-year fiscal retention obligation). Where retention is required by law, we restrict the data to that purpose alone, in line with the documented exception in Shopify’s privacy webhook guidance.

When Shopify sends the shop/redact webhook, which fires 48 hours after a merchant uninstalls the SKUU app, we delete the shop’s data from our systems within the limits described in section 9, again subject to legal retention obligations.

If you have questions about how SKUU has handled a specific webhook for your shop, please email info@skuu.io with your shop domain.

13. Cookies and similar technologies

The merchant-facing SKUU app, embedded in the Shopify admin, uses session tokens for authentication and does not rely on third-party cookies or local storage. This is in line with Shopify’s app development requirements.

The SKUU marketing website at skuu.io uses only strictly necessary cookies, which do not require consent under the Dutch Telecommunications Act and the ePrivacy Directive. We do not use advertising cookies, tracking pixels or third-party social media trackers. If we add any non-essential cookies in the future, we will present a cookie banner that asks for consent first, allows you to refuse without consequence and lets you change your choice at any time. See our Cookie Policy for full details.

14. Children’s data

SKUU is a B2B platform aimed at retailers and is not directed at children. We do not knowingly process personal data of children under the age of 16 in the EEA, under 13 in the United States, or under any higher minimum age set by applicable national law. If you believe we have inadvertently collected such data, please email info@skuu.io and we will delete it.

15. Automated decision-making and profiling

We use automated logic to match orders to merchants in the SKUU network that can fulfil them. This is order routing, not a decision about an individual. We do not make decisions producing legal or similarly significant effects on individuals based solely on automated processing within the meaning of Article 22 GDPR, and we do not profile end-customers for advertising or scoring purposes.

16. Data breach notification

If we become aware of a personal data breach affecting a merchant’s data, we will notify the affected merchant without undue delay and within 24 hours of becoming aware. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences and the measures taken or proposed to address it. The merchant, as controller, decides whether and how to inform affected individuals or the supervisory authority under Articles 33 and 34 GDPR. We cooperate fully with any investigation.

17. Changes to this policy

We may update this policy from time to time, for example when our practices change, when the law changes, when we add a new sub-processor or when we expand into new markets. The “Last updated” date at the top of this page reflects the most recent change. For material changes that affect merchants, we will notify the merchant at least 30 days in advance by email or through the SKUU dashboard.

18. Contact

For all privacy questions, requests and complaints, please contact us at:

Email: info@skuu.io
Post: Sinka B.V., Hennegras 2, 2498 BL, ‘s-Gravenhage, Netherlands

This Privacy Policy is governed by Dutch law.