Privacy Policy
Last updated: April 24, 2026 — Effective Date: April 24, 2026
This Privacy Policy ("Policy") describes how Gemhubx and its affiliates, subsidiaries, agents, and assigns (collectively, "Gemhubx," "Company," "we," "us," or "our") collect, use, store, disclose, and protect information obtained from users ("you," "your," "User," or "Merchant") who access or use the Gemhubx application, website, and related services (collectively, the "Service"). By installing, accessing, or using the Service, you consent to the practices described in this Policy.
Gemhubx operates as a Shopify application available through the Shopify App Store and as a standalone platform accessible at https://gemhubapp.com. This Policy applies to all data collected through the Shopify integration, WooCommerce integration, our website, APIs, and any other interfaces through which you interact with the Service.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, physical addresses, phone numbers, IP addresses, device identifiers, and financial information.
- "Store Data" means information specific to your ecommerce store, including product data, order data, inventory data, and store configuration.
- "Customer Data" means Personal Data and order information of your end customers that is processed through the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third party engaged by Gemhubx to process data on behalf of the User.
2. Information We Collect
2.1 Information You Provide Directly
- Account registration data: Name, email address, password (hashed), business name, phone number, and billing information
- Profile and settings data: Preferences, notification settings, markup rules, and import configurations
- Communications: Emails, support tickets, feedback, and any correspondence you send to us
2.2 Information Collected Through Platform Integrations
When you connect your Shopify, WooCommerce, or TikTok Shop store, we collect:
- Store information: Store domain, store name, owner name, email, plan details, currency, timezone, and access tokens (encrypted at rest)
- Product data: Product titles, descriptions, images, variants, pricing, SKUs, inventory quantities, weights, dimensions, tags, categories, and vendor information
- Order data: Order IDs, line items, quantities, pricing, discounts, shipping addresses, billing addresses, fulfillment status, payment status, tracking numbers, and timestamps
- Customer data: Customer names, email addresses, phone numbers, shipping addresses, billing addresses, and order history associated with orders that contain products imported via Gemhubx
- Fulfillment data: Shipping carrier information, tracking numbers, fulfillment timestamps, and delivery confirmations
2.3 Information Collected Automatically
- Usage data: Pages viewed, features used, actions taken, timestamps, frequency of use, and interaction patterns within the Service
- Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences
- Log data: Server logs, error reports, API call logs, and performance data
- Cookies and similar technologies: Session identifiers, authentication tokens, and preferences (see Section 10)
- Geolocation data: Approximate geographic location derived from IP address for analytics and fraud prevention
2.4 Information From Third Parties
- Shopify: Store and merchant data transmitted through Shopify's OAuth and API systems
- WooCommerce: Store and merchant data transmitted through WooCommerce REST API
- TikTok Shop: Shop credentials, product listing status, order data, and creator/affiliate metrics transmitted through TikTok Shop Open Platform APIs
- Suppliers and fulfillment partners: Product catalog data, pricing, availability, and shipment tracking information
- Payment processors: Transaction confirmations, payment status, and subscription billing data
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Core Service Delivery
- Providing, maintaining, and improving the Gemhubx platform and all related services
- Processing product imports from our catalog to your store
- Processing and managing order fulfillment, including communication with suppliers and shipping carriers
- Synchronizing product data, inventory levels, and pricing between your store and our platform
- Sending order notifications, fulfillment updates, and tracking information
- Managing your account, subscriptions, and billing
3.2 Service Improvement and Analytics
- Analyzing usage patterns to improve the Service's features, performance, and user experience
- Conducting internal research and development
- Generating anonymized, aggregated analytics and reports
- Testing new features, functionality, and user interfaces
3.3 Communication
- Responding to your inquiries, support requests, and feedback
- Sending transactional emails related to your account and orders
- Sending service announcements, updates, and security alerts
- Sending marketing communications where you have opted in (with easy opt-out)
3.4 Security and Legal Compliance
- Detecting, preventing, and investigating fraud, abuse, and security incidents
- Enforcing our Terms of Service and other agreements
- Complying with legal obligations, regulatory requirements, and lawful requests from authorities
- Protecting the rights, property, and safety of Gemhubx, its affiliates, users, and the public
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your Personal Data under the following legal bases:
| Legal Basis | Processing Activities |
| --- | --- |
| Contract Performance | Providing the Service, processing orders, managing your account, fulfillment operations |
| Legitimate Interest | Service improvement, analytics, fraud prevention, security, internal administration |
| Consent | Marketing communications, non-essential cookies, optional data collection |
| Legal Obligation | Tax reporting, regulatory compliance, responding to lawful data requests |
5. Data Sharing and Disclosure
We do not sell, rent, or trade your Personal Data or your customers' data to third parties for their marketing purposes. We may share data in the following limited circumstances:
5.1 Service Providers and Sub-processors
- Fulfillment partners and suppliers: To process and ship orders (limited to order and shipping details necessary for fulfillment)
- Payment processors: To handle subscription billing and payment transactions
- Shipping carriers: To provide tracking information and delivery services
- Cloud infrastructure providers: To host and operate the Service
- Email service providers: To send transactional and service-related emails
- Analytics providers: To analyze Service usage (using anonymized or aggregated data where possible)
- TikTok Inc.: When you connect TikTok Shop, product and order data is transmitted to TikTok's Open Platform APIs. TikTok processes this data under its own TikTok Shop Terms of Service.
All sub-processors are contractually bound to process data only as instructed by us and to maintain appropriate security measures.
5.2 Legal and Safety Disclosures
We may disclose information if we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or governmental request
- Enforce our Terms of Service or other agreements
- Detect, prevent, or address fraud, security, or technical issues
- Protect the rights, property, or safety of Gemhubx, its affiliates, its users, or the public
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar transaction involving Gemhubx or its affiliates, your data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.
5.4 With Your Consent
We may share data with third parties when you have given us explicit consent to do so.
6. Data Retention
- Active accounts: We retain your data for as long as your account is active and the app is installed on your store.
- After uninstallation: When you uninstall the app, we retain your account data for thirty (30) days to allow for reinstallation. After 30 days, we permanently delete or anonymize your Store Data and Customer Data.
- GDPR redaction requests (Shopify): Upon receiving a valid redaction request from Shopify, we will delete or anonymize the specified data within forty-eight (48) hours.
- GDPR redaction requests (TikTok Shop): Upon receiving a valid shop-redact webhook from TikTok, all associated tokens, product mappings, orders, creator data, and webhook events are deleted within forty-eight (48) hours. Buyer email hashes (SHA-256 one-way) satisfy redaction requirements without additional action.
- Order and transaction records: We may retain anonymized order records for up to seven (7) years for tax, accounting, and legal compliance purposes.
- Backup data: Data in encrypted backups may persist for up to ninety (90) days after deletion from primary systems.
- Aggregated data: Anonymized, aggregated data that cannot be used to identify any individual may be retained indefinitely for analytics purposes.
7. Data Security
We implement and maintain appropriate technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption in transit: All data transmitted between your browser and our servers, and between our servers and third-party APIs, is encrypted using TLS 1.2 or higher
- Encryption at rest: Sensitive data such as access tokens and credentials are encrypted at rest using AES-256 encryption
- Authentication: Shopify OAuth 2.0 for Shopify integrations; secure API key authentication for WooCommerce integrations
- Access controls: Role-based access controls limiting data access to authorized personnel only
- HMAC verification: All incoming webhooks from Shopify are validated using HMAC-SHA256 signature verification
- Session security: Secure, HTTP-only session cookies with SameSite=None for embedded app compatibility
- Infrastructure security: Firewalled servers, regular security patching, and monitoring
- Incident response: Documented procedures for detecting, responding to, and recovering from security incidents (see our Security Incident Response Policy)
- Data loss prevention: Comprehensive strategy for preventing unauthorized data access, disclosure, and loss (see our Data Loss Prevention Strategy)
While we strive to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but commit to promptly notifying affected users and relevant authorities in the event of a data breach, in accordance with applicable law.
8. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all sub-processors
- Compliance with applicable data transfer frameworks
9. Your Rights
9.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Right of access: Request a copy of the Personal Data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): Request deletion of your Personal Data under certain circumstances
- Right to restrict processing: Request that we limit how we process your data
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format
- Right to object: Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
- Right to lodge a complaint: File a complaint with your local data protection authority
9.2 Rights Under CCPA/CPRA (California Residents)
California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know: Request disclosure of the categories and specific pieces of Personal Data we have collected
- Right to delete: Request deletion of Personal Data we have collected
- Right to correct: Request correction of inaccurate Personal Data
- Right to opt-out of sale: We do not sell Personal Data, but you may submit an opt-out request
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
In the preceding twelve (12) months, we have not sold any consumer Personal Data.
9.3 Rights Under Other Jurisdictions
If you are located in Canada (PIPEDA), Brazil (LGPD), Australia (Privacy Act 1988), or other jurisdictions with data protection laws, you may have additional rights. Contact us to exercise any applicable rights.
9.4 Exercising Your Rights
To exercise any of these rights, contact us at [email protected]. We will respond to verified requests within thirty (30) days. We may request verification of your identity before processing your request.
10. Cookies and Tracking Technologies
Our Service uses the following types of cookies and similar technologies:
| Type | Purpose | Duration |
| --- | --- | --- |
| Essential/Session | Authentication, CSRF protection, session management within the Shopify Admin iframe and TikTok Seller Center embedded views | Session / up to 24 hours |
| Functional | Remembering preferences, settings, and recent activity | Up to 30 days |
| Analytics | Understanding usage patterns and improving the Service (anonymized) | Up to 12 months |
Essential cookies are necessary for the Service to function within the Shopify Admin embedded iframe and cannot be disabled. You can control non-essential cookies through your browser settings. For full details, see our Cookie Policy.
11. Children's Privacy
The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect Personal Data from children under 18. If we become aware that we have collected Personal Data from a child under 18, we will take steps to delete such data promptly. If you believe a child has provided us with Personal Data, please contact us at [email protected].
12. Data Processing Agreement
With respect to Customer Data processed through the Service, Gemhubx acts as a data processor on your behalf. You, as the Merchant, remain the data controller. Our processing of Customer Data is governed by:
- Our Data Processing Agreement, which details processing scope, security measures, sub-processors, and your rights
- Shopify's data processing terms and requirements
- Our Terms of Service, which include data processing provisions
- Applicable data protection laws
You are responsible for ensuring that your collection and sharing of Customer Data with us complies with applicable privacy laws, including obtaining any necessary consents from your customers.
13. TikTok Shop Integration
If you connect your TikTok Shop account to Gemhubx, the following additional terms apply:
Data Collected via TikTok Shop
- Shop credentials: TikTok Shop ID, shop cipher, and seller name — used to authenticate API requests. Access tokens and refresh tokens are stored AES-256 encrypted.
- Product data: Product details (title, description, SKU, price, inventory) are sent to TikTok Shop on your behalf to create or update listings.
- Order data: TikTok order ID, status, line items (product ID, SKU, quantity, price), shipping country code, and order timestamp are stored to populate the orders dashboard.
- Buyer email: Stored as a SHA-256 one-way hash only. The original email address is never retained in our systems.
- Creator metrics: TikTok creator/affiliate ID, display name, handle, 30-day GMV (in cents), and order count are cached for display in the Creators tab. This data is refreshed daily and is read-only.
Data Retention
- Raw webhook payloads are retained for 90 days for audit purposes, then purged.
- Order line items are retained as long as your account is active.
- Creator performance snapshots are overwritten on each daily sync.
- Access and refresh tokens are immediately nulled upon shop disconnection.
GDPR & Data Subject Rights (TikTok)
We honour TikTok Shop GDPR webhooks at the following endpoints:
- Data Request: https://gemhubapp.com/webhook/tiktok/gdpr/data-request
- Data Redact: https://gemhubapp.com/webhook/tiktok/gdpr/data-redact
- Shop Redact: https://gemhubapp.com/webhook/tiktok/gdpr/shop-redact
Upon receiving a valid shop redact request, all TikTok Shop tokens, product mappings, orders, creator data, and webhook events associated with the shop are deleted within 48 hours. Buyer email hashes are non-reversible and satisfy redaction requirements as-is.
TikTok as Third-Party Processor
When you connect TikTok Shop, data flows between Gemhubx and TikTok Inc. under TikTok's own TikTok Shop Terms of Service and Privacy Policy. We act as a data processor on your behalf in transmitting product and order data to and from TikTok's APIs.
14. Third-Party Links and Services
The Service may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this Policy
- Notify you via email or through the Service for significant changes
- Where required by law, obtain your consent before implementing material changes
Your continued use of the Service after any changes indicates your acceptance of the updated Policy.
16. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:
Gemhubx
Email: [email protected]
Website: https://gemhubapp.com
Support: [email protected]
For GDPR-related inquiries, you may also contact our Data Protection contact at [email protected].