Privacy Policy
Last updated: 7 May 2026
This privacy policy explains how AllergenAware (“we”, “us”, “our”) collects, uses, and shares personal data in connection with our Shopify app (the “Service”) and the website at allergenaware.app.
This policy is written for compliance with the UK GDPR and the Data Protection Act 2018. Please review it carefully before installing the Service.
Who we are
AllergenAware is operated by Arthur Williams, a UK sole trader trading as AllergenAware. We are the data controller for the personal data described in this policy.
For data protection enquiries, contact us at support@allergenaware.app.
What we collect
From Shopify merchants who install the Service
- Shop domain and store metadata (region, plan tier, installation date)
- Your Shopify access token (used solely to call Shopify APIs on your behalf)
- The merchant account owner’s email address (received via Shopify’s install flow)
- App configuration: allergen libraries, settings, styling, plan tier
- Subscription and billing records (received from Shopify’s billing API)
From shoppers visiting a store with the Service installed
- Saved dietary preferences (allergens and dietary tags), stored in the shopper’s own browser via localStorage by default
- If the shopper is signed in to a Shopify customer account: the same preferences saved as a metafield on the customer record. This metafield is owned and controlled by the merchant’s store, not by us
We do not store individual shopper preferences in our own database. We never receive shopper names, addresses, payment details, or order history.
How we use your data
| Purpose | Lawful basis |
|---|---|
| Provide and operate the Service for merchants | Contract performance |
| Bill via Shopify-managed subscriptions | Contract performance |
| Send service-related emails (billing failures, breaking changes) | Legitimate interest |
| Respond to support requests | Legitimate interest |
| Detect, prevent, and address abuse | Legitimate interest |
Sharing with sub-processors
We use the following sub-processors to operate the Service:
| Sub-processor | Purpose | Region |
|---|---|---|
| Shopify International Limited | App platform; merchant authentication; billing | Ireland / Global |
| Render Services, Inc. | Application hosting and managed Postgres database | Frankfurt, EU |
| Namecheap, Inc. | Domain registration and email forwarding | United States |
We do not sell personal data and do not share it with any third party for marketing purposes.
Data retention
- Merchant data is retained for as long as the Service is installed
- On app uninstall, we delete merchant data within 30 days
- Support correspondence is retained for 24 months
- Aggregate, anonymous usage data may be retained indefinitely
International transfers
Where personal data is transferred outside the UK or European Economic Area, we rely on the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses with the UK Addendum, or another safeguard recognised under UK GDPR.
Your rights
Under UK GDPR you have the right to:
- Request a copy of your personal data (subject access request)
- Have inaccurate data corrected
- Have your data erased
- Restrict or object to processing
- Data portability
- Withdraw consent (where consent is the lawful basis)
To exercise any of these rights, email support@allergenaware.app. We respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk.
Cookies
The marketing site at allergenaware.app does not set tracking cookies. The Shopify admin embed and storefront blocks may use Shopify’s session cookies (governed by Shopify’s own privacy policy). Our app stores shopper preferences in browser localStorage with no cross-site tracking.
Changes to this policy
We may update this policy from time to time. Material changes will be flagged on the marketing site and notified to merchants via the app dashboard.
Contact
For privacy queries, email support@allergenaware.app.