Privacy Policy

Rota Sortis  ·  Governing law: England & Wales  ·  Effective: 2 March 2026

1. Who We Are

Rota Sortis ("we", "us", "our") is a Shopify embedded application developed and operated by a UK-based developer. We provide merchants with tools for discount rules, product bundles, purchase modes (waitlists and pre-orders), email automation, and revenue attribution.

For questions about this policy, contact us at: support@rotasortis.com

2. What Data We Collect

When you install and use Rota Sortis, we collect and process the following categories of data:

Merchant data (from Shopify):

• Store name, domain, and shop owner email
• Shopify plan and store configuration
• Orders, products, and variant information (read access for attribution and rule evaluation)

Customer data (via your store):

• Customer email addresses — collected when a customer joins a waitlist or pre-order queue through your storefront
• Order and attribution data linked to specific customers

Configuration data:

• Discount rules, bundle definitions, purchase mode settings, and automation configurations you create within the app

Technical data:

• App usage logs for debugging and performance monitoring
• No marketing cookies or tracking pixels are used

3. How We Use Your Data

We use the data collected solely to:

• Operate and deliver the features of Rota Sortis
• Process waitlist and pre-order registrations on behalf of your store
• Send transactional emails to your customers via your configured email automation (delivered through Resend or equivalent provider)
• Synchronise order attribution data within your Shopify store
• Troubleshoot errors and improve app reliability
• Comply with legal obligations

We do not sell, rent, or trade your data or your customers' data to any third party. We do not use customer data for any purpose beyond fulfilling your store's operations.

4. Legal Basis for Processing (GDPR)

As a UK-based operator, we process personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our lawful bases are:

• Contract performance — processing your store and configuration data to deliver the service you have subscribed to
• Legitimate interests — processing usage and technical logs to maintain app security and performance
• Consent — where your customers voluntarily submit their email address to join a waitlist or pre-order list, consent is collected at the point of submission on your storefront

You, as the Shopify merchant, act as the data controller for your customers' personal data. Rota Sortis acts as a data processor on your behalf.

5. Data Sharing and Sub-Processors

We share data only with the following categories of sub-processors, each bound by appropriate data processing agreements:

Sub-processor	Purpose
Cloud hosting provider	Secure database hosting
Resend (or equivalent)	Transactional email delivery
Shopify Inc.	Billing, authentication, and app distribution

We do not transfer personal data outside the UK or EEA without appropriate safeguards in place (e.g. Standard Contractual Clauses or equivalent mechanisms).

6. Data Retention

We retain data for the following periods:

• Active merchant data — retained for the duration of your active subscription
• Customer waitlist/pre-order data — retained until the relevant campaign ends or you request deletion, whichever is earlier
• Order attribution data — retained for up to 24 months from the date of the associated order
• Technical logs — retained for up to 90 days on a rolling basis

Following uninstall of the app, merchant configuration data is deleted within 30 days. Customer personal data is deleted within 30 days of a valid deletion request or upon receipt of a GDPR webhook (see Section 7).

7. GDPR Data Subject Rights and Webhooks

We have implemented Shopify's mandatory GDPR webhooks:

• customers/data_request — upon receipt, we compile and return all personal data held relating to the specified customer
• customers/redact — upon receipt, we permanently delete all personal data held for the specified customer
• shop/redact — upon receipt following app uninstall, we delete all data associated with the merchant's store

As a merchant using Rota Sortis, you are responsible for forwarding data subject requests from your customers to us at support@rotasortis.com where applicable.

Data subjects whose personal data we hold have the right to: access, rectification, erasure, restriction of processing, data portability, and the right to object. To exercise these rights, contact support@rotasortis.com.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We implement industry-standard security measures including:

• Encrypted data storage (at rest and in transit via TLS)
• Access controls limiting data access to authorised personnel only
• Regular security reviews

No method of transmission over the internet is 100% secure. We will notify affected parties promptly in the event of a data breach as required by applicable law.

9. Changes to This Policy

We may update this policy from time to time. We will notify merchants of material changes via the app interface or by email. Continued use of the app after changes take effect constitutes acceptance of the updated policy.

10. Contact

For any privacy-related enquiries, data subject requests, or to exercise your rights under UK GDPR, contact:

Email: support@rotasortis.com