Let’s start with what needs to be said: Shoelace takes privacy very seriously. We realise that retargeting lives in a space that can be controversial and sometimes abused. Everything we do is designed to be in the best interests of you, the merchant, and your marketing efforts. We try very hard not to cross any lines. We do not resort to any scammy internet marketing tactics and we don’t help our merchants deliver campaigns that could cross any boundaries.
Shoelace strives to use Facebook’s marketing tools in the most transparent, as-intended way possible. We were one of the first apps to encourage using your own Facebook ad account so that you own your data. Shoelace relies heavily on both your Shopify and Facebook metrics to build the intelligent campaigns we do. We NEVER sell your data to a third party for reuse.
Every tool we use, every data point we store and all analysis we do is in the effort of providing a better service, putting together more engaging retargeting campaigns that speak to your customers. We know that even this comes with many responsibilities and we are committed to living up to our end of transparent and safe data use.
GDPR stands for the General Data Protection Regulation. It is a piece of privacy legislation adopted by the EU in April 2016, coming into effect 25 May 2018. The main aim of GDPR is to transfer control of personal data back to citizens as well as to unify the regulation within the EU to streamline the regulatory environment for international businesses.
The GDPR lays out various requirements with respect to consent, notification and users’ data rights. It requires companies to do many new things, such as gathering explicit consent for data collection, and it introduces stricter guidelines for disclosure of data breaches and legal ramifications for misuse of user data.
A large part of GDPR is concerned with personal data. Specifically, it explicitly places ownership of data in the hands of the end user, the “data subject”. In general, the GDPR substantially expands the definition of personal data.
Personal data is any information relating to an individual, their private, professional or public life. E.g. name, email address, photos, IP address, products purchased, etc. It also covers any data that could be used in conjunction with other data to identify someone.
There are additional safeguards placed on “sensitive data”, which includes things such as race, religious affiliation, political opinions, health records, biometric information, etc. Shoelace has never collected, processed or used this kind of data and does not intend to.
The GDPR differentiates primarily between three parties: Data controller, data processor and data subject. The data controller determines the purposes for which and the means by which personal data is processed. The data processor processes personal data on behalf of the controller. The data processor is usually a third party external to the company.
For more information on the relationship between controller and processor, please see:
For most relevant cases, the data subject is either the merchant or the buyer, the data controller is the merchant (but sometimes Shoelace) and the data processor is Shopify, Facebook or Shoelace. In many cases Shoelace is a sub-processor to Shopify. For more details on Shoelace’s relationship to the merchant, please see “Data We Collect” below.
It is primarily the responsibility of the data controller to ensure that consent is gathered and data is handled responsibly by processors.
Shopify’s Whitepaper on the GDPR provides more details on the relationship between the merchant and Shopify:
All data processing must be lawful, fair and transparent. Further, data processing should be relevant and limited to what is required to operate. The GDPR speaks to the circumstances under which data may lawfully be processed. Generally speaking, there are four bases for legal processing of data:
The GDPR protects European data subjects no matter where they transact online. It does not matter if the company is based outside the EU if the user lives there. Our customers are Shopify merchants and as such come from all over the world. Of course, many Shopify merchants are also based in Europe and many non-EU stores sell to Europeans. In all these cases, the merchant is responsible for GDPR compliance.
Anything we do for data privacy and protection is good for all our merchants and is available to all our merchants. It is unnecessary for Shoelace to distinguish between EU and non-EU Shoelace users; data protection is important for everyone.
Shoelace is prepared for GDPR, is aware of its obligations and has always tried to minimise data collection and potential impact. We have worked hard on understanding our exact obligations (as in this document) and are continuing work on rolling out more features to more deeply support the GDPR’s specific Data Subject Rights.
There are currently no certifications that would make any company GDPR compliant. The GDPR is a vast and untested piece of legislation that touches on all aspects of digital life. Shoelace is doing everything we can and has implemented a lot of changes and documentation to address GDPR requirements. This is not a one-off exercise; GDPR will continue to inform how we communicate with you, how we deal with your data and what tools we build to help you exercise your rights.
The fundamental principle under the GDPR is that the users (i.e. data subjects), not the collector of the data, own their data. To enable this, certain specific rights are explicitly listed and must be supported to be GDPR compliant. Several of these rights are explained below and additional details can be found here:
Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds. Shoelace supports this right in several ways. On uninstall, Shopify requests that a merchant’s customers’ data be deleted; Shoelace stores these requests and fully anonymises the relevant data. Buyers also have the ability to request deletion of their own data; such a request is initiated with the merchant and passed to Shoelace by Shopify. Those records are completely erased. Lastly, Shoelace will respond to any request for full deletion made through our own dashboard or by contacting us by email.
Article 15 and Article 20 provide that the data subject has the right to access and copy all their data being held by a controller. While technically separate rights, the implementation is similar in that the data subject may request a copy of all data being held by a controller, i.e. Shoelace. In many instances Shoelace is a subprocessor, however, Shoelace is able to fulfill its obligation as a controller in this respect.
Article 16 states that a data subject should have the right at any time to correct any information about themselves with the data controller. Shoelace has an adequate settings page and, should you feel any information about you is incorrect, we will promptly correct it in our systems.
Article 22 protects the data subject against fully automated decision making. Shoelace does not have any black box decision making processes and as such is able to explain any data processing undertaken.
Shoelace has always operated under the mindset that we should collect as little data as we need to do our work and that we have a responsibility to be good stewards of this data. Much of the data in our care belongs to you, the merchant and we treat it as such. We never have and never will make a business of selling or sharing your data. In some cases, the data in our care belongs to your customers, the buyers. There are certain additional requirements that affect buyer data imposed by Shopify, which we fully agree with and abide by.
When the merchant installs the Shoelace app we interpret implied consent to process their data as required to provide our service. As part of the installation process Shopify gathers explicit consent for Shoelace to subprocess data supplied through the Shopify API.
By using the merchant’s ad account, we act as an agent on their behalf. All campaigns are approved by the merchant through explicit consent. Any processing of Facebook data required to produce campaigns is assumed under legitimate interest as a core part of Shoelace’s business.
Shoelace sends transactional and marketing emails. These can be unsubscribed from, though not receiving transactional emails will impact Shoelace’s ability to deliver service.
GDPR does not make any attempts to control where data is stored or processed; it is concerned with the rights of the data’s owner. However, all Shoelace’s data is stored in the United States and Canada. Shoelace does not operate its own servers or data centres, instead relying on cloud providers (primarily Amazon AWS and Microsoft Azure but several others as well). Cloud providers simplify our development burden but also mean that we can leverage their security and privacy best practices without implementing complicated features ourselves.
If you have more specific questions about data storage, please reach out to Shoelace directly and we can answer any concerns.
Shoelace stores only the minimum amount of data required to perform our service and provide the best possible campaigns. Shoelace fully complies with all deletion requests and on uninstall makes a merchant’s buyers’ data non-identifiable as required by Shopify.
Over and above this, Shoelace removes any data about a user after 48 months of inactivity.
Shoelace acts as a controller in several capacities. Primarily these activities revolve around opening, maintaining and administering the provision of service to merchants.
Shoelace collects personal information such as name, email and phone number so that we can communicate with and market to merchants. All marketing communication can be easily opted out of though some transactional messages are required as they may pertain to payment or critical parts of a merchant’s advertising accounts. We utilise processors such as SendGrid and Intercom to enable communication with merchants.
Shoelace uses processors such as Stripe to assist with payment and thus can be considered a controller in these instances.
As a controller Shoelace stores data including the following:
Shoelace processes merchant data on behalf of merchants in order to compose, create and monitor retargeting campaigns. All data generated by these campaigns is ultimately owned by the merchant. In many instances Shoelace is a subprocessor to Shopify and Facebook data controlled by the merchant.
Below is an overview of processing activities and their purpose.
For Merchants who enable the Google Analytics integration, we use Google user event information to supplement Custom Audience information in classifying merchants to provide the most effective Campaign.
Orders fall into a special category as orders contain data about the buyer as well as the merchant. Shoelace stores the minimal set of required data (e.g. we do not store shipping addresses) and has no use or desire to personally identify buyers. Buyer information is only used in aggregate e.g. for Facebook Custom Audiences.
Shoelace makes use of a variety of hosted solutions for the simple reason that as a small startup we cannot build everything ourselves. By leveraging existing infrastructure, we can buy in technology that already has the best practices, performance and security built in. Our technical stack is comprised of:
Shoelace makes use of SaaS tools to help us deliver the best possible service to merchants
Shoelace uses industry standard marketing tools to communicate with our merchants and share important information. These marketing tools are only used to market Shoelace itself and thus these are data processors to data of which Shoelace is a controller, not sub-processors of merchant data.
The merchant is the data controller for the bulk of data and it is the merchant’s responsibility to ensure they are GDPR compliant with respect to their customers’ data. Merchants must conduct all the relevant consent gathering and notification. Shoelace cannot give specific advice as each case is different and merchants must satisfy themselves that they are doing what is required of them.
Shoelace uses the merchant’s Facebook Pixel to trigger tracking of events. We highly recommend using Shopify’s Facebook Pixel integration to simplify and streamline any Pixel related process. Shoelace also uses the merchant’s ad account so that the merchant has full control of this data. In this case the merchant is the data controller and Facebook is the data processor. For more information on this relationship please see:
In addition to the Standard Events (https://developers.facebook.com/docs/ads-for-websites/pixel-events/v3.0), Shoelace triggers the following custom events on behalf of the merchant:
We are currently able to comply with all required data subject requests, however, we are working on automating a lot of these processes so that requests can be served quicker and with less administrative overhead.
Shoelace is in the process of hiring security and privacy consultants to assist with anything we may have overlooked or that needs additional work.
For any additional questions, comments or specific GDPR requests, please contact Shoelace via email at [email protected].