PRIVACY POLICY

This Privacy Policy explains how Actuals Oy (Business ID 3369432-8) (“Company”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal data when providing and operating the Commslayer Shopify application, related integrations, websites, dashboards, and support channels (collectively, the “Service”), and when individuals otherwise interact with us.

This Privacy Policy applies to:

  • merchants and their authorised users who install or access the Service;

  • visitors to our websites or marketing channels; and

  • end-customers of merchants to the extent their personal data are processed through the Service on behalf of the merchant.

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and the Finnish Data Protection Act (1050/2018), as well as other applicable data-protection laws.

When acting as a data controller, we determine the purposes and means of processing (for example, account administration, billing, analytics, and security).

When acting as a data processor, we process personal data solely on the documented instructions of our customers or other contracting parties, including data accessed through their Shopify stores or connected platforms, and always in accordance with a separate Data Processing Agreement (“DPA”).

1. Data Controller and Contact Details

Controller: Actuals Oy (Business ID 3369432-8)
Registered Address: Munkkiluodonkuja 4 B11, 02160, Finland
Email: karri@commslayer.com
Data Protection Contact: Karri Koivuniemi

For the purposes of this Privacy Policy, we act as the “Data Controller” when determining how and why personal data are processed in connection with the operation, administration, and improvement of the Service, customer accounts, and related communications.

When personal data are processed on behalf of our customers or other contracting parties, such as when the Service handles or facilitates end-user communications, order information, or customer-support interactions through their Shopify stores or other connected platforms, we act as a “Data Processor” and the relevant customer acts as the “data controller”. In those circumstances, our processing is governed by a separate DPA executed with the customer in accordance with Article 28 GDPR.

2. Categories of Personal Data Collected & Processed

We collect and process different categories of personal data depending on how you interact with us and how you use the Service:

  • Account and identification data – name, email address, company name, contact details, user ID, role, and authentication information required to register, manage, and secure your account.

  • Billing and financial data – payment details, VAT number, transaction identifiers, and billing history, processed for invoicing and accounting purposes. When billing occurs through Shopify, we receive only limited transactional identifiers. Full payment details remain with Shopify or its payment processors.

  • Service usage and operational data – login timestamps, access records, configuration settings, message histories, feature use, workflow actions, and error or diagnostic reports generated through your use of the Service.

  • Customer-support and communication data – support requests, messages, attachments, and other correspondence between you and us, including metadata such as timestamps and communication channels.

  • Marketing and preference data – contact details, consent status, communication preferences, and interaction data with our newsletters or promotional materials.

  • Technical and device data – device identifiers, browser type and version, operating system, IP address, language preferences, and cookie identifiers. For more information, see Section 9 (Cookies and Similar Technologies).

  • Shopify-sourced end-customer data (processor context) – where the Service interacts with your Shopify store to perform automated support, order management, or communication functions, we process limited personal data of your store’s customers (for example, name, order details, contact information, and conversation history) strictly on your behalf and in accordance with the applicable DPA.

When we process personal data received from our customers’ Shopify stores or from connected third-party applications, the data originate from those platforms via secure APIs. We do not obtain such data from public sources. Where required under Article 14 GDPR, we provide this information through our customers or directly where feasible. Where notification would involve a disproportionate effort, we rely on the exemption under Article 14(5)(b) GDPR.

We do not intentionally collect or process special categories of personal data (sensitive data) as defined in the GDPR.

3. Purposes and Legal Bases of Processing

For each purpose, the legal basis and example activities are as follows:

  • Service provision and account management
    Legal basis: Art. 6(1)(b) GDPR – Contract
    Example activities: Creating and maintaining user accounts, authentication, managing subscriptions, integrating with Shopify stores, providing core Service functionality

  • Billing and payments
    Legal basis: Art. 6(1)(b) – Contract; Art. 6(1)(c) – Legal obligation
    Example activities: Processing invoices, reconciling payments, complying with accounting and tax obligations; when billing occurs through Shopify, only limited transaction identifiers are processed by us

  • Service security and maintenance
    Legal basis: Art. 6(1)(f) – Legitimate interest
    Example activities: Monitoring system performance, detecting abuse, ensuring availability, preventing fraud or unauthorised access

  • Analytics, service improvement, and AI training
    Legal basis: Art. 6(1)(f) – Legitimate interest
    Example activities: Analysing aggregated usage data, improving algorithms and automation accuracy, developing new features, enhancing user experience

  • Customer support and communications
    Legal basis: Art. 6(1)(b) – Contract; Art. 6(1)(f) – Legitimate interest
    Example activities: Responding to inquiries, resolving issues, providing technical assistance

  • Marketing and promotional communication
    Legal basis: Art. 6(1)(a) – Consent; Art. 6(1)(f) – Legitimate interest
    Example activities: Sending newsletters, event invitations, and product updates (with opt-out rights)

  • Compliance and legal defence
    Legal basis: Art. 6(1)(c) – Legal obligation; Art. 6(1)(f) – Legitimate interest
    Example activities: Record-keeping, responding to lawful authority requests, enforcing contractual rights

  • Processing on behalf of customers (Shopify-sourced end-customer data)
    Legal basis: Art. 6(1)(b) – Contract
    Example activities: Handling end-customer orders, communications, and refunds via the Service under the customer’s documented instructions pursuant to the DPA

With regard to marketing and promotional communication, you have the right to object at any time to the processing of your personal data for direct-marketing purposes. If you exercise this right, we will immediately stop processing your data for those purposes.

Certain processing activities described above are based on our legitimate interests under Article 6(1)(f) GDPR. These interests include: (a) ensuring the security and integrity of our Service and IT systems; (b) maintaining and improving the Service’s functionality, performance, and user experience; (c) preventing fraud and misuse; (d) enforcing our contractual rights; and (e) establishing, exercising, or defending legal claims.

4. Personal Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with statutory or contractual obligations, or to establish, exercise, or defend legal claims.

Retention periods vary depending on the nature of the data and the context of processing:

  • Account and contractual data are retained for the duration of the Agreement and for up to six (6) years thereafter to comply with accounting and legal record-keeping requirements.

  • Billing and payment data are retained for the period required under applicable tax and accounting laws.

  • Operational logs and diagnostic data are retained for up to twelve (12) months unless longer retention is required for security or incident-investigation purposes.

  • Customer-support correspondence is retained for up to twenty-four (24) months after resolution of the relevant issue.

  • Marketing data are retained until you withdraw consent or opt out of communications, after which the data will be deleted or anonymised.

Where the Service processes Shopify-sourced or customer-controlled end-customer data, retention is determined by the customer acting as data controller. We delete or anonymise such data upon termination of the Service or at the customer’s documented instruction, in accordance with the applicable DPA.

Backups containing personal data are automatically overwritten or deleted on a rolling basis in accordance with our data-retention schedule. After expiry of the relevant retention period, data are securely deleted or irreversibly anonymised, unless continued storage is required by law, judicial order, or legitimate interest related to legal claims.

5. Recipients and International Transfers

We share personal data only where necessary for the operation of the Service, compliance with law, or protection of our legitimate interests. Typical categories of recipients include:

  • Affiliates and authorised sub-processors providing hosting, infrastructure, support, and analytics services;

  • Platform partners and integration providers, such as Shopify, to the extent required for the Service to interoperate with their systems;

  • Payment service providers and financial institutions involved in processing transactions;

  • Professional advisers, including accountants, auditors, and legal counsel, subject to confidentiality obligations;

  • Public authorities or courts, where disclosure is legally required or lawfully ordered.

Personal data are primarily stored and processed within the European Union (“EU”) or European Economic Area (“EEA”) and are not transferred to countries outside the EU/EEA unless this is necessary for the provision of the Service.

If a transfer of personal data occurs to a country outside the EU/EEA that has not been recognised by the European Commission as providing an adequate level of data protection, we ensure that such transfer is protected by appropriate safeguards, including the European Commission’s Standard Contractual Clauses (“SCCs”) or another lawful transfer mechanism under Articles 46–49 GDPR. Where transfers rely on such safeguards, including the SCCs, information about them and copies thereof will be made available upon request.

When we act as a Data Processor, international transfers involving customer-controlled data are governed by the safeguards and sub-processor terms set out in the applicable DPA.

6. Data Subject Rights

Under the GDPR, individuals have the following rights with respect to their personal data, subject to the conditions and limitations set out in the GDPR:

  • Right of access – to obtain confirmation as to whether we process personal data concerning you and to receive a copy of such data.

  • Right to rectification – to have inaccurate or incomplete personal data corrected or updated.

  • Right to erasure (“right to be forgotten”) – to request deletion of personal data when there is no lawful basis for further processing.

  • Right to restriction of processing – to request temporary suspension of processing in certain circumstances.

  • Right to data portability – to receive personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit it to another controller.

  • Right to object – to object at any time to processing based on our legitimate interests, including profiling.

  • Right to withdraw consent – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

Requests may be submitted by email to karri@commslayer.com. We may require reasonable proof of identity before fulfilling a request. We will respond without undue delay and within one (1) month of receipt, extendable by two (2) months if necessary due to complexity or volume, in which case you will be informed of the reason for the delay.

When we process personal data on behalf of a customer (for example, end-customer data from a Shopify store), requests concerning such data should be directed to the relevant customer, who acts as the data controller. We will assist the customer in fulfilling those requests in accordance with the DPA.

7. Security

We implement and maintain appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our security framework includes, among other measures:

  • data encryption in transit and at rest;

  • strict access-control and authentication procedures;

  • network and application-level monitoring, logging, and intrusion detection;

  • regular vulnerability testing and security updates; and

  • confidentiality and data-protection obligations for all personnel and subcontractors with access to personal data.

Security controls are proportionate to the risks presented by the processing and are reviewed and updated on an ongoing basis to maintain compliance with Article 32 of the GDPR and industry best practices.

When the Service operates within the Shopify ecosystem, communication and data exchange with Shopify are protected through secure APIs and HTTPS connections, subject to Shopify’s own security and access-control standards.

8. Automated Decision-Making and AI Features

The Service includes AI-assisted automation features that support users under human supervision. These features do not perform automated decision-making within the meaning of Article 22 of the GDPR, i.e., decisions producing legal or similarly significant effects on individuals.

Any information, data, or other content entered by the user into the AI-assisted features in the Service, such as free-form text (the “Input”), is temporarily transmitted for processing to our third-party service provider through a secure application programming interface. Our service provider processes the Input for a short period for the purpose of generating an “Output,” after which the service provider deletes the Input following a brief retention period required for abuse monitoring, prevention, and ensuring the operational functionality of the service. Our service provider is not entitled to use the Input for any purpose other than as described above.

In light of the foregoing, the user must not include any personal data, and under no circumstances any sensitive data belonging to special categories of personal data, in the Input. If the user nevertheless wishes to include data relating to or referring to individuals in the Input, such data must be anonymised so that it does not constitute personal data as defined under applicable data-protection laws. If personal data are nevertheless transmitted to our third-party service provider along with the Input, that service provider acts as a data processor in accordance with the GDPR, subject to contractual and technical safeguards.

9. Cookies and Similar Technologies

We use cookies and similar technologies to operate and improve the Service.

  • Essential cookies are necessary for the secure and reliable operation of the Service (for example, to authenticate sessions or remember user preferences) and cannot be disabled.

  • Analytics and performance cookies help us understand how the Service is used, detect errors, and optimise functionality. These are used only with your consent where required by law.

You can control or delete cookies at any time through your browser settings. If you disable certain cookies, some parts of the Service may not function properly. Where we use third-party analytics or tracking tools, they operate in compliance with applicable law. Consent for non-essential cookies is collected through the Service interface or our website and may be withdrawn at any time.

10. Changes to This Privacy Policy

We may amend or update this Privacy Policy from time to time to reflect changes in our data-processing practices, technical developments, or legal obligations. Material changes will be communicated in advance through the Service interface or by email before they take effect. The effective date shown at the beginning of this Privacy Policy indicates the latest revision. Continued use of the Service after the effective date constitutes acceptance of the updated version.

11. Contact, Requests, and Complaints

If you have questions or concerns regarding our processing of personal data or wish to exercise your rights under the GDPR, please contact us first at karri@commslayer.com so we can address the matter directly.

If you believe your rights have been infringed, you also have the right to lodge a complaint with the competent supervisory authority. In Finland, this is the Office of the Data Protection Ombudsman (Fi. Tietosuojavaltuutetun toimisto).

Website: https://tietosuoja.fi/en/home

If you reside in another EU/EEA country, you may contact your local data-protection authority.