Privacy Policy

Last updated: April 2026

1. Data Controller

The data controller is Grzegorz Kowal STMG, ul. Łomnicka 24 lok. 14, 54-061 Wrocław, Poland (NIP: 8943016728, REGON: 360372257), operating under the brand "Top Appz". In this policy, "we", "our", and "us" refer to Grzegorz Kowal STMG.

For data protection inquiries, contact us at: support@top-appz.com

2. What Data We Collect

2.1 Merchant Data (Shopify Store Owners)

When you install our app, we collect and process:

  • Store information: Shopify store domain, email address, timezone, and currency — collected via Shopify's OAuth authorization process.
  • Authentication tokens: OAuth access tokens required to communicate with your store. These are encrypted using AES-256-GCM and never stored in plain text.
  • App configuration: Timer settings, A/B test configurations, and design choices you make within the app.
  • Usage data: Monthly timer view counts used to enforce plan limits.

2.2 Store Visitor Data (Your Customers)

When a visitor views a page on your store that displays one of our timers, we collect:

  • Pseudonymous visitor ID: A randomly generated identifier (e.g., cfct_1706886400000_a1b2c3) stored in a cookie called _cfct_vid. This ID cannot be used to identify a real person.
  • Timer impressions: Which timer was displayed, when, and on which page path (URL path only — no query parameters or full URLs).
  • A/B test assignments: Which variant (A or B) the visitor was shown, determined by a deterministic hash — not profiling.
  • Conversion events: When a visitor adds an item to cart or completes a purchase after seeing a timer, we record the order ID, total price, and currency for attribution purposes. This data comes from Shopify's order webhook.

2.3 Data We Do NOT Collect

We do not collect or process:

  • Customer names or email addresses
  • IP addresses
  • Device information or browser fingerprints
  • Geolocation data
  • Payment or credit card information
  • Browsing behavior outside of timer interactions

3. Why We Process Your Data

We process data for the following purposes:

  • Service delivery: Displaying countdown timers, saving your configurations, and managing your account.
  • A/B testing: Assigning visitors to test variants, tracking impressions and conversions, and calculating statistical results.
  • Conversion attribution: Linking timer views to purchases so you can measure timer effectiveness.
  • Usage metering: Counting monthly timer views to enforce plan limits.
  • Error monitoring: Detecting and fixing technical issues to maintain app stability.
  • Product improvement: Using aggregated, non-identifiable analytics to improve our products.

We do not sell, rent, or share personal data with third parties for marketing or advertising purposes.

4. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR): Processing merchant data is necessary to deliver the app service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR): Pseudonymous visitor tracking is necessary for A/B testing and conversion attribution — core features of the app. The data is non-identifiable and the impact on visitor privacy is minimal.

5. Third-Party Service Providers

We use the following sub-processors to operate our service:

  • Google Cloud / Firebase: Database and infrastructure. Data processed: all app data (timers, impressions, conversions, usage).
  • Google BigQuery: A/B test analytics. Data processed: aggregated impressions and conversion data.
  • Sentry: Error monitoring. Data processed: error reports, shop domain, technical stack traces.
  • Shopify: Platform provider. Data processed: OAuth tokens, order webhooks, store data.
  • Cloudflare: Website hosting and CDN. Data processed: website access logs.

All sub-processors are bound by data processing agreements and maintain appropriate security measures.

6. International Data Transfers

Some of our sub-processors may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Security

  • OAuth access tokens are encrypted at rest using AES-256-GCM.
  • All API communications use HTTPS/TLS encryption in transit.
  • Shopify webhook and app proxy requests are verified via HMAC signature validation.
  • Visitor IDs are pseudonymous and cannot identify real individuals.

8. Cookies

8.1 App Cookie (Set on Your Store)

Our app sets one cookie on your store visitors' browsers:

  • Name: _cfct_vid
  • Purpose: Pseudonymous visitor ID for A/B test consistency and conversion attribution
  • Duration: 365 days
  • Type: First-party, SameSite=Lax

We do not set any tracking, advertising, or third-party cookies.

8.2 Marketing Website

Our website at top-appz.com uses only essential cookies required for basic functionality. No tracking or advertising cookies are used.

9. Data Retention

  • Visitor cookie: Expires after 365 days.
  • App data (timers, A/B tests, impressions, conversions): Retained while the app is installed on your store.
  • On app uninstall: All shop data is permanently deleted across all database collections.
  • On GDPR customer redaction request: All data associated with the specified customer orders is permanently deleted.
  • OAuth sessions: Retained until session expiration, then automatically removed.

10. Your Rights (GDPR/RODO)

Under the General Data Protection Regulation (GDPR) and Polish RODO, you have the right to:

  • Access (Art. 15): Request a copy of the personal data we hold about you.
  • Rectification (Art. 16): Request correction of inaccurate personal data.
  • Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Portability (Art. 20): Request transfer of your data in a machine-readable format.
  • Restriction (Art. 18): Request restriction of processing of your personal data.
  • Objection (Art. 21): Object to processing based on legitimate interest.

To exercise any of these rights, contact us at support@top-appz.com. We will respond within 30 days.

11. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority. For Polish entities, this is the President of the Personal Data Protection Office (UODO):

Urząd Ochrony Danych Osobowych (UODO)
ul. Stanisława Moniuszki 1A, 00-014 Warszawa
uodo.gov.pl

12. Automated Decision-Making

Our app uses a deterministic hash function to assign store visitors to A/B test variants. This is not profiling — it is a technical mechanism that ensures the same visitor sees the same timer variant consistently. No automated decisions with legal or similarly significant effects are made about individuals.

13. Children's Data

Our services are designed for Shopify merchants (B2B) and are not directed at children under 16. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Your continued use of our services after changes constitutes acceptance of the updated policy.

15. Contact

For any privacy-related questions or data requests:
Email: support@top-appz.com
Grzegorz Kowal STMG
ul. Łomnicka 24 lok. 14, 54-061 Wrocław, Poland