Applicable from 1.12.2020

Compensate Privacy Policy – Shopify Plugin

Compensate provides a service which enables your store customers ways to offset the CO2 emissions generated by the shipping of their purchases ("the Service") to merchants who use Shopify to power their stores. The Service is implemented through an app ("the Application”).This Privacy Policy describes how your personal data and the data in relation to your Point of sale (POS) hosted by Shopify (hereinafter referred to as “Your Store” or “Merchant Store”) is collected, used, and shared when you install or use the Application. Your customers visiting Your Store are referred to as “Your Customers”. You must ensure you have the necessary authority to sign the Privacy Policy on behalf of the entity using the Application. You can always find this Privacy Policy right here and in the app in Shopify.

Data controllers

The Application is developed and owned by a non-profit company Compensate Operations Oy (Compensate Operations Oy, Lönnrotinkatu 7 B, 00120 Helsinki, Finland

Business ID 2993434-1, hereinafter referred to as “we” or “Compensate”).

Compensate is a subsidiary of a non-profit called Compensate Foundation sr (business ID: 2914937-8, address Lönnrotinkatu 7 B, 00120 Helsinki, Finland, hereinafter referred to as the “Foundation”). Because the Foundation receives the Compensation fees and is responsible for purchasing carbon offsets, the Foundation and Compensate are regarded as joint controllers. 

Compensate is responsible for complying with data protection laws and data security as well as ensuring your privacy rights relating to the implementation on the Application. Therefore your information shall be treated in accordance with the Compensate Privacy Statement. If you have any questions regarding the processing of your data or wish to exercise your rights, please contact Compensate through the contact information at the end of this Compensate Privacy Policy. 

Personal data the Application collects

Data relating to you and Your Store

When you install the Application, you give Compensate permission to access certain types of information from you and your Shopify account: 

  • Your Store details you give to us -for example, the name of Your Store, the country, VAT number, address 
  • Your personal details, such as your email address
  • Your communication with us through emails or other feedback service providers.

Analytics data

Plausible

The logging systems used by the Application automatically log certain analytics data when you use it. We are using an EU-based analytics service provider called Plausible Insights OÜ (hereinafter referred to as the "Plausible"). Plausible does not track nor collect any personal data. More information about Plausible here

Analytics data on the Website of Shopify

In addition, the page https://apps.shopify.com/compensate-production (hereinafter "Website") uses certain third- party service providers that collect analytics data. You can sometimes be recognized from it, either alone or when combined or linked with other data. In such situations, analytics data can also be considered personal data under applicable laws and we will treat such data as personal data.

We may collect the following analytics data when you visit or interact with the Website. We use various technologies to collect and store analytics data and other information when you visit the Website, including cookies, pixel tags, and web beacons:

  • device information
  • device and device identification number, device IMEI
  • country;
  • IP address;
  • browser type and version;
  • operating system;
  • name of your Internet service providers, and
  • advertising identifier of your device.

Usage Information

We collect information on your use of the Website, such as:

  • time spent on the Website;
  • interaction with the Website, and
  • the time and date of your visits to the Website.

Cookies

Like most internet sites, apps.shopify.com uses external services and cookies to enhance your experience on the internet. Cookies are small text files sent and saved on your device that allow us to identify visitors of the website and facilitate the use of our Application and to create aggregate information of our visitors. Most browsers allow you to prevent the browser from accepting new cookies, to be notified when you receive a new cookie, or to disable cookies. 

Shopify or other third-parties are the data controllers for most of the cookies connected with https://apps.shopify.com .

Which cookies have we set and how you can control it?

We have a certain power in deciding which external tools Shopify implements on the Website, meaning https://apps.shopify.com/compensate-production . In those cases, we are regarded as the data controllers and Shopify as a data processor. 

Shopify acts as a data processor and obtains consent for us to use cookies on https://apps.shopify.com/compensate-production and has a cookie banner in place. We only use cookies if you consent us to do so. Please see the Cookie Policy of Shopify on how to remove or block cookies here: 

https://www.shopify.com/legal/cookies

First-party cookies

We do not use any first-party cookies. 

Third-party cookies on the Website

In addition to what Shopfiy has installed, we use the following third-party cookies on the Website: 

Google Analytics:

With your consent, Google Analytics uses a set of cookies to collect information and report site usage statistics without personally identifying individual visitors to Google. 

The cookie used on the Website is the gtag.js. The purpose of the tag is analytics and tracking cookies and it is a persistent cookie.  We store the information for 26 months from your visit on the Website. 

It is possible for you to use Google Analytics Opt-out Browser Add-on which prevents your data being used by Google Analytics. To use the service, please visit: https://tools.google.com/dlpage/gaoptout/

Facebook Pixel:

With your consent, we will use Facebook's " visitor action pixels" or "tracking pixels". This pixel can be used to track user behaviour after they have been redirected to our website by clicking on a Facebook and / or Instagram ad. We also target FB/Instagram ads to people who have visited our product listing and create look-a-like audiences based on the information of who has been visiting our product listing. For more information, see the description of Facebook Pixel below under "third-party service providers we use" and Compensate - Facebook joint controllership privacy statement

Cookies we use in relation to the Facebook Pixel

“_fbp” is used to identify browsers for the purpose of providing advertising and site analytics services.

  • Advertising, Analytics
  • Persistent
  • 90 Days

“_fbc” is only set when a user arrives at your website from an Ad and the destination URL includes the click identifier “fbclid”

  • Advertising, Analytics
  • Persistent
  • 90 Days

“datr” Identifies browsers for purposes of security and site integrity, including for account recovery, and identification of potentially compromised accounts.

  • Security, Advertising
  • Persistent
  • 2 Years

“sb” Identifies browser for login authentication purposes

  • Security
  • Persistent
  • 2 Years

“xs” Used in conjunction with the c_user cookie to authenticate your identity to Facebook.

  • Authentication
  • Persistent
  • 1 Year

“c_user” Used in conjunction with the xs cookie to authenticate your identity to Facebook.

  • Authentication
  • Persistent
  • 1 Year

“spin” Enables the user’s ads to be tailored to their preferences

  • Advertising
  • Persistent
  • 1 Day 1 Hour

“wd” Allows delivery of optimal experience for user’s screen 

  • Performance
  • Persistent
  • 7 Days

“dpr” Allows delivery of optimal experience for user’s screen. 

  • Performance
  • Persistent
  • 7 Days

“fr” Facebook’s primary advertising cookie, used to deliver, measure, and improve the relevancy of ads.

  • Advertising
  • Persistent
  • 90 Days

The tracking of users who have landed on our website after clicking on one of our Facebook and Instagram ads can remain active up to 180 days. If you want to disable cookie storage for Facebook, you can do so via your browser settings. You can also request your data being deleted here: https://developers.google.com/analytics/devguides/config/userdeletion/v3/ .

Third-party service providers we use

Plausible

We are using an EU-based analytics service provider called Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia. Plausible does not track nor collect any personal data. More information about Plausible  here

Feedback fish

We use a service called Feedback fish, operated by Maximilian Stoiber e.U.You can provide us your ideas, report an issue or give us other feedback easily by using the service. More information about Feedback fish here.

Google services

The third-party service provider we have a contract with is Google Ireland Limited incorporated and operating under the laws of Ireland (Registered Number: 368047, Gordon House, Barrow Street, Dublin 4, Ireland. According to Google, it might send the data to its affiliates and other third parties in the EU but also to non-EU countries. 

Google analytics

Google Analytics is Google’s web analytics tool that helps us to understand how their visitors engage with our properties. Web analytics is the gathering, collection and analysis of the data about the behaviour of visitors on a certain website or app. Among other things, a web analysis service collects data on which website you have come to a website from (so-called referrers), which subpages of the website were accessed or how often and for which period of time a subpage was viewed. A web analysis is mainly used to optimize a website and for the cost-benefit analysis of Internet advertising. In addition to reporting site usage statistics, data collected on Google properties by Google Analytics may also be used, together with some advertising cookies described above, to help show more relevant ads on Google properties (like Google Search) and across the web and to measure interactions with the ads we show.

Google may share the information with its affiliates and other third-parties. The information might also be transferred to the U.S. or other non-European countries. 

Retention time: We store the information for 26 months from your visit on the Website. 

Further information on how Google uses data when you use the Website: https://policies.google.com/privacy?hl=en and https://policies.google.com/technologies/partner-sites . The following link includes a further explanation on how Google Analytics work: https://marketingplatform.google.com/about/

Google Ads

We have implemented Google Ads as a special feature to our use of Google Analytics. The Google Ads service requires Google Analytics to collect data for advertising purposes, including the collection of data via advertising cookies and identifiers. Together with Google Analytics, Google Ads helps us to create target audiences. In this way, you might be shown more relevant advertisements in Google properties (such as Google Search) or other sites, videos, and apps across the internet. Although some of the information we collect is considered as personal data, we do not use it to target individuals but only audiences. We do not give any third-parties access to the data. 

More information on how Google uses cookies can be found here: https://policies.google.com/technologies/types?hl=en-US

Retention time: We store the information for 26 months from your visit on the Website.

Google Tag Manager

The Website also uses Google Tag Manager. Through this service so-called website tags can be managed centrally via a user interface. Google Tag Manager only implements tags. No cookies are used and no personal information is collected.For each third-party data collection, Google provides a respective privacy policy: https://www.google.com/analytics/tag-manager/use-policy/

However, Google Tag Manager will not access these data. If deactivation has been implemented for certain domains / websites or cookies, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.

Google Marketing Platform Home

In addition, we have added Google Marketing Platform Home to our Google services. It is a user interface through which we can control Google services we use. Google support representatives may have access to our Google Marketing Platform organization and its data for the purpose of troubleshooting or servicing the Google Marketing Platform organization.

Facebook Pixel

The third-party service provider we have a contract with is Facebook Ireland Ltd, incorporated and operating under the laws of Ireland (4 Grand Canal Square Grand Canal Harbour Dublin 2 Ireland). With your consent, we will use Facebook's "tracking pixel". This pixel can be used to track user behavior after they have been redirected to our website by clicking on a Facebook and / or Instagram ad. This allows us to record the effectiveness of online advertising on, for instance, Facebook and Instagram advertisements for statistical and market research purposes and, if necessary, create a look-a-like audience from users on our website where Facebook finds people who have attributes closed to our users. 

The tracking of users who have landed on our website after clicking on one of our Facebook and Instagram ads can remain active up to 180 days. 

The data collected in this way is anonymous for us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Facebook, about which we will inform you to the best of our knowledge.Facebook may connect this data to the Facebook account and also use it for its own advertising purposes, according to its data usage policy. Facebook shares information with third-parties for example, to help advertisers understand the effectiveness of their Facebook advertising campaigns. More information on Facebook usage of the data, click here: https://www.facebook.com/about/privacy

If you want to disable cookie storage for Facebook, you can do so via your browser settings. You can also request your data being deleted here https://developers.google.com/analytics/devguides/config/userdeletion/v3/ , http://www.aboutads.info/choices or here http://www.youronlinechoices.eu/ ).

The joint data controllership with Compensate and the Foundation

The joint data controllership with Compensate and the Foundation starts from the moment Shopify receives the payment information and ends when you or Compensate suspends or terminates the use of the Application. In practise, the Foundation only receives information required for the invoicing and accounting of Compensation fees. These include the compensation items included on an order and the total sum of those Compensation fees. The Foundation may also have a legitimate interest or a legal obligation to deal with other personal data, such as analytics data. The Foundation does not act as a joint controller relating to the analytics data because the purpose and the means of processing analytics data is defined by Compensate. Therefore Compensate is solely responsible for the lawful processing of any analytics data. 

How do we use your personal data?

We use the personal data we collect from you and Your Store in order to provide the Service and to operate the Application. Additionally, we use this personal data to: communicate with you; optimize or improve the Application; and provide you with information or advertising relating to our products or services. We also may process the data to administer and fulfill our obligations under law and for claims handling and legal processes. 

We process your personal data primarily in order to fulfill our contractual obligations to you as well as to pursue our legitimate interest to run, maintain and develop our operations and to create and maintain customer and other business relationships. When choosing to use your data on the basis of our legitimate interests, we weigh our own interests against your right to privacy and e.g. provide you with easy to use opt-out from our marketing communications and use pseudonymized or non-personally identifiable data when possible.

We may also process your personal data in order to comply with our legal obligations.In some parts of the Service, you may be requested to grant your consent for the processing of personal data. In this event, you may withdraw your consent at any time.

Sharing your personal data

To the extent that third parties need access to the personal data for us to provide the Service, we provide third parties with Your personal data. Such third parties include Google Cloud Platform, which hosts the Service. We also use Google to communicate with you via email (Gmail). Google processes the data in accordance with their  privacy policy.  Furthermore, we receive payments relating to the Service to a Paypal account. Paypal processes the personal data in accordance with their  privacy policy.  Both Compensate and the Foundation can also transfer any personal data to each other if there is a legitimate interest or a legal obligation to do so. We share personal data to Facebook if you consent to the use of the Facebook Pixel as defined in this Privacy Policy. Facebook processes the data in accordance with their privacy policy . If you choose to give us feedback or report an error through our feedback service provider, we also transfer your data to Maximilian Stoiber e.U. More information here.

In addition, we may provide your personal data to our affiliates or to authorized service providers who perform services to us (including, for instance, data storage, accounting, payment, sales, and marketing service providers). 

When your personal data is processed by third parties as data processors on behalf of Compensate, Compensate has taken the appropriate contractual steps and organizational measures to ensure that the data are processed exclusively for the purposes specified in this Privacy Statement and in accordance with all applicable laws and regulations and subject to our instructions and appropriate obligations of confidentiality and security measures. 

Finally, we may also share your personal data to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights, with your explicit consent or for other legitimate reasons.

Your rights

If you are a European resident, you have the right to access personal data we hold about you and to ask that your personal data be corrected, updated, or deleted. You also have a right to object to the use of certain personal data, the right to restrict the processing, the right to receive the data in a structural and common format (so called “right to data portability”) and the right to withdraw your consent. In addition, you can also prohibit us from using your personal data for direct marketing purposes, market research and profiling. If you would like to exercise any of these rights, please contact us through  legal@compensate.com

Additionally, if you are a European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. 

Data Transfers outside of the European Economic Area (EEA)

Please note that your information will be transferred outside of the EEA, including to Canada and the United States. We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which they are processed. We provide adequate protection for the transfers of personal data to countries outside of the EEA through a series of agreements with our service providers based on the  Standard Contractual Clauses  or through other appropriate safeguards.

Data retention

We do not store your personal data longer than is legally permitted and necessary for the purposes of this Compensate Privacy Statement. The storage period depends on the nature of the information and the purposes of the processing. The maximum period may, therefore, vary per use. 

When you stop using the Application, we will maintain the most of your personal data for our records for three and a half (3,5) years unless you ask us to delete this information. After your request or if 3,5 years have elapsed, some of the personal data may be still processed by us as long as it is required by law or is reasonably necessary for our legal obligations or legitimate interests, such as claims handling, bookkeeping, internal reporting and reconciliation purposes. All personal data will be anonymized or deleted with a period of ten (10) years after you have placed an order through the Site or you have asked us to delete the data, except for personal data required in certain, rare situations such as legal proceedings. 

Changes

We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

Information security

We use administrative, organisational, technical, and physical safeguards to protect your personal data. Should despite the security measures, a security breach occurs that is likely to have negative effects on your privacy, we will inform you and other affected parties, as well as relevant authorities required by applicable data protection laws, about the breach as soon as possible. 

Contact us

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at legal@compensate.com or by mail using the details provided below:

Compensate

Lönnrotinkatu 7 B 

00120 Helsinki

Finland

Archived versions of this statement