Privacy Policy
Your privacy is important to us. Learn how we collect, use, and protect your information.
Welcome to Appaza's Privacy Policy
At Appaza Agency, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services. Please read this policy carefully to understand our practices regarding your personal data.
Data Controller Information
Controller Identity
Appaza Agency, located at Dhaka, Bangladesh, is the data controller responsible for your personal information. For GDPR purposes, our EU representative can be contacted at eu-representative@appaza.dev.
Data Protection Officer
For data protection inquiries, you may contact our Data Protection Officer at dpo@appaza.dev or privacy@appaza.dev.
Information We Collect
Personal Data (GDPR Art. 4)
We collect: (1) Identity Data: name, username, title; (2) Contact Data: email, phone, business address; (3) Technical Data: IP address, browser type, device information, operating system; (4) Usage Data: how you use our website and services; (5) Marketing Data: your preferences for receiving marketing communications.
Sensitive Personal Information
We do not intentionally collect sensitive personal data (racial origin, political opinions, religious beliefs, health data, biometric data, etc.) unless required for specific services with your explicit consent.
Automated Data Collection
We automatically collect Technical and Usage Data through cookies, server logs, and similar technologies. This includes IP addresses (which may be considered personal data under GDPR), browser fingerprints, and interaction patterns.
Third-Party Sources
We may receive data from analytics providers (Google Analytics), advertising networks, and publicly available sources. We ensure these third parties comply with applicable data protection laws.
Legal Basis for Processing (GDPR Art. 6)
Contractual Necessity
We process your data to perform our contract with you, including delivering services, processing payments, and providing customer support (GDPR Art. 6(1)(b)).
Legitimate Interests
We process data based on legitimate interests (GDPR Art. 6(1)(f)) for: improving services, fraud prevention, network security, business analytics, and direct marketing to existing clients. We balance these interests against your rights.
Legal Compliance
We process data to comply with legal obligations (GDPR Art. 6(1)(c)), including tax laws, accounting requirements, and responding to lawful requests from authorities.
Consent
For marketing communications and non-essential cookies, we rely on your explicit consent (GDPR Art. 6(1)(a)). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
How We Use Your Information
Service Provision
To deliver Shopify app development, theme development, WordPress solutions, website development, and SEO services as contracted. This includes project management, technical implementation, and ongoing support.
Communication
To respond to inquiries, provide customer support, send service-related notifications, security alerts, and administrative messages. We may also send marketing communications with your consent.
Business Operations
For billing, accounting, fraud prevention, legal compliance, dispute resolution, and enforcing our terms. We maintain records as required by law.
Analytics and Improvement
To analyze usage patterns, improve our services, develop new features, and conduct market research. We use both first-party and third-party analytics tools.
Data Sharing and Disclosure
Service Providers (Processors)
We share data with processors who provide: hosting (AWS, DigitalOcean), email services (SendGrid, Mailchimp), analytics (Google Analytics), payment processing (Stripe, PayPal), and CRM systems. All processors are bound by data processing agreements (GDPR Art. 28).
Legal Requirements
We disclose data when required by law, court order, or governmental request. For EU residents, we will notify you unless legally prohibited. We may also disclose data to protect our rights, property, or safety.
Business Transfers
In case of merger, acquisition, or asset sale, your data may be transferred. We will notify you and ensure the recipient maintains equivalent data protection standards.
No Sale of Personal Data
We do NOT sell your personal data to third parties. For California residents (CCPA), we have not sold personal information in the preceding 12 months and do not sell personal information of minors under 16.
International Transfers
Data may be transferred outside the EU/EEA. We use Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms to ensure GDPR-level protection.
Your Rights (GDPR & CCPA)
Right to Access (GDPR Art. 15, CCPA)
You have the right to request access to your personal data. We will provide a copy of your data in a commonly used electronic format. The first copy is free; additional copies may incur a reasonable fee.
Right to Rectification (GDPR Art. 16)
You can request correction of inaccurate or incomplete personal data. We will update your information promptly upon verification.
Right to Erasure / Deletion (GDPR Art. 17, CCPA)
You can request deletion of your personal data ('right to be forgotten') unless we have legal grounds to retain it (e.g., legal obligations, legitimate interests, contract performance). We will respond within 30 days.
Right to Restriction (GDPR Art. 18)
You can request restriction of processing while we verify data accuracy, assess legitimate grounds, or if you need the data for legal claims.
Right to Data Portability (GDPR Art. 20)
You can receive your data in a structured, machine-readable format (JSON, CSV) and transmit it to another controller where technically feasible.
Right to Object (GDPR Art. 21, CCPA Opt-Out)
You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds. California residents can opt out of data 'sales' (though we don't sell data).
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time. This doesn't affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
EU residents can lodge complaints with their national data protection authority. US residents can contact the FTC or state attorney general. Bangladesh residents can contact the relevant authority.
Automated Decision-Making
We do not make solely automated decisions with legal or significant effects. If this changes, we will notify you and provide opt-out rights (GDPR Art. 22).
Data Retention
Retention Periods
We retain personal data only as long as necessary for the purposes outlined in this policy. Active client data: duration of contract + 6 years (tax/legal requirements). Marketing data: until consent withdrawn + 30 days. Technical logs: 90 days.
Deletion Procedures
After retention periods expire, we securely delete or anonymize data. Deletion includes all backups and archives unless legal obligations require retention.
Legal Hold
Data subject to legal proceedings, investigations, or regulatory requirements will be retained until the matter is resolved, regardless of standard retention periods.
Data Security (GDPR Art. 32)
Technical Measures
We implement: SSL/TLS encryption (minimum TLS 1.2), encrypted databases, secure authentication (multi-factor where available), regular security patches, firewalls, and intrusion detection systems.
Organizational Measures
Access controls (role-based), employee training on data protection, confidentiality agreements, regular security audits, incident response procedures, and data protection impact assessments (DPIAs) for high-risk processing.
Data Breach Notification
In case of a data breach, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals without undue delay if there's a high risk to rights and freedoms (GDPR Art. 34).
Limitations
No security is absolute. While we implement industry-standard measures, we cannot guarantee complete security. You are responsible for maintaining the confidentiality of your credentials.
Cookies and Tracking Technologies
Types of Cookies
Essential cookies (strictly necessary for service operation), Functional cookies (remember preferences), Analytics cookies (Google Analytics - anonymized IP), Marketing cookies (with consent only). We comply with ePrivacy Directive and GDPR.
Cookie Consent
We obtain explicit consent before placing non-essential cookies. You can manage preferences through our cookie banner or browser settings. Withdrawing consent may affect functionality.
Third-Party Tracking
We use Google Analytics (with IP anonymization), Facebook Pixel (with consent), and similar tools. These are subject to third-party privacy policies. EU users can opt out via browser settings or third-party opt-out tools.
Do Not Track (DNT)
We honor Do Not Track signals where technically feasible. However, DNT is not universally standardized.
Regional-Specific Rights
California Residents (CCPA/CPRA)
Right to know what personal information is collected, disclosed, or sold; Right to delete personal information; Right to opt out of sale (we don't sell); Right to non-discrimination; Right to correct inaccurate information (CPRA). Contact privacy@appaza.dev to exercise rights.
European Union / EEA (GDPR)
All GDPR rights apply as detailed above. Data transfers outside EU/EEA use SCCs or adequacy decisions. You can lodge complaints with your national supervisory authority.
United Kingdom (UK GDPR)
UK residents have equivalent rights to EU GDPR. Contact the UK Information Commissioner's Office (ICO) for complaints.
Other US States
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) residents have similar rights to CCPA. Contact us to exercise these rights.
Children's Privacy (COPPA, GDPR)
Age Restrictions
Our services are not directed to children under 16 (GDPR) or 13 (COPPA in USA). We do not knowingly collect data from children without parental consent.
Parental Rights
If we learn we've collected data from a child without proper consent, we will delete it immediately. Parents can request access, deletion, or cessation of collection by contacting privacy@appaza.dev.
Verification
We may request age verification for certain services. We do not use age as a basis for discriminatory practices.
Changes to This Privacy Policy
Notification of Changes
We will notify you of material changes via email (if provided) or prominent website notice at least 30 days before changes take effect. For EU residents, we will obtain fresh consent if required by law.
Version History
Previous versions are available upon request. The current version is effective from the 'Last Updated' date shown on this page.
Continued Use
Continued use after changes constitutes acceptance. If you disagree with changes, you may terminate your account and request data deletion.
Contact Us & Data Protection Authorities
Privacy Inquiries
Email: privacy@appaza.dev | Data Protection Officer: dpo@appaza.dev | Phone: +880 1234-567890 | Address: Dhaka, Bangladesh
EU Representative
For GDPR matters: eu-representative@appaza.dev
Supervisory Authorities
EU: Your national data protection authority (list at edpb.europa.eu). USA: Federal Trade Commission (ftc.gov), California Attorney General (oag.ca.gov). UK: Information Commissioner's Office (ico.org.uk).
Response Time
We respond to privacy requests within 30 days (GDPR) or 45 days (CCPA), with possible extensions if complex. We will notify you of any delays.