# GDPR & Data Protection My Product Cares takes data protection seriously. This page answers common questions about how we handle personal data and our compliance with data protection regulations including GDPR. *** ## Who is behind My Product Cares? My Product Cares is developed and operated by **Vital Iteration**, a UK-based company, under the brand **Varify**. *** ## Are you a data controller or data processor? Vital Iteration acts as a **Data Processor** on behalf of the merchants who install our app. * **The Merchant (you) is the Data Controller.** You decide what data to collect by designing your own registration and claim forms. You determine the purpose, scope, and means of processing. You are responsible for obtaining appropriate consent from your end customers and for providing your own privacy notice. * **Vital Iteration is the Data Processor.** We provide the software platform (My Product Cares) that you use to collect, store, and manage that data. We process data solely on your documented instructions and do not use end-customer data for our own purposes. A Data Processing Agreement (DPA) formalizing this relationship is available *** ## Where is data hosted? Is data transferred outside the EU? My Product Cares uses a combination of hosting locations: * **Application and database**: Servers in Canada and the United States — located close to Shopify (a Canadian company based in Toronto) for low-latency communication with the Shopify platform * **File storage and email delivery**: Cloud infrastructure in the European Union * **Content delivery**: Global network for fast, reliable access **Data is transferred and processed outside the EU** for the core application and database. We are committed to ensuring appropriate safeguards are in place for cross-border data transfers. If your end customers are based in the EU/EEA and you require Standard Contractual Clauses (SCCs), these are available as part of our Data Processing Agreement. *** ## What data does My Product Cares store? **The data stored is almost entirely determined by you, the merchant.** My Product Cares is a flexible form builder — you design your own forms and choose which fields to collect from your end customers. The only mandatory field is **email address**, which is essential for product registrations and warranty claims so that you can contact your customers. Beyond that, you have full control over what data is requested. Depending on how you configure your forms, data may include: * Customer identity information (name, email address, phone number) * Address information * Product details (product name, SKU, serial numbers, purchase date) * Uploaded files (images, receipts, documents) * Custom fields you define * Warranty and claim information **What we do NOT collect:** * Payment card details — payments are handled by Shopify or Stripe * Any data beyond what your forms request *** ## Who owns the data and can I export it? **You own your data.** As the Data Controller, the data collected through your forms belongs to you. You can export your data at any time through the App admin — there is a built-in export feature that lets you download all your registrations, claims, and related data on demand, giving you full control and the ability to maintain your own backups. *** ## When is data deleted? Data is deleted in the following circumstances: ### Shopify GDPR Compliance My Product Cares implements all Shopify-mandated GDPR webhooks: * **Customer data deletion** (`customers/redact`): When Shopify notifies us of a valid customer deletion request, we permanently delete all registration and claim data for that specific end customer. * **App uninstallation** (`shop/redact`): When you uninstall the app, your shop data is anonymized and uploaded files are permanently deleted. * **Customer data access** (`customers/data_request`): When Shopify notifies us of a customer data access request, we retrieve the relevant data and provide it to you (the Data Controller) for fulfillment. ### Manual Deletion You can delete individual registrations, claims, and customer data at any time through the admin interface. ### Data Retention Data is retained for as long as you use the app and require the data for your business purposes. As the Data Controller, you are responsible for defining and communicating your own data retention policy to your end customers. *** ## Do you share data with third parties? **We do not sell or monetize end-customer data.** Data sharing is limited to what is necessary to provide the service: ### Optional Integrations (enabled by you) | Integration | What it does | | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Klaviyo** | Sends customer and registration data to your Klaviyo account for marketing automation. Only activated if you configure your Klaviyo API key and enable this integration. | | **Mailchimp** | Sends customer and registration data to your Mailchimp audience. Only activated if you configure your Mailchimp API key and enable this integration. | | **Custom Webhooks** | Forwards registration data to a webhook URL you provide. | No data is sent to Klaviyo, Mailchimp, or any custom webhook unless you explicitly enable those integrations. ### Service Providers (required for app operation) We use trusted service providers for infrastructure and operations: * Cloud hosting and storage providers * Email delivery services * Monitoring and error tracking services * Bot/spam protection on forms A full list of sub-processors is included in our Data Processing Agreement. *** ## What is your uptime and backup policy? ### Reliability My Product Cares runs on a production infrastructure designed for high availability: * Multiple application servers across different data centers and providers * Automatic failover between servers * Managed database with standby failover node (99.95% uptime) * Zero-downtime deployments ### Backups * **Automated daily database backups** * **7-day point-in-time recovery** — we can restore the database to any point within the last 7 days * Uploaded files are stored on cloud infrastructure with high durability guarantees ### Monitoring Our infrastructure is continuously monitored with automated alerts for any issues. We run automated tests on every production deployment to verify the service is working correctly. *** ## How can end customers exercise their GDPR rights? Under GDPR, end customers (data subjects) have rights including access, rectification, erasure, restriction of processing, data portability, and the right to object. Since **you (the merchant) are the Data Controller**, end customers should direct their requests to you. As the Processor, we support you by: * Providing tools in the admin interface to view, edit, export, and delete customer data * Responding to Shopify GDPR webhooks for automatic data deletion and export * Assisting with any data subject requests you receive *** *For data protection inquiries, contact:* [***info@varify.xyz***](mailto:info@varify.xyz)*.* *Last updated: May 2026* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://doc.product-reg.varify.xyz/gdpr.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.