Privacy.

Conformica is operated by Harvest Sterling LLC, a Delaware limited-liability company. We are the data controller for merchant account data and the data processor for any merchant catalog data Shopify sends us under your authorisation. Contact: privacy@conformica.eu.

From you, the merchant:

• Shopify shop domain (e.g. your-shop.myshopify.com) and shop email
• Contact email + optional separate notification email
• GPSR configuration: Manufacturer / Responsible Person / Importer party profiles (legal name, address, email, country)
• Per-product compliance fields you enter: GTIN, type / batch / serial numbers, country of origin, safety warnings, instructions, source language, B2B-only and widget-display flags
• Billing plan + trial state (from Shopify Managed App Pricing)

From Shopify on your behalf:

• Product list (id, title, handle, status, primary barcode) — used to compute compliance state and to match against EU Safety Gate alerts
• Shop locale + Markets configuration — used to render the widget in the buyer's language

From buyers on your storefront:

• Nothing personal.The widget reads the buyer's Shopify Markets language + country to render in the right language, but we do not log IPs, set cookies, or correlate buyers across pages.

Strictly to deliver the service you subscribed to: keep your GPSR data current, translate it into the 24 official EU languages, render the widget on your storefront, scan the EU Safety Gate weekly report against your catalog, and email you when something matches. We do not profile merchants, sell data, or use your catalog to train models.

We use the following processors. Each is bound by a data-processing agreement and is the smallest possible set required to run the app.

Shopify Inc. (Canada / Ireland)

Authoritative source of your shop + catalog data. Governed by Shopify's own DPA.

Supabase Inc. (PostgreSQL + Storage, EU region)

Stores your tenant row, party profiles, per-product compliance fields, and the translation cache. Data residency: EU (Dublin).

Vercel Inc. (Hosting + CDN)

Runs the admin app at app.conformica.eu and this marketing site.

OpenRouter / Anthropic

Translation. We send your safety warnings and instructions; no merchant identifiers, no buyer data. Outputs are cached on our side; we don't re-send the same string twice.

Resend

Transactional email — Safety Gate alerts and billing notices.

While your subscription is active, we keep your data as long as it's in active use. When you uninstall Conformica, Shopify delivers a shop/redact webhook 48 hours later — we then permanently delete every row tied to your shop: tenant, parties, products, translations, alerts, audit logs, error logs, and any uploaded branding asset in our storage bucket.

You can also request immediate deletion at any time via privacy@conformica.eu — we will fulfil it within 30 days, as GDPR Art. 12 requires.

Under the GDPR you have the right to:

• Access a copy of the data we hold about your shop
• Have inaccurate data corrected
• Have data erased (right to be forgotten)
• Restrict processing
• Receive your data in a portable format (JSON export)
• Object to specific processing activities
• Lodge a complaint with your supervisory authority

Email privacy@conformica.eu with your shop domain to exercise any of these. We answer within 30 days; usually within 48 hours.

No tracking cookies anywhere.The Conformica widget on your storefront sets no cookies. The admin app uses Shopify's session token only — required to authenticate you to your own shop. This marketing site sets no analytics cookies and embeds no third-party trackers.

We'll email merchants at least 30 days before any material change to this policy. The current version is always linked at the bottom of every page on conformica.eu.