Our commitment
FIDE Labs builds FIDE with GDPR and UK GDPR in mind. We collect only the data the app needs, never sell it, and exclude IP addresses, cookies, and request headers from our error monitoring. This page explains how FIDE meets data-protection obligations. It complements our Privacy Policy.
Controller and processor roles
- Customer data (quote request submissions) — the merchant is the data controller and FIDE Labs is the processor, acting only on the merchant's instructions through the operation of the App.
- Merchant account data — FIDE Labs is the controller.
Lawful bases for processing
- Contract — to provide the App and run merchant accounts.
- Legitimate interests — to keep the App reliable, secure, and improving (usage and diagnostic data).
- Consent — for customer data, collected by the merchant from their customers.
- Legal obligation — where the law requires us to process or retain data.
Data subject rights
If you're in the EEA, UK, or Switzerland, you have the right to access, correct, delete, restrict, object to, or port your personal data, and to withdraw consent where processing relies on it. You may also complain to your local supervisory authority.
Merchants exercise these rights by emailing us directly. Customers should contact the merchant they submitted a quote to, since that merchant is the controller; if a customer contacts us, we forward the request or help the merchant fulfil it. We verify identity before acting, acknowledge requests within 2 business days, and respond within 30 days (extendable for complex requests as GDPR allows).
Shopify GDPR webhooks & deletion
FIDE implements Shopify's three mandatory compliance webhooks:
- customers/data_request — we provide a customer's data to the merchant so they can answer an access request.
- customers/redact — personal data fields are replaced with redacted values; the anonymised quote record is retained but holds no personal information.
- shop/redact — sent ~48 hours after uninstall; we run a final pass to permanently delete all store data.
Deletion is event-driven (uninstall, deletion request, or webhook) rather than on a fixed schedule, and webhook deletions are permanent.
Sub-processors & international transfers
FIDE is hosted on Fly.io (Singapore) using a managed PostgreSQL database, with Sentry (EU — Germany) for error monitoring, Cloudinary for file storage, and Gmail SMTP / Elastic Email / custom SMTP for transactional email. All sub-processors are bound by data-protection terms. Where data leaves the EEA/UK, we rely on Standard Contractual Clauses. A current sub-processor list is available on request.
Security measures
- TLS/HTTPS enforced for all data in transit.
- AES-256-GCM encryption at rest for sensitive fields such as SMTP credentials.
- Shopify OAuth, HMAC-verified webhooks, and per-shop data scoping.
- Least-privilege Shopify API scopes and PII-minimised error monitoring.
Contact
- Email: support@fidelabs.io
- Company: FIDE LABS (OPC) PRIVATE LIMITED