Privacy Policy

Last Updated: June 11, 2026

This Privacy Policy explains how Galaxy Web Links ("we," "us," or "our") collects, uses, stores, and protects personal data when you install or use the SmartDonate: Recurring & Receipts application (the "App") on a Shopify store.

1. Introduction

SmartDonate: Recurring & Receipts helps Shopify merchants collect charitable donations, offer recurring giving options, generate donation receipts, and manage donor contributions through their Shopify storefronts.

We are committed to protecting the privacy of merchants and their customers. This policy is designed to meet Shopify App Store requirements and to help you understand our data practices in accordance with applicable privacy laws, including the following:

  • The General Data Protection Regulation (GDPR) and UK GDPR
  • The California Privacy Rights Act (CPRA)
  • The Virginia Consumer Data Protection Act (VCDPA)
  • The Colorado Privacy Act (CPA)
  • Other applicable federal, state, and international privacy regulations

This Privacy Policy is provided for informational purposes only and does not constitute legal advice. If you have questions regarding your legal obligations, please consult a qualified legal professional.

2. Who This Policy Applies To

This Privacy Policy applies to:

  • Merchants who install and use the app.
  • Merchant staff who access the app through Shopify user accounts.
  • Customers and donors who make one-time or recurring donations through a merchant's storefront.

3. Information We Collect Through Shopify APIs

When a merchant installs the app, we access certain information from the merchant's Shopify store through Shopify APIs, only as necessary to provide the app's functionality and within the permissions granted during installation. This may include:

  • Store domain and shop identifier.
  • Product and donation-related information.
  • Donation campaign settings and configurations.
  • Order information related to donations processed through Shopify (including order creation, payment confirmation, cancellations, and refunds).
  • Recurring subscription contract details (creation, updates, billing attempt outcomes).
  • App installation, authentication, session, and scope information.
  • Billing and subscription plan information provided through Shopify's billing systems.

We do not collect or store customers' payment card information. Payment processing is handled by Shopify and its authorized payment providers.

4. Information We Collect Directly From Merchants

When merchants use the App, we may collect and store:

  • Merchant and staff account information available through Shopify authentication, such as name, email address, user ID, and locale.
  • Donation campaign settings and configurations.
  • Receipt templates and branding preferences.
  • App usage information and administrative actions.
  • Technical logs related to app performance, security, and troubleshooting.

5. Information We Collect From Customers and Donors

When customers or donors interact with donation features provided by the App, we may collect:

  • Donor name.
  • Email address.
  • Donation amount.
  • Donation frequency (one-time or recurring).
  • Donation campaign or cause selected.
  • Order identifier associated with the donation.
  • Subscription contract identifier (for recurring donations).
  • Receipt delivery preferences.
  • Technical request metadata necessary to process donations and generate receipts.

Customer information is collected solely to facilitate donation processing, recurring donation management, receipt generation, customer support, and compliance with applicable legal requirements.

6. Cookies and Tracking Technologies

The app does not use cookies, pixels, or similar tracking technologies to track, profile, or monitor customers or donors. Any cookies or similar technologies present during app usage are limited to those managed by Shopify for authentication, session management, and platform functionality and are governed by Shopify's own privacy policy.

We do not use any third-party analytics or tracking scripts on merchant storefronts through the App.

7. How We Use Information

We use the information we collect solely to:

  • Provide, operate, maintain, and improve the App.
  • Process one-time and recurring donations.
  • Generate and deliver donation receipts upon successful payment.
  • Manage donation campaigns and reporting.
  • Track and manage recurring donation subscription contracts, including billing outcomes.
  • Handle order cancellations and refunds related to donations.
  • Authenticate merchants and manage app subscriptions and billing plans.
  • Respond to support requests.
  • Monitor system performance and security.
  • Comply with legal, tax, accounting, and regulatory obligations.
  • Process data access, deletion, and redaction requests as required by privacy laws.

We do not sell personal data. We do not use merchant or donor personal data for unrelated marketing purposes. We do not share personal data with third parties for their own marketing or advertising purposes.

8. Legal Basis for Processing (EEA/UK/Applicable Jurisdictions)

Where required by applicable law, we process personal data based on:

  • Performance of a contract — to provide app services to merchants who install and use the app.
  • Legitimate interests — in maintaining, securing, and improving the App, provided such interests are not overridden by data subjects' rights.
  • Compliance with legal obligations — where we are required to process data by applicable law, regulation, or legal process.
  • Consent — where required for optional features or communications. Where processing is based on consent, you have the right to withdraw your consent at any time by contacting us at the details provided in Section 16.

9. Data Sharing and Service Providers

We may share information with trusted service providers that help us operate the app, including:

  • Cloud hosting and infrastructure providers — for hosting and running the app.
  • Database providers — for secure data storage.
  • Email delivery services (e.g., SendGrid) — used to send donation receipts and notifications.
  • Analytics and monitoring providers — used to maintain service reliability and performance.

These providers process data only on our behalf and under contractual obligations to protect personal information. We require that our service providers implement appropriate technical and organizational safeguards.

We may also disclose information when required by law, legal process, or to protect the rights, property, or safety of Galaxy Web Links, merchants, donors, or others.

We do not sell personal data to third parties.

10. International Data Transfers

Galaxy Web Links may process and store information in countries outside the country where merchants or donors are located, including outside the European Economic Area (EEA) and the United Kingdom.

Where required, we implement appropriate safeguards for international transfers, including Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms recognized under applicable data protection laws, to ensure that personal data receives an adequate level of protection.

11. Data Retention

We retain personal information only for as long as necessary to provide the App and fulfill legal obligations.

  • Merchant account and configuration data are retained while the App remains installed. Upon uninstallation, merchant configuration data is deleted within 30 days, unless retention is required by law.
  • Donation and receipt records may be retained for up to 7 years after the relevant transaction, as required for accounting, auditing, tax, and compliance purposes.
  • Recurring subscription contract data is retained while the associated subscription is active and for the applicable retention period after cancellation.
  • Donor information is retained only as long as necessary to provide App services and comply with applicable laws.
  • Technical and webhook processing logs are retained for up to 90 days and then deleted or anonymized.

Upon uninstallation of the App, the App responds to Shopify's app/uninstalled webhook to clean up session data, and subsequently to the shop/redact webhook to process complete data deletion. Merchants may also request earlier deletion of their data by contacting us at the details provided in Section 16.

12. Data Subject Rights and Shopify Compliance

Depending on applicable laws (including the GDPR, UK GDPR, CPRA, VCDPA, and CPA), individuals may have rights to:

  • Access their personal information.
  • Correct inaccurate or incomplete information.
  • Request deletion of personal information.
  • Restrict or object to processing of personal information.
  • Request data portability — receive personal data in a structured, commonly used, and machine-readable format.
  • Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal.
  • Opt out of the sale of personal data — we do not sell personal data, but this right is acknowledged under applicable US state privacy laws.
  • Lodge a complaint with a relevant data protection supervisory authority (for EEA/UK residents).

How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

Email: appsupport@galaxyweblinks.com

We will acknowledge your request within 10 business days and respond in full within 30 days, or as required by applicable law. We may need to verify your identity before fulfilling certain requests.

Shopify Mandatory Privacy Compliance Webhooks

The App fully implements Shopify's required privacy compliance webhooks to ensure automated handling of privacy-related requests:

  • customers/data_request — Responds to requests from customers to access their personal data stored by the App.
  • customers/redact — Deletes or anonymizes a customer's personal data from the App's systems upon request.
  • shop/redact — Deletes all remaining merchant and associated customer data from the App's systems after app uninstallation and the expiration of the data retention period.

These mechanisms help merchants comply with privacy obligations and data subject requests under applicable laws including GDPR, UK GDPR, CPRA, and other privacy regulations. Merchants remain responsible for handling customer privacy requests relating to their stores in accordance with their own privacy obligations.

13. Security

We implement reasonable administrative, technical, and organizational safeguards designed to protect personal information, including:

  • Encrypted HTTPS connections for all data in transit.
  • Access controls and authentication mechanisms.
  • Secure hosting infrastructure.
  • Regular monitoring and logging of security events.
  • Role-based access to production systems and data.

While we strive to protect personal information, no method of transmission or storage can be guaranteed to be completely secure. In the event of a data breach involving personal data, we will notify affected parties and relevant authorities as required by applicable law.

14. Children's Privacy

The App is intended for use by merchants operating Shopify stores and is not directed toward children under the age of 16 (or the applicable age of consent in relevant jurisdictions).

We do not knowingly collect personal information from children. If we become aware that such information has been collected, we will take appropriate steps to delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or business practices.

When material changes are made, we will update the "Last Updated" date at the top of this page and, where practicable, notify merchants through the App or by email. Continued use of the App after changes become effective constitutes acceptance of the updated policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

16. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data handling practices, please contact:

App: SmartDonate: Recurring & Receipts
Company: Galaxy Web Links
Email: appsupport@galaxyweblinks.com
Website: https://www.galaxyweblinks.com
Data Protection Inquiries: appsupport@galaxyweblinks.com

For EEA/UK residents, if you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority.

© 2026 Galaxy Web Links. All rights reserved.