Privacy Policy
How Rebound collects, uses, shares, and protects personal data — for the merchants who install the app and for their customers.
Last updated: [EFFECTIVE DATE]
This Privacy Policy explains how [LEGAL ENTITY NAME] ("Rebound", "we", "us") handles personal data in connection with the Rebound back-in-stock app for Shopify (the "App") and the website at rebound.shop (the "Site").
Rebound plays two different roles. For data about the merchants who install the App, we act as a data controller. For data about a merchant's own customers — such as the WhatsApp numbers collected through back-in-stock requests — we act as a data processor on the merchant's behalf, and the merchant is the controller. Section 9 explains this split in detail.
01 Who we are
[LEGAL ENTITY NAME], registered in [JURISDICTION] at [REGISTERED ADDRESS], is responsible for the processing described in this policy where we act as controller.
For any privacy question or to exercise your rights, contact us at [CONTACT EMAIL]. Our Data Protection Officer (where appointed) can be reached at [DPO EMAIL].
02 Personal data we collect
Merchant account data: name, email address, store URL, Shopify shop ID, billing plan, and support correspondence.
Customer data (processed for the merchant): the customer's WhatsApp phone number, first name where provided, the product and variant they subscribed to, consent records, and notification and order-match events.
Usage and technical data: log data, device and browser information, IP address, and analytics about how the App and Site are used.
We do not collect special categories of data, and we do not knowingly collect data from children.
03 How we use personal data
To provide and operate the App: collecting back-in-stock subscriptions, sending WhatsApp notifications through the Meta Cloud API, and attributing recovered orders.
To bill for the service through Shopify, provide support, and send service-related communications.
To secure, maintain, debug, and improve the App and Site.
To comply with legal obligations and enforce our agreements.
04 Legal bases (GDPR)
Where the GDPR applies and we act as controller, we rely on: performance of a contract (to provide the App to merchants); legitimate interests (to secure and improve the service); consent (where required); and compliance with legal obligations.
For customer data, the lawful basis for collecting and messaging customers is determined and obtained by the merchant as controller — typically the customer's explicit consent given at subscription.
05 How we share data
We share personal data with the service providers (sub-processors) that make the App work:
- Shopify — the platform the App runs on.
- Meta Platforms, Inc. (WhatsApp Business Cloud API) — to deliver notifications.
- [HOSTING PROVIDER] — application hosting and database, located in [HOSTING REGION].
- [EMAIL/SUPPORT PROVIDER] — transactional email and support.
We may also disclose data to comply with the law, respond to lawful requests, or protect our rights. We do not sell personal data.
06 International transfers
Personal data may be processed in countries other than your own. Where data is transferred out of the EEA, the UK, or Brazil, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent mechanisms.
07 Data retention
We retain merchant account data for as long as the App is installed and as required to comply with legal and accounting obligations.
Customer data is retained only as long as needed to provide the service to the merchant. When the App is uninstalled, or upon the merchant's instruction, subscriber data is deleted in accordance with Shopify's mandatory data-erasure webhooks, typically within [RETENTION PERIOD] days.
08 Security
We use technical and organizational measures appropriate to the risk, including encryption in transit, access controls, phone-number masking across the admin interface, and least-privilege access to production systems. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
09 Your rights
Subject to applicable law (including the GDPR and Brazil's LGPD), you may have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability.
If you are a customer of a merchant that uses Rebound, please direct your request to that merchant, who controls your data. We will assist the merchant in responding. To exercise rights against us as controller, contact [CONTACT EMAIL]. You also have the right to lodge a complaint with your local supervisory authority (in Brazil, the ANPD).
10 Merchant and customer data (our role)
When we process a merchant's customer data, we do so only on the documented instructions of the merchant, as set out in our Data Processing Agreement. The merchant is responsible for having a lawful basis to collect customer contact details and to send messages, and for honoring data-subject requests.
11 Cookies
The Site uses cookies and similar technologies. See our Cookie Policy for details and how to manage them.
12 Changes to this policy
We may update this policy from time to time. We will post the updated version here and revise the "last updated" date. Material changes will be communicated as required by law.
13 Contact us
Questions about this policy or our data practices: [CONTACT EMAIL]. Data Protection Officer: [DPO EMAIL]. Postal address: [REGISTERED ADDRESS].