Privacy Policy

Last updated: February 20, 2026

Owner and Data Controller

Catalogly

Owner contact email: [email protected]

Merchants and Merchant Customers

As a Shopify app, Catalogly interacts with two distinct groups:

  • Merchants — Shopify store owners who install and use Catalogly. Merchants are our direct customers and the primary users of our services. We are the data controller for personal data that merchants provide to us directly.
  • Merchant customers — End-users and buyers of merchants' stores. When we access Shopify store data on behalf of a merchant (such as product information), we act as a data processor on behalf of the merchant, who remains the data controller for their customers' data.

Catalogly's online catalog feature allows end-users to browse products and place orders directly from a published catalog. When a customer initiates an order through an online catalog, Catalogly collects the following data solely to create a draft order in the merchant's Shopify store:

  • First and last name — required to identify the customer on the draft order
  • Email address — required for Shopify to send the customer an order confirmation and invoice link
  • Phone number — required for shipping carrier contact and delivery coordination
  • Billing and shipping address — required to calculate shipping rates and fulfill the order

When a customer who already has an account on the merchant's Shopify store places an order through a catalog, Catalogly may use their Shopify Customer ID to associate the draft order with their existing account, ensuring the order appears correctly in the merchant's Shopify admin. After a draft order is successfully created, the resulting Shopify order number is displayed to the customer as confirmation of their request.

None of this data is stored by Catalogly. It is transmitted directly to Shopify via the Shopify API to create the draft order, and from that point is handled entirely by Shopify and the merchant's own privacy policy. Catalogly has no further access to this data after submission.

Data Processing Agreement

Where Catalogly processes personal data on behalf of merchants as a data processor, this is governed by our Data Processing Agreement (DPA). Merchants who require a DPA for GDPR or other compliance purposes may request one by contacting us at [email protected].

By installing and using Catalogly, merchants acknowledge that Catalogly may process data accessed via the Shopify API in accordance with this privacy policy and any applicable DPA.

Types of Data Collected

Data provided by merchants

When merchants install and use Catalogly, we collect:

  • Shopify store name and URL
  • Email address associated with the Shopify account
  • Subscription and billing plan information (billing is processed by Shopify, not stored by Catalogly)
  • App settings and preferences
  • Catalog names, configurations, and design settings

Data accessed via the Shopify API (on behalf of merchants)

To provide catalog creation services, Catalogly accesses the following Shopify data on behalf of merchants:

  • Product titles, descriptions, prices, and variants
  • Product images
  • Product SKUs and inventory identifiers
  • Collection names and product groupings

This data is used solely to generate catalogs as directed by the merchant and is not used for any other purpose.

Usage data collected automatically

  • IP address
  • Browser type and version
  • Pages of the application visited and time of visit
  • System log files and diagnostic data

Generated content

Catalogs generated by merchants (PDF files and online/flipbook catalogs) are stored on our file storage infrastructure. These files contain only the product data and design elements selected by the merchant.

Unless specified otherwise, all data requested by this application is necessary to provide the service. Failure to provide this data may make it impossible for Catalogly to function. Users uncertain about which data is mandatory are welcome to contact the Owner.

Mode and Place of Processing the Data

Methods of processing

The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the data. Data processing is carried out using computers and IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated.

Access to personal data is restricted to staff members who require it to perform their role. Access is granted on a least-privilege basis — employees are only given access to the data necessary for their specific responsibilities — and access controls are actively enforced and reviewed.

In addition to authorized staff, data may be accessible to third-party service providers appointed as data processors by the Owner (such as hosting providers, file storage services, and IT infrastructure companies). The updated list of these parties may be requested from the Owner at any time.

Legal basis of processing

The Owner may process personal data relating to Users where one of the following applies:

  • Users have given their consent for one or more specific purposes.
  • Provision of data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof.
  • Processing is necessary for compliance with a legal obligation to which the Owner is subject.
  • Processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party.

Place

The data is processed at the Owner's operating offices and in any other places where the parties involved in the processing are located. Data transfers may involve transferring data to a country other than the User's own. Users are entitled to learn about the legal basis of such transfers and may contact the Owner for more information.

Data minimization

We only collect and process personal data that is necessary for the specific purposes described in this policy. We do not collect data beyond what is required to provide our services.

Retention periods

Personal data is retained only for as long as necessary for the purpose for which it was collected:

  • Merchant account and store data: Retained for the duration of the active subscription and for a reasonable period thereafter to allow for reactivation, legal compliance, or dispute resolution.
  • Generated catalogs (PDFs and online catalogs): Retained while the merchant's account is active. Merchants may delete individual catalogs at any time.
  • System logs and usage data: Retained for a limited period as needed for security and operational purposes.
  • Support communications: Retained for a reasonable period as required for customer support and legal purposes.

Once the retention period expires, personal data is deleted. Users may contact us to request deletion of their data at any time, subject to any legal obligations that require us to retain it.

Security Measures

The Owner implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or misuse. These measures are regularly reviewed and updated as necessary.

Data in transit

Data transmitted between Users and Catalogly is protected using industry-standard encryption protocols during transmission.

Access controls

We take reasonable steps to limit access to personal data to those who need it to perform their role. We periodically review access rights as part of our security practices.

Security incident response

In the event of a personal data breach, Catalogly will take steps to contain and assess the incident. Where required by applicable law, we will endeavor to notify affected merchants without undue delay. Merchants who are required to notify their own customers (as data controllers) will be provided with relevant information to assist them in doing so.

To report a security concern, please contact us at [email protected].

The Rights of Users

Users may exercise certain rights regarding their data processed by the Owner. In particular, Users have the right to:

  • Withdraw consent at any time where consent was previously given, without affecting the lawfulness of processing carried out before withdrawal.
  • Object to processing of their data where processing is based on a legal basis other than consent.
  • Access their data and obtain information about how it is being processed.
  • Rectify inaccurate data and request that it be updated or corrected.
  • Restrict processing of their data under certain circumstances.
  • Request deletion of their data ("right to be forgotten") under certain circumstances.
  • Data portability — receive their data in a structured, commonly used, machine-readable format.
  • Lodge a complaint with their competent data protection authority.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner via email at [email protected]. Requests are free of charge and will be addressed within one month.

California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA).

We do not sell personal data. Catalogly does not sell, rent, or trade the personal information of merchants or any other individuals to third parties for monetary or other valuable consideration.

California residents have the right to:

  • Know what personal information is collected, used, shared, or sold.
  • Request deletion of personal information.
  • Opt out of the sale of personal information (not applicable — we do not sell data).
  • Non-discrimination for exercising their privacy rights.

To exercise these rights, contact us at [email protected].

Automated Decision-Making

Catalogly does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on individuals, as described in Article 22 of the GDPR.

Automated processes are used solely to generate catalog documents (PDFs and online catalogs) from product data provided by merchants. These processes do not make decisions about individuals.

Additional Information about Data Collection and Processing

Legal action

The User's personal data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of this application or the related services. The User declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.

System logs and maintenance

For operation and maintenance purposes, this application and any third-party services may collect files that record interaction with this application (system logs) or use other data (such as IP address) for this purpose.

How "Do Not Track" requests are handled

This application does not support "Do Not Track" requests. To determine whether any of the third-party services it uses honor the "Do Not Track" requests, please read their privacy policies.

Right to Suspend Access

The Owner reserves the right to suspend access to any User's account at any time if there is a reasonable suspicion that the account may not be genuine, or if it appears that the User does not intend to use the software in accordance with its designed purpose. This action is taken to ensure the security of our services, protect the legitimate interests of all users, and uphold the integrity of our product.

Changes to this Privacy Policy

The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page and possibly within this application. It is strongly recommended to check this page often, referring to the date of the last modification listed at the top.

Should the changes affect processing activities performed on the basis of the User's consent, the Owner shall collect new consent from the User, where required.