Tuesday Apps is the trading name of UAB Tuesday, a private limited company incorporated in Lithuania. In this policy, “Tuesday Apps”, “we”, “our”, and “us” refer to UAB Tuesday. We build Shopify applications for merchants. This Privacy Policy explains what personal information we handle when a merchant installs one of our apps, when staff in a merchant’s organization use our admin interface, and when end customers interact with a storefront on which one of our apps is active.
1. Who This Policy Applies To
This policy covers three groups of people whose data we may process:
- Merchants — the Shopify store owners and staff who install and configure our apps.
- Storefront visitors — the end customers who browse and purchase from a store where one of our apps is running.
- Website visitors — people who visit our marketing site, documentation, or support channels.
2. Our Role: Controller and Processor
Our responsibilities under data-protection law (including the EU GDPR, the UK GDPR, and comparable regimes) depend on whose data we are processing:
- For merchant account data — the contact details of the shop owner and staff, billing references, support correspondence, and our marketing communications — we act as the data controller.
- For storefront-visitor and end-customer data accessed through Shopify on a merchant’s behalf — for example, order, customer, and discount data — we act as a data processor. The merchant is the controller and determines the purposes and means of that processing; we process the data only to provide the functionality the app offers to that merchant.
- For storefront events we record directly — for example, that a bundle was viewed, added to cart, or completed at checkout — we act as a processor for the merchant. The merchant is responsible for obtaining any consent required under applicable law before such events are recorded.
If you are a storefront visitor and want to exercise a privacy right relating to a specific store, please contact that store directly. The merchant is the controller of that data and is best placed to action your request; we will support the merchant in doing so.
3. Information We Collect
3.1 Information we receive from Shopify
When you install a Tuesday Apps product on your Shopify store, Shopify grants us scoped access to the data the app needs in order to function. Depending on the app, this may include:
- Shop identifier, domain, country, currency, locale, and primary timezone
- Store owner name and email address used for support and billing notifications
- Product, variant, collection, inventory, and price data needed to render and price offers
- Order and discount data needed to apply offers and report on their performance, including any customer personal information contained in those orders (such as name, email, and shipping address)
- Theme metadata required to render storefront widgets and extensions
We do not request or store cardholder or full payment-method data. Billing is handled by Shopify and we only receive a Shopify-issued billing record reference.
3.2 Information collected automatically
As you and your customers use a Tuesday Apps product, we automatically collect technical information needed to operate the service, including IP address, user agent, device and browser information, referring URL, requested endpoints, response status, and timestamps. Storefront events tied to our offers (for example, that a bundle was viewed, added to cart, or completed at checkout) are recorded so that merchants can measure performance.
3.3 Information you provide directly
If you contact our support team, submit feedback, or fill out a form on our website, we collect the information you choose to send us, such as your name, email address, the contents of your message, and any attachments you include.
3.4 Cookies and similar technologies
We use cookies, local storage, and similar technologies in two distinct contexts:
- In the merchant admin interface, we use strictly-necessary cookies and local storage to maintain your session with Shopify and remember interface preferences. These are required for the app to function.
- On a merchant’s storefront, our theme extension may use local storage and short-lived identifiers to remember which bundle a visitor has assembled so the correct offer is applied at checkout, and to associate the resulting checkout with the offer for the merchant’s reporting. Where consent is required under applicable law (including the EU/UK ePrivacy regime), the merchant is responsible for collecting that consent through their storefront, typically via Shopify’s customer privacy API or a third-party consent platform.
We do not use cookies for cross-site advertising and do not share cookie-derived data with advertising networks.
4. How We Use Information and Our Lawful Bases
We use the information we collect for the following purposes. Where the EU or UK GDPR applies, we rely on the lawful bases indicated:
- Service delivery — running the app, syncing your configuration to Shopify, and applying offers at checkout. Lawful basis: performance of our contract with the merchant; for storefront-visitor data, processing carried out on the merchant’s instructions as their processor.
- Support and account communications — responding to your questions and sending transactional notices about your account. Lawful basis: performance of contract.
- Reliability, security, and fraud prevention — investigating errors, preventing abuse, detecting fraud, and protecting the integrity of the service. Lawful basis: our legitimate interest in keeping the service operational and secure, balanced against your interests and rights.
- Product improvement — understanding how features are used in aggregate so that we can prioritize improvements. Lawful basis: our legitimate interest in improving the service.
- Marketing communications — sending product updates and offers to merchant contacts who have not opted out. Lawful basis: your consent (where required) or our legitimate interest in promoting our services to existing merchants. You can opt out at any time by using the unsubscribe link in any message or by emailing john@tuesday-apps.com.
- Legal compliance — meeting our obligations under applicable law, including responding to lawful requests from authorities. Lawful basis: compliance with a legal obligation.
We do not sell personal information, we do not “share” it for cross-context behavioral advertising as those terms are defined under California law, and we do not use it to advertise unrelated products to your storefront visitors.
5. Sharing and Sub-processors
We share personal information only with parties who help us provide the service, and only to the extent they need it. Typical categories of recipients include:
- Cloud hosting and database providers that run our infrastructure
- Error-monitoring and observability tools that help us detect and fix issues
- Aggregate analytics providers that help us understand usage patterns
- Customer-support tools that store ticket history and conversations
- Shopify, where our apps are installed and operate
Each of these providers is bound by contractual confidentiality and data-protection obligations and is only permitted to process personal information on our instructions.
We may also disclose personal information when we believe in good faith that disclosure is required by law, necessary to enforce our terms, or needed to protect the rights, property, or safety of Tuesday Apps, our merchants, or others. In the event of a merger, acquisition, or sale of all or part of our business, personal information may be transferred to the acquiring entity, subject to this policy.
6. International Transfers
Tuesday Apps is established in Lithuania and primarily processes personal information within the European Economic Area. Some of our service providers operate in countries outside the EEA, including the United States. Where personal information is transferred to a country that has not been recognized as providing an adequate level of protection, we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914) together with supplementary technical and organizational measures where appropriate. You may request a copy of the safeguards in place for a specific transfer by contacting us.
7. Data Retention
We retain personal information only for as long as we have a lawful purpose to do so. Typical retention periods are:
- App configuration and operational data — for as long as the app is installed, then deleted or anonymized within 30 days of uninstallation, or sooner if Shopify’s privacy webhooks require it.
- Order and customer data accessed under Shopify scopes — only for as long as needed to operate the offer and produce reporting; in line with Shopify’s Protected Customer Data requirements (see Section 8), we minimize retention and remove this data in response to Shopify’s customer privacy webhooks.
- Storefront event records — up to 24 months for performance reporting, then deleted or aggregated.
- Application and security logs — up to 90 days, except where a longer period is required for incident investigation.
- Support correspondence — up to 24 months after the ticket is closed.
- Billing and tax records — up to 7 years to meet accounting and tax obligations.
Where we are legally required to retain information for longer, we will do so and continue to protect it under this policy.
8. Shopify-Specific Commitments
Because our apps are distributed through the Shopify App Store, we comply with Shopify’s Partner Program requirements and its Protected Customer Data Policy:
-
We honor Shopify’s mandatory privacy webhooks —
customers/data_request,customers/redact, andshop/redact— and action each within the timeframe Shopify requires. - We request only the OAuth scopes our apps actually need and apply data-minimization principles to any customer personal information we access.
- We do not retain customer personal information accessed under Shopify scopes beyond what is necessary to provide the requested service to the merchant.
9. Your Rights
Depending on where you live, you may have the right to:
- Request access to the personal information we hold about you
- Ask us to correct information that is inaccurate or incomplete
- Ask us to delete personal information, subject to legal exceptions
- Object to or restrict certain types of processing
- Request a copy of your information in a portable format
- Withdraw consent where we rely on your consent (for example, for marketing emails or non-essential cookies). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us using the details in Section 15. We will respond within the timeframe required by applicable law. If your request relates to data we process on behalf of a merchant (for example, your order history with a specific store), we will direct your request to the merchant, who is the controller of that data, and support them in actioning it.
10. California Privacy Rights
This section applies to California residents and supplements the rest of this policy. It is provided under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”).
In the preceding twelve months, we have collected the following categories of personal information, as defined in Cal. Civ. Code § 1798.140:
- Identifiers (name, email, IP address, account identifiers) — sourced from you, the merchant, and Shopify; used for service delivery, support, security, and communications.
- Commercial information (subscription status, order metadata accessed under Shopify scopes) — sourced from Shopify; used for service delivery and reporting.
- Internet or network activity (usage logs, storefront events, device and browser information) — sourced automatically; used for service delivery, security, and product improvement.
- Geolocation data at the country/region level, derived from IP address — sourced automatically; used for security and localization.
- Professional or employment-related information for merchant contacts (role, employer) — sourced from you; used for account management.
- Inferences drawn from the above for aggregate product analytics — sourced from the categories above; used for product improvement.
We do not sell personal information and do not share it for cross-context behavioral advertising. We do not knowingly collect or process sensitive personal information for the purpose of inferring characteristics about a consumer.
California residents may exercise the following rights, subject to verification of identity:
- The right to know what personal information we have collected and how it is used and shared
- The right to delete personal information, subject to statutory exceptions
- The right to correct inaccurate personal information
- The right to opt out of sale or sharing (we do not sell or share, but the right is acknowledged)
- The right to limit the use of sensitive personal information (not exercised here because we do not process sensitive personal information for inferences)
- The right not to receive discriminatory treatment for exercising any of these rights
To submit a request, email john@tuesday-apps.com with “California Privacy Request” in the subject line. You may also use an authorized agent to submit a request; we will require written proof of authorization and may verify your identity directly.
Under California Civil Code § 1798.83 (“Shine the Light”), California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. We do not make such disclosures.
11. Automated Decision-Making
We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects on individuals. Bundle, discount, and offer logic operates on merchant-defined rules applied to cart contents and does not produce decisions of that kind.
12. Security
We use industry-standard technical and organizational measures to protect personal information, including encryption in transit, access controls, audit logging, and routine review of our systems. No method of transmission or storage is fully secure, so we cannot guarantee absolute security, but we work continuously to strengthen our practices.
13. Children
Our apps are intended for use by merchants and their staff and are not directed to children. We do not knowingly collect personal information from anyone under the age of 13, or under the applicable age of digital consent in your jurisdiction (which is 16 in parts of the European Economic Area and the United Kingdom). If you believe a child has provided us with personal information, please contact us so we can take appropriate action.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. When we do, we will update the “Last updated” date at the top of this page. For material changes, we will provide at least 30 days’ advance notice to active merchants by email to the account contact on file or by an in-app banner before the changes take effect.
15. Contact Us
If you have questions or concerns about this policy or how we handle your personal information, you can reach us at:
UAB Tuesday (trading as Tuesday Apps)
Panerių g. 39-833, LT-03209 Vilnius, Lithuania
john@tuesday-apps.com
Our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, vdai.lrv.lt). If you are in the EEA and feel we have not adequately addressed your concern, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate or with the supervisory authority of your country of residence. If you are in California, you may contact the California Attorney General’s office. Other jurisdictions may have analogous regulators.