Privacy Policy
Last updated: July 16, 2026
1. Introduction
Byteex Ltd, a company registered in Cyprus (Gladstonos 16, Paphos, 8046, Cyprus), operating as Zoex Apps ("Zoex Apps", "we", "us"), provides this website (zoexapps.com, the "Site") and Shopify applications, including Zoex Coming Soon (together, the "Services"). This policy explains what personal information we collect, how we use it, and the rights you have under the GDPR and other applicable data-protection laws.
For information collected from merchants and Site visitors, Byteex Ltd is the data controller. For personal data our apps process about a merchant's storefront visitors (for example, emails collected by a coming soon page), the merchant is the controller and we act as a processor on the merchant's behalf (see section 4).
2. Information we collect
Information you provide
- Merchant account details: your myshopify.com domain, store name, contact email, and Shopify plan, provided by Shopify when you install an app.
- App configuration: the settings you create in the app (page design, schedule, templates, and similar).
- Integration credentials: API keys for marketing platforms you choose to connect (Klaviyo, Mailchimp, Omnisend). These are encrypted at rest and used only to deliver signups to the destination you chose.
- Support conversations: messages and contact details you share when contacting us by chat or email.
Information collected automatically
The Site does not use advertising or analytics trackers. Our hosting provider (Cloudflare) processes standard server logs (IP address, browser type, device, requested pages) for security and delivery. We do not combine these logs with other data.
3. Data from your Shopify store
Our apps access Shopify store data only through the API permissions you approve at install, and only to operate the features you configure: for example, reading your theme's settings to detect the app embed, or creating customers from signups when you enable that destination. We do not sell store or customer data, and we do not use it to train AI models.
4. Data processed for merchants (storefront visitors)
- Email addresses a visitor submits through a coming soon page signup form, stored for the merchant and, where configured, forwarded to the merchant's Shopify customer list or connected marketing platform.
- Aggregate visit counts: each device is counted once (using a browser flag) to show merchants a total-visitors number. We do not build visitor profiles or track visitors across sites.
- Password access: if a merchant enables password access, a signed token in the visitor's browser keeps them unlocked for up to 7 days. The password itself is stored only as a salted hash.
4.1 Data Processing Agreement
For this data the merchant decides why and how it is processed; we process it only on the merchant's instructions. A Data Processing Agreement incorporating GDPR Article 28 terms is available on request at [email protected].
5. How we use information
- To provide, maintain, and improve the Services.
- To deliver visitor signups to the destinations a merchant configures.
- To respond to support requests.
- To secure the Services, including rate limiting and abuse prevention.
- To comply with legal obligations, including Shopify's data protection requirements.
6. Cookies and local storage
The Site sets no cookies. On merchant storefronts, our apps use browser local storage for two narrow purposes: remembering that a device was already counted as a visitor, and holding a visitor's password-access token. Neither is used for tracking or advertising. If we ever introduce analytics or marketing cookies, they will be used only with consent where required by law.
7. Legal basis for processing (GDPR)
- Contract: providing the Services you signed up for.
- Legitimate interests: securing and improving the Services.
- Consent: where required, for example optional communications.
- Legal obligation: for example tax and accounting records.
8. How we share information
We do not sell personal information. We share it only with the service providers below, under contracts that protect it:
- Shopify: the platform our apps run on.
- Cloudflare: hosting and content delivery.
- Supabase: managed database hosting (PostgreSQL).
- Crisp: in-app support chat for merchants.
- Marketing platforms you connect (Klaviyo, Mailchimp, Omnisend): only when a merchant configures them, and only to deliver the signups the merchant collects.
We may also disclose information if required by law or to protect our rights, users, or the public.
9. International transfers
Our providers operate globally. Where personal data is transferred outside the EEA/UK, we rely on appropriate safeguards, including Standard Contractual Clauses.
10. Data security
All traffic is encrypted in transit (TLS). Integration credentials are encrypted at rest; bypass passwords are stored only as salted, iterated hashes and are never readable from the storefront. Access to production systems is limited and logged. No method of transmission or storage is 100% secure, but we work to protect your information with appropriate technical and organizational measures.
11. Data retention and deletion
- When a merchant uninstalls an app, access credentials are deleted immediately and all remaining store data, including collected signup emails and settings, is deleted within 48 hours through Shopify's data deletion process.
- We honor Shopify's privacy webhooks: customer data access requests, customer data erasure (the visitor's stored email is deleted), and full shop data erasure.
- Merchants can view, export, and delete collected signups from the app at any time.
- Records we are legally required to keep (for example for tax or accounting) may be retained longer where the law requires it.
12. Your rights
Depending on your location, you may have the right to access, correct, delete, or export personal information we hold about you, to object to or restrict certain processing, and to withdraw consent. California residents have corresponding rights under the CCPA/CPRA, including the right to know, delete, and opt out of "sales" (we do not sell personal information). Contact us at [email protected] and we will respond within 30 days. You may also lodge a complaint with your local supervisory authority. If a storefront visitor contacts us about data a merchant controls, we will refer the request to the merchant and assist them in fulfilling it.
13. Children's privacy
The Services are business tools intended for users aged 18 or older. We do not knowingly collect personal information from minors.
14. Changes to this policy
We may update this policy as the Services evolve. Updates are posted here with a revised "Last updated" date; material changes receive additional notice in-app or by email.
15. Contact us
Byteex Ltd (trading as Zoex Apps)
Gladstonos 16, Paphos, 8046, Cyprus
[email protected]