Privacy Policy

Last updated: April 2026

1. Data Controller

Shoplio AB, registered in Sweden, is the data controller for personal data processed through the Shoplio platform. For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Swedish Data Protection Act (Dataskyddslagen), the data controller can be contacted at [email protected].

Individual merchants who operate stores on Shoplio act as independent data controllers for the personal data of their customers. Shoplio acts as a data processor on behalf of merchants for customer data processed through the platform.

2. Information We Collect

We collect information you provide directly to us, as well as information generated through your use of the platform:

  • Account data: Email address, password (hashed), authentication provider details (GitHub, Google), avatar URL
  • Transaction data: Order amounts, payment references, cryptocurrency wallet addresses (for withdrawals), crypto amounts and currencies
  • Customer data: Email addresses provided during checkout, customer account information (where accounts are created on merchant stores)
  • Technical data: IP addresses and user agent strings (collected for fraud prevention and security), browser type
  • Store data: Shop names, descriptions, product listings, theme configurations
  • Communication data: Support emails and any information you provide when contacting us

3. Legal Basis for Processing

We process your personal data under the following legal bases as defined by the GDPR:

  • Performance of contract (Art. 6(1)(b)): Processing necessary to provide the Shoplio platform services, including account management, payment processing, order fulfillment, and customer support.
  • Legal obligation (Art. 6(1)(c)): Processing required by law, including fraud prevention, tax record keeping under Swedish bookkeeping requirements (Bokföringslagen), and compliance with law enforcement requests.
  • Legitimate interests (Art. 6(1)(f)): Processing for platform security, abuse prevention, service improvement, and analytics. Our legitimate interests do not override your fundamental rights and freedoms.
  • Consent (Art. 6(1)(a)): For non-essential cookies (analytics), where required. You may withdraw consent at any time via our cookie consent mechanism.

4. How We Use Your Information

We use the information we collect to provide, maintain, and improve our services, process transactions, send you technical notices and support messages, detect and prevent fraud, and respond to your comments and questions.

5. Information Sharing & Third-Party Processors

We do not sell your personal information. We share data only with the following categories of third-party processors, each operating under data processing agreements:

  • Cryptomus — Cryptocurrency payment processing (payment creation, payout processing, transaction verification)
  • OxaPay — Alternative cryptocurrency payment processing (payment creation, payout processing)
  • SMTP email provider — Transactional email delivery (order confirmations, verification emails, password resets)
  • Cloudflare — DNS management, TLS certificates, and DDoS protection for custom domains

Where these processors operate outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in compliance with GDPR requirements.

6. International Data Transfers

Some of our third-party processors may process personal data outside the European Economic Area (EEA). When this occurs, we ensure the transfer is protected by one or more of the following mechanisms: (a) Standard Contractual Clauses (SCCs) as adopted by the European Commission, (b) an adequacy decision by the European Commission for the recipient country, or (c) other appropriate safeguards as permitted under Article 46 of the GDPR. You may request details of these safeguards by contacting us at [email protected].

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Specific retention periods are as follows:

  • Account data: Retained for the duration of your account and deleted within 30 days of account deletion
  • Transaction and order records: Retained for 7 years from the date of the transaction, as required by Swedish bookkeeping law (Bokföringslagen)
  • IP addresses and security logs: Retained for up to 12 months for fraud prevention and security purposes
  • Customer data on merchant stores: Retained for as long as the merchant's store is active; deleted when the store is deleted
  • Support communications: Retained for up to 24 months after the last communication

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including: AES-256 encryption for sensitive data at rest (such as stock items and delivered content), TLS encryption for all data in transit, JWT-based authentication with short-lived access tokens, and secure password hashing using bcrypt. We regularly review and update our security practices.

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, in accordance with Article 34 of the GDPR.

10. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
  • Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data.
  • Right to erasure (Art. 17): You have the right to request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18): You have the right to request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): You have the right to object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint (Art. 77): You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se.

To exercise any of these rights, contact us at [email protected]. We will respond to your request without undue delay and in any event within one month of receipt, as required by Article 12(3) of the GDPR. Where a request is particularly complex, this period may be extended by up to two further months; if so, we will inform you of the extension and the reasons for it within the first month.

11. Cookies

We use cookies and similar technologies to operate the platform. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a notice on the platform at least 30 days prior to taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at [email protected].