Privacy Policy

This Privacy Policy describes how Shoppable ("we", "us", or "our") processes personal data in connection with the provision of our Single Sign-On authentication platform (the "Service"). The Service enables individuals to authenticate and access integrated business-to-business applications ("Registered Applications") using a centralized identity account.

This Policy explains what personal data we collect, the purposes for which we process it, the lawful bases for processing, how data is shared with Registered Applications, and the rights available to data subjects.

I. Categories of Personal Data Processed

In providing the Service, we process personal data necessary to create and manage user identities, facilitate authentication, and enable authorized data sharing.

When a user registers or signs in using the Service, we process identification data including username, email address, and phone number. We also process authentication credentials, which may include hashed passwords or OAuth-based tokens. Where users authenticate via Google, we receive and process profile data and email information as authorized through Google's OAuth consent mechanism.

We process session and technical data necessary to ensure system integrity and security. This includes IP address, device and browser information, timestamps of login activity, and token identifiers associated with active sessions.

Users may optionally provide additional profile information, including profile photographs, full legal name, address book information, contact details, and company or organizational information. The provision of such information is voluntary but may be required by certain Registered Applications depending on the services they provide.

II. Controller and Processor Roles

The determination of whether we act as a data controller or a data processor depends on the specific processing activity being performed within the Service.

We act as a data controller with respect to the collection, storage, and management of user account data necessary to provide authentication, identity verification, consent management, and security monitoring. In this capacity, we determine the purposes and means of processing personal data required to operate the Service.

When a user authorizes a Registered Application to access personal data through OAuth scopes, we transmit such data in accordance with the user's explicit authorization. In relation to that transmission, we may act either as an independent data controller or as a data processor, depending on the contractual framework governing our relationship with the Registered Application.

Where a Registered Application independently determines the purposes and means of processing personal data obtained through the Service, that application acts as an independent data controller and is solely responsible for its own compliance with applicable data protection laws. In such cases, the Registered Application's privacy policy governs its subsequent use of the data.

Where we provide authentication or identity management services to a Registered Application under a written agreement, and process personal data solely on documented instructions from that Registered Application, we act as a data processor. In such circumstances, our processing activities are governed by a Data Processing Agreement that sets out our obligations regarding confidentiality, security, sub-processing, and data subject rights assistance.

Nothing in this Privacy Policy limits the independent obligations of Registered Applications to comply with applicable data protection laws.

III. Purposes and Lawful Bases for Processing

We process personal data for the purpose of providing secure authentication and identity management services, maintaining user accounts, enabling OAuth-based authorization, managing session security, preventing fraud, complying with legal obligations, and improving service reliability.

The lawful basis for processing personal data necessary for authentication and account management is the performance of a contract with the user (Article 6(1)(b) GDPR).

We process security-related data, including IP addresses and login metadata, on the basis of our legitimate interests (Article 6(1)(f) GDPR), specifically our interest in protecting our systems, preventing unauthorized access, and ensuring account integrity.

Where users authorize the sharing of personal data with Registered Applications through OAuth scopes, we rely on the user's consent (Article 6(1)(a) GDPR). Consent is obtained through a clear authorization interface that specifies the categories of data requested. Users may withdraw consent at any time by revoking the application's access within their account settings.

Where processing is required to comply with applicable laws or regulatory obligations, we rely on compliance with a legal obligation (Article 6(1)(c) GDPR).

IV. OAuth Authorization and Data Sharing

The Service operates in accordance with OAuth standards, allowing Registered Applications to request access to specific categories of personal data through defined scopes. Applications may request access to identity information such as username, email address, phone number, full name, and profile photograph. Applications may also request access to address book data, contact information, or organizational information, depending on the functionality of the application.

Access to such data is granted only after the user provides explicit authorization. Registered Applications may access only the data within the scope granted by the user and, where applicable, are contractually required to process such data in accordance with applicable data protection laws.

We do not sell personal data. Data is transmitted solely to enable user-directed integration between the Service and Registered Applications.

V. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including the provision of authentication services and compliance with legal obligations. Personal data associated with an active account is retained for the duration of the account's existence.

If a user deletes their account, authentication credentials are securely removed, and active access tokens are revoked. Certain records may be retained where required for legal compliance, dispute resolution, or security purposes.

VI. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include encryption of data in transit using TLS (HTTPS), storage of passwords only in salted and hashed form, token expiration and revocation controls, role-based access restrictions, and audit logging.

We continuously assess and improve our security practices to mitigate risks of unauthorized access, accidental loss, destruction, or alteration of personal data.

VII. International Data Transfers

Personal data may be processed outside the United States where our infrastructure or service providers are located. Where such transfers occur, we ensure appropriate safeguards, including the use of Standard Contractual Clauses or other legally recognized transfer mechanisms.

VIII. Data Subject Rights

Individuals have the right to access their personal data, request rectification of inaccurate information, request erasure of their data, restrict processing, object to processing based on legitimate interests, and request data portability where applicable.

Where processing is based on consent, individuals may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

Requests to exercise data subject rights may be submitted using the contact details provided below.

Individuals also have the right to lodge a complaint with a supervisory authority.

IX. Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, affected individuals will be informed without undue delay.