Privacy Policy
Last updated: 2026-06-02
This Privacy Policy is published in English, Arabic, and Spanish. The English version is the legally binding version; translations are provided for the convenience of readers. In the event of any conflict between the English version and a translation, the English version governs.
1. Who we are
Badilify ("Badilify," "we," "us," or "our") is operated by Dawerlee Single Person Company for Software Sales, a company registered in Kuwait under Commercial Registration number 501532, with its registered office at Al Nasser Tower, 1st Floor, Office 2, Block 13, Al Sour Street, Al Qibla, Al Asimah, Kuwait. Badilify provides software-as-a-service tools for Shopify merchants to manage out-of-stock product replacements and customer notifications. For privacy-related questions, requests, or complaints, contact us at support@badilify.com. When this policy says "Store owner" or "merchant," we mean the Shopify shop owner who installs Badilify. When it says "Shopper" or "customer," we mean the end-buyer placing orders on the Store owner's storefront. When it says "you," the meaning is determined by the section context. For data protection purposes, Badilify acts as a data controller for data we collect directly from Store owners (such as account settings and notification preferences), and as a data processor acting on the Store owner's instructions for shopper personal data that flows through our service.
2. What data we collect
We collect only the data needed to operate the service. We do not buy data, sell data, or use data for advertising. From the Store owner (when installing or using Badilify): • Shopify shop domain (e.g. your-store.myshopify.com) • Shopify access token, scoped to the permissions the Store owner grants at install time (read_products, read_orders, read_customers only) • Public contact name and contact email — provided by the Store owner via Settings, displayed to Shoppers on customer-facing pages • Notification email — used to send the Store owner alerts about new backup requests • Brand color, language preference, and other display settings • Subscription plan, billing events, and usage metrics needed for billing • Server logs of admin actions (e.g. settings changes, rule edits) retained for operational debugging From the Shopper (when placing an order on a Store owner's storefront, only if Badilify is installed and the Shopper interacts with a Badilify-managed product): • Customer email address (from the order Shopify sends us) • Order identifier and order line item details • The Shopper's choice of replacement product, if they make one • Shopper-language preference, stored in browser localStorage on the Shopper's device only Badilify does not itself collect, store, or log the Shopper's IP address. Our hosting provider (Fly.io) may process IP addresses transiently at the network/infrastructure level for security and abuse prevention under its own policy; we do not retain IP addresses in our application data or logs. Generated by our service: • Backup request records (one row per request), including the original product, the replacement product offered, the timestamp, and the resolution • Email logs (one row per outbound notification), used for delivery deduplication Not collected: • Payment card details (handled directly by Shopify Billing — we never see them) • Shopper street addresses or phone numbers • Browsing activity outside Badilify-managed product pages • Any biometric, health, financial account, or government-ID data From waitlist sign-ups (when you leave your email on our homepage because your store runs on a platform we don't support yet): • Your email address • The e-commerce platform you selected • Optionally, your store URL, name, and country, if you provide them We collect this only with your explicit consent, and use it solely to email you product updates about Badilify for your platform. You can unsubscribe or ask us to delete it at any time by emailing support@badilify.com.
3. Why we collect it
We process personal data on the following lawful bases: • Performance of a contract — providing the service to the Store owner; notifying the Shopper that an item is unavailable; billing the Store owner. • Legitimate interest — sending the Store owner notifications about backup request activity; investigating abuse, fraud, or security incidents. • Legal obligation — complying with applicable laws. We do not process any personal data on the basis of consent, except where you explicitly opt in (for example, by enabling email notifications in Settings). Where consent is the basis, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
4. How long we keep it
• Active install data: retained for the duration of the install. Deleted within 48 hours of uninstall via automated webhook. • Backup request records: retained 12 months from final status. After 12 months, personally identifying fields anonymised; aggregate record preserved. • Customer redaction requests: anonymised within 30 days of Shopify's customers/redact webhook. • Customer-action tokens: expire after 7 days. • Email send logs: 12 months for deduplication, then deleted. • Server access logs: 30 days, then deleted. • Billing event records: 7 years for Kuwait corporate accounting and tax obligations. You can request earlier deletion by emailing support@badilify.com. See section 7.
5. Who we share it with
We share personal data only with the following sub-processors, each operating under our instructions: • Shopify Inc. — App platform, billing, GDPR webhooks. All Shopify-sourced data. Multiple regions per Shopify policy. • Fly.io, Inc. — Application hosting, database. All service data. Frankfurt, Germany (eu-central). • Resend, Inc. — Transactional email. Recipient email, message content. European Union (Ireland, eu-west-1). Resend is incorporated in the United States, so cross-border transfer safeguards still apply (see section 6). • GoDaddy.com, LLC — Domain DNS, MX forwarding. Inbound email to support@badilify.com. United States. • Supabase, Inc. — Waitlist lead storage. Waitlist sign-up data only (email, selected platform, optional store URL/name/country). Hosted on AWS in the European Union. Each sub-processor is contractually required to handle data per applicable data protection law. We do not sell personal data. We will disclose data only when legally compelled, and where legally permitted will notify the affected party first. We do not use Google Fonts, Google Analytics, Facebook Pixel, or any third-party analytics or tracking. As of 2026-05-08, the Cairo typeface used in our customer-facing pages is self-hosted from badilify.com; no font requests are sent to Google or any third-party CDN.
6. International data transfers
Personal data is stored on infrastructure located outside Kuwait: • Application database and primary processing in Frankfurt, Germany (Fly.io eu-central) • Outbound email processed via Resend in the European Union (Ireland, eu-west-1) Resend, Inc. is incorporated in the United States, so although email is processed in the EU, the relationship may involve a cross-border element. These transfers are necessary for service operation. Where required, we rely on the European Commission's Standard Contractual Clauses, the recipient's adequacy decision, or equivalent transfer safeguards. Data subjects in any jurisdiction may request a copy of relevant transfer safeguards by contacting support@badilify.com.
7. Your rights
Subject to applicable law, you have the right to: • Access — request a copy of personal data we hold about you • Rectification — correct inaccurate or incomplete data • Erasure — request deletion of your personal data • Restriction — limit how we process your data while a request is investigated • Portability — receive your data in a structured, machine-readable format • Objection — object to processing based on legitimate interests • Withdraw consent — where processing is based on consent • Complain — to a supervisory authority (Kuwait's Communication and Information Technology Regulatory Authority for Kuwait residents; the data protection authority of your country of residence for others) To exercise any of these rights, email support@badilify.com. We will acknowledge within 7 days and respond substantively within 30 days. We may need to verify your identity before acting; this protects you from unauthorised disclosure. If you are a Shopper interacting with a Store owner's storefront, please direct rights requests to the Store owner first. The Store owner is the data controller for order data we process on their behalf. We will assist the Store owner in responding. Badilify implements Shopify's mandatory privacy webhooks and acts on the requests they carry: customers/data_request — we retrieve the data we hold for the identified customer and make it available to the Store owner; customers/redact — we erase or irreversibly anonymise the identified customer's data; shop/redact — on uninstall, we purge all data associated with the shop.
8. Cookies and similar technologies
We use only the cookies and storage strictly necessary for the service to function: • Session cookies set by Shopify, required for embedded admin authentication. Governed by Shopify's policy. • localStorage on the Shopper's device, used to remember preferred language for the replacement-choice page and pre-selected backup product across cart-to-checkout. Both writes are functional, not tracking. The Shopper can clear them at any time via browser settings. We do not set advertising cookies, tracking pixels, or behavioural analytics cookies. We do not need a cookie consent banner because we do not set non-essential cookies.
9. Children's data
Badilify is a business-to-business service. We do not knowingly collect personal data from anyone under 16. If a Shopper under 16 interacts with a Store owner's storefront and Badilify processes their data, the Store owner remains responsible for any age verification or parental consent obligations. If you believe we hold data of a person under 16 in error, contact support@badilify.com and we will delete it.
10. Security
• All traffic served over HTTPS (TLS 1.2 or higher) • Application database resides on encrypted persistent storage at our hosting provider • Principle of minimum scope: we request only the Shopify permissions strictly needed (read_products, read_orders, read_customers); never payment, fulfilment, or inventory write scopes • Production system access limited to authorised Badilify personnel and audited • We validate cryptographic signature of every Shopify webhook before processing • We do not store payment card data; handled by Shopify Billing No system is perfectly secure. If we discover a personal data breach affecting you, we will notify you and the relevant supervisory authority per applicable law.
11. Changes to this policy
We may update this Privacy Policy from time to time. The current version is always available at this URL with the date at the top. For material changes (expanding data categories, changing legal bases, expanding recipients), we will notify Store owners at least 30 days in advance via in-app banner and email to the notification email on file. Continued use after the effective date constitutes acceptance. For non-material changes (clarifications, typo fixes, formatting), we update the document and "Last updated" date without separate notice.
12. Contact us
Email: support@badilify.com Postal address: Dawerlee Single Person Company for Software Sales, Al Nasser Tower, 1st Floor, Office 2, Block 13, Al Sour Street, Al Qibla, Al Asimah, Kuwait Commercial Registration: 501532 We respond to privacy inquiries within 30 days. If not satisfied with our response, you have the right to lodge a complaint with a data protection supervisory authority.