Privacy Policy for PeakShip Shopify Application
Last updated: November 10, 2025
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.
We use Your Personal data to provide and improve the Service.
By using the Service, You agree to:
Controller name: Peak Tech Korlátolt Felelősségű Társaság
Headquarters: Hungary, (zip:) 1196, (city:) Budapest, (street:) Hunyadi utca 140. Fsz. 2. ajtó
Tax number: 32863576-2-43
Company registration number: 01-09-446645
Name: Gulyás Bendegúz
Address: 1106 Budapest, Gyakorló utca 6. 9. em. 38. ajtó
E-mail: [email protected]
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR), and the Act CXII of 2011 on the right to self-determination and freedom of information (Hungarian law), we provide the following information on data processing to owners of online stores using the extension, their customers, and interested users (hereinafter: customers). The terms used in this information notice shall have the meanings defined in the GDPR.
By accepting Shopify's cookie policy, as a Shopify partner, we have access to the following data: IP address, number of clicks, visit duration. This data is detailed in the cookie policy (https://www.shopify.com/legal/cookies).
Monitoring visitors to the site. When someone views the app on the App Store, we monitor visitors to the Listing Page using Google Analytics.Google Analytics is provided by Google Inc. You can opt out of the use of your data by Google Analytics by installing the Google Analytics Opt-out Browser tool: tools.google.com/dlpage/gaoptout. For more information about Google's privacy practices, please visit Google's Privacy and Terms page: www.google.com/policies/privacy.
The processing of marketing cookies and statistical cookies is based on Article 6(1)(a) of GDPR, on the basis of the consent of the data subject. The processing of necessary cookies is based on Article 6(1)(f) of GDPR, on the basis of the legitimate interest of the data controller, as they are essential for the operation of the application.
In the case of marketing or statistical cookies, until consent is withdrawn or the cookie expires. You can see exactly how long each cookie is stored on your device at: https://www.shopify.com/legal/cookies.
The data controller uses the online advertising program "Google Ads" and, within this framework, also uses Google's conversion tracking service. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). Further information and Google's privacy policy can be found at: https://policies.google.com/privacy
Meta Platform Ireland Ltd. (registered office: Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland 662881, Companies Registration Office: Facebook Ireland Limited, registration number: 462932 Contact details for Facebook's data protection officer: https://www.facebook.com/help/contact/540977946302970
Data processing for purposes other than those specified: None
Risks associated with data processing: The data controller considers data processing to be low risk
Basis for data provision: tracking visitors to the website, assessing interest
Method of data processing: electronically
Source of data: As a Shopify partner, we have access to data collected by Shopify cookies (https://www.shopify.com/legal/cookies) in accordance with section 9.9 of the Shopify Terms of Use.
The following data of online store owners are recorded: the name of the person managing the admin interface, the name and telephone number of the contact person, email address, the name and contact details (phone number) of the person requesting assistance from customer service, the login details provided by the courier service, the location data of the packages, the data recorded in the Shopify application, payment details (account number, billing name, billing address, phone number), the IP address of the service users.
In the course of its activities, the online store operator records the names, delivery addresses, billing addresses, payment confirmations, email addresses, and telephone numbers of persons ordering from the online store in the application, and also has access to the location data of these packages through the Shopify system.
Providing shipping management functions to online store owners
Shipping management functions may include the following:
Owners and administrators of the online store, persons placing orders through the online store, persons contacting customer service.
Article 6(1)(b) of the GDPR, data related to the conclusion and performance of the contract, the billing data provided by the web store operator in the case of a paid application are processed by the data controller in order to comply with the legal obligation under Article 6(1)(c) of the GDPR. This legal obligation is defined in Sections 166 and 169(2) of Act C of 2000 on Accounting (Hungarian law).
The data processing period is 60 days after the termination of the contract with the owner of the online store.
The personal data of persons ordering from the online store will be deleted 60 days after receipt of the ordered product. The 60-day storage period is used for the purpose of handling any complaints or troubleshooting.
Medium
Processing is carried out electronically via the online store operated on Shopify and the installed PeakShip application.
After installing the PeakShip app, the app will access the data you have provided on your Shopify online store. You have consented to this by accepting the terms of Shopify's User Agreement, section 9.9, in which you agree to share your data (and potentially your customers' data). Shopify's privacy policy is available at the following link: https://www.shopify.com/legal/privacy/consumers.
The data controller uses the online advertising program "Google Ads" and, within this framework, also uses Google's conversion tracking service. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). Further information and Google's privacy policy can be found at: https://policies.google.com/privacy
PeakShip uses Google Analytics for "viewing," but only for anonymized data.
The name and contact details of the data subject, as well as other data necessary for identifying the data subject, data relating to the applicant's eligibility, and data provided by the data subject in connection with the case or application, including, where applicable, special categories of personal data
The purpose of data processing is to assess and fulfill the data subject's request or submission received by the data controller (regarding access to, rectification, erasure, or restriction of processing of personal data, and objection to the processing of personal data).
Legal basis for data processing: Data processing is based on the legitimate interest of the data controller pursuant to Article 6(1)(f) of GDPR.
Duration of data processing: 5 years
Data transfer: We do not transfer personal data.
Data processing for purposes other than those specified: None
Risks of data processing: The data controller considers data processing to be low risk
Basis for data provision: to enable the data subject to exercise their rights
Method of data processing: electronically and/or on paper, manually.
Source of data: directly from the data subject
The data subject shall have the right to request from the Data Controller and obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the following information:
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
If the data subject requests a copy of their personal data, the Data Controller shall provide it free of charge on one occasion.
If the data subject has submitted the request electronically, the Data Controller shall provide the information in electronic format, unless the data subject requests it in another format.
The right to request a copy shall not adversely affect the rights and freedoms of others, so, for example, the personal data of others may not be requested.
The data subject shall have the right to obtain from the Data Controller, without undue delay, the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed, including by means of providing a supplementary statement. Any change in identification data must be verified.
The Data Controller requests that any changes to the data be reported immediately, within 8 days at the latest.
he data subject has the right to request that the Data Controller erase personal data concerning him or her without undue delay, and the Data Controller is obliged to erase personal data concerning the data subject without undue delay if one of the reasons listed in Article 17(1) of the GDPR applies. The right to erasure of personal data shall not apply to data included in the information notice pursuant to Article 17(3)(b) of the GDPR in respect of data processing necessary for the performance of a task carried out in the public interest.
The Data Controller shall restrict data processing until the request for erasure has been assessed.
Withdrawal of consent shall not affect the lawfulness of data processing based on consent before its withdrawal.
f data processing is restricted, such personal data may be processed, with the exception of storage, only with the consent of the data subject or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
The data subject shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:
When exercising the right to object, the Data Controller may no longer process personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
In the case of data processing based on the consent of the data subject, a contract, or a legal obligation, this right may not be exercised pursuant to Article 21(1) of the GDPR.
The Data Controller shall comply with the data subject's request to exercise his or her rights within one month of receiving the request. The date of receipt of the request shall not be included in the deadline.
If necessary, taking into account the complexity of the request and the number of requests, the Data Controller may extend this deadline by a further two months. The Data Controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay.
With regard to the secure operation of the application, the data controller declares that the data controller's hosting provider pays special attention to the secure operation of the application. The data controller selects and operates the IT tools and software used for the processing of personal data in the course of providing the service in such a way that the data processed:
The data controller shall take organizational, organizational, and IT measures to ensure the security of data processing, providing a level of protection appropriate to the risks associated with data processing.
During data processing, the data controller shall maintain
The data controller's IT system and network are protected against fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses and break-ins, using IT tools. The operator ensures security through server-level and application-level protection procedures.
The data controller logs the systems in order to record any security deviations and to provide evidence in the event of a security breach. System monitoring also allows the effectiveness of the precautions taken to be checked.
When determining and applying measures to ensure data security, the data controller takes into account the current state of technology and the circumstances of data processing. From among several possible data processing solutions, the data controller chooses the one that ensures a higher level of protection for personal data, unless this would impose a disproportionate burden on the data controller. The data controller shall also enforce these requirements on data processors.
The data controller undertakes to require any third parties to whom it may transfer or disclose data to comply with the above commitments. However, in the case of lawful data transfer by the data controller, the data controller shall not be liable for any damage caused by the recipient.
Data controller If you have questions about the data processed by the data controller or if you believe that you have been harmed during data processing, please first contact the data controller at [email protected]. If the data controller does not take action on the request of the data subject, it shall inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for not taking action and that the data subject may lodge a complaint with a supervisory authority and seek judicial remedy. (GDPR Article 12(4))
The Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH National Authority for Data Protection and Freedom of Information)
Headquarters: 1055 Budapest, Falk Miksa utca 9-11.
web: www.naih.hu
Phone: +36-1-391-1400
Anyone (i.e. not only the data subject) may initiate an investigation by filing a report with the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) on the grounds that a violation of rights has occurred or is imminent in connection with the processing of personal data.
It is important that the report is not anonymous, otherwise the Authority may reject the report without conducting a substantive investigation. Further grounds for rejection are set out in Section 53 of the Infotv.
The Authority's investigation is free of charge, and the costs of the investigation are advanced and borne by the Authority. Detailed rules on the conduct of the procedure are contained in Sections 54, 55(1)-(2) and 56-58 of the Infotv.
As a general rule, a decision shall be made within two months of receipt of the report.
In Hungary, the lawsuit may be brought before the court of the place of residence or domicile of the data subject, at the discretion of the data subject.
In the event of a violation of their rights, the data subject may take legal action against the data controller, as all data subjects are entitled to effective judicial remedy if, in their opinion, their rights under the GDPR have been violated as a result of the processing of their personal data in a manner that does not comply with the GDPR.
The action shall be brought against the controller or processor before the courts of the Member State where the controller or processor has its place of business. Such proceedings may also be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
In Hungary, the action may also be brought before the court of the place of residence or domicile of the data subject, at the choice of the data subject.