Smart Breadcrumbs by TiwaaData Processing
Last updated: April 22, 2026
This page describes how Tiwaa processes data on behalf of merchants who use Smart Breadcrumbs, in accordance with the GDPR (as data processor) and CCPA. It supplements our Privacy Policy.
1. Roles
In the context of GDPR:
- You (the merchant) are the data controller for your customers' personal data.
- Tiwaa is a data processor acting on your instructions when we access your store data via the Shopify API. We are also a data controller for data we hold directly (shop settings, billing records).
2. Data We Process
The table below lists every category of data we hold or process:
| Category | Data | Purpose | Retention |
|---|---|---|---|
| Shop identity | Shop domain (e.g. mystore.myshopify.com) | Identify and namespace per-merchant data | Until uninstall + 30 days |
| Authentication | Shopify offline access token (encrypted) | Webhook processing and admin API calls | Until uninstall + 48 hours |
| App settings | Breadcrumb style preferences | Render breadcrumbs on storefront | Until uninstall + 30 days |
| Billing state | Active plan name, installation timestamp | Trial tracking and plan gating | Until uninstall + 30 days |
We do not process customer PII (names, emails, addresses, payment data) from your store.
3. Sub-processors
We engage the following sub-processors. All are bound by data processing agreements consistent with GDPR requirements:
| Sub-processor | Purpose | Location | Privacy policy |
|---|---|---|---|
| Shopify Inc. | Merchant authentication, billing, and webhook delivery | Canada / USA | View policy |
| Cloudflare, Inc. | App hosting (Workers, Pages), database (D1), KV storage | USA (global edge) | View policy |
We will notify you of any new sub-processors by updating this page and revising the "Last updated" date at least 10 days before the new sub-processor begins processing.
4. International Transfers
Data may be processed in the United States (Cloudflare, Shopify) and Canada (Shopify). Cloudflare participates in the EU–US Data Privacy Framework. Shopify's international transfers are covered by Standard Contractual Clauses.
5. GDPR Webhook Processing
We implement all mandatory Shopify GDPR webhooks:
customers/data_request— we respond with confirmation that no customer PII is held within 30 days.customers/redact— processed within 30 days; no customer PII to delete.shop/redact— all shop data deleted within 30 days of receipt.
6. Security Measures
- All data in transit encrypted with TLS 1.2+.
- Shopify access tokens encrypted at rest in Cloudflare D1.
- API endpoints require a shared secret header (
X-Platform-Key) in addition to OAuth session verification. - Dependency audits run on every deployment; high/critical CVEs block release.
7. Contact
Data processing enquiries: support@tiwaa.io