Privacy notice
This notice covers personal data handled by sico across all our products. Each product also has a focused notice with the specifics of its data flows: Ops Console, Growth Layer, Affiliate Manager.
1. Who we are
"sico" is the trading name of Sico Software Ltd, registered in Scotland at Suite 2/3, 2nd Floor, 48 West George Street, Glasgow G2 1BP, United Kingdom. We are registered with the UK Information Commissioner's Office under registration number ZC106029.
We are the data controller for direct customers of our standalone products. For data we process on behalf of merchants (Shopify shop owners using our apps with their shoppers' data), the merchant is the controller and sico is the processor.
2. What we collect, by category
| Category | Examples | Lawful basis |
|---|---|---|
| Account | email, name, hashed password | contract |
| Operational | orders, products, inventory levels (from merchant Shopify) | contract / processor |
| Marketing performance | ad spend, campaign metadata, conversion counts | contract / processor |
| Identifying | email, phone, name, address, IP | processor (merchant-controlled) |
| Derived | visitor session ID, fingerprint hash | processor (merchant-controlled) |
| Financial | order line items, payouts, refund amounts | legal obligation (tax) |
3. How we use it
- Run the products you (or your merchant) installed.
- Show you reports, anomalies, and recommended actions.
- Detect fraud and abuse on our infrastructure.
- Bill paying customers (via Stripe and Shopify Billing).
- Reply to support tickets you raise with us.
We do not use your data, or your shoppers' data, to train AI models. We do not sell data. We do not run third-party advertising on our properties.
4. Where it lives
One Postgres database on a single VPS in Falkenstein, Germany (Hetzner Cloud, EU/EEA). Daily encrypted backups to S3-compatible object storage in the EU. A small set of named third-party processors receive scoped data — see section 8. Where a processor offers regional residency, we configure EU/EEA where available and operate under their Standard Contractual Clauses where not.
5. Retention
We apply storage limitation per Art 5(1)(e) of UK/EU GDPR. The windows below are enforced by an automated daily job; nothing is retained "just in case."
| Data | Window | Reason |
|---|---|---|
| Webhook bodies (raw payloads) | 90 days | troubleshooting; metadata kept for audit |
| Domain event log | indefinite | system of record |
| Admin actions audit trail | 7 years | compliance audit (Art 30) |
| Compliance audit trail | 7 years | proof of DSAR/redaction handling |
| Order and financial mirrors | 10 years from last order | UK/EU tax law (VAT, HMRC) |
| Customer / visitor identifying data | 30 days after last activity, or on redact | data minimisation |
| Click and conversion identifying data | 90 days; aggregates kept | attribution + minimisation |
| Portability pack download URLs | 30 days from generation | post-uninstall self-serve |
6. Your rights (UK/EU GDPR)
- Access (Art 15) — copy of your data within 30 days.
- Erasure (Art 17) — without undue delay; financial records retained under tax law are anonymised, not deleted.
- Portability (Art 20) — JSON + CSV bundle within 30 days; for merchants, also generated automatically on app uninstall.
- Rectification, restriction, objection, and the right to complain to your supervisory authority.
Email privacy@sico.software. We do not require account verification beyond proving control of the email address tied to the data. The data deletion page covers the erasure procedure end-to-end, including the per-processor redact instructions and what we retain for tax law.
7. App-uninstall handling (Shopify)
When a merchant uninstalls one of our Shopify apps, we revoke our access token within seconds, generate a portability pack, and email the merchant a download link. We hold the data for 48 hours as a recovery window in case of accidental uninstall, then schedule full deletion. Shopify also sends us a shop/redact webhook 48 hours after uninstall, which we honour as the final cue to delete.
8. Third-party processors
The processors we share scoped data with, and what each holds. Each one implements a redact-on-request contract that is invoked when you exercise your rights under section 6.
| Processor | Holds | Purpose |
|---|---|---|
| Hetzner Cloud (DE) | everything (infrastructure) | hosting |
| Stripe | customer + payment data | billing, affiliate payouts |
| Klaviyo | profile + event history | email marketing on merchant's behalf |
| Meta (Facebook) | hashed audiences | custom audience push |
| Google Ads | hashed customer-match lists | customer match push |
| PostHog (EU region) | person + event properties | product analytics |
| Sentry (EU region) | user context + error events | error monitoring |
| Resend | delivery metadata (recipient, timestamp) | transactional email |
| Anthropic | prompt context (no PII; scrubbed pre-send) | LLM-generated narratives and diagnoses |
Per-app privacy notices list which subset of these is in play for each product.
9. Cookies and tracking
This marketing site (sico.software) uses no analytics cookies, no advertising cookies, and no third-party trackers. Our authenticated apps use first-party session cookies needed to keep you signed in, and may load product-analytics scripts from the processors listed in section 8 — those are scoped to authenticated users only and never run on this marketing site.
10. Changes
Material changes are announced by email to active customers and reflected in the "Last updated" date above. The previous version remains accessible on request.