Circle Halo Privacy Policy
Effective Date: October 2, 2025
Last Updated: October 2, 2025
1. Introduction
Circle Halo (“Circle Halo,” “Company,” “we,” or “us”) provides a software-as-a-service (SaaS) platform that enables sellers of personalized and made-to-order products to manage, monitor, and fulfill eCommerce orders (the “Services”).
This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with our Services. It applies to all users, visitors, and customers who access Circle Halo’s websites, applications, or connected integrations (collectively, the “Software”).
By using our Services, you acknowledge and agree to this Privacy Policy. If you do not agree, you should discontinue use of the Services.
2. Scope, Roles, and Responsibility
(a) Scope of Policy
This Privacy Policy applies to:
- User Data: Information collected directly from you when you create an account, subscribe, or interact with us.
- Order Data: Data imported from third-party platforms you connect (e.g., Etsy, Amazon, Shopify) for order management.
- Payment Data: Processed through our merchant-of-record provider, Paddle.
This Policy does not govern the privacy practices of third parties (such as Etsy, Amazon, Shopify, or Paddle), which maintain their own privacy policies.
(b) Data Controller and Processor Roles
For the purposes of the General Data Protection Regulation (GDPR) and similar global privacy laws:
- You (Our Customer/Seller) are the Data Controller for the Order Data (personal data of your end-customers) that is imported into the Services. You determine the purposes and means of processing that data.
- Circle Halo is the Data Processor acting strictly on your instructions to provide the Services (e.g., importing, unpacking, displaying data for fulfillment). Our use of Order Data is governed by this Policy and our Terms of Service.
When you connect your Shopify store to Circle Halo:
- You (the Merchant) are the Data Controller for all customer order data imported from your Shopify store.
- Circle Halo acts as a Data Processor for Shopify order data, processing it solely to provide order management and fulfillment services.
- Shopify Inc. maintains its own privacy policy and data practices for data stored on Shopify’s platform.
When you connect your Etsy shop to Circle Halo:
- You (the Etsy seller) are the Data Controller for all Etsy Member personal information accessed through the Etsy API.
- Circle Halo acts as a service provider to you and processes Etsy Member personal information only to fulfill the services provided under our Application Terms with you.
- Etsy, Inc. maintains its own privacy policy and data practices for data stored on Etsy’s platform.
(c) Etsy Notice
The term ‘Etsy’ is a trademark of Etsy, Inc. This Application uses Etsy’s API, but is not endorsed or certified by Etsy.
3. Data We Collect
We collect information to provide, maintain, and improve our Services.
(a) Information You Provide (User Data)
- Account Data: Name, email address, password, phone number, company details, and business identification information.
- Billing Data: Payment details and billing address (processed securely by our Merchant of Record, Paddle).
- Communications: Support requests, survey responses, platform feedback, or other correspondence.
(b) Information from Connected Platforms (Order Data)
When you connect Circle Halo to your eCommerce accounts (e.g., Etsy, Amazon, Shopify), we collect personal data related to your sales and fulfillment:
- Authentication Data: API tokens or credentials required for secure, ongoing synchronization.
- Order Details: Order IDs, customer names, shipping addresses, personalization requests, and any files (including ZIP files) containing design or order information.
- Product Data: Listing details and inventory information required for effective order management.
Etsy Integration:
When you connect your Etsy shop, we collect and process:
- Etsy API credentials (API keys and access tokens) required for secure API access to your Etsy shop via Etsy’s official API
- Order data including buyer names, email addresses, shipping addresses, order items, transaction details, and order metadata
- Listing data including product listings, inventory information, and shop details
- Etsy Member personal information accessed solely through the Etsy API for the purpose of order management and fulfillment
Shopify Integration:
When you connect your Shopify store, we collect and process:
- OAuth access tokens and API credentials required for secure API access to your Shopify store via Shopify’s GraphQL Admin API (version 2026-01)
- Order data including customer names, email addresses, shipping addresses, billing addresses, order items, fulfillment status, and order metadata
- Product data including product listings, variants, and inventory information
- Customer data from orders including personalization requests and custom attributes
- Webhook data including order events (create, update, cancel, fulfill) and app lifecycle events (install, uninstall)
- GDPR compliance webhook data (customer data requests, customer deletion requests, shop deletion requests) as required by Shopify App Store requirements
(c) Automatically Collected Data
When you use our Software, we automatically collect:
- Device & Connection Data: IP address, operating system, device identifiers, browser type, and time zone.
- Usage Data: Login timestamps, activity logs, performance metrics, pages viewed, and feature interactions.
- Tracking Technologies: Data collected via cookies, pixels, and similar technologies used to authenticate sessions, analyze platform usage, and improve security.
4. How We Use Data
We process personal data for the following lawful purposes:
- Service Delivery: To provide, operate, and maintain the Services you subscribe to.
- Order Management: To import, unpack, and display Order Data for fulfillment (as your Processor).
- Billing & Payments: To process subscriptions and generate invoices via Paddle.
- Account Security & Support: To create, secure, and maintain your user account and respond to inquiries.
- Analytics & Improvements: To analyze platform performance, enhance features, and monitor usage patterns.
- Compliance & Legal: To comply with tax, legal, and regulatory requirements.
Etsy-Specific Processing:
- Synchronize order data from your Etsy shop to enable order management and fulfillment workflows
- Display Etsy listing content that is no more than six (6) hours older than the corresponding information on the Etsy Site
- Display other Etsy content that is no more than twenty-four (24) hours older than the content displayed on the Etsy Site
- Maintain secure API connections using API credentials for ongoing data synchronization
- Cache and store Etsy content only as long as reasonably necessary to provide service to your account
Shopify-Specific Processing:
- Synchronize order data from your Shopify store to enable order management and fulfillment workflows
- Process GDPR compliance requests (data export, customer deletion, shop deletion) within required timeframes (30 days for customer requests, 48 hours for shop deletion)
- Maintain secure API connections using OAuth tokens for ongoing data synchronization
- Process webhook events to keep order data current and accurate
- Comply with Shopify App Store requirements including mandatory GDPR webhook handling
We do not sell personal data and do not use customer order data for advertising or marketing unrelated to the Services.
We do not use Etsy order data for advertising, third-party marketing, resale, profiling, licensing, or for training artificial intelligence or machine learning models.
5. Legal Basis for Processing (GDPR)
If you are located in the EU/EEA or UK, our legal basis for processing your data includes:
- Performance of a Contract (Art. 6(1)(b) GDPR): Processing data necessary to provide you with the Services and maintain your account.
- Compliance with a Legal Obligation (Art. 6(1)(c) GDPR): Processing data required for tax, billing, security, or regulatory requirements.
- Legitimate Interests (Art. 6(1)(f) GDPR): Processing data to improve the Services, prevent fraud, and ensure platform security (where our interests are not overridden by your rights).
- Consent (Art. 6(1)(a) GDPR): Where applicable (e.g., for optional marketing communications).
6. Data Sharing & Disclosure
We may disclose your data in limited circumstances to fulfill our obligations:
- Service Providers: We share necessary data with vendors providing hosting, IT infrastructure, analytics, and platform support. These parties are contractually bound to process data only on our behalf and protect it securely.
- Payment Processing: Paddle processes billing and payment information as the Merchant of Record. We do not store or process full credit card numbers ourselves.
- Connected Platforms: We exchange data (primarily Order Data) with the third-party marketplaces (Etsy, Amazon, Shopify, etc.) that you explicitly choose to connect, solely for the purpose of syncing and managing orders.
- Corporate Transactions: In connection with a merger, acquisition, or asset sale, your personal data may be transferred to the successor entity.
- Legal Obligations: When required by law, subpoena, court order, or regulatory authority.
Etsy Integration:
- When you connect Etsy, we exchange data with Etsy solely through Etsy’s official API to synchronize and display order information you choose to import for order management and fulfillment
- We do not use Etsy order data for advertising, third-party marketing, resale, profiling, licensing, or for training artificial intelligence or machine learning models
- Etsy API credentials are stored securely and used only for the purpose of providing the Services
- When you disconnect your Etsy shop, we delete associated API credentials and stop data synchronization
- Etsy maintains its own privacy policy and data practices; we recommend reviewing Etsy’s privacy policy for information about how Etsy handles your data
Shopify Integration:
- We exchange data with Shopify Inc. through their GraphQL Admin API (version 2026-01) and webhook system to synchronize orders and manage your store connection
- OAuth tokens and API credentials are stored securely and used only for the purpose of providing the Services
- When you disconnect your Shopify store, we delete associated API credentials and stop data synchronization
- We comply with Shopify’s mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact) and process these requests within required timeframes
- Shopify maintains its own privacy policy and data practices; we recommend reviewing Shopify’s privacy policy for information about how Shopify handles your data
7. Cookies and Tracking
Circle Halo uses cookies and similar technologies for essential purposes:
- Strictly Necessary: To authenticate sessions and secure your account.
- Functionality: To remember your preferences and enhance the user experience.
- Analytics: To analyze platform usage and performance metrics.
You may manage or disable cookies through your browser settings. Be aware that disabling strictly necessary cookies may limit the functionality of the Services. For more detail, please refer to our separate Cookie Policy.
8. Data Retention
We retain your personal data only for as long as necessary to provide the Services, fulfill legal obligations, or resolve disputes.
- Account Data: Retained for as long as you maintain an active account.
- Order Data: Retained as long as required for your order fulfillment operations and your own legal obligations as the Data Controller, typically tied to the life of your active account.
- Upon verified account deletion, personal data will be deleted or anonymized within 30 days, except for data we are legally required to retain for tax, billing, or auditing purposes.
Etsy Data:
- Order data imported from Etsy is retained as long as your account is active and you maintain the Etsy connection
- Etsy listing content is displayed no more than six (6) hours older than the corresponding information on the Etsy Site
- Other Etsy content is displayed no more than twenty-four (24) hours older than the content displayed on the Etsy Site
- Etsy content is cached and stored only as long as reasonably necessary to provide service to your account
- Upon disconnection of your Etsy shop, we will delete API credentials immediately; order data will be retained according to our standard retention policy unless you request deletion
Shopify Data:
- Order data imported from Shopify is retained as long as your account is active and you maintain the Shopify connection
- Upon disconnection of your Shopify store, we will delete API credentials immediately; order data will be retained according to our standard retention policy unless you request deletion
- When we receive a Shopify GDPR webhook (shop/redact), all Shopify-related data will be deleted within 48 hours as required by Shopify App Store requirements
- Customer data deletion requests (customers/redact) will be processed within 30 days, with personal information anonymized while preserving order records for accounting purposes
9. International Data Transfers
Your data may be transferred to and processed in jurisdictions outside your country, including the United States, the European Union, and Türkiye, where we or our service providers may operate.
Where required by law, especially for transfers of data outside the EU/EEA or UK, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs): We use SCCs approved by the European Commission, and their UK equivalent, to ensure an adequate level of data protection.
- Encryption: Utilizing industry-standard encryption for data in transit and at rest.
By using the Services, you consent to this international transfer and processing of your data.
10. Security Measures
We use industry-standard technical and organizational measures designed to protect personal data from unauthorized access, disclosure, alteration, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest.
- Strict role-based access control for employees.
- Secure servers, firewalls, and regular vulnerability monitoring.
- Routine security audits and data backup protocols.
While we strive for absolute protection, no internet-based system can guarantee 100% security.
Data Breach Notification:
If any Etsy Member data accessed via the Etsy API is compromised or suspected to be compromised, we will promptly notify Etsy at [email protected] and the affected Etsy seller, but in no event later than 24 hours from discovery of the data breach.
11. Your Privacy Rights
You have rights concerning your personal data, which vary based on your location:
(a) GDPR (EU/EEA & UK)
- Right to Access: To obtain confirmation about your data processing and receive a copy of your data.
- Right to Rectification: To correct inaccurate or incomplete data.
- Right to Erasure (‘Right to be Forgotten’): To request the deletion of your data when it is no longer necessary for the purposes collected.
- Right to Restriction of Processing: To limit the way we use your data.
- Right to Data Portability: To receive your data in a structured, commonly used, and machine-readable format.
- Right to Object: To object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: To withdraw consent at any time where processing is based on consent.
Etsy-Specific Rights:
- You may request access to all data we have collected from your Etsy shop
- You may request deletion of your Etsy connection and associated data at any time
- You may export all Etsy order data we have stored in your account
- You have control over the use, sharing, and access of Etsy Member information collected by our Application
Shopify-Specific Rights:
- You may request access to all data we have collected from your Shopify store
- You may request deletion of your Shopify connection and associated data at any time
- If Shopify sends us a GDPR deletion request on your behalf (via webhook), we will process it according to Shopify’s requirements and notify you
- You may export all Shopify order data we have stored in your account
(b) CCPA/CPRA (California)
- Right to Know: To request the categories and specific pieces of personal data collected, used, and disclosed.
- Right to Delete: To request the deletion of personal data we have collected, subject to exceptions.
- Right to Opt-Out of Sale/Sharing: Circle Halo does not sell or share personal data for cross-context behavioral advertising.
- Right to Non-Discrimination: For exercising your privacy rights.
(c) KVKK (Türkiye)
- Right to Learn: Whether your personal data is processed.
- Right to Request Information: Regarding the purpose of processing.
- Right to Correction/Deletion: To request correction or deletion if the reasons for processing are no longer valid.
- Right to Object: To the occurrence of an unfavorable outcome through automatic analysis.
To exercise any of these rights, please contact us at [email protected].
12. Data Deletion Requests
You may request the deletion of your Circle Halo account and all associated personal data at any time.
To request account deletion, please contact us at [email protected] with the subject line “Account Deletion Request” and include your registered email address. We will verify your identity and process your request according to the timeline described below.
- Verified requests will be processed within 30 days of receipt.
- Certain data may be retained as required by tax, billing, or regulatory law, which will be clearly communicated upon request.
Etsy Shop Disconnection:
- You may disconnect your Etsy shop at any time through the Circle Halo interface
- Upon disconnection, we will immediately revoke API access and stop data synchronization
- You may request complete deletion of all Etsy-related data, which will be processed within 30 days
Shopify Store Disconnection:
- You may disconnect your Shopify store at any time through the Circle Halo interface
- Upon disconnection, we will immediately revoke API access and stop data synchronization
- You may request complete deletion of all Shopify-related data, which will be processed within 30 days
- If Shopify sends a shop deletion webhook (shop/redact), we will delete all associated data within 48 hours as required by Shopify App Store compliance requirements
13. Children’s Privacy
Our Services are intended for business use and are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.
14. Changes to This Policy
We may amend this Privacy Policy from time to time. We will communicate significant changes by posting the updated policy on our website, through email notification, or via platform banners. The revised policy will be effective as of the “Last Updated” date.
15. Contact Information
If you have questions, concerns, or wish to exercise your privacy rights, please contact us at:
Circle Halo
Email: [email protected]
Etsy-Specific Inquiries:
For questions about our Etsy integration, data handling, or Etsy API compliance, please contact us at [email protected]. We process Etsy data solely through Etsy’s official API and in compliance with Etsy’s API Terms of Use.
Shopify-Specific Inquiries:
For questions about our Shopify integration, data handling, or GDPR compliance related to Shopify data, please contact us at [email protected]. We process Shopify GDPR webhook requests automatically and will respond to merchant inquiries within 30 days for customer requests and 48 hours for shop deletion requests.