Privacy policy
Effective date: May 12, 2026
1. Introduction
This Privacy Policy describes how Gallery 6 ("Superstack", "we", "us", or "our") collects, uses, and shares information in connection with the Shopify applications we develop and operate (the "Apps"). It applies to merchants who install or use any Superstack app and, where applicable, to visitors of our website at superstack.ltd.
This policy covers data practices only. The legal framework governing your use of the Apps — including warranties, liability limits, indemnification, and governing law — is set out in our Terms of Use, which you agreed to when installing the Apps.
2. Data We Collect
We collect two distinct categories of data:
Merchant account data
When you install a Superstack app, Shopify provides us with information about your store, including your Shopify store URL, store owner email address, and store configuration data necessary to operate the Apps. We do not independently collect payment or billing information — all billing is handled directly by Shopify through Shopify App Pricing.
Merchant customer data
In the course of delivering the Apps, we process personal data belonging to your customers on your behalf. This includes customer phone numbers, order information, and WhatsApp message history. We process this data solely as a data processor acting on your instructions as data controller. We do not own, sell, or make independent use of your customers' personal data for any purpose.
3. How We Use Data
We use the data we collect to:
- Operate, maintain, and deliver the Apps and their features.
- Process and route messages through the WhatsApp Business Platform on your behalf.
- Provide customer support and respond to your inquiries.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Comply with our legal obligations.
We do not sell your data or your customers' data to any third party. We do not use any data collected through the Apps for advertising or marketing purposes unrelated to operating the Apps for your benefit.
4. Data Sharing and Third Parties
We share data only as necessary to deliver the Apps. The third-party services we rely on are:
- Meta Platforms, Inc. (WhatsApp Business Platform). Messages sent through the Apps are routed through Meta's infrastructure. Meta processes this data under its own terms and privacy policy. We are not responsible for Meta's data practices. See Meta's Privacy Policy.
- Shopify Inc. Your store data is accessed via Shopify's APIs and is subject to Shopify's own Terms of Service and Privacy Policy. We do not control how Shopify processes data on its platform.
- Vercel Inc. (application hosting). Our Apps are hosted on Vercel's serverless infrastructure in the EU (Frankfurt, Germany). Vercel accesses data only as necessary to serve application requests and is bound by data protection obligations equivalent to those in our DPA.
- Neon Inc. (database hosting). Customer and message data is stored in a Neon database located in the EU (Frankfurt, Germany). Neon accesses data only as necessary to provide database services and is bound by equivalent data protection obligations.
We do not sell, rent, or trade personal data with any third party.
5. Cookies
Our public website (superstack.ltd) does not use tracking or advertising cookies.
The Apps use session cookies that are strictly necessary to authenticate your Shopify store session and to operate the embedded app within the Shopify admin. These cookies are set by the Shopify OAuth flow and by our app infrastructure. They cannot be disabled without breaking core App functionality. We do not use cookies to track you across other websites or for any advertising purpose.
6. Data Retention
We retain data only as long as necessary for the purposes described in this policy:
- Merchant store data. Upon uninstallation of an App or termination of your subscription, your store data is retained for up to 30 days to allow for reinstallation, after which it is permanently deleted.
- WhatsApp message logs. Message history stored within the Apps is retained for 1 year from the date each message was sent or received, then permanently deleted.
- Support correspondence. Emails and support tickets are retained for up to two years and then deleted.
We may retain data for longer periods where required by law or to resolve ongoing disputes.
7. Merchant Responsibilities as Data Controller
You are the data controller for your customers' personal data. Superstack processes that data solely on your instructions. As data controller, you are responsible for:
- Having a lawful basis for processing your customers' personal data.
- Obtaining all required consents before sending messages through the Apps.
- Providing an adequate privacy notice to your own customers.
- Fulfilling data subject rights requests from your customers.
The full scope of your obligations is set out in Sections 3 and 5 of our Terms of Use. Superstack's obligations as your data processor — including sub-processor details, breach notification, and audit rights — are set out in our Data Processing Agreement, which forms part of those Terms.
8. Your Data Subject Rights
Depending on your jurisdiction, you may have rights regarding your personal data, including the right to access, correct, delete, or receive a portable copy of your data, and the right to object to or restrict certain processing.
Merchant account data. To exercise rights regarding your own Superstack account data, contact us at hello@superstack.ltd. We will respond within the timeframe required by applicable law.
Customer data (merchant customer data). If you are an end customer of a merchant using our Apps, your rights requests regarding your personal data must be directed to that merchant. Superstack is a data processor for that data and cannot fulfill data subject rights requests independently of the merchant's instructions.
9. Security
We implement industry-standard technical and organizational measures to protect data against unauthorized access, loss, or disclosure, including encryption in transit (TLS) and encryption at rest. However, no method of electronic transmission or storage is completely secure. We make no guarantee of absolute security.
We are not responsible for security incidents originating from Meta's, Shopify's, or any other third-party provider's infrastructure.
10. International Data Transfers
Superstack's own infrastructure — application hosting (Vercel) and database (Neon) — is located entirely within the European Economic Area (EU Frankfurt, Germany). We do not transfer personal data to third countries in the course of operating the Apps.
When you send messages through the Apps, message content and recipient data are transmitted to Meta Platforms, Inc., which operates infrastructure outside the EEA. This transmission occurs at your direction as the data controller. You are responsible for ensuring a valid transfer mechanism exists for this onward transfer under Chapter V of the GDPR. Superstack is not responsible for Meta's processing of that data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where practicable, provide notice through the Apps or by email. Your continued use of the Apps after the updated policy takes effect constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you must uninstall and stop using the Apps.
12. Contact
If you have questions or concerns about this Privacy Policy, or wish to exercise your data rights, please contact us at hello@superstack.ltd.