Privacy Policy and Personal Data Protection

CONVERTY FOR ECOMMERCE, operator of the converty.shop platform, is committed to protecting the privacy of its users and safeguarding their personal data, in accordance with the provisions of Tunisian Law No. 63 of 2004 on the Protection of Personal Data, as well as the applicable provisions of the General Data Protection Regulation (GDPR) in connection with the relevant contractual relationships.

This Policy sets out how the platform collects personal data, the purposes for which it is used, the parties with whom it may be shared, and the rights guaranteed to users in this regard.

Contact Information:

• Email: contact@converty.shop
• Phone: +216 48 272 872
• Website: converty.shop

By using or registering on the platform, you acknowledge that you have read, understood, and agreed to this Policy.

This Policy applies to:

• Merchants: any natural or legal person who creates an account on the platform and uses its services to create and manage an online store.
• Visitors: any person who browses the platform or views its content without registering.
• Store Customers: any person who interacts with online stores created through the platform, whether by registering, browsing, or making purchases.

This Policy does not apply to third-party websites linked to the platform via external links, as such websites are governed by their own privacy policies.

The platform collects the following categories of data:

I. Identity Data

Includes: full name and username.

II. Contact Data

Includes: email address, phone number, postal or geographical address, and any other contact details entered by the user.

III. Technical Data

Includes: Internet Protocol (IP) address, browser type and version, operating system, Cookies data, session data, and device identifiers.

IV. Usage Data

Includes: platform pages visited, session duration, links clicked, browsing patterns within the platform, and interaction logs with the services.

V. Online Store Data

Includes: store name, product and inventory details, order records, and customer data entered by the merchant within their store, as further detailed in the "Store Customer Data" section below.

VI. Passwords

Passwords are stored in encrypted form (Hashed) using industry-standard cryptographic algorithms, and cannot be accessed in plaintext under any circumstances.

The platform collects data from the following sources:

• Registration and Account Creation: when a new account is created on the platform, the user provides a set of personal data necessary for service activation.
• Daily Platform Use: usage and technical data are collected automatically during browsing and interaction with platform services.
• Cookies and Tracking Technologies: as detailed in the "Cookies" section below.
• Contact with the Support Team: additional information may be collected when a user contacts the technical or administrative support team.
• Third Parties: the platform may receive supplementary data from service partners (such as payment gateways and shipping companies) when their services are used.
• Automatic Technical Logs: technical data is automatically recorded on the platform's servers upon each access, including IP address, browser data, and session details.

Collected data is used for the following purposes:

• Service Provision and Operation: creating user accounts, activating online stores, processing orders, and providing all operational features of the platform.
• Communication and Technical Support: sending account and transaction notifications, and responding to user inquiries and technical support requirements.
• Payment Management and Financial Settlements: processing commissions and payments related to platform use, in coordination with approved payment gateways.
• Service Quality Improvement: analyzing usage patterns to develop features, improve platform performance, and enhance user experience.
• Marketing and Promotional Communications: sending newsletters, offers, and updates to users who have consented to receive them, with the right to unsubscribe at any time.
• Account Review and Risk Management: reviewing merchant accounts and transaction patterns to detect indicators of fraud or use contrary to the platform's policies, in order to preserve the safety of the entire merchant community.
• Rights Protection: defending the rights of the platform and its users and resolving disputes where necessary.

The platform bases the processing of personal data on the following legal grounds in accordance with Tunisian Law No. 63 of 2004 and the applicable provisions of the GDPR:

• Explicit Consent (Article 6(1)(a) GDPR): when the user is requested to provide consent for the collection of specific data for defined purposes, such as marketing communications and non-essential Cookies. The user has the right to withdraw consent at any time without affecting the lawfulness of prior processing.
• Contractual Necessity (Article 6(1)(b) GDPR): processing of data necessary for the performance of the contract concluded between the platform and the user, such as account creation, store operation, and payment management.
• Legitimate Interests (Article 6(1)(f) GDPR): processing data for the purposes of usage analysis, service improvement, fraud detection, and platform security — to the extent that this does not conflict with the fundamental rights and freedoms of users.

No Sale or Rental

The platform does not sell, rent, or trade your personal data to any third party.

Lawful Sharing Cases

The platform may share data in the following cases only:

• Service Providers: sharing data with technical partners responsible for providing services necessary for operations (such as cloud hosting, payment gateways, shipping companies, and analytics tools).
• Partner Products: when the user chooses to activate third-party applications or services integrated into the platform, the data necessary for operating these products may be shared with their providers, with the user's knowledge and in accordance with each party's terms of service.
• Auditors and Legal Advisors: sharing data with auditors or legal consultants bound by professional confidentiality obligations under law or contract.
• Merger and Acquisition: in the event of the sale of the platform, a merger, or the acquisition of its assets by another entity, data may be transferred to the successor entity, with a commitment to notify users in advance.
• Rights Protection: when sharing is necessary to defend the legal rights of the platform or the contractual rights of its users.

The platform uses payment gateways operated by approved third parties. Upon completion of any financial transaction, payment data is subject to the privacy policies of those parties. The platform bears no responsibility for the processing carried out by these parties on payment data.

What Are Cookies?

Cookies are small text files stored on the user's device when visiting the platform. They enable the platform to recognize the browser, remember preferences, and improve the user experience.

Types of Cookies Used

Managing Cookies

The user may at any time modify their Cookie settings via:

• The privacy settings panel available on the platform.
• Browser settings (declining or deleting all Cookies). Please note that declining essential Cookies may impair certain core platform functionalities.

The platform implements a comprehensive set of security measures to protect personal data, including:

• Communication Encryption: the platform uses SSL/TLS protocols to encrypt all data transmitted between the user and the servers.
• Password Encryption: passwords are stored in encrypted form (Hashed) using robust, industry-standard cryptographic algorithms and cannot be recovered under any circumstances.
• Access Controls: access to databases and user information is subject to strict rules limiting data access to authorized personnel only, on a need-to-know basis.
• Security Audits: the platform conducts periodic security audits of its technical infrastructure and proactively addresses identified vulnerabilities.
• Multi-Layered Technical Protection: including Firewalls, intrusion detection systems, and continuous monitoring of unusual activities.

Nevertheless, the platform does not guarantee absolute protection against all cyber-intrusion risks, and encourages users to choose strong passwords and maintain the confidentiality of their login credentials.

The platform retains personal data for the following periods:

• Active Account Data: account data is retained throughout the duration of the contractual relationship with the user.
• Financial Data and Transaction Records: retained for five (5) years from the date of each transaction, in accordance with applicable accounting and tax requirements.
• Usage and Technical Logs: retained for twelve (12) months from the date of their generation.
• Data Following Account Closure: upon account termination, personal data is deleted within ninety (90) days, while retaining the minimum necessary to comply with legal obligations for the applicable statutory period.
• Technical Support Data and Correspondence: retained for three (3) years from the date of the last interaction.

Personal data may be transferred to servers or processors outside the territory of the Republic of Tunisia for the purposes of cloud hosting or technical service provision. In such cases, the platform undertakes to:

• Verify that the recipient countries or receiving entities provide an adequate level of protection for personal data.
• Enter into contractual data processing agreements with receiving entities, obligating them to comply with the protection standards set forth in Tunisian Law No. 63 of 2004.
• Apply transfer mechanisms recognized by the Tunisian National Authority for the Protection of Personal Data (INPDP — Instance Nationale de Protection des Données Personnelles) or their equivalent, where applicable.

Every platform user is entitled to the following rights with respect to their personal data:

• Right of Access: the right to access the personal data that the platform holds about them.
• Right to Rectification: the right to request the correction of any inaccurate, incomplete, or misleading data.
• Right to Erasure: the right to request the deletion of their personal data where the legal or contractual grounds for retaining it no longer exist.
• Right to Restriction of Processing: the right to request restriction of the processing of their data in specific cases (such as contesting its accuracy or objecting to its use for certain purposes).
• Right to Data Portability: the right to receive their personal data in a structured, machine-readable electronic format and to transfer it to another entity where technically feasible.
• Right to Object: the right to object to the processing of their data for direct marketing purposes or for purposes based on legitimate interests.
• Right to Withdraw Consent: the right to withdraw consent to data processing at any time, without affecting the lawfulness of prior processing.

How to Exercise Rights

To exercise any of the above rights, the user must contact the platform by email at contact@converty.shop, clearly specifying the right they wish to exercise and providing proof of identity.

The platform undertakes to respond to the request within thirty (30) days of the date of receipt, with the possibility of extending this period by a further thirty days in complex cases, after notifying the user accordingly.

In the event of dissatisfaction with the response, the user has the right to lodge a complaint with the National Authority for the Protection of Personal Data (INPDP — Instance Nationale de Protection des Données Personnelles) in Tunisia.

Distinction of Roles

With respect to the data of online store customers, the platform acts as a Data Processor on behalf of the merchants, who are the Data Controllers. This means:

• The merchant bears full responsibility for determining the purposes and means of processing their customers' data in accordance with applicable laws.
• The platform provides the technical infrastructure necessary for processing such data in accordance with the merchant's instructions, without using it for its own account.
• The platform undertakes to apply adequate security standards for the storage and protection of store customer data.

Types of Data Collected About Store Customers

Data that may be processed via the platform on behalf of merchants includes:

• Store Registration Data: name, email address, phone number, and delivery address.
• Browsing and Interaction Data: pages viewed by the customer, products browsed, and shopping cart contents.
• Order Data: purchase details, order value, purchase date, and delivery status.

Each merchant is required to publish a privacy policy specific to their store, disclosing to their customers the purposes of data collection and how it is used.

The platform does not direct its services to persons under the age of eighteen (18) and does not intentionally collect their data.

If it is discovered that a minor has provided their data without the consent of their legal guardian, the platform undertakes to delete such data as soon as it becomes aware of this. Parents and guardians are encouraged to contact the platform at contact@converty.shop should they suspect the existence of any such cases.

Service Communications

Certain messages are sent to users as an integral part of service delivery, such as account notifications, transaction confirmations, and security alerts. It is not possible to unsubscribe from these communications during the active use period of the platform.

Marketing Communications

• Marketing messages are only sent to users who have given their explicit consent to receive them.
• The user has the right at any time to unsubscribe from marketing messages by one of the following means:
  • Clicking the "Unsubscribe" link at the bottom of any email.
  • Modifying notification settings in their dashboard.
  • Contacting support at contact@converty.shop.
• The unsubscription request will be processed within fifteen (15) business days from the date of the request.

The platform offers an optional integration with Google Sheets that allows merchants to automatically export their order data to a Google Sheets spreadsheet. This section describes how the platform accesses, uses, stores, and protects Google user data in connection with this feature.

Scope of Access

The platform requests the drive.file OAuth scope from Google. This scope limits the platform's access exclusively to files that the platform itself creates. The platform cannot access, view, modify, or delete any other files in the user's Google Drive account. The platform does not request access to contacts, email, calendar, or any other Google services.

How Google Data Is Used

When a merchant connects Google Sheets, the platform performs the following actions:

• Creates a single new Google Sheets spreadsheet in the merchant's Google Drive.
• Populates it with the store's order data, including: reference number, customer name, phone number, city, address, products, quantities, order status, delivery details, and timestamps.
• Periodically synchronizes new orders to keep the spreadsheet up to date.

Data Stored by the Platform

The platform stores only the following in its database to maintain the connection: the spreadsheet identifier, the spreadsheet URL, and the OAuth refresh token. The platform does not store copies of the spreadsheet content on its servers.

Retention and Deletion

The OAuth refresh token and spreadsheet reference are retained for as long as the Google Sheets integration remains active on the merchant's account. When the merchant disconnects the integration, the platform immediately deletes the OAuth refresh token and spreadsheet reference from its database. The spreadsheet itself is not deleted from the merchant's Google Drive and remains under the merchant's full control.

Revoking Access

Merchants may disconnect the integration at any time from their Converty dashboard. They may also revoke the platform's access from their Google Account permissions page.

No Sharing of Google Data

The platform does not sell, rent, or share Google user data with any third party. Google data is used solely to provide the synchronization feature described above. No personnel access the contents of a merchant's spreadsheet unless the merchant explicitly requests technical support.

Legal Basis

The processing of Google user data is based on the merchant's explicit consent, provided when they authorize the integration through the Google OAuth consent flow, in accordance with Article 6(1)(a) of the GDPR.

Google's Privacy Policy

For information about how Google collects, uses, and protects user data, please refer to Google's Privacy Policy.

Converty's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

The platform limits its use of Google user data as follows:

• Google user data is used only to provide and improve the Google Sheets order synchronization feature that the user has explicitly requested.
• Google user data is not transferred to third parties, except as necessary to provide the service, as required by law, or with the user's explicit consent.
• Google user data is not used for advertising or marketing purposes.
• No person is permitted to read Google user data unless the user has given explicit consent for technical support, it is necessary for security purposes, or it is required by law.

In the event of a security breach that may compromise users' personal data, the platform undertakes to:

• Immediately investigate the breach and assess its scope and impact.
• Notify affected users within seventy-two (72) hours of discovering the breach, with a clear description of the nature of the affected data and recommended measures for their protection.
• Notify the competent supervisory authorities (including the National Authority for the Protection of Personal Data INPDP) in accordance with the applicable legal framework.
• Take all necessary technical and procedural measures to remediate the vulnerability and prevent its recurrence.

The platform reserves the right to amend this Policy from time to time, in response to legal and technical developments or changes in the nature of the services provided.

In the event of any material amendment to the Policy:

• Registered users will be notified by email to their registered address thirty (30) days before the amendment's effective date.
• The updated version of the Policy will be published on the platform with its effective date indicated.
• The user's continued use of the platform following the entry into force of the amendments constitutes their tacit acceptance thereof. Should the user refuse the amendments, they have the right to terminate their account in accordance with the procedures set forth in the General Terms and Conditions.

For any inquiries relating to this Policy or to exercise any of the rights mentioned herein, the platform may be contacted via:

• Email: contact@converty.shop
• Phone: +216 48 272 872
• Registered Office: Ariana, Mnihla — Republic of Tunisia
• Website: converty.shop