Privacy Policy
Last updated: 25 February 2026
This privacy policy describes how Litho Services Ltd ("we", "us", "our") collects, uses, and handles personal data across our Shopify applications. This policy applies to all apps published by Litho Services Ltd on the Shopify App Store.
General principles
- We only collect the minimum personal data required to provide app functionality.
- We never sell, rent, or share personal data with third parties for marketing or advertising.
- All data is transmitted over encrypted connections (HTTPS/TLS).
- All data is stored on infrastructure that encrypts data at rest.
- We respond to all GDPR data deletion requests automatically via Shopify's mandatory webhooks.
App-specific data collection
Each app collects different data depending on its functionality. Details for each app are listed below.
Customer Gallery
A photo gallery app that lets verified customers upload photos of their purchases to product pages.
Data collected:
- First name and last initial — retrieved from the customer's existing Shopify account. We do not ask customers to enter their name separately.
- Email address — retrieved from the customer's Shopify account, used for admin moderation purposes only. Never displayed publicly.
- Photo — the image uploaded by the customer.
- Caption — the text the customer writes to accompany their photo.
- Shopify customer ID — to associate the submission with the customer's account.
How it's used:
- Customer's first name, last initial, photo, and caption are displayed publicly on the product page after store admin approval.
- Email is visible only to store administrators for moderation.
- A hash of each image is stored to prevent duplicate submissions.
Storage: Database on Railway (encrypted). Images on Cloudflare R2 (encrypted at rest, served via HTTPS).
Data retention
Personal data is retained for as long as the app is installed on a merchant's store. Merchants can delete individual data records at any time through each app's admin panel.
When an app is uninstalled, session data is deleted automatically. We respond to Shopify's GDPR shop/redact webhooks to handle full data cleanup.
Your rights
Under GDPR and other applicable data protection laws, individuals have the right to:
- Access — request a copy of personal data we hold. Contact the store owner or us directly.
- Deletion — request that personal data be deleted. We handle deletion requests automatically via Shopify's GDPR webhooks, anonymising names and removing email addresses.
- Rectification — request correction of inaccurate personal data.
- Withdraw consent — contact the store owner to have any submitted content removed.
Third-party services
Our apps use the following third-party services to operate:
- Shopify — for merchant store integration and customer authentication.
- Railway — for application and database hosting.
- Cloudflare — for content delivery and file storage.
We do not share personal data with any parties beyond those required for the apps to function.
Cookies
Our apps do not set cookies. Any client-side storage (such as browser local storage) is used only for non-personal preferences and does not contain identifiable information.
Security
- All data in transit is encrypted using HTTPS/TLS.
- All databases use encrypted connections and encrypted storage at rest.
- Access to personal data is limited to authorised store administrators.
- We use Shopify's built-in authentication for all admin access.
Changes to this policy
We may update this privacy policy from time to time. Changes will be reflected on this page with an updated date. We encourage you to review this page periodically.
Contact
If you have questions about this privacy policy or how your data is handled, contact us at:
Litho Services Ltd
Email: support@weblegs.co.uk