1. Who is responsible for your data
Storebolt is a trading name of Ourfires LTD, a company registered in England and Wales (company number 10271109), registered office at 41 Devonshire Street, London W1G 7AJ, United Kingdom.
Ourfires LTD is the data controller for the personal data we collect for our own purposes: website-visitor data, subscriber and team-member contact details, billing data, and correspondence. For personal data held inside your own Shopify store — including your end-customers' details — you are the controller and we act as your processor, on your instructions and under the Data Processing Agreement (Schedule 1 of our Terms).
For any privacy question, contact us at support@storebolt.co.
This policy explains what personal data we collect, why, the lawful basis for processing it, who we share it with, and your rights under the UK GDPR and the Data Protection Act 2018.
2. The personal data we collect
Website visitors. When you visit storebolt.co we collect the basic technical data needed to operate and secure the site (such as IP address and browser information, in server logs) — this happens on every visit. Separately, and only after you opt in through our consent banner, PostHog collects usage/analytics events. See the Cookies section (2A) for detail.
Subscribers and their team members. When you subscribe and we set up your service, we process:
- Contact details — name and email address of the subscriber and of any team member you add to your Trello board.
- Billing data — handled by our payment processor, Stripe. We never hold full card numbers. Through Stripe we retain the standard merchant view: billing name and email, billing country (and address where collected), transaction and invoice history, and the card brand and last four digits.
- Task and store data — the content of the Trello cards you file (titles, URLs, descriptions, screenshots or recordings) and the data we access in your Shopify store through collaborator access in order to perform the work. This may incidentally include personal data held in your store (for example, your end-customers' details), which we access only to carry out the task and which you control.
- Correspondence — emails you send us for billing, onboarding, and off-boarding.
Analytics identifiers and usage events are collected via PostHog (see section 2A). We collect no other categories at launch — there is no marketing list or newsletter, no error-monitoring tooling capturing personal data, and no support records held outside Trello and email. If that changes (for example, a newsletter signup is added), this policy will be updated first.
2A. Cookies and similar technologies
Our cookie disclosure lives in this policy; there is no separate cookie page.
Strictly necessary. storebolt.co sets the cookies required for the site and Stripe Checkout to function. These do not require consent, but they are disclosed here.
Analytics. We use PostHog (EU Cloud, Frankfurt) to understand how the site is used (page views, events, device and browser information). Analytics cookies and similar identifiers are set only after you opt in through our consent banner; you can reject them, and withdraw consent at any time, without affecting your use of the site.
You can control or delete cookies through your browser settings; blocking strictly necessary cookies may stop parts of the site (including checkout) from working.
3. Why we process it and our lawful basis
| Purpose | Data | Lawful basis (UK GDPR) |
|---|---|---|
| Providing the Service (triaging and delivering cards, accessing your store) | Contact details, task and store data | Performance of a contract |
| Taking payment and managing your subscription | Billing data, contact details | Performance of a contract |
| Account and billing communication, onboarding, off-boarding | Contact details, correspondence | Performance of a contract |
| Operating and securing the website | Technical/website data | Legitimate interests (running and securing our site) |
| Understanding how the site is used (analytics) | Usage events and identifiers via PostHog | Consent (Article 6(1)(a)) — analytics runs only after you opt in and stops if you withdraw (see section 2A) |
| Meeting legal and tax obligations | Billing records | Legal obligation |
We do not use your data for advertising and we do not sell your data.
4. Where your data is processed (sub-processors)
We use the following third parties to operate the Service. Some are located outside the UK, which may involve international transfers (see Section 5).
| Provider | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing | USA / Ireland |
| Trello (Atlassian, Inc.) | Per-customer intake board (contact details, task and store data) | USA |
| Vercel Inc. | Website hosting (storebolt.co) | USA |
| Plus Five Five, Inc. (trading as Resend) | Transactional email (onboarding, off-boarding, billing-related email) | USA |
| PostHog, Inc. | Website analytics (storebolt.co) | EU (Frankfurt — PostHog EU Cloud) |
Shopify is deliberately not listed as a sub-processor — it is your platform, not ours. We access personal data inside your Shopify store as your processor under Schedule 1 of our Terms; Shopify's own processing, and where your store is hosted, are governed by your agreement with Shopify. (The Terms' Annex 3 treats Shopify the same way.)
Ahrefs is used for SEO research against public web data only; it does not process our visitors' or customers' personal data and is therefore not listed (decided: no Ahrefs script runs or will run on storebolt.co). No error-monitoring or support tooling is in use at launch; if any is added, it will be listed here first.
5. International transfers
Some of our providers process data outside the UK. For EEA destinations (PostHog's EU Cloud in Frankfurt), transfers rely on the UK's adequacy regulations for the EEA. For US providers (Stripe, Trello, Vercel, Resend), we rely on the UK Extension to the EU-US Data Privacy Framework where the provider is certified, or otherwise on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
6. How long we keep your data
We keep personal data no longer than necessary for the purposes described in this policy:
- Task and store data (your Trello board): archived for 90 days after the Service ends — or deleted earlier on your instruction (see Schedule 1, paragraph 11 of our Terms) — then deleted.
- Billing and tax records: 6 years, as required by UK tax and VAT law.
- Contact details and correspondence: for as long as necessary to administer our relationship with you and to establish, exercise, or defend legal claims.
- Analytics data (PostHog): for as long as it remains relevant to operating and improving the site.
When your subscription ends, we export your Trello board to JSON, email it to you, and archive the board for the period above in case you resubscribe; we revoke our collaborator access to your Shopify admin.
7. Your rights
Under the UK GDPR you have the right to access your personal data; to have inaccurate data corrected; to have data erased in certain circumstances; to restrict or object to processing; and to data portability. To exercise any of these, email support@storebolt.co. We will respond within the period required by law.
These rights apply to the personal data for which we are the controller (section 1). For personal data held in a merchant's own Shopify store, the merchant is the controller — please direct requests about that data to the merchant. If such a request reaches us, we forward it to the merchant and act only on their instructions (Schedule 1, paragraph 7 of our Terms).
You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority, at ico.org.uk.
8. Security
We take reasonable measures to protect personal data: access to client stores and systems on a least-privilege basis, limited to what the work needs; unique credentials with multi-factor authentication where the platform supports it; encryption of personal data in transit; time-bound admin access, revoked promptly at off-boarding; reputable, access-controlled tooling; and due diligence on sub-processors. (These mirror Annex 2 of the Data Processing Agreement in our Terms.)
9. Children
The Service is a business-to-business service and is not directed at children. We do not knowingly collect personal data from children.
10. Changes to this policy
We may update this policy; the current version is always at storebolt.co/privacy. We will indicate the last-updated date at the top.
11. Contact
Privacy questions or rights requests: support@storebolt.co.
Ourfires LTD, 41 Devonshire Street, London W1G 7AJ, United Kingdom. Company number 10271109.
Ourfires LTD is registered with the UK Information Commissioner's Office (ICO). Registration reference: C1950730.