No External Storage: Ongoing does not independently store, process, or retain any merchant or customer personal data outside of the Shopify platform. All data flows exclusively through Shopify’s systems and APIs during the normal operation of our apps. We rely on Shopify to host and maintain all merchant and customer information.
Types of Data Accessed: When you install or use an Ongoing app, Shopify may provide us with access to certain data from your store as needed for the app’s functionality. This can include, for example, order details, product information, and limited customer data relevant to the app’s features. We do not have direct access to sensitive personal information such as full payment details (credit card numbers, etc.) or customers’ passwords – Shopify or its payment processors handle those directly. Any personal data our app interacts with (such as a customer’s name, email, or address on an order) is fetched via Shopify’s API and is not stored on our servers.
Purpose of Data Use: We only use the data obtained through Shopify to provide and improve the app’s functionality for your store. This includes using the data to perform the tasks you expect from the app (e.g. generating subscription orders, managing inventory, etc.) and to enhance or troubleshoot the app’s performance. We never sell, rent, or exploit this data for marketing or any purposes outside of providing the Service to you. Data is never used or shared beyond what is necessary to serve your needs as the merchant.
We value your privacy and your customers’ privacy. We do not sell personal information, as “sell” is defined under the California Consumer Privacy Act (CCPA). We also do not share personal information for cross-context behavioral advertising or for third-party marketing purposes. Any customer or merchant data accessed by our apps is used solely for your benefit and as instructed by you via the Shopify platform.
Disclosure to Third Parties: Ongoing LLC does not disclose or share merchant or customer personal data with any third parties, except in the following rare circumstances: (a) to service providers or sub-processors that assist in operating our Services (for example, cloud hosting or database services), and only to the extent necessary and under strict data protection obligations; (b) if required by law or valid legal process, in which case we will notify you unless legally prohibited; or (c) in the event of a business transfer (such as a merger or acquisition), in which case the successor will be bound to the same privacy commitments. In all cases, the data remains within Shopify’s ecosystem or under equivalent protections. Shopify itself is not considered a third party in this context – it’s the primary platform handling the data.
All payment processing, financial transactions, and storage of customer personal information are handled by Shopify or Shopify’s approved payment gateways. Ongoing does not receive or store full payment details (like credit card numbers or bank information). For example, if our app needs to create a subscription or charge a customer, it triggers Shopify’s payment process via the API; the sensitive payment data is processed by Shopify’s secure, PCI-compliant systems. We may receive confirmation details (e.g. the last 4 digits of a card or a transaction ID) to record a successful charge, but not the full payment information.
Because Shopify manages all customer accounts, order records, and payments, any personal data (including names, emails, addresses, order history, etc.) remains on Shopify’s servers. Our app may temporarily cache or process data while performing tasks, but such data is not stored persistently by Ongoing. Once the data has been used for the intended function, it remains in Shopify’s infrastructure.
Aside from Shopify, Ongoing’s apps do not directly integrate with unrelated third-party services unless explicitly stated. If in the future our app offers an integration (for example, connecting with an email service or a shipping provider at your request), we will disclose relevant privacy implications in an updated policy or within the app settings. Any data passed to a third-party integration you enable will be limited to what is necessary and will be subject to that third party’s own privacy policies. Ongoing is not responsible for the data practices of third-party services that you may connect to our apps or for any data you choose to export outside our platform.
Shopify’s Policies: Your use of Ongoing’s apps is also governed by Shopify’s privacy policy and terms since your store data is on Shopify. We encourage you to review Shopify’s Privacy Policy and data handling practices. Shopify’s Customer Privacy settings (such as GDPR or CCPA tools provided to you as a merchant) will apply to data in your store. Our app will honor any such settings and consents as communicated through Shopify’s API (for instance, if a customer has opted out of certain processing, our app will attempt to respect that as technically feasible).
Ongoing LLC takes reasonable and industry-standard measures to secure any data processed through our app. All communication between our app and Shopify’s API is encrypted via HTTPS to prevent eavesdropping. We limit access to merchant data strictly to what is needed for operation. Within our organization, any data (which remains primarily on Shopify) is handled only by authorized personnel who are bound by confidentiality obligations.
However, please note that we rely on Shopify’s security for the storage and protection of personal data. Shopify is a large platform with its own robust security protocols. While we trust Shopify’s safeguards, we do not control and are not responsible for Shopify’s security or their infrastructure. Similarly, if you install other apps or use third-party services in conjunction with our app, we cannot guarantee the security of data in those systems.
No Guarantee & Liability: Despite our efforts, no method of transmission or electronic storage is 100% secure. Ongoing LLC cannot and does not guarantee absolute security of data handled through Shopify’s APIs. Moreover, Ongoing is not liable for data breaches, unauthorized access, or security failures that originate from or are due to Shopify’s systems, third-party providers, or your own actions. For example, if Shopify’s databases were compromised or if you (the merchant) misconfigure your store, use a weak password, or otherwise cause data to be exposed, Ongoing is not responsible for such incidents. We will, however, promptly notify you if we become aware of any actual breach of data within our possession and assist as needed in Shopify’s investigative or remedial efforts.
As a merchant using our app, you are responsible for managing your Shopify store’s privacy settings and obtaining any necessary consents from your customers. Our app operates as an extension of your store; therefore, you should ensure that your own store’s privacy policy discloses the use of third-party apps like Ongoing’s and how they may process customer data on your behalf. It is also your responsibility to use our app in compliance with applicable laws and Shopify’s terms. Do not use the app to collect or import sensitive personal data into Shopify that is outside the app’s intended use (for example, do not ask customers to provide social security numbers or other highly sensitive info via our app unless Shopify officially supports and secures that data).
If you become aware of any security issue or misuse of personal data in connection with our app, you should inform us immediately at support@ongoing.so so we can take appropriate action.
Merchant Compliance Disclaimer:Ongoing LLC does not guarantee compliance with GDPR, CCPA, or any other data protection laws. It is solely your responsibility to ensure that your store's operations comply with applicable regulations. Ongoing LLC shall not be held liable for any compliance failures, penalties, or legal consequences resulting from your use of the Services.
Ongoing LLC is based in the United States, and our Services are provided primarily through Shopify’s global infrastructure. When you use our app, personal data may be transferred to and processed in the United States or other locations where Shopify or our service providers operate. Shopify may store your store data in the U.S., Canada, or other jurisdictions. By installing and using our app, you acknowledge and consent that data related to you and your customers may be transferred to and processed in the U.S. (and other countries) which may have different data protection standards than your home jurisdiction.
We will rely on Shopify’s mechanisms for international data transfer (such as Standard Contractual Clauses or other lawful measures under GDPR) as applicable, since Shopify controls the data storage. Ongoing’s handling of data will be in line with those protections as we act as a service provider to you through Shopify.
GDPR (EEA/UK): If you are located in the European Economic Area, United Kingdom, or other regions with data protection laws, you have rights regarding personal data of yours or your customers that may be processed via our app. These rights include the right to access the data, correct or rectify inaccurate data, delete data, restrict or object to certain processing, and data portability. Because Ongoing does not store personal information independently of Shopify, if you or one of your customers wishes to exercise these rights, the request should typically be directed to the Shopify merchant (store owner) or to Shopify itself as the primary data controllers. As the app provider, Ongoing LLC acts as a “data processor” or “service provider” processing data on behalf of the merchant (who is the “data controller”). We will assist the merchant in fulfilling GDPR data subject requests as needed and in accordance with Shopify’s policies. If a data subject sends us a request directly, we will forward it to the relevant merchant or Shopify and help as required to ensure the request is addressed.
Ongoing LLC is willing to provide a Data Processing Addendum (DPA) to merchants upon request, to affirm our role as a processor and to document the safeguards we uphold under GDPR. By using our app, you agree that we may process personal data from your store on your behalf in accordance with Article 28 of the GDPR and other relevant laws.
CCPA/CPRA (California): If you or your customers are California residents, California law provides specific rights regarding personal information. These include the right to know what categories of personal information have been collected, the right to access specific pieces of information, the right to request deletion (with some exceptions), the right to correct inaccurate information, and the right to opt-out of the sale or sharing of personal information. As noted, Ongoing does not sell personal information and does not share it for cross-context advertising. We also do not disclose personal information to third parties for their direct marketing purposes. If a California consumer’s personal data is processed via our app, that data is actually held by the merchant and Shopify. Therefore, to exercise CCPA rights (access, deletion, etc.), the consumer should send a request to the Shopify store owner. We will cooperate with our merchants by deleting or disconnecting any data we can access if we receive a verified deletion or access request via the merchant or Shopify. If a consumer or merchant contacts us directly about a CCPA request, we will assist and direct the request appropriately. We honor the spirit of California privacy laws and strive to ensure that no personal information processed through our app is used in any way that would trigger “sale” or unauthorized “sharing” under those laws.
Other Regions: For residents of other jurisdictions (e.g. Canada, Australia, etc.), we also commit to respecting applicable data rights and regulations. You may have rights to access or delete personal data, or to withdraw consent where our processing is based on consent. Because our role is limited in handling data (as a conduit through Shopify), typically any such requests should be resolved by the data controller (the merchant or Shopify). Nonetheless, you can contact us at support@ongoing.so with any privacy-related inquiries or requests, and we will do our best to assist or point you in the right direction.
Our Services are not intended for use by children. Ongoing’s apps are designed for Shopify merchants (businesses) and their adult customers. We do not knowingly collect personal information from anyone under the age of 13 (or under 16 in certain jurisdictions) directly. Any information about minors that might be contained in a Shopify store’s data (for example, if a minor makes a purchase from a merchant’s store) is handled by Shopify and the merchant, not by Ongoing. If you believe we have inadvertently received personal data about a child under 13, please contact us immediately and we will work with Shopify and the merchant to delete such information.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make material changes, we will notify merchants by appropriate means (for example, by email notice or through the Shopify App listing/dashboard). The “Last Updated” date at the top indicates the latest revision. We encourage you to periodically review this Policy for any updates. Your continued use of our app after any modifications to the Policy will signify your acceptance of the updated terms.
This Privacy Policy and any matters related to it or our handling of personal data are governed by the laws of the State of California, USA, without regard to its conflict of laws principles. In particular, Ongoing LLC is based in San Diego County, California, and we operate under California law.
Dispute Resolution: If you have a dispute or complaint regarding privacy or data use related to our Services, please contact us first at support@ongoing.so so we can attempt to resolve it. In the event that a dispute cannot be resolved amicably, you agree that any claim or dispute arising under this Privacy Policy shall be brought exclusively in the state or federal courts located in San Diego County, California. You also consent and submit to the personal jurisdiction of such courts for resolving any such disputes.
Governing Law and Exclusive Jurisdiction: This Privacy Policy and any dispute arising from or related to it shall be governed by the laws of the State of California, United States, without regard to its conflict of law principles. All disputes shall be resolved exclusively in the state or federal courts located in San Diego County, California. You expressly waive any rights under foreign laws or jurisdictions. By using our Services, you agree that no other legal system, court, or governing body outside of California shall apply.
If you have any questions, concerns, or requests regarding this Privacy Policy or how Ongoing LLC handles data, please contact us at:
Ongoing LLC
Email: support@ongoing.so
We will be happy to address your inquiries and work with you to ensure your privacy is protected.
