PRIVACY POLICY

Rubikc Oy

Effective Date: February 9, 2026

1. Introduction

This Privacy Policy describes how Rubikc Oy (“Rubikc,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data in connection with our website at https://www.rubikc.com, our Shopify application, and the swipeable storefront experiences we generate for our merchant partners (collectively, the “Services”).

Rubikc is a Finnish company headquartered in Vantaa, Finland. We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws worldwide.

This Policy applies to two categories of individuals:

Merchants: Shopify store owners who install and use the Rubikc application to create swipeable storefronts.
Consumers (End Users): Individuals who browse and interact with Rubikc-powered storefronts.

2. Data Controller

The data controller responsible for your personal data is:

Rubikc Oy

Joukontie 2 A

01400 Vantaa, Finland

Email: privacy@rubikc.com

Website: https://www.rubikc.com

For merchants using our Shopify app, Rubikc acts as a data processor on behalf of the merchant (who is the data controller) with respect to consumer data processed through the swipeable storefront.

3. Information We Collect

3.1 Information from Merchants

When you install and use the Rubikc Shopify app, we collect:

Account and store information: Shopify store name, store URL, owner name, email address, and store configuration data obtained through Shopify App Bridge and Admin API.
Product and collection data: Product titles, descriptions, images, prices, inventory status, and collection structures accessed via the Shopify Storefront API and Admin API.
Content and configuration: Editorial blocks, images, videos, and layout preferences you create within the Rubikc dashboard.
Billing information: Subscription plan details processed through Shopify’s billing system. We do not directly collect or store payment card information.
Communications: Messages, support requests, and correspondence you send to us.

3.2 Information from Consumers (End Users)

When consumers browse a Rubikc-powered storefront, we may collect:

Device and browser information: Device type, operating system, browser type, screen resolution, and language preferences.
Usage and interaction data: Pages viewed, swipe patterns, scroll depth, time spent on content, products viewed, and click/tap behavior.
Approximate location data: Country and city-level location derived from IP address (we do not collect precise geolocation).
Referral data: The URL or source that directed the consumer to the storefront.
Cookies and similar technologies: Session identifiers, analytics cookies, and performance cookies as described in Section 9.

3.3 Information We Do NOT Collect

Rubikc does not collect, access, or process:

Payment or credit card information
Customer account passwords
Order or transaction details
Checkout data
Social security numbers or government-issued identifiers

All purchases continue to be processed through the merchant’s existing Shopify checkout. Rubikc does not modify checkout, orders, payments, or customer accounts.

4. How We Use Your Information

4.1 Merchant Data

We use merchant information to:

Provide, operate, and maintain the Rubikc application and swipeable storefront services
Sync and render product and collection data in the storefront experience
Process subscription billing through Shopify’s billing infrastructure
Provide customer support and respond to inquiries
Send service-related communications (e.g., updates, security alerts, technical notices)
Improve and optimize our platform, features, and user experience
Comply with legal obligations

4.2 Consumer (End User) Data

We use consumer interaction data to:

Render and deliver the swipeable storefront experience
Personalize content and product discovery for individual consumers
Generate analytics and engagement reports for merchants
Optimize content presentation, layout, and conversion performance
Identify and resolve technical issues and improve platform performance
Conduct aggregate, anonymized analysis to improve our Services

Under the GDPR, we process personal data based on the following legal grounds:

Performance of a contract (Art. 6(1)(b)): Processing merchant data is necessary to provide the Services under our terms of service and subscription agreement.
Legitimate interests (Art. 6(1)(f)): We process consumer interaction data based on our legitimate interest (and the merchant’s legitimate interest) in optimizing storefront performance, personalizing the shopping experience, and generating analytics. We balance these interests against consumer privacy rights.
Consent (Art. 6(1)(a)): Where required by applicable law, we obtain consent for the use of non-essential cookies and similar tracking technologies.
Legal obligation (Art. 6(1)(c)): We process data where necessary to comply with applicable legal or regulatory requirements.

We do not sell, rent, or trade your personal data to third parties. We may share data in the following limited circumstances:

6.1 Shopify

As a Shopify app, Rubikc integrates with Shopify’s platform through App Bridge, Admin API, and Storefront API. Data exchanged with Shopify is governed by Shopify’s own privacy policy and the Shopify Partner Program Agreement.

6.2 Service Providers

We may engage trusted third-party service providers who process data on our behalf for purposes such as:

Cloud hosting and infrastructure
Analytics and performance monitoring
Customer support tools
Email communications

These providers are contractually obligated to process data only as instructed by us and to maintain appropriate security measures (including Data Processing Agreements where required under GDPR).

6.3 Legal and Compliance

We may disclose personal data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Rubikc, our users, or others.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred as part of the transaction. We will notify affected users of any change in data controller.

7. International Data Transfers

Rubikc is based in Finland (European Economic Area). If we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

European Commission adequacy decisions
Standard Contractual Clauses (SCCs) approved by the European Commission
Other legally recognized transfer mechanisms

For transfers to the United States, we rely on Standard Contractual Clauses and assess the legal framework of the recipient country to ensure adequate protection.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy:

Merchant data: Retained for the duration of the merchant’s active subscription, plus up to 12 months after termination for administrative purposes and legal compliance. Upon request, merchant data can be deleted sooner.
Consumer interaction data: Retained in identifiable form for up to 24 months. After this period, data is either deleted or anonymized for aggregate analytics.
Anonymized and aggregated data: May be retained indefinitely as it no longer constitutes personal data.

9. Cookies and Tracking Technologies

Rubikc-powered storefronts may use the following types of cookies and similar technologies:

Strictly necessary cookies: Required for the storefront to function (e.g., session management). These do not require consent.
Analytics and performance cookies: Used to understand how consumers interact with the storefront, measure engagement, and optimize content. These are deployed only with appropriate consent where required by law.
Personalization cookies: Used to remember consumer preferences and deliver tailored content experiences.

We do not use advertising or third-party tracking cookies for behavioral advertising purposes.

Consumers can manage cookie preferences through the cookie consent mechanism on the storefront, or through their browser settings. Note that disabling certain cookies may affect storefront functionality.

10. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit (TLS/SSL) and at rest
Access controls and role-based permissions
Regular security assessments and vulnerability monitoring
Secure development practices
Incident response procedures

While we take reasonable steps to protect your data, no method of transmission or storage is 100% secure. We encourage merchants to also maintain appropriate security practices within their Shopify stores.

11. Your Rights

If you are located in the European Economic Area, you have the following rights:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data (“right to be forgotten”).
Right to restriction: Request that we restrict processing of your data in certain circumstances.
Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
Right to object: Object to processing based on legitimate interests, including profiling.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise these rights, contact us at privacy@rubikc.com. We will respond within 30 days. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local supervisory authority.

11.2 Rights Under the CCPA (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it.
Right to delete: Request deletion of personal information we have collected from you.
Right to opt out of sale: We do not sell personal information. However, you may still submit an opt-out request.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at privacy@rubikc.com. We will verify your identity and respond within 45 days.

11.3 Rights Under Other Jurisdictions

If you are located in another jurisdiction with applicable data protection laws (such as the UK GDPR, Brazil’s LGPD, Canada’s PIPEDA, or Australia’s Privacy Act), you may have similar rights. Contact us at privacy@rubikc.com and we will address your request in accordance with applicable local law.

12. Children’s Privacy

Our Services are not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take prompt steps to delete it. If you believe a child has provided us with personal data, please contact us at privacy@rubikc.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the “Effective Date” at the top of this Policy
Notify merchants through the Rubikc dashboard or via email
Where required by law, obtain consent for material changes to data processing

We encourage you to review this Policy periodically.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Rubikc Oy