Privacy Policy
Last updated: [date de publication] · This policy explains what data the Oak Translate app processes for merchants, why, and what your rights are. Version française.
Who we are
[Oakmont Court — forme sociale, RCS, adresse], France, is the publisher of Oak Translate and acts as a processor on your behalf (GDPR art. 28). A full Data Processing Agreement is available on request at [e-mail contact].
What we process — and what we don't
- Store content to translate: product, collection, page, blog, menu and filter texts, read and written through the Shopify API. This content may incidentally contain personal data (e.g. a designer's name in a description).
- Your merchant account data: store domain, locale, contact e-mail (for notifications), app preferences.
- Billing aggregates through Shopify billing — we never see or store card details.
- We never read or transmit your customers' data. The app requests no customer scopes (Shopify Protected Customer Data: level 0). The mandatory GDPR webhooks are implemented and answer with the absence of data.
What we use it for
One purpose only: providing the translation service and its management tools (glossary, translation memory, inventory). No profiling, no advertising, and no AI training on your data — neither by us, nor by the default managed AI providers, which contractually refrain from training on API data.
AI providers and international transfers
Translations run on the AI provider you select for each job. Our full, dated sub-processor register lists each provider's contracting entity, processing location, training policy, retention and transfer safeguards (SCC/DPF). Production infrastructure is hosted in the European Union (Scaleway, France).
Retention and deletion
- Your data is kept while the app is installed — you can delete glossaries, translation memory and translations at any time from the app.
- On uninstall, your API keys (BYOK) are purged immediately. About 48 hours
later, Shopify sends the
shop/redactrequest and we run a real, tested purge of all content and operational data — including any remaining credit balance. Reinstalling after that starts from a clean slate. - Statutory billing records (subscriptions, charges, credit ledger) are kept for the legal accounting period (~10 years), detached from any active profile.
Security
Envelope encryption (AES-256-GCM) for your API keys — decrypted only in the translation engine's memory, never displayed, never logged. TLS in transit, role-based access with mandatory two-factor authentication and an append-only audit log on our operations side.
Your rights
You can access, rectify and delete the content we process directly in the app. For any GDPR request (access, erasure, portability, objection), contact [e-mail contact]. You may also lodge a complaint with your supervisory authority (in France: the CNIL).