Privacy and Data Protection Policy
Last updated: June 2026
This policy explains how Skumo collects, uses, stores, and protects personal data. We've written it to be as clear and straightforward as possible.
1. Who We Are
Skumo is operated by Matthew Nuttall, a sole trader:
- Address: 61 Hunter Hill Road, Sheffield, S11 8UD, United Kingdom
- Email: [email protected]
Matthew Nuttall is the data controller for personal data processed through Skumo.
2. What Data We Collect and Why
2.1 Merchant data (you — the Shopify store owner)
When you install Skumo, we collect and store:
| Data | Why we collect it |
|---|---|
| Your Shopify shop domain | To identify your account and connect to your Shopify store |
| Shopify access tokens | To read and update your products, inventory, and orders on your behalf |
| App settings and preferences | To remember your configuration between sessions |
| Staff names you enter | To populate dropdown menus within the app |
Legal basis (UK/EU GDPR): Performance of a contract — this data is necessary to provide the Skumo service you have subscribed to.
2.2 Your supplier data
When you create suppliers in Skumo, we store:
- Supplier name, email address, and phone number
- Order history and preferences you record
Legal basis: Legitimate interests — storing your supplier information is necessary for Skumo to function as a purchase order management tool. This data relates to your business contacts, not consumers.
2.3 Customer data via Special Orders
The Special Orders feature allows you to record individual customer orders. When you use this feature, Skumo stores on your behalf:
- Customer first name and last name
- Customer phone number
- Customer email address (if provided)
- Order details, notes, and dates
Important — your obligations as a data controller: Skumo processes this customer data on your behalf as a data processor. You, as the Shopify merchant, are the data controller for your customers' personal data. This means you are responsible for:
- Having a lawful basis to collect and store your customers' personal data
- Providing your customers with appropriate privacy information
- Responding to any data subject requests from your customers
We process this data only as instructed by you through your use of the app.
Legal basis for Skumo's processing: Legitimate interests in providing the agreed service; compliance with our contractual obligations to you.
2.4 Data we do not collect
- Payment card details (all payments are handled by Shopify)
- Shopify customer order data beyond what you enter directly into Special Orders
- Any data unrelated to your use of Skumo
3. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Account and session data | Deleted within 30 days of app uninstallation |
| Purchase Orders and supplier data | Deleted within 30 days of app uninstallation |
| Special Order customer data | Deleted within 30 days of app uninstallation |
| Stock count records | Deleted within 30 days of app uninstallation |
We may retain anonymised, aggregated data (for example, total number of orders processed) that cannot be linked back to you or your customers, for the purpose of improving the service.
If you request earlier deletion of your data, contact us at [email protected].
4. Who We Share Your Data With
We do not sell your data. We share data only with the following third-party service providers ("sub-processors") who help us operate Skumo:
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Shopify | Platform provider — all data flows through the Shopify API | Global (Shopify's infrastructure) | Shopify GDPR Data Processing Addendum |
| Railway | Application hosting and database storage | EU West (Frankfurt, Germany) | Standard Contractual Clauses |
| Resend | Transactional email delivery — used to send Purchase Order emails to your suppliers on your behalf | USA | Standard Contractual Clauses |
| Cloudflare | DDoS protection and content delivery | Global | Standard Contractual Clauses; adequacy decisions where applicable |
Server location note: Skumo's application and database are hosted on Railway in the EU West region (Frankfurt, Germany), within the European Economic Area. No transfer mechanism is required for EU/EEA data. For UK data transfers to an EU/EEA host, the UK–EU adequacy decision applies. Where other sub-processors (e.g. Resend) process data outside the UK/EEA, Standard Contractual Clauses are in place.
5. International Data Transfers
Your data may be transferred to and stored in countries outside the UK and European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) — contracts approved by the UK ICO (IDTA) or European Commission that bind the recipient to the same data protection standards
- Adequacy decisions — where the receiving country has been recognised by the UK or EU as providing adequate data protection
If you would like more information about the specific safeguards in place for any transfer, contact us at [email protected].
6. Your Rights
If you are in the UK or EU/EEA
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:
- Right of access — you can ask for a copy of the personal data we hold about you
- Right to rectification — you can ask us to correct inaccurate data
- Right to erasure — you can ask us to delete your data in certain circumstances
- Right to restriction — you can ask us to limit how we use your data
- Right to data portability — you can ask for your data in a machine-readable format
- Right to object — you can object to processing based on legitimate interests
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
If you are in California, USA
If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information (we do not sell personal information). To exercise these rights, contact us at [email protected].
If you are in other US states
Several US states have enacted privacy legislation (including Colorado, Virginia, Connecticut, and others). We will honour verifiable requests made under applicable state privacy laws. Contact us at [email protected].
7. Cookies and Tracking
Skumo is a Shopify embedded application. It does not use advertising cookies or third-party tracking cookies. Session data is managed through Shopify's authentication system to keep you logged in while using the app.
The Skumo website (skumo.app) may use cookies for basic analytics. Details are provided in the cookie notice on the website.
8. Security
We take reasonable steps to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Application-level AES-256-GCM encryption for sensitive data at rest (Shopify access tokens, supplier contact details, Special Order customer data)
- Database-level access controls limiting who can access stored data
- Shopify authentication tokens encrypted at the application level and never exposed to other users or logged
- Separate encryption keys per environment (development and production) — data from one environment cannot be decrypted in the other
If you believe there has been a security incident involving your data, contact us immediately at [email protected].
9. Special Category Data
We do not intentionally collect or process any special category data (health information, racial or ethnic origin, political opinions, religious beliefs, biometric data, or similar) through Skumo. Please do not enter this type of information into any Skumo field.
10. Children
Skumo is a business tool and is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by email or through a notice within the app. The "Last updated" date at the top of this page will always reflect when the policy was last revised.
12. Contact
If you have any questions about this policy, or want to exercise your data rights, please contact:
Matthew Nuttall
- Email: [email protected]
- Address: 61 Hunter Hill Road, Sheffield, S11 8UD, United Kingdom
For complaints, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk.