Privacy Policy

JMS Dev Lab ("we", "us", "our") operates the website jmsdevlab.com, develops Shopify applications including JewelryStudioManager and StaffHub, and provides custom software development services. This Privacy Policy explains how we collect, use, and protect your personal data.

1. Data Controller

The data controller responsible for your personal data is:

• Name: John Moore
• Business: JMS Dev Lab
• Location: Ireland
• Email: hello@jmsdevlab.com

2. Information We Collect

Information You Provide

• Contact information: Name, email address, and message content when you contact us through our website or email.
• Account information: When you install one of our Shopify apps, Shopify provides us with your store name, store URL, email address, and the data access scopes you authorize. For custom development clients, we collect business name, contact details, and project requirements as provided during consultation.

Information Collected Automatically

• Usage data: When you use our apps, we collect information about how you interact with the application to improve our services.
• Shopify data: Depending on which app you install and the permissions you grant, we may access customer data, order data, and product data from your Shopify store. This data is used solely to provide the app's functionality.
• Website analytics data: When you visit our website, we collect analytics data including pages visited, time on site, referral source, browser type, device type, and approximate geographic location. This data is collected via Google Analytics 4 (property G-B7SYY8F9XY) with cross-domain tracking enabled across all JMS Dev Lab domains and Google Signals enabled. Analytics data is retained for 14 months.
• Privacy-first analytics: We also use Cloudflare Web Analytics and Plausible Analytics, which collect aggregate website usage data without using cookies and without collecting personal data.
• Advertising data: With your consent, Meta Pixel (Facebook) and Google Ads Remarketing may collect data about your visit for audience building and remarketing purposes.

Information We Do Not Collect

• We do not sell your personal data to third parties.

3. How We Use Your Information

• To provide and maintain our Shopify applications
• To respond to your enquiries and support requests
• To process billing through Shopify's payment system
• To improve our apps and website based on usage patterns
• To provide custom software development services as agreed with clients
• To measure website traffic and understand how visitors use our site
• To build remarketing audiences and display relevant advertising (with your consent)
• To send email marketing communications (with your consent, via MailerLite)
• To comply with legal obligations, including Shopify's requirements and GDPR

4. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR:

• Consent: For analytics cookies, advertising cookies (Meta Pixel, Google Ads Remarketing, Google Analytics), and email marketing. You can grant or withdraw consent at any time via our cookie banner or by contacting us.
• Legitimate interest: For essential website functionality, security, and privacy-first analytics (Cloudflare Web Analytics and Plausible Analytics, which do not use cookies or collect personal data).
• Contractual necessity: To provide our Shopify apps and custom development services as agreed.
• Legal obligation: To comply with applicable laws, including GDPR and Shopify's requirements.

5. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. We use Google Tag Manager (container GTM-NPTXDRDH) to manage all tracking tags on our website.

Cookie Consent

We implement GTM Consent Mode v2. By default, all analytics and advertising cookies are denied until you explicitly accept them via our cookie consent banner. You can change your cookie preferences at any time by clicking the cookie settings link in the footer.

Analytics Cookies (require consent)

• Google Analytics 4 (GA4): Property G-B7SYY8F9XY. Used to measure website traffic and understand user behaviour. Cross-domain tracking is enabled across all JMS Dev Lab domains. Google Signals is enabled, which may link your activity to your Google account if you have opted into Google ad personalisation. Data is retained for 14 months. Google's Privacy Policy.

Advertising Cookies (require consent)

• Meta Pixel (Facebook): Pixel ID 1762011307420822. Used for audience building and remarketing on Meta platforms (Facebook, Instagram). Meta's Privacy Policy.
• Google Ads Remarketing: Conversion ID 198296860. Used to build remarketing audiences and measure advertising conversions. Google's Privacy Policy.

Cookie-Free Analytics (no consent needed)

• Cloudflare Web Analytics: Privacy-first analytics that does not use cookies, does not track individual visitors, and does not collect personal data. Cloudflare's Privacy Policy.
• Plausible Analytics: Privacy-first analytics that does not use cookies, does not track individual visitors, and does not collect personal data. Plausible's Data Policy.

6. Data Security

We take data security seriously. Our security measures include:

• All data is encrypted in transit using TLS (HTTPS)
• Sensitive data is encrypted at rest using AES-256 encryption
• Authentication uses secure HttpOnly cookies
• Passwords are hashed using bcrypt
• Shopify access tokens are encrypted with AES-256-GCM
• CSRF protection is implemented on all state-changing operations

7. Data Retention

We retain your data for as long as your account is active or as needed to provide our services. If you uninstall one of our apps:

• Your data is retained for 30 days to allow for reactivation or data export
• After 30 days, your data is permanently deleted
• You can request immediate deletion at any time by contacting us

For custom development clients, project-related data is retained for 12 months after project completion to support ongoing maintenance and warranty obligations, unless otherwise agreed in your project contract.

8. GDPR Compliance

We comply with the General Data Protection Regulation (GDPR). As a data processor for Shopify merchants, we:

• Process data only as instructed by the merchant (data controller)
• Implement appropriate technical and organisational security measures
• Handle all Shopify-mandated GDPR webhooks (customer data requests, customer data erasure, shop data erasure)
• Respond to data subject requests within 30 days

Your Rights Under GDPR

If you are in the European Economic Area or the UK, you have the right to:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate personal data
• Right to erasure: Request deletion of your personal data
• Right to restriction: Request restriction of processing of your personal data
• Right to data portability: Request your data in a structured, commonly used, machine-readable format
• Right to object: Object to processing of your personal data

To exercise any of these rights, please contact us at hello@jmsdevlab.com. We will respond within 30 days.

Right to Lodge a Complaint

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Irish Data Protection Commission (DPC):

• Website: www.dataprotection.ie
• Phone: +353 (0)1 765 0100 / 1800 437 737
• Email: info@dataprotection.ie

9. Data Processors and Third-Party Services

We use the following third-party data processors to operate our website and services:

• Google (GA4, GTM, Ads): Google LLC provides Google Analytics 4 for website analytics, Google Tag Manager for tag management, and Google Ads for remarketing. Google processes data as a data processor on our behalf. Google's Privacy Policy.
• Meta (Pixel): Meta Platforms, Inc. provides the Meta Pixel for audience building and remarketing on Facebook and Instagram. Meta's Privacy Policy.
• Cloudflare (Web Analytics, hosting): Cloudflare, Inc. provides website hosting via Cloudflare Pages and privacy-first web analytics. Cloudflare's Privacy Policy.
• Plausible (analytics): Plausible Insights OÜ provides privacy-first website analytics without cookies or personal data collection. Plausible's Data Policy.
• MailerLite (email marketing): MailerLite Limited provides email marketing services for sending newsletters and marketing communications. MailerLite's Privacy Policy.
• Shopify: Our apps run on the Shopify platform. Shopify's use of your data is governed by Shopify's Privacy Policy.

10. International Data Transfers

Some of our data processors (Google, Meta, Cloudflare) are based in the United States. Where personal data is transferred from the EEA to the US, these transfers are protected by the EU-US Data Privacy Framework, ensuring an adequate level of data protection as recognised by the European Commission.

11. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: hello@jmsdevlab.com
• Website: jmsdevlab.com