ShipCommerceBack to Home

Privacy Policy

Last updated: June 2026

1. Controller

Controller in accordance with Art. 4 VII GDPR is:

WEB ART MEDIA (operating under the brand “ShipCommerce”)
Website: https://shipcommerce.io/
Email: hello@shipcommerce.io

WEB ART MEDIA acts solely as a software provider and does not process personal data on behalf of customers unless explicitly agreed otherwise.

2. What are my rights as a data subject?

As a data subject, you have the following rights:

2.1 Right of access (Art. 15 GDPR)

You have the right to be informed at any time of the categories of personal data processed, the purposes of processing, any recipients or categories of recipients of your personal data and the planned storage period.

2.2 Right of rectification (Art. 16 GDPR)

You have the right to request the rectification or completion of personal data concerning you that is incorrect or incomplete.

2.3 Right to erasure (“right to be forgotten”) (Art. 17 GDPR)

You have the right to request the immediate erasure of your personal data. In particular, we are obliged as the controller to delete your data in the following cases:

  • Your personal data is no longer needed for the purposes for which it was collected.
  • A processing of your personal data took place solely on the basis of your consent, which you have now withdrawn, and there is no other legal basis that legitimises a processing of your personal data.
  • You have objected to a processing which is based on the legitimate or public interest and we cannot prove that there are legitimate grounds for processing.
  • Your personal data has been processed unlawfully.
  • The erasure of your personal data is necessary in order to comply with a legal obligation to which we are subject.
  • Your personal data has been collected in connection with information society services offered in accordance with Art. 8 I GDPR.

Please be aware that the right to erasure is subject to a limitation in the following cases, so that a deletion is excluded:

  • Your personal data is used to exercise the right to freedom of expression and information.
  • Your personal data serves to fulfil a legal obligation to which we are subject.
  • Your personal data is used to carry out a task that is in the public interest or in the exercise of official authority that has been assigned to us.
  • Your personal data serves the public interest in the field of public health.
  • Your personal data are necessary for archiving purposes in the public interest, for scientific or historical research or for statistical purposes.
  • Your personal data serve for us to establish, exercise or defend legal claims.

2.4 Right of restriction of processing (Art. 18 GDPR)

You also have the right to request that the processing of your personal data be restricted; in such a case, your personal data will be excluded from any processing. This right applies if:

  • You contest the accuracy of your personal data and we have to verify the accuracy of your personal data.
  • The processing of your personal data is unlawful and instead of erasing your personal data, you request a restriction of processing.
  • We no longer need your personal data for the fulfilment of the specific purposes, but you still need this personal data to establish, exercise or defend legal claims.
  • You object to the processing of your personal data and it has not yet been determined whether your or our legitimate reasons override this.

2.5 Right of data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you that you have provided to us as a controller in a structured, common and machine-readable format and to transfer it to another controller. Furthermore, you also have the right to request that your personal data be transferred from us to another controller, insofar as this is technically feasible.

The requirements for the applicability of data portability are:

  • Your personal data is automatically processed based on your consent or a contract.
  • Your personal data does not serve to fulfil a legal obligation to which we are subject.
  • Your personal data will not be used to perform a task that is in the public interest.
  • Your personal data do not serve for the performance of a task which is performed in the exercise of an official authority delegated to us.
  • The exercise of your right shall not interfere with the rights and freedoms of others.

2.6 Right to object (Art. 21 GDPR)

You have the right at any time to object to the processing of your personal data on grounds arising from your particular situation. This also applies to profiling. The requirement for this is that the processing is based on a legitimate interest on our part (Art. 6 I lit. f GDPR) or the public interest (Art. 6 I lit. e GDPR).

Furthermore, you may also at any time object to the processing of your personal data for the purposes of direct marketing or profiling linked to such direct marketing.

Should you object to the processing of your personal data based on a legitimate interest, we will check in each individual case whether we can show grounds worthy of protection that override your interests and rights and freedoms. In the event that there are no reasons worthy of protection on our part or your interests as well as rights and freedoms override our own, your personal data will no longer be processed. An exception is made if your personal data is still used for the establishment, exercise or defence of legal claims.

If you object to the processing of your personal data for the purposes of direct marketing or profiling, insofar as this is linked to such direct marketing, your personal data will no longer be processed for these purposes.

2.7 Right to lodge a complaint with the supervisory authority (Art. 77 GDPR)

You also have the right to lodge a complaint with a supervisory authority at any time, in particular with a supervisory authority in the Member State of your residence, place of work or place of suspected infringement, if you consider that the processing of personal data concerning you is in breach of the data protection regulations.

The address of the supervisory authority is:

Commission for Personal Data Protection
Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Email: kzld@cpdp.bg
Website: www.cpdp.bg

2.8 Right of withdrawal (Art. 7 GDPR)

If you have given us consent to process your personal data, you can withdraw this consent at any time without giving reasons and in an informal manner. Withdrawal of consent does not affect the lawfulness of the processing that has taken place on the basis of the consent up to the point of withdrawal.

3. General information regarding the topic “purposes”

As a matter of principle, the processing of your personal data by us is always linked to a specified, explicit and legitimate purpose, which has already been defined before the processing activity is commenced, in accordance with the principle of purpose limitation under Art. 5 I lit. b GDPR. In the further course of this privacy policy, when a processing activity is cited, a description of the specific purpose is also included.

4. General information regarding the topic “legal base”

We process your personal data in accordance with the GDPR. Accordingly, the processing of your personal data is always founded on a legal basis. Article 6 of the GDPR defines legal bases for the processing of personal data.

Legal bases for the processing of personal data

Consent

If we obtain your consent for the processing of your personal data, the processing will be carried out on the legal basis of Art. 6 I lit. a GDPR. The following example serves to clarify this legal basis: You receive advertising from us by electronic mail and/or telephone and have given your prior consent.

Contract or pre-contractual measure

If the processing of your personal data is necessary for the fulfilment of a contract with you or for the implementation of pre-contractual measures taken in response to your request, the legal basis on which the processing of your personal data is based is Art. 6 I lit. b GDPR.

Legal obligation

In cases where the processing of your personal data is necessary to comply with a legal obligation to which we are subject, this processing is based on Art. 6 I lit. c GDPR.

Vital interest

Should the processing of your personal data be necessary to protect your vital interests or those of another person, this processing is carried out in accordance with Art. 6 I lit. d GDPR.

Public interest

In cases where we process your personal data in order to perform a task which is in the public interest or in the exercise of official authority delegated to us, Art. 6 I lit. e GDPR constitutes the legal basis.

Legitimate interest

If the processing of personal data is necessary to safeguard a legitimate interest of our company or a third party and at the same time the interests, basic rights and fundamental freedoms of the data subject, which require the protection of personal data, do not override our legitimate interest, Art. 6 I lit. f GDPR serves as the legal basis for the processing.

5. General information regarding the topic “obligation to preserve records and time limits of erasure”

Unless otherwise stated, we delete personal data in accordance with Art. 17 GDPR or restrict its processing in accordance with Art. 18 GDPR. Apart from the retention periods stated in this privacy policy, we process and store your personal data only as long as the data are necessary for the fulfilment of our contractual and legal obligations. Personal data that are no longer required after the purpose has been fulfilled will be regularly deleted.

6. General information regarding the topic “disclosure of personal data”

Recipient of your data

We do not sell or rent user data in principle. A transfer to third parties beyond the scope described in this privacy policy will only take place if this is necessary for the processing of the respective requested service.

Data may be shared with service providers strictly where necessary, including:

  • Payment processing: Stripe
  • Repository access: GitHub
  • Website analytics and monitoring: Google Analytics, Plausible Analytics
  • Website administration and performance monitoring: Google Search Console

These providers process data on our behalf or as independent controllers under their own privacy policies.

Locations of the processing of your personal data

In principle, we process your data in Bulgaria and in other European countries (EU/EEA). Certain service providers may process data outside the EU/EEA, including in the United States, subject to appropriate safeguards under applicable data protection laws.

7. Cookies

We use strictly necessary cookies required for the operation, security, and functionality of the website. These cookies may include session cookies, authentication cookies, and security-related cookies.

We may also use analytics technologies and similar tools to understand website usage, improve performance, and optimize user experience.

Analytics services used on the website may include: Google Analytics, Plausible Analytics. Google Analytics may use cookies and similar technologies to collect information such as IP address, browser type, device information, pages visited, and interactions with the website.

Legal basis:

  • Strictly necessary cookies: Art. 6(1)(b) and Art. 6(1)(f) GDPR
  • Analytics and optional cookies: Art. 6(1)(a) GDPR

Where required by applicable law, analytics cookies and technologies will only be activated after the user has provided consent through the cookie banner or consent management tool.

8. In the context of which processing activities are my personal data processed?

8.1 Website usage

When visiting our website, we process: IP address
Purpose: website functionality, security
Legal basis: Art. 6(1)(f) GDPR

8.2 Purchase and order fulfillment

When you purchase a product, we process: GitHub username, email address. Payment data is processed securely by Stripe (we do not store card details).
Purpose: contract fulfillment
Legal basis: Art. 6(1)(b) GDPR

8.3 Product delivery

Depending on the product, delivery may include: GitHub account access, download links
Purpose: provide purchased product
Legal basis: Art. 6(1)(b) GDPR

8.4 Customer support

When you contact us: email content, contact details
Purpose: respond to inquiries
Legal basis: Art. 6(1)(b) or (f) GDPR

8.5 Product updates (lifetime plans)

We may send: essential product updates
Purpose: service delivery
Legal basis: Art. 6(1)(b) GDPR

9. Data security

We implement appropriate technical and organizational measures, including: HTTPS encryption, secure payment processing (Stripe), restricted access to data.

While we implement appropriate technical and organisational measures to protect personal data, please note that no method of transmission over the Internet or method of electronic storage is completely secure.

Accordingly, although we strive to ensure a high level of security, we cannot guarantee absolute security of your personal data. To the extent permitted by applicable law, we shall not be liable for any unauthorised access, loss, or disclosure of personal data resulting from events beyond our reasonable control, including but not limited to force majeure events or actions of third parties.

10. Changes to this Privacy Policy

We reserve the right to update or amend this Privacy Policy in order to reflect changes in legal, regulatory, or operational requirements.

Any changes will be published on this page, and where appropriate, notified to you by other means. The “last updated” date at the top of this Privacy Policy will indicate when the latest changes were made.

11. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of Bulgaria and applicable EU law.