Skip to main contentSkip to Content
Skip to Content

Privacy policy

FiveOh Reviews on Metaobjects (the “App”) enables merchants on Shopify to collect, manage, and display customer reviews using metaobjects.

This Privacy Policy explains how personal information is collected, used, and shared when you install or use the App in connection with your Shopify-supported store.

Effective date: March 18, 2026
Last updated: March 18, 2026

Data controller / responsible entity

The responsible entity (data controller) for data processing in connection with this App is the provider identified on the Legal information page.

Contact details:

Roles and responsibilities (merchant vs app provider)

For store data processed through Shopify, the merchant is generally the data controller, and the App provider acts as a data processor on the merchant’s behalf.

The App provider may act as an independent data controller for limited data required to operate the App business (for example account administration, billing, support communication, security monitoring, and legal compliance).

If you are an end customer of a merchant store, please contact that merchant first for privacy requests related to your customer data. If you are a merchant using the App, you may contact us directly using the contact details above.

Personal information the App collects

When you install the App, we can access specific Shopify data based on the permissions (access scopes) granted to the App.

The App currently uses the following permissions:

  • write_app_proxy, read_app_proxy: to serve and manage app proxy endpoints used by storefront/app features.
  • read_products, write_products: to read and update product-related review data, links, and app-related product metadata.
  • read_customers: to associate reviews with customer identities where applicable.
  • read_orders: to validate purchases and support verified-review related workflows.
  • read_metaobjects, write_metaobjects: to read and manage review records stored in Shopify metaobjects.
  • read_metaobject_definitions, write_metaobject_definitions: to create and maintain required metaobject schemas used by the App.
  • read_translations, write_translations, read_locales: to localize review content and app-generated labels/messages across store languages.
  • write_product_reviews: to create or update product review content through Shopify’s review APIs/capabilities.

From these permissions, the App may process store-level and customer-related information such as product data, order references, customer references, locale/translation data, and review/metaobject content required to operate the service.

Cookies and similar technologies

We may also collect technical information using standard technologies:

  • Cookies: data files placed on your device, often including an anonymous unique identifier. Learn more at https://allaboutcookies.org .
  • Log files: records of actions on the site or app interface, including IP address, browser type, ISP, referring/exit pages, and date/time stamps.
  • Web beacons, tags, and pixels: electronic files used to understand browsing and usage behavior.

How we use your personal information

We use collected information to provide and operate the App, including to:

  • communicate with you,
  • maintain, optimize, and improve the App,
  • provide product-related information, updates, or marketing communications.

Lawful basis for processing (EEA/UK)

Where GDPR or similar laws apply, we rely on the following legal bases depending on the purpose:

  • Contract performance (Art. 6(1)(b) GDPR): to provide, maintain, and support the App features requested by the merchant.
  • Legitimate interests (Art. 6(1)(f) GDPR): to secure, monitor, improve, and optimize the App, prevent abuse, and provide product support.
  • Legal obligation (Art. 6(1)(c) GDPR): to comply with applicable legal, tax, accounting, and regulatory requirements.
  • Consent (Art. 6(1)(a) GDPR), where required: for specific optional activities that require consent under applicable law.

If you have questions about the legal basis applied to a specific processing activity, contact us using the details in this policy.

Sharing your personal information

We may share personal information only where necessary to:

  • comply with applicable laws and regulations,
  • respond to lawful requests (such as subpoenas or warrants),
  • protect our rights and the security of the App.

Service providers and subprocessors

We may use trusted third-party providers (subprocessors/service providers) to operate and secure the App, such as providers for:

  • cloud hosting and infrastructure,
  • monitoring, logging, and error tracking,
  • customer support and communications,
  • email delivery and transactional messaging,
  • analytics and performance measurement.

These providers are contractually required to process personal information only for permitted purposes and with appropriate confidentiality and security safeguards.

International data transfers

Your information may be transferred to and processed in countries outside your own, including outside the EEA/UK (for example Canada and the United States).

Where required by applicable law, we rely on appropriate transfer safeguards, such as:

  • adequacy decisions issued by relevant authorities, and/or
  • Standard Contractual Clauses (SCCs) and related contractual protections.

We also apply technical and organizational safeguards designed to protect personal information during international transfers.

Behavioural advertising

We may use personal information to provide targeted advertisements or marketing communications that may be relevant to you.

For more about how targeted advertising works, visit the NAI page: https://www.networkadvertising.org/understanding-online-advertising/how-does-it-work .

Your rights (EEA residents)

If you are a European resident, you have the right to:

  • access personal information we hold about you,
  • request correction, updates, or deletion of your personal information.

To exercise these rights, contact us using the details in this policy.

If you are a European resident, we process your information to fulfill contracts with you and/or pursue our legitimate business interests described above.

We respond to valid privacy requests within the deadlines required by applicable law. We may request additional information to verify identity before processing a request.

You may also have the right to lodge a complaint with your local data protection authority.

Data retention

We retain personal information only for as long as necessary for the purposes described in this policy, including to provide the App and comply with legal obligations.

Retention is determined based on factors such as:

  • the duration of your active use of the App,
  • support, dispute-resolution, and fraud-prevention needs,
  • legal, tax, accounting, or regulatory retention requirements.

When data is no longer required, we delete it or anonymize it, unless retention is required by law.

Data security

We apply reasonable technical and organizational security measures designed to protect personal information, including:

  • access controls and least-privilege access practices,
  • encryption in transit where supported,
  • logging and monitoring for security and reliability,
  • periodic review of data access and processing practices.

No method of transmission or storage is completely secure, but we work to maintain safeguards appropriate to the nature of the data processed.

Changes

We may update this Privacy Policy from time to time to reflect changes in our practices or for operational, legal, or regulatory reasons.

Material changes will be reflected by updating the “Last updated” date above and, where required by law, by providing additional notice.