1. Introduction
We are CapRelease Limited (known as "CapRelease", "we", "us", or "our"). Here's how we protect your data and respect your privacy.
This Privacy Policy applies to you if you are a CapRelease customer, a Shopify merchant using our app, a subscriber, or a visitor to our website. It describes how we collect, use, store, and share your personal data, and sets out your rights.
If you are a registered CapRelease customer or a visitor to our website, we act as the "data controller" of personal data. This means we determine how and why your data is processed.
2. Our Role in Your Privacy
Our Responsibilities
As data controller, we are responsible for ensuring your personal data is processed lawfully, fairly, and transparently. We implement appropriate technical and organisational measures to protect your data.
Your Responsibilities
- Read this Privacy Policy
- If you are our customer, also review the contracts between us, including the Data Processing Agreement (available upon request at hello@caprelease.com)
- If you provide us with personal information about other people, you confirm that you have the right to authorise us to process it on your behalf
3. When and How We Collect Data
If you are only a visitor to our website, we do not collect any personal data before you request contact or information from CapRelease. We use Google Analytics to carry out website measurement.
Data You Give Us
- When you register for or use CapRelease services
- When you install our Shopify app and grant permissions
- When you complete identity verification (KYC) via Onfido
- When you sign agreements via DocuSign
- When you contact us for customer support
- When you opt in to marketing communications
Data We Collect Automatically
- When you browse our website (via Google Analytics)
- When you use our platform or Shopify app
- When you receive and interact with our emails
Data Collected via Shopify
When you install the CapRelease Shopify app, we access certain data from your Shopify store via Shopify's APIs and through our integration partner Codat, including store information, order data, product and inventory data, customer data, and financial data.
Data Collected via TrackStar
We use TrackStar to integrate with your warehouse management and inventory systems, accessing inventory levels, product data, stock movements, and warehouse and fulfilment data for real-time visibility into your operations.
4. Types of Data We Collect
Contact Details: Your name, email address, phone number, role in your company, and business address.
Financial Information: Bank account number, sort code, Direct Debit mandate details, revenue data, and other financial metrics.
Identity Verification Data: Information collected during KYC checks via Onfido, including government-issued identity documents and facial biometric data (for document matching purposes only).
Business and Inventory Data: Product listings, stock levels, order history, sales performance, supplier information, warehouse data, and other operational metrics.
Buyer Data from Your Store: Names, email addresses, delivery addresses, and phone numbers of your customers. We use this solely to analyse purchasing patterns. We do not contact your customers or share their data for unrelated purposes.
Data That Identifies You: IP address, login information, browser type, time zone, geolocation, and operating system.
Usage Data: URL clickstreams, pages viewed, page response times, session duration, and actions taken.
Sensitive Data: We do not intentionally collect any sensitive data. Biometric data collected by Onfido is not retained by CapRelease.
5. How and Why We Use Your Data
| Purpose | Description | Legal Basis |
|---|---|---|
| Providing Our Services | Delivering the platform, syncing store data, generating analytics | Contract / Legitimate Interests |
| Shopify Data Sync | Accessing store, order, inventory, and buyer data for insights | Contract / Legitimate Interests |
| Identity Verification | KYC checks via Onfido for directors and beneficial owners | Legal Obligation |
| Contract Management | Sending, signing, and storing agreements via DocuSign | Contract |
| Improving CapRelease | Product analytics, testing features, improving models | Legitimate Interests |
| Customer Support | Service notifications, issue resolution | Legitimate Interests |
| Marketing | Emails about features and content via Mailchimp (with consent) | Consent |
| Transactional Comms | System notifications via Mailgun and SendGrid | Contract / Legitimate Interests |
| Payment Collection | GoCardless Direct Debit | Contract |
| Legal & Regulatory | AML regulations, FCA requirements | Legal Obligation |
Legal Bases Explained
Consent: Clear consent for a specific purpose. Withdraw at any time via hello@caprelease.com.
Legitimate Interests: Necessary for our interests, not outweighed by your rights.
Contract: Necessary for performing a contract with you.
Legal Obligation: Necessary to comply with AML, KYC, and FCA rules.
6. How We Use Your Customers' (Buyer) Data
- What we access: Buyer names, email addresses, delivery addresses, phone numbers, and order details
- Why: To analyse purchasing patterns including customer concentration, repeat vs new ratios, and average order values
- What we do NOT do: We never contact your buyers, never use their data for marketing, never sell or share it
- Retention: Only as long as necessary for our services. Deleted per Shopify redaction requirements on app uninstall
- Buyer rights: Buyers can request access, correction, or deletion via hello@caprelease.com within 30 days
7. Your Privacy Choices and Rights
Your Choices
- You can choose not to provide personal data (but we cannot provide services without it)
- You can turn off cookies in your browser settings
- You can opt out of marketing via hello@caprelease.com or the unsubscribe link
Your Rights
Exercise these by emailing hello@caprelease.com:
- Access: Request what data we hold and how we process it
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion where no longer necessary
- Data Portability: Receive your data in CSV or JSON format
- Object: Object to profiling or automated decision-making
- Restrict Processing: Limit how we use your data
- Complain: Lodge a complaint with the ICO
We respond within one month.
8. How Secure Is the Data We Collect?
- Encryption in transit (TLS/SSL) and at rest
- Access controls and role-based permissions
- Regular security reviews and vulnerability assessments
- Microsoft Azure hosting in the UK (UK South region)
- Multi-factor authentication for sensitive systems
- Microsoft 365 security and compliance features
If you believe your privacy has been breached, contact us immediately at hello@caprelease.com.
9. Where Do We Store the Data?
Primarily on Microsoft Azure servers in the UK (UK South region). We also process data through providers in the UK, EU, and US with appropriate safeguards including UK IDTAs, SCCs, and encryption.
10. How Long Do We Store Your Data?
We archive data within 3 months of your last use. We delete it no later than 6 years after, or as agreed in a separate contract.
Identity Verification Data
Biometric data is processed by Onfido and not stored by CapRelease. Verification results are retained per AML requirements (typically 5 years after the business relationship ends).
Shopify App Data
- We cease accessing store data immediately on uninstallation
- We respond to Shopify's deletion webhooks within 30 days
- Data for active agreements retained as needed for legal obligations
- Aggregated anonymous data may be retained for analytics
11. Shopify Data Compliance
We implement Shopify's mandatory compliance webhooks:
- customers/data_request: Buyer data provided within 30 days
- customers/redact: Buyer data deleted or anonymised within 30 days
- shop/redact: All store and buyer data deleted within 30 days of uninstall
12. Third Parties Who Process Your Data
Data is shared only when strictly necessary with appropriate safeguards including IDTAs, SCCs, and encryption.
Infrastructure & Hosting
| Provider | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud hosting and data storage | UK (UK South) |
| Microsoft 365 | Email, productivity, collaboration | UK / EU |
Platform Integrations
| Provider | Purpose | Location |
|---|---|---|
| Shopify Inc. | eCommerce platform integration | US / Canada |
| Codat Limited | Data aggregation from merchant platforms | UK |
| TrackStar | Inventory and warehouse integration | US |
CRM & Sales
| Provider | Purpose | Location |
|---|---|---|
| Salesforce, Inc. | CRM and partner portal | US |
| Apollo.io | Sales prospecting | US |
| ChilliPiper | Meeting scheduling | US |
Identity & Legal
| Provider | Purpose | Location |
|---|---|---|
| Onfido Ltd | KYC and identity verification | UK / EU |
| DocuSign, Inc. | Electronic signatures | US / EU |
Communications & Marketing
| Provider | Purpose | Location |
|---|---|---|
| Mailgun (Sinch) | Transactional email | US / EU |
| SendGrid (Twilio) | Transactional email | US |
| Mailchimp (Intuit) | Marketing emails | US |
Payments
| Provider | Purpose | Location |
|---|---|---|
| GoCardless Ltd | Direct Debit collection | UK / EU |
Website & Analytics
| Provider | Purpose | Location |
|---|---|---|
| Webflow, Inc. | Website hosting | US |
| Google Analytics | Website analytics | US |
13. Cookies
We use Google Analytics cookies to understand how visitors use our site. You can opt out via the Google Analytics Opt-out Add-on.
| Provider | Cookies | Purpose |
|---|---|---|
| Google Analytics | _ga, _ga_*, _gid | Tracks visitors and sessions for usage measurement |
You can block cookies via your browser settings. Some parts of our service may not function fully without them.
14. Data Protection & Contact
Email: hello@caprelease.com
Post: CapRelease Limited, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Company Number: 15180252 (England and Wales)
Supervisory Authority: Information Commissioner's Office (ICO)