Privacy Policy (EPR One)
Effective date: 27 September 2025
Who we are: New Venture Capital Pty. Ltd. (ACN 626 647 256, ABN 56 626 647 256) (“we”, “us”, “our”).
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you install or use EPR One (the “App”) and when you visit our marketing website. It also outlines rights available under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and—where applicable—the EU/UK GDPR.
1) Roles we play
For personal information about your customers that flows from Shopify into the App (e.g., names and postal addresses on orders), you are the controller, and we act as your processor/service provider.
For information about your team/account (e.g., admin emails, billing identifiers) and visitors to our marketing site, we act as a controller.
2) Information we collect
Merchant & account data: store name/URL, admin names, emails, role, billing identifiers.
Operational data: product SKUs, order metadata, packaging/material mappings, weights, classification codes, configuration, and audit logs.
Technical data: device/browser type, IP address, timestamps, usage telemetry, error logs.
Support data: messages, screenshots, attachments you share with support.
Imports/adjustments data: if you ask us to import CSVs or email us data for manual import, we will process that content to assist you. Avoid sending unnecessary end-customer personal data.
We do not intentionally collect special-category/sensitive data or payment card data.
3) Why we use personal information
- Provide and secure the App (contract; legitimate interests).
- Generate exports/reports at your instruction (contract).
- Troubleshoot, improve, and analyse performance and reliability (legitimate interests).
- Communicate about service, security, and billing (contract/legitimate interests).
- Comply with law (legal obligation).
4) Where we host and transfer data
App data (production systems). We host and process App data in the EU/EEA, primarily Frankfurt (DE) and Ireland (IE) using:
- Salesforce Heroku (app platform, Postgres/Redis) — EU regions
- Amazon Web Services S3 (object storage/backups) — EU (Frankfurt/Ireland)
- New Relic (centralised logs/metrics) — EU region
- Sentry (error monitoring) — EU region
Support/help desk and optional chat. We use Help Scout for support ticketing and, if enabled, live chat (Beacon) and knowledge base. Support messages, chat transcripts, and any information you include are processed in the United States. Where transfers occur outside the EEA/UK/CH we rely on the EU Standard Contractual Clauses (2021/914) and the UK Addendum and apply appropriate safeguards. Any chat widget may set functional cookies to maintain a session. We recommend you avoid including end‑customer PII in support interactions where possible.
AI assistance for support and translation. To improve support quality and response times, we may use limited AI assistance tools (e.g., language translation, drafting, summarisation) provided by reputable vendors such as OpenAI (ChatGPT) and Google (Translate/Gemini). We minimise inputs, prefer de‑identified snippets, and where provider controls exist we instruct that inputs are not used to train models. Where processing occurs outside the EEA/UK/CH, we rely on the EU Standard Contractual Clauses and the UK Addendum. You may request that we do not use AI assistance for your tickets by emailing support@epr-one.com.
Rare debugging use. In rare cases, to investigate complex issues, we may submit narrowly scoped, de‑identified log excerpts or data samples to such tools solely to diagnose the issue. We avoid end‑customer PII wherever feasible and obtain internal approval before sharing any Customer Personal Data for this purpose.
Marketing/website (epr-one.com). Our marketing site is delivered by Vercel’s global edge network and may cache/serve content worldwide and execute serverless functions in the United States unless configured otherwise.
International transfers. Where personal data is transferred outside the EEA/UK/Switzerland, we rely on the EU Standard Contractual Clauses (2021/914) and, for the UK, the UK Addendum, and we implement appropriate technical and organisational safeguards.
5) Sharing with service providers
We use vetted providers to operate, secure, and support the service (hosting, storage, logging/monitoring, error tracking, email/helpdesk, analytics for the marketing site). We require confidentiality and security commitments. We maintain a current list of sub-processors and will notify merchants of material changes where required.
Examples of providers: Salesforce Heroku (EU), AWS S3 (EU), New Relic (EU), Sentry (EU), Proton Mail (email), Help Scout (support), OpenAI (AI assistance, US), Google (translation/AI, EU/US). See our Sub-processors page for the current list and change-notice policy. For controller–processor terms, see our Data Processing Addendum (DPA).
Cyber insurer and incident response. If we experience a security incident, we may share limited personal information with our cyber insurer, its appointed claims managers, and their panel providers (including breach counsel, forensic investigators, and crisis communications advisors) solely to investigate, mitigate, and comply with legal obligations. These providers may operate in the EU/UK/US/AU and are bound by confidentiality; where required, transfers rely on the EU Standard Contractual Clauses (and the UK Addendum).
6) Security
We implement reasonable technical and organisational measures, including encryption in transit and at rest where supported, least-privilege access with MFA, environment isolation, audit logging, vulnerability/patch management, backups with periodic restore tests, and incident response procedures. No method is 100% secure.
7) Data retention
We retain personal information for as long as necessary to provide the App and meet the purposes above. After your subscription ends, we delete or de-identify App data within a reasonable period (typically within 90 days), subject to any legal retention requirements and backup cycles.
8) Your privacy rights
Australia (APPs): You may request access to, or correction of, your personal information.
EU/UK GDPR (if applicable): You may have rights to access, rectification, erasure, restriction, portability, and objection, and rights related to automated decision-making.
If you are an end-customer of a merchant, please contact the merchant directly; we will assist the merchant as their processor.
9) Cookies & analytics
The App uses essential cookies/tech for authentication and security. The marketing site may use limited analytics and cookies; where required by law, we will request consent and provide controls. If our help desk chat is enabled on the site, it may set functional cookies (e.g., to persist the chat session and associate messages) — these are considered necessary for the chat feature.
Analytics & measurement on the marketing site. We use Google Analytics 4 and Google Tag Manager to measure traffic and the effectiveness of our marketing. We implement Google’s Consent Mode v2 so that analytics/ads cookies are only used after you provide consent via our cookie controls. We also operate a server‑side Tag Manager endpoint on our first‑party subdomain (sgtm.epr-one.com) hosted in Google Cloud’s EU region (Netherlands, eu-west4) to route measurement requests. Depending on your consent choices, Google may receive pseudonymous online identifiers (e.g., cookie or similar identifiers), device/browser information, and page interaction data; IP addresses are truncated per Google’s current GA4 privacy controls. Recipients for this processing include Google Ireland Limited (EU) and, where applicable, Google LLC (US). Where transfers occur outside the EEA/UK/CH, we rely on the EU Standard Contractual Clauses and the UK Addendum and apply appropriate safeguards.
- Purpose. Site analytics and advertising measurement to improve the site and understand campaign performance.
- Legal basis (where required). Your consent for analytics/advertising cookies; necessary cookies are used for security and core functionality.
- Control. You can change your cookie preferences at any time via the banner/controls on the site. You may also use Google’s browser add‑on to disable Analytics in your browser (see Google’s opt‑out).
9c) First‑party identifiers we set
To support install attribution and site functionality, we set limited first‑party identifiers:
vid(visitor id): a pseudonymous identifier needed to securely start the Shopify OAuth install flow and match an install to its originating request. This is first‑party, does not track you across other sites, and is considered necessary for the install function.ab_v(variant): assigns a UI experiment variant; bots receive control. Used to evaluate UX, not for profiling.utm_*,gclid,wbraid,gbraid,fbclid,msclkid(if present in the page URL): stored in first‑party cookies so we can attribute an install you initiate to a prior ad click._fbcand_fbp(if applicable): first‑party Meta identifiers used for conversions measurement, set only when the corresponding URL parameters are present or by Meta’s scripts after consent.first_landing_url,first_referrer,first_landing_ts: capture your first visit context on our site for attribution (first‑party only).ga_cid(derived from_ga, if present): a GA4 client ID used for consistent analytics measurement.
When you click “Install on Shopify,” we carry a pseudonymous install identifier through Shopify’s OAuth state parameter to link your install to the initial request. This helps us measure campaign effectiveness without relying on third‑party cookies. See “Advertising & remarketing” above for how we may send limited, consented identifiers to Google Ads and Meta for conversions measurement.
Advertising & remarketing. With your consent, we may use Google Ads (including remarketing) and Meta (Facebook) advertising on the marketing site. Tags are deployed via Google Tag Manager and, where applicable, routed through our server‑side endpoint at sgtm.epr-one.com. For improved conversion measurement, we may send pseudonymous identifiers and limited hashed contact data (e.g., email hashed with SHA‑256 or email domain) to Google (Enhanced Conversions) and Meta (Conversions API). Recipients for these activities include Google Ireland Limited (and Google LLC, US) and Meta Platforms Ireland Limited (and Meta Platforms, Inc., US). Where transfers occur outside the EEA/UK/CH, we rely on the EU Standard Contractual Clauses and the UK Addendum and apply appropriate safeguards. You can control advertising cookies via our cookie controls, manage Google Ads preferences in your Google Ads Settings, and review Meta’s ad preferences in your Facebook account settings.
9a) No sale or sharing for cross‑context behavioural advertising
We do not sell personal information. We do not “share” personal information for cross‑context behavioural advertising as those terms may be defined under certain privacy laws.
9b) Automated decision‑making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects about individuals.
10) Data breaches & notifications
If we become aware of a personal-information breach, we will investigate and, where required by law, notify you and any relevant authorities/affected individuals. In Australia, we follow the Notifiable Data Breaches (NDB) scheme.
Where appropriate, we will coordinate through our insurer’s incident response process. We may engage insurer‑appointed providers described above and share the minimum necessary information to evaluate and remediate the incident, document evidence, and meet notification requirements.
11) Children
The App is for business use and not directed to children under 16.
12) Third-party services
Your use of Shopify and any other connected services is governed by their terms and privacy policies. We are not responsible for their practices.
13) Contact us
For any privacy enquiries or requests, email support@epr-one.com.
13a) Complaints
If you have concerns about our handling of personal information, you may lodge a complaint with us at the contact above. If you are in Australia and are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC). If you are in the EU/UK, you may contact your local data protection authority.
14) Changes to this Policy
We may update this Policy from time to time. Material changes will be notified in-App or by email. Continued use after the effective date means you accept the updated Policy.