Privacy Policy

1. Who we are and how to contact us

Batoniq is operated by Birubi Inc. For the categories of personal data described below where we act as a controller, Birubi Inc. is the controller. Our registered address and full corporate details are available on request.

Privacy and data-protection requests: privacy@batoniq.com.
Security reports: security@batoniq.com.
General support: hello@batoniq.com.

If local law requires us to appoint a representative (for example, an EU or UK Art. 27 representative), we will do so and publish their contact details. Until then, all correspondence should be sent to the addresses above.

2. Scope of this policy

This policy applies to personal data we process in the course of operating the Services. It does not cover:

• Personal data controlled by our Merchants about their end-customers. When a Shopify merchant installs Batoniq, we process end-customer data on the Merchant’s documented instructions as a processor; the Merchant’s own privacy notice governs its collection and use of that data.
• Third-party websites, apps, or services you reach through the Services (for example Shopify, Klaviyo, LINE, Stripe, Google). Those services have their own privacy policies.

Please read this policy together with our Terms of Service and Cookie Policy.

3. Key definitions

"Personal data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data (collection, storage, use, disclosure, erasure, and so on).
"Merchant" means a Shopify merchant that installs Batoniq and uses the Services.
"End-customer" means a natural person who interacts with a Merchant (for example a LINE follower, a Shopify customer) whose personal data the Merchant routes through the Services.
"Controller", "Processor", "Data Subject" have the meanings given under the GDPR; analogous roles under APPI, PDPA and other applicable laws apply where relevant.

4. Our roles as controller and processor

We have two distinct privacy roles depending on whose personal data is being processed:

• Merchant account data (Section 5.a below): we are the controller. We decide what to collect, why, and how.
• End-customer data routed through the Services on a Merchant’s instruction (Section 5.b): we are a processor acting on the Merchant’s behalf under a Data Processing Addendum ("DPA") incorporated into our Terms of Service.

Some activities, such as security monitoring and fraud prevention, may involve both roles.

5. Personal data we collect

5.a Merchant account data (we are the controller).
• Identifiers: name, email address, company name, Shopify store domain, job title.
• Authentication data: hashed passwords, one-time-password (TOTP) secrets for two-factor authentication, single-sign-on identifiers (for example a Google account identifier when you use Google login).
• Billing contact data: billing email, billing address, and VAT/tax identifiers. Payment card numbers are never transmitted to or stored by Batoniq — payments are processed by Stripe, Inc. ("Stripe") which tokenises card data in its own environment.
• Communications with us: support requests, onboarding call notes, product feedback.

5.b End-customer data (we are the processor).
We receive end-customer data from the Merchant’s connected systems (Shopify, Klaviyo, LINE) and route it through the Services:
• Contact identifiers: email address, first and last name, phone (where provided), LINE user ID, Shopify customer ID, Klaviyo profile ID.
• Commerce events: started checkout, placed order, order fulfilment, refund, product viewed, and similar events forwarded from Shopify.
• Messaging events: whether a LINE message was sent, delivered, opened, or clicked; reply payloads; unsubscribe or block signals.
• Consent state: whether the end-customer opted in to LINE messaging from the Merchant.

We do not process payment card data, government identifiers, biometric data, precise geolocation, or special categories of personal data (for example health data or racial or ethnic origin) through the Services. Merchants undertake not to send such data through Batoniq.

5.c Usage and technical data.
• Log data: IP address, user agent, referrer, request path, request ID, timestamps, response status, and error traces, retained for security, abuse detection, and debugging.
• Device and browser data: screen size, timezone, language, used for product analytics inside the merchant dashboard only.
• Cookies: see Section 13 and our Cookie Policy.

6. How we use personal data

We use personal data to:

• Provide the Services, including matching end-customer identities across Shopify, Klaviyo, and LINE and delivering lifecycle messages on a Merchant’s behalf.
• Authenticate users, manage sessions, enforce two-factor authentication, and detect unauthorised access.
• Bill Merchants and collect payment through Stripe.
• Respond to support requests and account inquiries.
• Monitor performance, detect errors, and debug the Services.
• Comply with legal obligations (including honouring GDPR / APPI / PDPA rights requests, Shopify GDPR webhooks, and tax / accounting requirements).
• Send service-related communications (security alerts, billing notices, material changes to this policy). We send marketing emails only to Merchants who have opted in; each such email includes an unsubscribe link.

We do not sell personal data. We do not share personal data with advertising networks. We do not use end-customer personal data to train artificial-intelligence or machine-learning models.

7. Legal bases for processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Performance of a contract (Art. 6(1)(b)): providing the Services to a Merchant, billing, and account management.
• Legitimate interests (Art. 6(1)(f)): security, fraud prevention, service improvement, aggregated analytics, and corporate-diligence communications. A balancing test has been conducted for each of these interests.
• Legal obligation (Art. 6(1)(c)): tax reporting, responding to lawful requests from authorities, and retention of records required by law.
• Consent (Art. 6(1)(a)): where we ask for consent (for example, non-essential cookies or optional marketing communications). You can withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.

We do not process special categories of personal data under Art. 9 GDPR in the ordinary course of the Services.

8. Disclosure of personal data and sub-processors

We disclose personal data only to:

• Sub-processors that help us operate the Services, under written contracts that oblige them to security and confidentiality equivalent to this policy. Our current sub-processors are:
• Railway Corp. — infrastructure hosting (primary region US-East).
• Stripe, Inc. — payment processing.
• Klaviyo, Inc. — the Merchant’s marketing platform, accessed via OAuth.
• LINE Corporation — message delivery.
• Cloudflare, Inc. — edge network, bot mitigation, DDoS protection.
• Postmark — transactional email, where enabled on your account.
• Professional advisors (lawyers, auditors, accountants) under confidentiality obligations.
• Authorities when required by valid legal process (for example a court order, subpoena, or investigatory demand). We assess every request and push back on over-broad or unlawful requests where reasonably possible.
• Successors in a merger, acquisition, or asset sale, subject to continued protection of your data under terms no less protective than this policy.

A current sub-processor list is maintained and can be requested from privacy@batoniq.com. We provide advance notice of new sub-processors to Merchants on request via the DPA.

9. International data transfers

We are based in Japan and host our production environment on Railway’s US-East region. Personal data may therefore be transferred to, stored in, and processed in the United States, Japan, and other countries where our sub-processors operate. These countries may have data-protection laws that differ from those of your country of residence.

Where required, we rely on the following transfer mechanisms:

• European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum for transfers out of the EEA and the UK.
• Japan’s Personal Information Protection Commission contractual framework for cross-border transfers under APPI.
• Equivalent safeguards under Thailand’s PDPA for cross-border transfers.

A copy of the transfer documentation applicable to your transfer is available on request.

10. Data retention

We retain personal data only as long as necessary for the purposes described in this policy:

• Merchant account data: for the life of the account plus up to 90 days after termination, and longer where required by law (for example, tax records).
• End-customer data in our operational database: while the Merchant’s account is active and the data is needed to provide the Services.
• Log and audit data: up to 90 days in hot storage; up to 12 months in cold storage for security and incident-response purposes.
• Encrypted backups: rolling 30-day retention.
• Billing records: seven (7) years as required by Japanese tax law.

After the applicable retention period expires, we delete, anonymise, or aggregate the data so it can no longer be associated with you.

11. Security measures

We maintain technical and organisational measures appropriate to the risk, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Least-privilege access and role-based access control (five admin roles, thirteen permissions).
• Mandatory two-factor authentication (TOTP) for internal administrators; optional TOTP 2FA for Merchants.
• Failed-login monitoring, IP restriction on admin access, rate limiting, and Slack alerting.
• Webhook integrity (HMAC-SHA256 signatures on all inbound Shopify, Klaviyo, and LINE webhooks; signed tokens for flow-action URLs).
• Secret rotation and environment isolation between development, staging, and production.
• Dependency scanning and deploy-time TypeScript strict-mode checks.

No system is perfectly secure. You are responsible for keeping your credentials confidential and for notifying us promptly at security@batoniq.com if you suspect unauthorised access to your account.

12. Your rights

Subject to applicable law, you have the right to:

• Access: obtain confirmation of whether we process your personal data and a copy of that data.
• Rectification: correct inaccurate or incomplete data.
• Erasure: ask us to delete your personal data.
• Restriction: ask us to limit processing in defined circumstances.
• Data portability: receive a structured, machine-readable copy of your data or ask us to transmit it to another controller.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent.
• Not be subject to automated decision-making with legal or similarly significant effects (we do not perform such decision-making in the ordinary course of the Services).
• Lodge a complaint with your local supervisory authority.

If you are an end-customer of one of our Merchants, exercising these rights usually starts with the Merchant because the Merchant is the controller. We will assist the Merchant in responding. You may contact us directly at privacy@batoniq.com if you cannot reach the Merchant or are unsure who to approach.

13. How to exercise your rights

Email privacy@batoniq.com. We will verify your identity (typically by confirming you control an email address we have on file) and respond within 30 days, extendable by up to 60 additional days where the request is complex — in which case we will notify you of the extension and its reason. We do not charge for rights requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request (and explain why).

Shopify merchants: we honour the Shopify GDPR customer data-request, redact-customer, and redact-shop webhooks; no separate request is needed if you use the standard Shopify flow.

14. Cookies and similar technologies

We set only the cookies described in our Cookie Policy. We do not use third-party advertising cookies, cross-site tracking pixels, or fingerprinting techniques. Where required, we honour the Global Privacy Control (GPC) signal and equivalent "do not track" mechanisms.

15. Children’s privacy

The Services are not directed at children and are not intended for users under 16 years of age (or the higher minimum age that applies in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact privacy@batoniq.com and we will delete it.

16. Automated decision-making and profiling

We do not subject individuals to decisions based solely on automated processing that produce legal or similarly significant effects. Product analytics and segmentation inside the merchant dashboard (for example cohort metrics) are aggregate and statistical in nature; they are not used to make decisions about individuals.

17. Region-specific notices

17.1 Japan (APPI).
Birubi Inc. is the business operator handling your personal information under APPI. We will provide personal information to third parties only with your prior consent or as otherwise permitted by APPI (for example, to entrusted parties such as the sub-processors listed in Section 8, or where required by law). For cross-border transfers, we will provide the information required by APPI on request. Complaints can be lodged with the Personal Information Protection Commission of Japan (PPC).

17.2 Thailand (PDPA).
We respect your rights as a data subject under the PDPA, including the rights to be informed, access, rectification, erasure, restriction, data portability, and objection, and the right to lodge a complaint with the Personal Data Protection Committee (PDPC). Where processing relies on consent, you may withdraw consent at any time.

17.3 European Economic Area and the United Kingdom (GDPR / UK GDPR).
Where GDPR or UK GDPR applies, the legal bases in Section 7 apply. If we transfer personal data out of the EEA or the UK to a country that has not received an adequacy decision, we rely on the SCCs and the UK IDTA. Residents of the EEA and the UK may lodge a complaint with their local supervisory authority.

17.4 California (CCPA/CPRA).
We do not sell personal information or share it for cross-context behavioural advertising. We do not use or disclose "sensitive personal information" for purposes that would require an opt-out under the CPRA. California residents have the rights to know, delete, correct, limit the use of sensitive personal information, and opt-out of sale or sharing. Exercise these rights under Section 13.

18. Changes to this policy

We may update this policy to reflect changes in law, our Services, or our practices. Material changes will be notified by email to account owners and by a prominent notice on batoniq.com at least 14 days before they take effect, unless a shorter period is required by law. The "Last updated" date at the top of this policy shows when it was most recently changed.

19. Contact and complaints

Privacy requests: privacy@batoniq.com.
Security reports: security@batoniq.com.
General support: hello@batoniq.com.

We will acknowledge privacy and security reports within three (3) business days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data-protection authority.