Ottu Privacy Policy
Ottu ("the App") provides an online payment management system for merchants. Focused on innovation and direct
integration with banks, Ottu has forged strategic alliances with banks, schemes, and acquirers, bolstering
the fintech ecosystem in the MENA region, and offers this system ("the Service") to merchants who use Shopify
to power their stores.
This Privacy Policy describes how personal information is collected, used, and shared when you install or
use the App in connection with your Shopify-supported store.
Personal Information the App Collects
When you install the App, we automatically gain access to certain types of information about your
store and your customers, including:
- Customer Data GDPR Webhook: when customer data is redacted or requested, it collects: shop ID, shop
domain, customer ID, email, phone (if available).
- Shop Data GDPR Webhook: when shop data is redacted (erasure), it collects shop-related data: shop ID and
shop domain.
- Payment Session: when a payment session request is sent by Shopify it gathers: Shopify API Version,
Shopify Shop Domain, unique identifier for the payment attempt, identifier for the payment in
communication with Shopify, payment kind (either sale or authorization), test mode indicator (boolean,
indicating if the payment is in test mode), group ID (for associating multiple payment flows for the
same order), amount to be charged, currency code (ISO 4217), customer email, customer phone number,
customer locale (language and country code), customer billing address, cancel URL, proposed timestamp,
payment method, and merchant locale (language tag representing the language used by the merchant).
- Capture Session: when a capture session request is sent by Shopify it collects: Shopify API Version,
Shopify Shop Domain, unique identifier for the capture attempt, identifier for the capture in
communication with Shopify, test mode indicator (boolean, indicating if the capture is in test mode),
amount to be captured, currency code (ISO 4217), payment ID of the authorized payment, proposed
timestamp, and merchant locale (language tag representing the language used by the merchant).
- Refund Session: when a refund session request is sent by Shopify it collects: Shopify API Version,
Shopify Shop Domain, unique identifier for the refund attempt, identifier for the refund in
communication with Shopify, test mode indicator (boolean, indicating whether the refund is in test or
live mode), amount to be refunded, currency code (ISO 4217), payment ID of the original payment that
is to be refunded, proposed timestamp, and merchant locale (language tag representing the language used
by the merchant).
- Void Session: when a void session request is sent by Shopify it collects: Shopify API Version,
Shopify Shop Domain, unique identifier for the void attempt, identifier for the void in communication
with Shopify, test mode indicator (boolean, indicating whether the void is in test or live mode),
payment ID of the authorized payment that is to be voided, proposed timestamp, and merchant locale
(language tag representing the language used by the merchant).
- App Uninstall Webhook: collects the following data fields when the app is uninstalled: shop domain.
- App installed: when the app is installed it collects the shop domain, Ottu installation and payment
operation type (purchase or authorize).
- Transaction details such as Payment ID, Auth Code and masked card number if returned from the hosted
payment gateway.
How Do We Use Your Personal Information?
We use the personal information we collect from you and your customers to provide support regarding the
state of transactions, whenever you request it.
Sharing Your Personal Information
This is pivotal because every instance of personal data processing must have what's called a 'legal basis'.
Data protection regulations outline these potential legal grounds, which include:
- Consent: Processing personal data is permissible when the individual has given explicit consent for one
or more specific purposes
- Contract: Processing may be necessary for fulfilling a contractual obligation to which the individual
is a party or for undertaking pre-contractual measures at the individual's request
- Legal Obligation: Processing is justified when it's essential for complying with a legal obligation
binding upon the data controller
- Vital Interests: Data processing is warranted when it's crucial for safeguarding the vital interests
of the individual or another natural person
- Public Task: Processing is legitimate when it's indispensable for carrying out a task in the public
interest or exercising official authority delegated to the controller
- Legitimate Interests: Processing is acceptable when it serves the legitimate interests of the
controller or a third party, unless such interests conflict with the individual's rights and freedoms,
necessitating the protection of personal data
Your Rights
You have the right to request the personal information we hold about you. Please contact us through the
contact information below to get your personal information.
Data Retention
All the data mentioned in the section “Personal Information the App Collects” is kept in the system as long
as no catastrophic issue occurs.
Changes
We may update this privacy policy from time to time in order to reflect, for example, changes to our
practices or for other operational, legal or regulatory reasons.
Contact Us
For more information about our privacy practices, if you have questions, or if you would like to make a
complaint, please contact us by e-mail at csd@ottu.com