Legal
Bingsviken Consulting AB ("we", "us", "our") is the data controller for personal data processed in connection with the Hive Reviews service. We are registered in Sweden.
Contact: [email protected]
For privacy-specific enquiries or to exercise your rights, please use the same address and include "Privacy" in the subject line.
This policy applies to:
When we process personal data about end customers on behalf of a merchant, the merchant is the data controller and we act as their data processor under a data processing relationship governed by Section 9 of these Terms.
| Data | Why we collect it | Legal basis (GDPR Art. 6) |
|---|---|---|
| Shopify store domain | To identify and authenticate your store | Art. 6(1)(b) — performance of contract |
| Shopify access token | To read orders and register webhooks on your behalf | Art. 6(1)(b) — performance of contract |
| Plan and billing status | To gate features and administer your subscription | Art. 6(1)(b) — performance of contract |
| Email address (contact) | To send service notifications and support | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interest |
| Data | Why we collect it | Legal basis |
|---|---|---|
| Customer email address | To send review request emails as instructed by the merchant | Merchant's instructions as data controller; typically Art. 6(1)(f) — legitimate interest of the merchant |
| Order ID and SKUs | To link review requests to specific products | As above |
| Reviewer name, email, review text, rating | To create and display the review | Art. 6(1)(a) — consent of the reviewer at submission |
| Review media (photos/video) | To attach media to the review as submitted by the reviewer | Art. 6(1)(a) — consent at submission |
When you visit hivereviews.app we may collect standard server logs including IP address, browser type, referrer, and pages visited. This data is used solely for security and to understand aggregate usage. It is not linked to any individual identity unless required to investigate abuse.
The Hive Reviews app uses a session cookie strictly necessary to maintain authentication. No tracking or advertising cookies are set. The marketing website (hivereviews.app) does not use analytics cookies. If this changes, we will update this policy and request consent where required.
We use the data described above to:
We do not use personal data for advertising, profiling, or any purpose beyond operating the Service.
We do not sell, rent, or trade personal data. We share data only with the following trusted sub-processors, under contracts that require them to protect it:
| Sub-processor | Purpose | Location |
|---|---|---|
| Shopify Inc. | App installation, billing, and OAuth | Canada / USA |
| Resend (WorkOS Inc.) | Transactional email delivery (review requests) | USA |
| Cloud infrastructure provider | Hosting, databases, and storage | EU (primary) |
We may also disclose data to law enforcement or regulators when required by law.
Some of our sub-processors are based outside the European Economic Area (EEA), notably in the USA. Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:
You may request a copy of the relevant transfer safeguards by contacting us.
| Data type | Retention period |
|---|---|
| Merchant account and session data | For the duration of the Shopify app installation, plus 90 days after uninstall |
| Order and review token data | 2 years from the date of the order, or until the merchant requests deletion |
| Published reviews | For as long as the merchant's account is active, or until deleted by the merchant |
| Review media | Same as published reviews |
| Server logs | 30 days |
After a retention period expires, data is deleted or irreversibly anonymised. Merchants may request earlier deletion at any time (see Section 10).
By installing Hive Reviews, merchants enter into a data processing agreement (DPA) with Bingsviken Consulting AB for the processing of end-customer personal data. The key terms of that DPA are:
Merchants who require a signed DPA for their own compliance purposes may request one at [email protected].
If you are located in the EEA (or the UK), you have the following rights regarding your personal data:
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before acting on a request.
End customers: If you submitted a review through a merchant's store and wish to have it deleted or corrected, you may contact us directly or contact the merchant. We will action verified requests within 30 days.
You have the right to lodge a complaint with a supervisory authority. As we are based in Sweden, the lead supervisory authority is:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
imy.se
You may also contact the supervisory authority in your own EU member state.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration. These include encrypted data in transit (TLS), access controls, and regular security reviews.
No system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay where required by law.
The Service is directed at businesses and is not intended for children under the age of 16. We do not knowingly collect personal data from children.
We may update this Privacy Policy from time to time. We will post the updated version on this page with a revised effective date. For material changes, we will provide notice by email or through the app. Your continued use of the Service after the effective date constitutes acceptance.
For any privacy-related questions or requests:
Bingsviken Consulting AB
Sweden
[email protected]