日本語

Veno Booking Privacy Policy

Last updated: May 26, 2026 ・ Version: 1.1

This Privacy Policy explains how slee, Inc. ("we", "us") handles personal information in connection with the Shopify app "Veno Booking — Events & Experiences" (the "App") that we offer on the Shopify App Store.

We strive to comply with applicable data protection laws including the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Japan's Act on the Protection of Personal Information (APPI), and similar laws in other jurisdictions.


1. Who we are (Controller contact)

1.1 Data Protection Officer (DPO)

Considering the nature, scope, and purposes of our processing activities, we are not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. For data protection inquiries, please contact contact@slee-group.co.jp.

2. Our role

We process personal information in two distinct capacities:

  1. As a Processor — We process customer information on behalf of Shopify merchants that install the App ("Merchants"), following their instructions. The Merchant is the Data Controller for that data.
  2. As a Controller — We process information about the Merchants themselves (store owners and staff) for purposes of providing, billing, and supporting the App.

Under the California Consumer Privacy Act (CCPA/CPRA), we operate as a "Service Provider" (CCPA §1798.140(v)). Personal information provided to us by Merchants is processed solely for contractual purposes and does not constitute a "Sale" as defined by the CCPA.

3. Categories of personal information we collect

3.1 About the Merchant's customers (as Processor)

Item Source Stored in our DB?
Shopify order ID (GID) orders/create webhook ✅ Stored (identifier only)
Order name (e.g. #1024) Same ✅ Stored (identifier only)
Ticket viewing token (opaque random value) Generated by the App ✅ Stored
Booking quantity, date, check-in status Generated within the App ✅ Stored (no PII)
Customer name, email Shopify Admin API (display time only) Not stored (fetched on demand)
Free-text survey responses App's post-purchase survey ⚠️ Stored (may contain PII)

Important: Direct identifiers such as the customer's name, email, phone number, or address are never persisted to our database. When needed (e.g. to display them on the booking management screen), they are retrieved on demand from the Shopify Admin API, kept in memory only for the duration of the request, and discarded after the response is returned.

3.2 About the Merchant (as Controller)

Item Source
Merchant name, email, user ID Shopify OAuth
Shop domain (*.myshopify.com) Shopify OAuth
Shopify Admin API access token Shopify OAuth
Billing and usage history Shopify Billing API

3.3 Special categories of data (GDPR Article 9)

We do not collect or process special categories of personal data, including race, ethnicity, political opinions, religion, health information, sexual orientation, biometric data, or genetic data. To prevent customers from voluntarily entering such data through the App's survey feature, we display warnings to Merchants in the admin UI not to create questions that request personal information.

3.4 Source of data (GDPR Article 14)

Personal information about customers is collected indirectly — via the Merchant's Shopify store and the Shopify Admin API — rather than directly from the data subject (the customer). For this data we act as a Data Processor, which means the direct notification duty under GDPR Article 14 lies with the Data Controller, i.e. the Merchant. Data subjects should first contact the Merchant (the Shopify store operator) that holds their relationship.

4. Purposes of processing

We use personal information only for the following purposes:

  1. To provide booking management features (creating bookable items, selling tickets, managing time slots, tracking inventory).
  2. To provide the ticket check-in feature.
  3. To display booking information on the Merchant's admin dashboard.
  4. To provide the post-purchase survey feature.
  5. To calculate and bill commission on Merchant sales.
  6. To improve the App and troubleshoot issues (without targeting individual customer data for analysis).
  7. To respond to legal and compliance webhooks.

If we propose to change a purpose of processing, the new purpose will be reasonably related to the original, and we will update this Policy and notify Merchants accordingly.

5. Lawful basis for processing (GDPR Article 6)

In accordance with EU/EEA and UK GDPR, we identify the lawful basis for each processing activity below:

Processing activity Lawful basis (GDPR Art. 6)
Processing Merchant information (OAuth, billing, support) Art. 6(1)(b) Performance of a contract — necessary to perform the App service agreement
Processing identifiers (order ID, etc.) about Merchant's customers Lawful basis of the Merchant (Controller). Typically Art. 6(1)(b) or Art. 6(1)(f) Legitimate interests
Temporary fetching of customer name/email for display Merchant's Art. 6(1)(f) Legitimate interests — minimum necessary display for booking management
Processing post-purchase survey responses Art. 6(1)(f) Legitimate interests — voluntary feedback to improve services
Cookies / OAuth session Art. 6(1)(b) Performance of a contract — strictly necessary for service delivery
Disclosure or deletion mandated by law Art. 6(1)(c) Compliance with a legal obligation

Data subjects have the right to object (Art. 21) to processing based on Art. 6(1)(f) Legitimate interests.

6. Retention periods

Data category Retention period
Booking records Retained throughout App use; deleted within 30 days after uninstall
Post-purchase survey responses Retained throughout App use; deleted within 30 days after uninstall
Session (OAuth tokens) Retained only during App use; deleted immediately on uninstall
Order identifiers (orderName, shopifyOrderId) Same as Booking records (retained during use, deleted within 30 days after uninstall)
Access logs (personal data access records) Automatically deleted 90 days after capture (access-log.cron)
Access logs (Render platform default) Approx. 30–90 days (per Render's retention policy)
Customer name and email (NOT stored) N/A (we do not store)

Upon a valid erasure request from a data subject, we delete promptly after identity verification (see Section 11).

7. Disclosures and subprocessors

We do not disclose personal information to third parties except as required by law.

The following subprocessors are used to deliver the service, and we share the minimum necessary data with them:

Subprocessor Purpose Location DPA
Shopify Inc. Authentication, orders, checkout, billing Canada / USA Shopify's standard DPA
Render Services Inc. Application hosting and database (Singapore) USA (HQ) / Singapore (datacenter) Render's standard DPA
Google LLC Usage analytics of the merchant admin UI only (Google Analytics 4) USA Google Ads Data Processing Terms (incl. SCCs)

Each subprocessor handles data under its own privacy policy and DPA.

7.1 Changes to subprocessors

When we engage a new subprocessor, we will give Merchants reasonable prior notice and a 30-day window to object. If the Merchant raises an objection that cannot be resolved, the Merchant may terminate their use of the App.

8. International data transfers

The App runs on Render servers in Singapore. Personal data from the EU/EEA, UK, California, and other jurisdictions may be transferred to that region.

For transfers to jurisdictions that do not benefit from a GDPR/UK GDPR adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCC) (Decision 2021/914) to ensure an adequate level of data protection. Japan benefits from an adequacy decision; however, downstream transfers to subprocessor locations are still protected by SCCs.

9. Security measures

We protect personal information using the following measures:

10. Cookies and tracking

On pages used by a Merchant's customers (the booking widget on product pages, the ticket page, and checkout), the App does not use marketing cookies or third-party tracking of any kind.

Within the merchant admin UI only, we use Google Analytics 4 to measure feature usage (screens viewed, actions taken) for product improvement. This measurement covers the Merchant's admin operations only; no customer personal data, order contents, or customer behavioral data is transmitted.

Cookie name (example) Purpose Category Lifetime
shopify_app_session etc. Maintain Shopify OAuth session Strictly necessary Browser session or per Shopify's policy
_ga / _ga_* (admin UI only) Admin usage analytics (Google Analytics 4) Analytics Up to 2 years (per Google's policy)

Under the ePrivacy Directive, the session cookies are classified as strictly necessary for service delivery and do not require separate consent (Recital 47 of the GDPR). Use of the analytics cookies is disclosed through this Policy.

11. Rights of data subjects

A Merchant's customer (data subject) may exercise the following rights regarding personal information processed by the App:

11.1 How to exercise

We recommend submitting requests through the Merchant that handled the purchase. When Shopify forwards a customers/data_request or customers/redact webhook to us via the Merchant, we respond promptly.

Direct requests can be sent to the contact email in Section 1. After verifying the requester's identity, we will respond within 30 days as a rule (extendable up to 90 days for complex cases as per GDPR Art. 12(3)).

11.2 Right to lodge a complaint

Data subjects have the right to lodge a complaint with the supervisory authority in their place of residence or the location of the infringement (GDPR Art. 77).

Region Supervisory authority
Japan Personal Information Protection Commission (https://www.ppc.go.jp/en/)
EU National DPA in each Member State. EDPB list: https://edpb.europa.eu/about-edpb/about-edpb/members_en
United Kingdom Information Commissioner's Office (ICO, https://ico.org.uk/)
California, USA California Privacy Protection Agency (https://cppa.ca.gov/)

12. Automated decision-making and profiling

The App does not carry out automated decision-making, including profiling, that produces legal effects or similarly significant effects on data subjects (GDPR Art. 22).

13. Minors

The App is not directly aimed at individuals under the age of 16 (or the applicable age in your jurisdiction). When a Merchant collects personal information from minor customers, it is the Merchant's responsibility to obtain appropriate consent under GDPR Art. 8, APPI Art. 16, and other applicable laws.

14. Rights of California residents (CCPA/CPRA)

California residents have the right to request disclosure of categories and purposes of personal information collected over the past 12 months, and to request deletion of such personal information.

We do not sell personal information (no transactions meeting the CCPA's definition of "Sell"), nor do we "Share" personal information for cross-context behavioural advertising. Under the CCPA, we act as the Merchant's "Service Provider" (§1798.140(v)) and process personal information solely for the contractual purposes set out in this Policy.

15. Changes to this Policy

We may update this Policy from time to time in response to changes in law or our services. For material changes, we will update the "Last updated" date at the top and notify Merchants in advance via the Shopify App Store or direct messaging.

16. Complaints and contact

For questions or complaints about this Policy or our handling of personal information, please contact:


Version history

Version Date Notable changes
1.0 2026-05-26 Initial publication
1.1 2026-05-26 Added GDPR Article 6 lawful basis, Article 14 indirect collection clarification, Article 9 special categories statement, Cookie detail, DPO non-appointment statement, CCPA Service Provider role, data-category retention table, supervisory authority list, subprocessor objection procedure
1.2 2026-06-10 Added Google LLC as subprocessor (Google Analytics 4, merchant admin UI usage analytics only); added analytics cookies (admin UI only) to the cookies section