Veno Booking Privacy Policy
Last updated: May 26, 2026 ・ Version: 1.1
This Privacy Policy explains how slee, Inc. ("we", "us") handles personal information in connection with the Shopify app "Veno Booking — Events & Experiences" (the "App") that we offer on the Shopify App Store.
We strive to comply with applicable data protection laws including the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Japan's Act on the Protection of Personal Information (APPI), and similar laws in other jurisdictions.
1. Who we are (Controller contact)
- Business name: slee, Inc.(株式会社 slee)
- Registered address: 3-27-31-302 Taishido, Setagaya-ku, Tokyo 154-0004, Japan
- Representative: Kaito Sagawa, Representative Director
- Contact email: contact@slee-group.co.jp
- App name on the Shopify App Store: Veno Booking — Events & Experiences
- Corporate site: https://www.slee-group.co.jp/
1.1 Data Protection Officer (DPO)
Considering the nature, scope, and purposes of our processing activities, we are not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. For data protection inquiries, please contact contact@slee-group.co.jp.
2. Our role
We process personal information in two distinct capacities:
- As a Processor — We process customer information on behalf of Shopify merchants that install the App ("Merchants"), following their instructions. The Merchant is the Data Controller for that data.
- As a Controller — We process information about the Merchants themselves (store owners and staff) for purposes of providing, billing, and supporting the App.
Under the California Consumer Privacy Act (CCPA/CPRA), we operate as a "Service Provider" (CCPA §1798.140(v)). Personal information provided to us by Merchants is processed solely for contractual purposes and does not constitute a "Sale" as defined by the CCPA.
3. Categories of personal information we collect
3.1 About the Merchant's customers (as Processor)
| Item | Source | Stored in our DB? |
|---|---|---|
| Shopify order ID (GID) | orders/create webhook |
✅ Stored (identifier only) |
Order name (e.g. #1024) |
Same | ✅ Stored (identifier only) |
| Ticket viewing token (opaque random value) | Generated by the App | ✅ Stored |
| Booking quantity, date, check-in status | Generated within the App | ✅ Stored (no PII) |
| Customer name, email | Shopify Admin API (display time only) | ❌ Not stored (fetched on demand) |
| Free-text survey responses | App's post-purchase survey | ⚠️ Stored (may contain PII) |
Important: Direct identifiers such as the customer's name, email, phone number, or address are never persisted to our database. When needed (e.g. to display them on the booking management screen), they are retrieved on demand from the Shopify Admin API, kept in memory only for the duration of the request, and discarded after the response is returned.
3.2 About the Merchant (as Controller)
| Item | Source |
|---|---|
| Merchant name, email, user ID | Shopify OAuth |
Shop domain (*.myshopify.com) |
Shopify OAuth |
| Shopify Admin API access token | Shopify OAuth |
| Billing and usage history | Shopify Billing API |
3.3 Special categories of data (GDPR Article 9)
We do not collect or process special categories of personal data, including race, ethnicity, political opinions, religion, health information, sexual orientation, biometric data, or genetic data. To prevent customers from voluntarily entering such data through the App's survey feature, we display warnings to Merchants in the admin UI not to create questions that request personal information.
3.4 Source of data (GDPR Article 14)
Personal information about customers is collected indirectly — via the Merchant's Shopify store and the Shopify Admin API — rather than directly from the data subject (the customer). For this data we act as a Data Processor, which means the direct notification duty under GDPR Article 14 lies with the Data Controller, i.e. the Merchant. Data subjects should first contact the Merchant (the Shopify store operator) that holds their relationship.
4. Purposes of processing
We use personal information only for the following purposes:
- To provide booking management features (creating bookable items, selling tickets, managing time slots, tracking inventory).
- To provide the ticket check-in feature.
- To display booking information on the Merchant's admin dashboard.
- To provide the post-purchase survey feature.
- To calculate and bill commission on Merchant sales.
- To improve the App and troubleshoot issues (without targeting individual customer data for analysis).
- To respond to legal and compliance webhooks.
If we propose to change a purpose of processing, the new purpose will be reasonably related to the original, and we will update this Policy and notify Merchants accordingly.
5. Lawful basis for processing (GDPR Article 6)
In accordance with EU/EEA and UK GDPR, we identify the lawful basis for each processing activity below:
| Processing activity | Lawful basis (GDPR Art. 6) |
|---|---|
| Processing Merchant information (OAuth, billing, support) | Art. 6(1)(b) Performance of a contract — necessary to perform the App service agreement |
| Processing identifiers (order ID, etc.) about Merchant's customers | Lawful basis of the Merchant (Controller). Typically Art. 6(1)(b) or Art. 6(1)(f) Legitimate interests |
| Temporary fetching of customer name/email for display | Merchant's Art. 6(1)(f) Legitimate interests — minimum necessary display for booking management |
| Processing post-purchase survey responses | Art. 6(1)(f) Legitimate interests — voluntary feedback to improve services |
| Cookies / OAuth session | Art. 6(1)(b) Performance of a contract — strictly necessary for service delivery |
| Disclosure or deletion mandated by law | Art. 6(1)(c) Compliance with a legal obligation |
Data subjects have the right to object (Art. 21) to processing based on Art. 6(1)(f) Legitimate interests.
6. Retention periods
| Data category | Retention period |
|---|---|
| Booking records | Retained throughout App use; deleted within 30 days after uninstall |
| Post-purchase survey responses | Retained throughout App use; deleted within 30 days after uninstall |
| Session (OAuth tokens) | Retained only during App use; deleted immediately on uninstall |
| Order identifiers (orderName, shopifyOrderId) | Same as Booking records (retained during use, deleted within 30 days after uninstall) |
| Access logs (personal data access records) | Automatically deleted 90 days after capture (access-log.cron) |
| Access logs (Render platform default) | Approx. 30–90 days (per Render's retention policy) |
| Customer name and email (NOT stored) | N/A (we do not store) |
Upon a valid erasure request from a data subject, we delete promptly after identity verification (see Section 11).
7. Disclosures and subprocessors
We do not disclose personal information to third parties except as required by law.
The following subprocessors are used to deliver the service, and we share the minimum necessary data with them:
| Subprocessor | Purpose | Location | DPA |
|---|---|---|---|
| Shopify Inc. | Authentication, orders, checkout, billing | Canada / USA | Shopify's standard DPA |
| Render Services Inc. | Application hosting and database (Singapore) | USA (HQ) / Singapore (datacenter) | Render's standard DPA |
| Google LLC | Usage analytics of the merchant admin UI only (Google Analytics 4) | USA | Google Ads Data Processing Terms (incl. SCCs) |
Each subprocessor handles data under its own privacy policy and DPA.
7.1 Changes to subprocessors
When we engage a new subprocessor, we will give Merchants reasonable prior notice and a 30-day window to object. If the Merchant raises an objection that cannot be resolved, the Merchant may terminate their use of the App.
8. International data transfers
The App runs on Render servers in Singapore. Personal data from the EU/EEA, UK, California, and other jurisdictions may be transferred to that region.
For transfers to jurisdictions that do not benefit from a GDPR/UK GDPR adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCC) (Decision 2021/914) to ensure an adequate level of data protection. Japan benefits from an adequacy decision; however, downstream transfers to subprocessor locations are still protected by SCCs.
9. Security measures
We protect personal information using the following measures:
- Encryption in transit: All communications use TLS 1.2 or higher (HTTPS).
- Encryption at rest: Render PostgreSQL at-rest encryption is enabled.
- Access control: Required authentication via Shopify OAuth. Admin
API access is requested at minimum-privilege scope only
(
read_orders,read_customers,write_products, etc.). - Data minimisation: Direct identifiers such as customer name and email are not stored in our database by design (GDPR Art. 5(1)(c)).
- Subprocessor oversight: We use subprocessors that have signed a GDPR DPA or provide equivalent protection.
- Breach notification: If a personal data breach is detected, we notify affected Merchants (Controllers) within 72 hours (GDPR Arts. 33 / 28(3)(f)). Merchants remain responsible for notifying their relevant supervisory authority when required.
- Incident response procedure: Detailed detection, notification, and remediation procedures are defined in our Security Incident Response Policy (security-incident-response.en.md).
- Access logging: Staff access to personal data is recorded in an internal AccessLog table and retained for 90 days (data minimization).
10. Cookies and tracking
On pages used by a Merchant's customers (the booking widget on product pages, the ticket page, and checkout), the App does not use marketing cookies or third-party tracking of any kind.
Within the merchant admin UI only, we use Google Analytics 4 to measure feature usage (screens viewed, actions taken) for product improvement. This measurement covers the Merchant's admin operations only; no customer personal data, order contents, or customer behavioral data is transmitted.
| Cookie name (example) | Purpose | Category | Lifetime |
|---|---|---|---|
shopify_app_session etc. |
Maintain Shopify OAuth session | Strictly necessary | Browser session or per Shopify's policy |
_ga / _ga_* (admin UI only) |
Admin usage analytics (Google Analytics 4) | Analytics | Up to 2 years (per Google's policy) |
Under the ePrivacy Directive, the session cookies are classified as strictly necessary for service delivery and do not require separate consent (Recital 47 of the GDPR). Use of the analytics cookies is disclosed through this Policy.
11. Rights of data subjects
A Merchant's customer (data subject) may exercise the following rights regarding personal information processed by the App:
- Right of Access (Art. 15)
- Right to Rectification (Art. 16)
- Right to Erasure ("right to be forgotten", Art. 17)
- Right to Restrict Processing (Art. 18)
- Right to Data Portability (Art. 20)
- Right to Object (Art. 21)
- Right to Withdraw Consent (Art. 7(3), where consent is the basis)
- Right not to be subject to automated decision-making (Art. 22 — we do not engage in such processing)
11.1 How to exercise
We recommend submitting requests through the Merchant that handled the
purchase. When Shopify forwards a customers/data_request or
customers/redact webhook to us via the Merchant, we respond promptly.
Direct requests can be sent to the contact email in Section 1. After verifying the requester's identity, we will respond within 30 days as a rule (extendable up to 90 days for complex cases as per GDPR Art. 12(3)).
11.2 Right to lodge a complaint
Data subjects have the right to lodge a complaint with the supervisory authority in their place of residence or the location of the infringement (GDPR Art. 77).
| Region | Supervisory authority |
|---|---|
| Japan | Personal Information Protection Commission (https://www.ppc.go.jp/en/) |
| EU | National DPA in each Member State. EDPB list: https://edpb.europa.eu/about-edpb/about-edpb/members_en |
| United Kingdom | Information Commissioner's Office (ICO, https://ico.org.uk/) |
| California, USA | California Privacy Protection Agency (https://cppa.ca.gov/) |
12. Automated decision-making and profiling
The App does not carry out automated decision-making, including profiling, that produces legal effects or similarly significant effects on data subjects (GDPR Art. 22).
13. Minors
The App is not directly aimed at individuals under the age of 16 (or the applicable age in your jurisdiction). When a Merchant collects personal information from minor customers, it is the Merchant's responsibility to obtain appropriate consent under GDPR Art. 8, APPI Art. 16, and other applicable laws.
14. Rights of California residents (CCPA/CPRA)
California residents have the right to request disclosure of categories and purposes of personal information collected over the past 12 months, and to request deletion of such personal information.
We do not sell personal information (no transactions meeting the CCPA's definition of "Sell"), nor do we "Share" personal information for cross-context behavioural advertising. Under the CCPA, we act as the Merchant's "Service Provider" (§1798.140(v)) and process personal information solely for the contractual purposes set out in this Policy.
15. Changes to this Policy
We may update this Policy from time to time in response to changes in law or our services. For material changes, we will update the "Last updated" date at the top and notify Merchants in advance via the Shopify App Store or direct messaging.
16. Complaints and contact
For questions or complaints about this Policy or our handling of personal information, please contact:
- Email: contact@slee-group.co.jp
- Supported languages: Japanese, English
- Response target: initial reply within 5–10 business days; complex requests may be extended per GDPR Art. 12(3).
Version history
| Version | Date | Notable changes |
|---|---|---|
| 1.0 | 2026-05-26 | Initial publication |
| 1.1 | 2026-05-26 | Added GDPR Article 6 lawful basis, Article 14 indirect collection clarification, Article 9 special categories statement, Cookie detail, DPO non-appointment statement, CCPA Service Provider role, data-category retention table, supervisory authority list, subprocessor objection procedure |
| 1.2 | 2026-06-10 | Added Google LLC as subprocessor (Google Analytics 4, merchant admin UI usage analytics only); added analytics cookies (admin UI only) to the cookies section |