Privacy Policy
How Keaz handles your data and your customers' data. Written in plain language wherever the law allows.
1 · Controller
Pocket Agency GmbH, Kollwitzstraße 76, 10435 Berlin, Germany, is the controller (Verantwortlicher) under Art. 4 (7) GDPR. Contact: privacy@keaz.app.
For our customers (Shopify shops), Keaz acts as a processor under Art. 28 GDPR for the personal data of their end-customers. A Data Processing Agreement is signed automatically on sign-up.
2 · What we collect
From Shopify shops (our customers)
- Account data: name, email, password hash, role, time zone.
- Billing data: company name, address, VAT ID, payment method (processed by Stripe — we never see card numbers).
- Shop connection data: Shopify store domain, OAuth tokens, app installation timestamps.
- Usage data: pages viewed, features used, error reports — for product improvement.
From end-customers of our customers' shops
- Contact data: first name, last name, phone number, email — provided by the shop or collected via Keaz growth tools (with explicit opt-in).
- Behavioural data from Shopify: orders, cart contents, browsing events, subscription state.
- WhatsApp message metadata: message ID, delivery status, read receipts, click events on CTAs.
We do not collect: payment card data (Stripe handles this), passwords from connected systems, or the content of conversations between you and your customers beyond the templates you set up.
3 · Why we process it
- To run the service: deliver messages, run flows, generate forecasts.
- To bill you and prevent fraud.
- To improve the product (aggregated, never identifying individual end-customers).
- To comply with legal obligations (tax, accounting, regulator requests).
4 · Legal basis
- Contract (Art. 6 (1)(b) GDPR) — to deliver the service you subscribed to.
- Legitimate interest (Art. 6 (1)(f) GDPR) — for product improvement, fraud prevention, security monitoring.
- Consent (Art. 6 (1)(a) GDPR) — for end-customer marketing messages on WhatsApp, collected by the shop via documented opt-in (double opt-in where required).
- Legal obligation (Art. 6 (1)(c) GDPR) — for accounting records (10 years) and tax compliance.
5 · Sub-processors
We use the following carefully vetted sub-processors. All operate under DPAs with us and the necessary SCCs where applicable.
Shopify Inc.
Source of order and customer data via OAuth.
Canada / EU servers
WhatsApp Business Platform (Meta)
Message delivery to end-customers.
USA · SCCs in place
Klaviyo, Inc.
Optional integration: shop-controlled, opt-in only.
USA · SCCs in place
Stripe Payments Europe Ltd.
Billing & payment processing.
Ireland / EU
Amazon Web Services EMEA
Hosting, storage and backup.
eu-central-1 (Frankfurt)
Postmark / Resend
Transactional email (account, billing).
USA · SCCs in place
7 · Retention
- Active account data: while your subscription is active + 30 days for offboarding.
- End-customer messaging data: 24 months from last message, then deleted unless required by your active retention policy.
- Accounting records: 10 years (German tax law).
- Server logs: 14 days.
8 · Your rights (GDPR Art. 15–22)
- Right of access — what we have on you.
- Right to rectification — fix it.
- Right to erasure — delete it (subject to legal retention).
- Right to restrict processing.
- Right to data portability.
- Right to object to processing based on legitimate interest.
- Right to withdraw consent at any time.
- Right to lodge a complaint with a supervisory authority (Berlin: Berliner Beauftragte für Datenschutz und Informationsfreiheit).
Email privacy@keaz.app and we'll respond within 30 days.
9 · International data transfer
Some sub-processors (Meta, Klaviyo, Stripe, Postmark/Resend) are based in the USA. Transfers happen under Standard Contractual Clauses (SCCs) approved by the European Commission. We do not transfer data to countries without an adequacy decision or SCCs in place.
10 · Security
Encryption in transit (TLS 1.3) and at rest (AES-256). Audit logging on all data access. Role-based access control. Annual penetration testing. We can sign customer DPAs and provide ISO/SOC2 documentation on request.
11 · Contact
Privacy questions: privacy@keaz.app
Data Protection Officer: dpo@keaz.app
Postal: Pocket Agency GmbH · Datenschutz · Kollwitzstraße 76 · 10435 Berlin · Germany
Last updated · 18 May 2026