GDPR Compliance

Last updated: February 13, 2025

Our Commitment to GDPR

LimeForge is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Union and European Economic Area.

This page explains how we comply with GDPR requirements and outlines your rights as a data subject.

Who We Are

LimeForge acts as both a data controller and data processor depending on the context:

  • Data Controller: For data collected directly through our website (limeforge.io), including contact form submissions and account information
  • Data Processor: For data processed through our Shopify apps on behalf of merchants who use our services

Legal Bases for Processing

We process personal data under the following legal bases as defined by GDPR:

Contract Performance (Article 6(1)(b))

Processing necessary to provide our services to you, including app functionality and billing.

Legitimate Interests (Article 6(1)(f))

Processing for analytics, service improvement, and fraud prevention, where our interests don't override your rights.

Consent (Article 6(1)(a))

Where you have given specific consent, such as for marketing communications.

Legal Obligation (Article 6(1)(c))

Processing required to comply with legal requirements, such as tax and accounting obligations.

Your Rights Under GDPR

As an EU/EEA resident, you have the following rights regarding your personal data:

Right of Access

You can request a copy of all personal data we hold about you.

Right to Rectification

You can request correction of inaccurate or incomplete data.

Right to Erasure

You can request deletion of your personal data ("right to be forgotten").

Right to Restriction

You can request temporary restriction of the processing of your data.

Right to Portability

You can request your data in a structured, machine-readable format.

Right to Object

You can object to processing based on legitimate interests or direct marketing.

AgeVerify and GDPR

Our AgeVerify app is designed with privacy by default. Here's how it handles data:

Data Minimization

  • AgeVerify does not collect actual birth dates or personal identification documents
  • Verification responses are limited to yes/no confirmations
  • The "Remember visitors" feature uses anonymized session tokens, not personal identifiers

Data Processing for Merchants

When merchants use AgeVerify:

  • Merchants are the data controller for their store visitors
  • LimeForge acts as data processor on behalf of the merchant
  • Merchants are responsible for informing visitors about data collection in their privacy policy

For Merchants: We recommend including information about AgeVerify in your store's privacy policy. Our documentation includes sample language you can use.

Data Transfers

Your data may be transferred to and processed in countries outside the EU/EEA. When this occurs, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all sub-processors
  • Supplementary measures where required

Data Retention

We retain personal data only as long as necessary:

  • Account data: Until account deletion + 30 days
  • Analytics data: 24 months (aggregated/anonymized)
  • Support communications: 3 years
  • Billing records: As required by law (typically 7 years)

Security Measures

We implement technical and organizational measures to protect your data:

  • Encryption of data in transit (TLS 1.2+)
  • Encryption of data at rest
  • Access controls and authentication
  • Regular security assessments
  • Employee training on data protection
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33 and 34.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

Data Protection Contact

Email: privacy@limeforge.io

Please include "GDPR Request" in your subject line.

When making a request, please provide:

  • Your name and email address
  • Your Shopify store URL (if applicable)
  • Description of your request
  • Any information to help us locate your data

We will respond to your request within 30 days. In complex cases, we may extend this by an additional 60 days with notice.

Right to Lodge a Complaint

If you believe we have not handled your data in compliance with GDPR, you have the right to lodge a complaint with your local Data Protection Authority (DPA). We encourage you to contact us first so we can address your concerns.

Contact Us

For any questions about GDPR compliance or data protection:

LimeForge - Privacy Team

Email: privacy@limeforge.io

Contact Form