k-sync
Back to home

Privacy Policy

Last updated: March 16, 2026

This Privacy Policy explains how Krokanti Games SL ('we', 'us', 'our') collects, uses, and protects your personal data when you use k-sync (sync.krokanti.com), our Shopify product management platform.

Data Controller

Krokanti Games SL, a company registered in Spain, is the data controller for your personal data. You can contact us at hello@krokanti.com for any data protection inquiries.

Data We Collect

We collect the following categories of data to provide and improve our service:

  • Account information: name, email address, and profile image provided via Krokanti Account SSO (Single Sign-On)
  • Shopify store data: store URL, OAuth access tokens, and store configuration connected through Shopify OAuth integration
  • Product catalog data: product titles, descriptions, images, variants, prices, inventory levels, and metadata imported from or synced with your Shopify store
  • Sync history: migration run logs, import/export records, field mapping configurations, and sync job timestamps
  • Usage data: pages visited, features used, session duration, and interaction patterns
  • Payment information: subscription plan, billing status, and payment history (payment details are processed directly by Stripe and never stored on our servers)
  • Device data: IP address, browser type, operating system, and device identifiers collected through cookies and analytics

How We Use Your Data

We process your data for the following purposes:

  • To provide the k-sync service: connecting to your Shopify store, managing product catalogs, running migrations and sync jobs
  • To authenticate your identity via Krokanti Account SSO and manage your account access
  • To interact with the Shopify Admin API on your behalf using OAuth tokens you authorize
  • To process subscription payments and manage your billing through Stripe
  • To send transactional emails about your account, sync job completions, and critical service updates
  • To analyze usage patterns and improve the platform using Google Analytics 4 (when you consent to analytics cookies)
  • To respond to your support requests and troubleshoot technical issues

Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your data based on:

  • Contract performance: processing necessary to provide the k-sync service you subscribed to, including Shopify store connection and product management
  • Consent: for analytics cookies and marketing communications (you can withdraw consent at any time)
  • Legitimate interest: for service improvement, security monitoring, and fraud prevention
  • Legal obligation: for tax, accounting, and regulatory compliance under Spanish law

Third-Party Services

We share data with the following third-party processors to operate our service:

  • Shopify API: to read and write product data, orders, and inventory in your connected Shopify store (data remains in Shopify's infrastructure)
  • Stripe: payment processing and subscription management (PCI DSS compliant, USA with EU SCCs)
  • Vercel: application hosting and serverless infrastructure (USA with EU SCCs)
  • Neon: PostgreSQL database hosting for account and sync data (EU region available)
  • Google Analytics 4: anonymous usage analytics, only activated with your cookie consent (USA with EU SCCs)
  • Brevo: transactional email delivery (EU-based, GDPR compliant)
  • Cloudflare R2: temporary storage for product images during migrations (global edge network)

Data Security

We protect your data with TLS encryption in transit and encryption at rest. Shopify OAuth tokens are stored encrypted in our database. API tokens use SHA-256 hashing. We follow industry-standard security practices including regular security audits and access controls.

Data Retention

We retain your account data for as long as your account is active. Sync history and migration logs are retained for 12 months after completion. Product data imported from Shopify is retained while your connection is active and deleted within 30 days of disconnecting. If you delete your account, all associated data is permanently removed within 30 days. Backups may retain anonymized data for up to 90 days.

Your Rights (GDPR)

As a data subject under GDPR, you have the following rights:

  • Right of access: request a copy of all personal data we hold about you
  • Right to rectification: request correction of inaccurate personal data
  • Right to erasure: request deletion of your personal data ('right to be forgotten')
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to restriction: request temporary restriction of data processing
  • Right to object: object to processing based on legitimate interests
  • Right to withdraw consent: withdraw your consent for analytics cookies or marketing at any time

To exercise any of these rights, contact us at hello@krokanti.com. We will respond within 30 days as required by GDPR. You may also lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

Children's Privacy

k-sync is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes via email or a notice on our website. The 'Last updated' date at the top indicates the latest revision.

Contact Us

For any questions about this Privacy Policy or your data, contact us at hello@krokanti.com or write to Krokanti Games SL, Spain.