
1. Commitment to Data Privacy

Naridon, operated by Thom & Co GmbH (Switzerland), is fully committed to compliance with the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP). We prioritize the security and privacy of both our Merchants and their End-Customers.

2. Roles & Responsibilities

It is crucial to understand our role in processing data:
  • Merchant Data: When you (the merchant) install Naridon, we act as a Data Controller for your account information (name, email, billing details).
  • End-Customer Data: When we process your store’s customer queries or search history, we act as a Data Processor. You remain the Data Controller. We process this data solely on your instructions.

3. Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so, in accordance with Article 6 GDPR.
Data Type | Purpose | Lawful Basis
--- | --- | ---
Account Information | To provide the Naridon App service, manage billing, and authentication. | Contractual Necessity (Art. 6(1)(b))
Product Data | To index and optimize your store's catalog for AI models. | Contractual Necessity (Art. 6(1)(b))
Customer Queries (Search) | To provide AI search results and analytics to the merchant. | Legitimate Interest (Art. 6(1)(f)) & Contractual Necessity (Art. 6(1)(b))
Usage Logs | To ensure security, debug issues, and improve app performance. | Legitimate Interest (Art. 6(1)(f))
Marketing Comms | To send product updates or offers. | Consent (Art. 6(1)(a))

4. International Data Transfers

As a modern SaaS application, we utilize cloud infrastructure that may be located outside of Switzerland/EU (specifically the USA). To ensure your data remains protected, we rely on the following safeguards:
  • Adequacy Decisions: For transfers to countries recognized by the EU/Switzerland as providing adequate protection.
  • Standard Contractual Clauses (SCCs): For transfers to providers in the USA (e.g., OpenAI, Supabase), we enter into data processing agreements (DPAs) that incorporate the Standard Contractual Clauses approved by the European Commission.
  • Data Privacy Framework: Where applicable, we prioritize vendors participating in the EU-U.S. Data Privacy Framework.

5. Sub-Processors

We use the following third-party sub-processors to provide our service.
Sub-Processor | Role | Location | Safeguard
--- | --- | --- | ---
Shopify | E-commerce Platform & Identity | Canada (Adequate) / Global | Adequacy / SCCs
Vercel Inc. | Cloud Hosting & Edge Functions | USA | SCCs
Supabase Inc. | Database & Vector Storage | USA (AWS East) | SCCs
OpenAI, LLC | LLM Inference (Zero Retention) | USA | SCCs
Anthropic, PBC | LLM Inference (Zero Retention) | USA | SCCs
Note: Where available, we have signed specific "Zero Data Retention" agreements with our AI providers, so that prompts and responses are not stored by the provider after the request has been served and are not used to train their models.

6. Data Subject Rights

Under GDPR, you (and your customers) have the following rights:
  1. Right of Access: Request a copy of the personal data we hold about you.
  2. Right to Rectification: Request correction of inaccurate or incomplete data.
  3. Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data, subject to legal retention obligations.
  4. Right to Restriction: Request that we restrict the processing of your data.
  5. Right to Data Portability: Request your data in a structured, commonly used format.
  6. Right to Object: Object to processing based on legitimate interests.
To exercise these rights, please contact our Data Protection Officer at privacy@naridon.com.

7. Technical & Organizational Measures (TOMs)

We implement appropriate technical and organizational measures, in line with Article 32 GDPR, to protect data:

Encryption

  • In Transit: TLS 1.2+ encryption for all data moving between Shopify, our servers, and the client.
  • At Rest: AES-256 encryption for all database volumes and backups.

Access Control

  • Role-Based Access: Internal access is restricted to engineering staff with a specific business need.
  • MFA: Multi-Factor Authentication is enforced for all administrative access.

Availability & Resilience

  • Backups: Automated daily backups with point-in-time recovery.
  • Redundancy: Critical services are deployed across multiple availability zones.

8. Data Breach Notification

In the event of a personal data breach, we will notify:
  • The competent supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  • Affected controllers (Merchants) without undue delay, providing sufficient information to allow you to meet your own notification obligations.

9. Contact Information

Data Protection Officer (DPO)
Thom & Co GmbH
Scherzingerstrasse 16, 8598 Bottighofen, Switzerland
Email: privacy@naridon.com