Introduction
Welcome to the Privacy Policy of BOGOS: Free gift & Buy X Get Y app!
We are BOGOS, a part of Secomapp group (“we”, “us” or “our”). This Privacy Policy outlines the collection and usage of personal data, as well as the rights granted to our visitors, customers, and merchants in relation to their respective data. For purposes of this Privacy Policy, “you” and “your” mean you as the user of the services, or any individual whose information we have collected pursuant to this Privacy Policy.
By accessing or utilizing this website, our apps, or any of our services, you indicate your consent to abide by the terms stated in this Privacy Policy, as well as other terms and policies published on our website. If you do not agree with this Privacy Policy, kindly refrain from using this website and discontinue all use of our services.
Occasionally, we may update this Privacy Policy to reflect changes in our privacy practices and operational procedures, or to comply with legal or regulatory requirements. In the event of substantial modifications, we will notify you of such changes by posting the revised policy on this website and, when appropriate, through other means. By continuing to use our apps, website, or services following the posting of these changes, you agree to be bound by the updated policy.
Information collected from Merchants
Upon installation of our app, we have the capability to automatically retrieve specific information from your Shopify account. The details regarding this information can be found here. We gather this information to facilitate the provision of our services, which may include verifying your identity, establishing communication with you, offering customer support when you reach out to us, as well as delivering targeted advertising and marketing materials.
Information collected from Merchants’ customers
We do not collect any personal data from the customers of our merchants. Our focus is solely on providing services and support to merchants themselves, and we do not gather any information about their customers.
We may temporarily browse through customer data from orders to analyze and identify patterns related to potential fraudulent activities. If we detect data that matches records from previous fraud cases, we will promptly notify the merchant to help them take appropriate action.
Information collected when you visit our Website
When you visit our website, certain information about your device, such as your web browser, IP address, time zone, and some installed cookies, is automatically collected. We gather this information using various technologies like cookies, log files, web beacons, tags, and pixels.
Our website may provide links to websites or other online platforms operated by third parties. If you follow links to sites not affiliated or controlled by us, you should review their privacy and security policies and other terms and conditions. We do not guarantee and are not responsible for the privacy or security of such sites, including the accuracy, completeness, or reliability of information found on these sites.
How we share information
We do not sell your personal data to other organizations for commercial purposes. We may share your information with certain third-party services to support our business and provide better services to you. These include Mixpanel, Clarity, Zendesk, and Customer.io.
- We use Mixpanel to understand how customers use our app. You can read more about how Mixpanel collects your information at: https://mixpanel.com/legal/privacy-policy
- We use Clarity for insights into app analytics. You can read more about how Clarity collects your information at: https://privacy.microsoft.com/en-US/privacystatement
- We use Zendesk for communication and merchant support. You can read more about how Zendesk collects your information at: https://www.zendesk.com/company/agreements-and-terms/privacy-notice/
- We use Customer.io for email marketing and maintaining customer lists. You can read more about how Customer.io collects your information at: https://customer.io/legal/privacy-policy/
Cross-border transfer
Please note that we may transfer, store and process your personal information outside the country you live in, including the United States. Your personal information is also processed by staff and third-party service providers and partners in these countries.
Use of BOGOS by Children
BOGOS is not intended to be used by children. If you are under 13, you may use the site and services only with the supervision of your parents or guardian.
Your Rights
We recognize and respect your rights over your personal information. We take reasonable measures to enable you to access, correct, amend, delete, port, or restrict the use of your personal information. If you are a merchant and wish to exercise these rights, please contact us through [email protected]. We may require you to provide acceptable verification of your identity before granting access to such information.
If you are a customer of a merchant and want to exercise these rights, please directly contact the merchants you interacted with. We act as a processor on their behalf and can only forward your request to them for their response.
Your privacy and control over your personal information are important to us, and we are committed to assisting you in the exercise of your rights.
Retention
We understand the importance of data retention and strive to maintain appropriate retention practices. Your personal data and the data associated with your store will be deleted within 30 days after uninstalling the app. If you require immediate removal of your data, whether as a merchant or a buyer, please reach out to us at [email protected]. Please note that we may request acceptable verification of your identity before proceeding with the removal of your information.
We take the security and privacy of your data seriously and aim to ensure that it is handled in accordance with applicable laws and regulations.
Security incident response policy
The objective of this policy is to establish a systematic framework for identifying, reporting, evaluating, and addressing security incidents. The primary goal is to mitigate the effects of such incidents on the operations, reputation, and assets of the business. By implementing this policy, we aim to enhance our ability to effectively manage and respond to security-related events, ensuring the safeguarding of our organization’s integrity and interests.
Incident severity scales
- Level 1 (Low): Incidents that have minor impact and can be resolved quickly without causing significant damage.
- Level 2 (Moderate): Incidents that have a noticeable impact on the organization and require immediate attention to avoid further damage.
- Level 3 (High): Incidents that have a severe impact on the organization’s operations and require immediate action to contain and resolve the incident.
Roles and responsibilities
- Incident Response Team (IRT): This team is accountable for handling security incidents and comprises IT staff, security personnel, and other relevant stakeholders. They work together to promptly respond to and mitigate incidents.
- Incident Coordinator: This individual oversees the incident response process. Their responsibilities include coordinating with the IRT and other stakeholders, evaluating the severity of the incident, and ensuring that the response is efficient and effective.
- IT/Security Staff: These professionals are responsible for identifying, investigating, and resolving security incidents. They possess the necessary expertise to analyze the incidents, implement necessary measures, and restore normal operations as quickly as possible.
Escalation paths
- Incident Reporting: As soon as incidents are identified, they must be reported to the Incident Response Team (IRT). This can be accomplished through a dedicated incident reporting system, an email address, or a phone number. The incident report should provide a description of the incident, its impact on the organization, and any pertinent evidence.
- Initial Assessment: The IRT will conduct an initial assessment of the incident to determine its severity and impact. Based on this assessment, the IRT may decide whether to escalate the incident to a higher level.
- Level 1 Escalation: For incidents of low-level severity, the IRT may be capable of resolving the incident without further escalation. This may involve implementing temporary solutions, applying security patches, or updating security policies.
- Level 2 Escalation: In the case of moderate-level incidents, the IRT will escalate the incident to the Incident Coordinator. The Incident Coordinator will evaluate the incident and determine the appropriate response, which might involve engaging additional resources or experts. The Incident Coordinator will also keep relevant stakeholders, such as management and legal departments, informed about the incident and any response actions.
- Level 3 Escalation: High-level incidents prompt the IRT to escalate the matter to senior management or executive leadership. This may entail activating the organization’s emergency response plan or enlisting external experts or consultants to aid in the response. The Incident Coordinator will continue to coordinate the response efforts but with added oversight from senior management or executive leadership.
Evidence collection
Upon detection or reporting of an incident, all pertinent systems, devices, and logs will be safeguarded to prevent any subsequent alterations or deletions of data. This entails the collection and preservation of electronic data, such as system logs, network traffic, and application data. The purpose is to ensure that the integrity of the evidence is maintained for further investigation and analysis.
Required actions
- Incident Identification: All employees will receive training to promptly detect and report any security incidents. This includes reporting suspicious activities, unauthorized access, data breaches, malware infections, and other security-related incidents.
- Incident Categorization: The IRT will perform an initial assessment of the incident’s severity and impact. The incident will be categorized using a predefined severity scale to determine the appropriate response level.
- Incident Containment: Immediate measures will be taken by the IRT to contain the incident and prevent further data loss or damage. This may involve isolating affected systems, disabling network connections, or shutting down impacted services.
- Incident Analysis: The IRT will analyze the incident to ascertain its root cause and identify any indicators of compromise. This analysis may involve gathering and examining system logs, network traffic, and other pertinent data.
- Incident Response: The IRT will develop a response plan based on the incident’s severity and its impact on the organization. The plan will encompass clear procedures for communication, coordination, and collaboration among IRT members and other relevant stakeholders.
- Incident Recovery: The IRT will diligently work to restore normal operations while ensuring the security of systems and data. This may involve restoring from backups, patching vulnerabilities, or rebuilding systems.
- Incident Review: Once the incident is resolved, the IRT will conduct a post-incident review to identify lessons learned and areas for improvement. This review will inform updates to the organization’s security incident response policy and procedures, enhancing preparedness for future incidents.
Contact information
If you have any inquiries regarding your personal data or this Privacy Policy, or if you wish to file a complaint regarding how we handle