Privacy Policy

Last updated: 2 May 2026

1. Data Controller

BestSupport ("we", "us", "our") is operated by:

Vel Media

Company Reg. (CVR): 43732404

Contact: Kris Nielsen

Email: kris@bestsupport.dk

Country: Denmark

We are the data controller for the processing of personal data described in this Privacy Policy.

2. Information We Process

2.1 When a webshop (merchant) uses BestSupport

We process the following information about merchants and their employees:

  • Name, email, phone number
  • Company information (CVR, address, industry)
  • Login credentials for Gmail and Shopify (via OAuth tokens)
  • API keys for shipping carriers (encrypted with AES-256)
  • AI response configuration, rules, and settings
  • Billing information

2.2 When BestSupport processes emails from end-customers

When a merchant connects their Gmail and Shopify to BestSupport, we process the following about the merchant's end-customers:

  • Name, email, phone number
  • Content of emails sent to the merchant (customer inquiries)
  • Order information from Shopify (order ID, products, shipping address, amount)
  • Tracking data from shipping carriers
  • Returns and complaints

Important: For end-customer data, BestSupport acts as a data processor — the merchant is the data controller. End-customers should contact the merchant they purchased from regarding their rights.

3. Why We Process the Information

Purpose | Legal Basis
Provide customer service automation to merchant | Contract (GDPR Art. 6(1)(b))
Generate AI responses based on email content and order data | Contract (GDPR Art. 6(1)(b))
Service improvement and troubleshooting | Legitimate interest (GDPR Art. 6(1)(f))
Compliance with legal obligations (accounting) | Legal obligation (GDPR Art. 6(1)(c))
Billing and payment | Contract (GDPR Art. 6(1)(b))

4. Data Retention

Data Type | Retention Period
Merchant account and settings | While merchant is an active customer + 12 months
Customer tickets (emails from end-customers) | 24 months after ticket is closed
Order data from Shopify | 24 months after last interaction
Billing data | 5 years (Danish accounting law)
Webhook logs and error logs | 12 months
Encrypted API keys | Until merchant removes integration

When a merchant cancels BestSupport or uninstalls the app from Shopify, we delete all related data within 30 days, except data we are legally required to retain.

5. Where Data Is Stored and Transferred

5.1 Data stored in the EU

  • Vercel (hosting): Frankfurt, Germany
  • Supabase (database): EU region
  • Nango (OAuth handling): EU region

5.2 Data transferred outside the EU/EEA

BestSupport uses the following sub-processors located in the United States:

Sub-processor | Purpose | Country
Anthropic, Inc. | AI response generation (Claude API) | USA
Resend | Email delivery | USA
Shopify | Webshop integration | Canada/USA

For transfers to the United States, we rely on the EU Commission's Standard Contractual Clauses (SCC) as the legal basis, pursuant to GDPR Art. 46(2)(c). We have entered into Data Processing Agreements (DPAs) with all sub-processors.

What this means: When a customer email is processed by BestSupport, the content is sent to Anthropic's Claude API in the United States to generate a response. Anthropic does not retain data for training purposes and deletes data after processing.

6. Security

We have implemented the following technical and organizational security measures:

  • Encryption of sensitive data (AES-256) at rest
  • Encryption in transit (TLS 1.3) for all connections
  • HMAC validation of all Shopify webhooks
  • Access logs and monitoring
  • Role-based access control
  • Regular security updates
  • Backups with same security level as production data

If we discover a security breach involving personal data, we report it to the Danish Data Protection Authority within 72 hours, pursuant to GDPR Art. 33.

7. Your Rights

You have the following rights regarding your personal data:

  • Access (Art. 15): Find out what information we hold about you
  • Rectification (Art. 16): Correct inaccurate information
  • Erasure (Art. 17): Request deletion ("right to be forgotten")
  • Restriction (Art. 18): Restrict processing
  • Data Portability (Art. 20): Receive your data in a structured format
  • Objection (Art. 21): Object to processing based on legitimate interest
  • Withdraw Consent (Art. 7): If processing is based on consent

To exercise your rights, contact: kris@bestsupport.dk. We respond to requests within 30 days.

8. Right to Complain

If you believe we are processing your data in violation of GDPR, you may file a complaint with:

Datatilsynet (Danish Data Protection Authority)

Carl Jacobsens Vej 35, 2500 Valby, Denmark

Phone: +45 33 19 32 00

Email: dt@datatilsynet.dk

Web: www.datatilsynet.dk

9. Cookies

BestSupport uses only strictly necessary cookies required for the app to function:

  • Session cookies (login, security)
  • CSRF tokens
  • Language and UI preferences

We do not use marketing cookies, tracking pixels, or third-party cookies. See separate Cookie Policy.

10. Shopify-Specific Obligations

When BestSupport is installed on a Shopify store, we comply with Shopify's mandatory GDPR webhook requirements:

  • customers/data_request: When an end-customer requests access to their data, we receive the request and provide the data within 30 days
  • customers/redact: When a merchant requests deletion of a customer's data, we anonymize all customer data in our systems
  • shop/redact: When a merchant uninstalls BestSupport, we delete all data about the store within 30 days

We process Shopify customer data (including names, emails, phone numbers, and addresses) solely for the purpose of providing customer service automation. We do not sell, share, or use this data for any other purpose.

11. Google API Services User Data Policy

BestSupport's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, BestSupport:

  • Does NOT use Gmail data for serving advertisements
  • Does NOT allow humans to read Gmail data, except:
    • with the user's explicit consent for specific messages;
    • where necessary for security purposes (e.g., investigating abuse);
    • where required by applicable law; or
    • for internal operations, with the data anonymized and aggregated.
  • Does NOT transfer Gmail data to AI/ML models for training purposes
  • Does NOT sell Gmail data

Gmail Scope We Use

  • https://mail.google.com/ (full Gmail access): Used to read incoming customer emails, classify intent, prepare AI replies, send AI-prepared replies to customers (after merchant approval where applicable), and apply labels for ticket organization.

Note: We are evaluating reducing to narrower scopes (gmail.modify + gmail.send) in a future update to follow the principle of least privilege.

Revoking Access

Users can revoke BestSupport's access to their Gmail at any time by:

This will immediately disconnect the integration from BestSupport.

12. Changes

This Privacy Policy may be updated. Material changes will be communicated via email to registered merchants at least 30 days before they take effect.

13. Contact

Questions about this Privacy Policy:

Vel Media

Attn: Kris Nielsen

Email: kris@bestsupport.dk

CVR: 43732404