
Privacy Policy

Last update: July, 2025

Table of contents

1. Sources of Personal Information Collected

2. Purpose of Data Processing 

3. Data sharing

3.1. Third Party

3.2. Law enforcement and Legal Requirements

3.3. Change of ownership

3.4. Testimonials

3.5. Hosting

4. Data Retention

5. Security

6. Your Rights Under Applicable Laws

7. Children’s Privacy

8. Google API Limited Use Disclosure

9. Update to the Policy

10. Contact us


Please read this privacy policy carefully

GemX is a software-as-a-service product developed and owned by GemCommerce Co., Ltd. (“GemX”, “Company”, “we”, “us”, or “our”). GemX provides key features that enable Users to optimize their website performance by running experiments to test web page variations, enhancing user experience and increasing conversions. These services are made available through our application on the Shopify App Store (the “App”), our website at https://gemexp.net/, and related functionalities (collectively, the “Services”).

This Privacy Policy (“Policy”) describes how we collect, use, disclose, and protect personal data obtained through the use of the Services. References to your use of the Services in this Policy include any interaction with GemX, whether or not you are a subscribed User. By using the Service, you acknowledge that you have read, understood, and agreed to the terms of this Policy.

 

Definitions

 

“Service”, “App” or “GemX” refers to the Shopify application developed by GemCommerce Co., Ltd., which includes all associated features, tools, functionalities, content, and services provided to User.

 

“User”, “You” or “Your” means any individual or legal entity that accesses or uses the Service in connection with the operation of a Shopify store.

 

“Customer” refers to any end user, visitor, or purchaser who interacts with your Shopify store and whose Personal Information may be collected, processed, or stored through your use of the Service.

 

“Personal Information” or “Personal Data” refers to any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a specific, identified or identifiable natural person. This includes, but is not limited to: (i) Identifiers such as full name, alias, mailing address, unique personal identifiers, online identifiers, Internet Protocol (IP) address, email address, account name, government-issued identification numbers (e.g., national ID, passport, driver’s license), or other similar identifiers; and (ii) Any other information that is considered “personal information”, “personally identifiable information”, “personal data”, or similar terms under applicable data protection and privacy laws, including but not limited to the GDPR, CCPA, and any other relevant international, federal, or state data privacy regulations. In addition, Personal Information may also include information about your device, browsing activities, purchase or usage history, and customer data submitted through the Service if such data can be used to identify a natural person.

 

“Personal Data Breach” means any actual or suspected incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed by GemX or its authorized third-party service providers. This includes breaches resulting from both intentional and unintentional acts or omissions that compromise the confidentiality, integrity, or availability of personal data, as defined under applicable data protection laws.

 

“Aggregated/De-Identified Data” refers to information that has been processed in such a way that it can no longer reasonably be linked to any identified or identifiable individual.

 

“Usage Fee” or “Usage Charge” refers to a variable, usage-based charge that applies in addition to a fixed Subscription Fee, with the calculation formula and applicable plans specified in our Pricing.

1. Sources of Personal Information Collected

For the purposes of providing and enhancing the Service, Personal Information is collected from multiple sources, as further described in the sections below.

  • Information You Provide to Us: We collect Personal Information you directly submit to GemX when you install or configure the App, contact customer support, fill out forms, provide feedback, or otherwise interact with our services. This may include your name, contact information, preferences, and any content or files uploaded through the App.
  • Information from Shopify: We may receive data from Shopify, which we process solely to provide and enhance the Service’s functionality and to improve the user experience. When you install or authorize the App, we access store and account-related information through Shopify, including but not limited to your Shopify store name, email address, order data, and other merchant-related information necessary for providing the Service.
  • Information from Third Parties: We may receive Personal Information from third parties, including but not limited to analytics providers, advertising networks, service vendors, or business partners that assist us in operating and improving the App. These third parties may provide us with information such as usage statistics, support interactions, or aggregated demographic insights. We do not purchase personal data from third parties, nor do we process third-party data for profiling unless specifically described in this Policy or separately consented to.
  • Automatically Collected Data (Log Data and Cookies): We automatically collect technical data when you access or use the App, such as IP address, browser type, operating system, device identifiers, and usage logs. We may also use cookies and similar technologies to enhance functionality and performance. You can manage your cookie preferences or opt out of certain types of tracking by following the instructions provided in our [Cookie Policy].

GemX is committed to processing Personal Information in accordance with applicable laws and the requirements set forth by the Shopify platform. We ensure that diagnostic and analytics data collected through cookies and logs are used solely for the purpose of monitoring, maintaining, and enhancing the performance, security, and quality of the Service.

2. Purpose of Data Processing 

GemX processes Personal Information only for specific, legitimate purposes that are necessary to operate, maintain, and enhance our Services. GemX does not sell, rent, or otherwise disclose Personal Information to third parties in exchange for monetary or other valuable consideration. In particular, we process Personal Information for the following primary purposes, among others:

  • App Operation and Enhancement: To operate, maintain, and improve the functionality, performance, and reliability of GemX. This includes enabling A/B testing capabilities, measuring conversion rates, analyzing site interactions (such as page views and click-through behavior), and ensuring compatibility across browsers and devices. This processing is necessary for the core functions of the App.
  • Communications and Support: To communicate with you as the User, including providing important notices related to your account, billing updates, service announcements, and responses to technical or customer support inquiries. Where permitted by applicable law and based on your consent where required, we may also use your contact information to send non-transactional messages, such as product updates, surveys, or marketing communications.
  • Personalization and User experience: To tailor your experience with GemX, including by providing personalized features, content, and recommendations based on your store's configuration, historical usage data, or testing performance.
  • Legal Compliance and Enforcement: To comply with applicable legal obligations, regulatory requirements, or enforce our contractual rights. This includes responding to lawful requests from governmental authorities, such as subpoenas or court orders, and protecting the security, integrity, and lawful use of the Service.
  • Security and Fraud Prevention: To prevent, detect, investigate, and mitigate potentially fraudulent, unauthorized, or malicious activities. This may involve analyzing behavioral patterns and usage anomalies to identify threats and ensure a secure operating environment for all users.
  • Research and Development: To analyze aggregated data, identify trends, assess user interactions, and enhance the performance and functionality of our features. Insights derived from A/B testing and user behavior are used to inform product improvements and develop new features.
  • Marketing and Promotion: To send promotional messages or display marketing content tailored to your interests, including product offers, service recommendations, and newsletters. These communications may be based on how you interact with the Service and your usage patterns, and are only sent where legally permitted or with your consent. You have the right to opt out of receiving these communications at any time by following the unsubscribe instructions in the message, adjusting your communication preferences in your account settings, or by contacting our support team.
  • Business Operations and Analytics: To generate usage statistics, evaluate the effectiveness of product features, and understand overall user engagement with the Service. We may use this data to improve operational efficiency and guide business decisions.

3. Data sharing

3.1. Third Party

Personal Information may be shared with trusted third-party service providers who support our business operations and enable us to provide, maintain, and improve the Service. These service providers act on our behalf and are granted access to Personal Information solely to the extent necessary to perform their designated functions. They are contractually obligated to process such data only as instructed and not for their own purposes.

Categories of such providers include, but are not limited to:

  • Customer Communication and Support: We may use Intercom and Customer.io to facilitate customer communication, support, and deliver personalized email communications related to user onboarding, product updates, and promotional campaigns.
  • User Experience Analysis: We may use Fullstory, Hotjar, and Google Analytics to understand User engagement through session replays and heatmaps, helping us enhance user experience.

In addition, GemX engages third-party service providers to support the infrastructure and operations of the Service, including but not limited to hosting, storage, data processing, and payment facilitation. These service providers are granted access to Personal Data strictly as necessary to perform services on our behalf and are contractually prohibited from using such data for their own marketing or unrelated purposes.

3.2. Law enforcement and Legal Requirements

Personal Information may be disclosed where required by applicable law, regulation, legal process, or enforceable governmental request (e.g., subpoenas or court orders). We may also disclose such data when reasonably necessary to:

  • Establish, exercise, or defend legal claims,
  • Protect the rights, property, or safety of GemX, its Users, or others,
  • Detect, prevent, or respond to suspected fraud, security incidents, or technical issues.

Any disclosures under this section will be strictly limited to the extent required by law and executed in a secure and responsible manner.

3.3. Change of ownership

In the event of a merger, acquisition, reorganization, sale of assets, or any other change in ownership, Personal Information may be transferred to a successor entity or affiliate as part of the transaction. Such transfers will be conducted in compliance with applicable data protection laws. Where required, you will be notified of the change and your rights under relevant legislation will be respected.

3.4. Testimonials

With your explicit consent, we may publish aggregated or anonymized testimonials and reviews on our website or other marketing materials. These will not include any directly identifiable information unless you have expressly agreed to such disclosure.

3.5. Hosting

GemX uses a secure cloud-based infrastructure which may be distributed across several regions to ensure a stable and reliable Service experience. We may host, process, and share Personal Data across the jurisdictions within these regions with our Affiliates and trusted service providers solely for the purpose of delivering and improving the Service, and always in compliance with applicable privacy laws.

In such cases, we will also employ appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of Personal Data. These measures are designed to secure your data against unauthorized access, misuse, or disclosure and to ensure that your rights are upheld throughout all stages of the aforementioned activities.

4. Data Retention

We retain Personal Information only for as long as is necessary to fulfill the purposes set out in this Privacy Policy, or as required to comply with applicable legal, regulatory, or contractual obligations. For the purposes of this section, Personal Information may include, but is not limited to, account credentials, IP addresses, device identifiers, cookie data, test variant assignments, event logs, and any other identifiers or usage metrics collected in the course of A/B testing activities.

While your use of the GemX App remains active, we will maintain your account details, configuration data, and related records to support the ongoing operation and performance of the Service. Upon uninstallation of the App, we will immediately cease the collection of any new data. You may submit a request to delete your stored Personal Data at any time. GemX will evaluate and respond to such requests within a reasonable period, consistent with applicable data protection and privacy laws. Notwithstanding the foregoing, GemX reserves the right to refuse, in whole or in part, any deletion request where the continued retention of Personal Data is required to satisfy legal, regulatory, or contractual obligations. These obligations may include, but are not limited to, compliance with tax rules, retention duties, and audits required by authorities.

GemX may retain de-identified experiment results, aggregated performance metrics, and variant assignment logs in a non-personalized format beyond the retention of Personal Data, for the purposes of improving testing algorithms, benchmarking, and reporting accuracy. All processing of aggregated and de-identified Data is performed in accordance with applicable data protection laws and supported by a legitimate interest in enhancing and maintaining the performance, functionality, and relevance of the Service.

GemX adheres to the principle of data minimization, ensuring that no more Personal Data is retained than is necessary to fulfill the purposes described herein. Server logs, error logs, and other system-generated metadata related to Service performance or experiment execution may be retained for an unlimited duration solely to facilitate diagnostics, prevent fraudulent activities, and maintain service reliability.

5. Security

GemX will implement appropriate technical and organizational measures to safeguard Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to, the use of industry-standard encryption protocols, firewalls, secure access controls, and multi-factor authentication.

Despite our best efforts and implementation, you acknowledge and agree that no method of transmission over the Internet or method of electronic storage is entirely secure. Accordingly, GemX cannot ensure or warrant the absolute security of Personal Data transmitted through or stored within the Services on our systems.

In the event of a confirmed Personal Data Breach, GemX will, without undue delay, take all necessary steps to assess, contain, and mitigate the breach. Where the breach is likely to result in a risk to the User’s rights, GemX will promptly notify impacted Users and, where legally required, report the breach to the relevant supervisory authorities within the timelines established under applicable data protection laws. 

All such actions will be carried out in accordance with Shopify’s policies and relevant legal obligations to ensure transparency and accountability.

6. Your Rights Under Applicable Laws

GemX is committed to enabling and supporting you in exercising your data protection rights in full compliance with applicable laws and regulations, including but not limited to the GDPR, the CCPA, and Shopify’s policies.

  • Right of Access and Information: You have the right to request information about the personal data we hold about you, including the categories of data, purposes of processing, and third-party disclosures. Upon request, we will provide a copy of your personal data in a structured, commonly used, and machine-readable format.
  • Right to Rectification: If any of your personal information is inaccurate or incomplete, you have the right to request that we update or correct it promptly and in a timely manner.
  • Right to Erasure: You may request the deletion of your personal data, and we will honor such requests unless we are legally required or otherwise permitted to retain the data for legitimate purposes (e.g. regulatory compliance or legal claims).
  • Right to Restriction of Processing: You may request that we limit the processing of your personal data under certain circumstances, such as when you contest the accuracy of the data or object to its processing.
  • Right to Data Portability: Where applicable, you may request to receive a copy of your personal data in a portable format or request that it be transferred to another service provider.
  • Right to Withdraw Consent: If the processing of your personal data is based on consent, you have the right to withdraw that consent at any time. Please note that this may impact your ability to use certain features of the Service.
  • Right to Opt-Out of Marketing Communications: You can opt out of receiving marketing emails or other promotional communications from us at any time by using the unsubscribe link in those communications or contacting us directly.

To safeguard your personal information, GemX may require verification of your identity before processing any request to exercise your rights. This verification process may include confirming account credentials or requesting additional information necessary to authenticate your identity and prevent unauthorized access.

If you are a resident of California, you may be entitled to additional rights under the CCPA, such as: (i) the right to know what personal information is being collected and to access that information, (ii) the right to know what personal information is sold or shared and to whom, and (iii) the right to opt out of the sale or sharing of personal information. Please note that these rights are subject to certain limitations and exceptions as provided by law.

To exercise any of the rights above, please contact us using the information provided in the “Contact Us” section of this Policy. We will respond to verifiable requests in accordance with applicable legal requirements.

7. Children’s Privacy

GemX is designed for adult Users operating stores on the Shopify platform and is not intended for use by children. In compliance with applicable laws, including the Children’s Online Privacy Protection Act (COPPA) and Shopify’s policy guidelines, we do not knowingly collect or process personal information from individuals under the age of 13.

If we become aware that we have inadvertently collected personal data from a child under 13 without verified parental consent, we will take immediate steps to delete such information from our systems.

If you believe that a child under 13 may have provided us with personal data, please contact us promptly using the contact information provided in this Privacy Policy. We will investigate and address the issue in accordance with our obligations under applicable data protection laws.

8. Google API Limited Use Disclosure

GemX’s integration with Google services (e.g., Google Analytics) complies with the Google API Services User Data Policy, including its Limited Use requirements. Specifically, GemX accesses metrics such as page views, conversion rates, or user sessions, solely to generate A/B test performance reports within the App. This data is not used for advertising, user profiling, AI model training, or any commercial purpose, nor is it transferred to unauthorized third parties.

All Google-derived user data is processed and stored securely in strict accordance with applicable privacy laws and regulatory obligations. The data is handled only for the period necessary to support core Service functionality and is subject to the principle of data minimization. You retain the right to request the deletion of Google-derived data associated with your account, and such requests will be verified and processed in line with applicable legal requirements and within the timelines prescribed by law.

9. Update to the Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices or legal requirements, and such updates may be made without prior notice. When we make changes, we will update the “Last Updated” date at the top of this page. The revised Policy will become effective upon its publication on this page. Accordingly, we encourage you to review this Policy periodically before submitting any personal information.

Your continued use of our services after any amendments to the Policy constitutes your acceptance of the updated terms. Where material changes are made, we will highlight them at the top of this page and indicate the date on which the Policy was last updated.

10. Contact us

If you have any questions about our Privacy Policy, please contact us by email at gemx-support@gemcommerce.com or by post at:

GemCommerce Company Limited

5th Floor, Artemis Tower, 3 Le Trong Tan Street, Phuong Liet Ward, Hanoi, Vietnam