Privacy Policy for InstantPay – Direct Payment Buttons on Product & Cart page

Last updated: 25 August 2025
Company: Grafeco Network (Estonian registration code 16255245)
Registered address: A. H. Tammsaare tee 47, Kristiine linnaosa, Tallinn, Harju maakond, 11316, Estonia
Website & contact: grafeco.com · [email protected]

1. Introduction

This Privacy Policy explains what personal and technical data Grafeco Network (“we”, “us”, “our”) collects, how we use it, and your rights in relation to the use of the InstantPay – Direct Payment Buttons on Product & Cart page extension (the “Extension”) — in particular data collected for licence activation and minimal telemetry purposes. This policy applies to customers who obtain the Extension via the Adobe/Commerce Marketplace or directly from us. It complements the Extension’s End User Licence Agreement (EULA).

2. Data we collect

We collect only the minimal information necessary for licence activation, fraud prevention, product support and product improvement. Collected items may include:

Licence activation & verification data

• Licensed Domain name (e.g. www.example.com)
• Licence key or token (issued to the purchaser)
• Date and time of activation / verification request
• Extension version and build identifier
• Server IP address (source of activation request)
• Basic system information required for compatibility checks (e.g. Magento/Adobe Commerce version)

Minimal telemetry / diagnostic data (optional / limited)

• Extension usage metrics in aggregated or anonymised form (for example: feature usage counters, counts of button clicks aggregated per store or per version — no customer personal data)
• Non-sensitive error reports (stack traces or error codes) where necessary to diagnose defects — sensitive customer data will be excluded or redacted.

3. Purposes of processing

We process the data for the following purposes:

• To validate licence entitlement and enforce the per-domain licence.
• To provide technical support and to diagnose and correct defects.
• To monitor product usage in aggregate for the purposes of product improvement and prioritising fixes/features.
• To prevent fraud and unauthorised distribution of the Extension.
• To comply with our legal obligations and to respond to lawful requests.

4. Legal basis

Where applicable under data protection law, our legal bases for processing are:

• Performance of a contract (licence verification and fulfilment);
• Legitimate interests (fraud prevention, product improvement, security and support) — we limit these processing activities to minimise privacy impact; and
• Consent (where we request explicit opt-in for any non-essential telemetry).

5. Telemetry opt-in / opt-out

• Licence verification requires certain technical data and cannot be opted out if you wish to use automatic online activation. We will minimise the amount of personal data transmitted.
• Non-essential telemetry (aggregated feature usage or diagnostic reports) will be collected only if you opt in (explicit checkbox) or if clearly stated in the product documentation; where permitted we provide an opt-out mechanism in the extension configuration.

6. Storage and retention

• Licence activation records and associated logs are retained for as long as necessary to manage licences and for a maximum of 24 months after last activity, unless a longer retention period is required by law or for active disputes.
• Aggregated telemetry and anonymised usage metrics are retained for product improvement purposes; retention periods are minimised and periodically reviewed.

7. Sharing and recipients

We do not sell personal data. We may share licence verification data with:

• Our authorised service providers for hosting, analytics or technical support (under contract and limited to what they need);
• As required by law, legal process, or to respond to lawful requests by public authorities;
• In the event of a business sale, merger or acquisition (subject to confidentiality obligations).

Where we use third-party providers (for example hosting or analytics), we ensure appropriate contractual and technical safeguards; any cross-border transfers will be subject to appropriate safeguards.

8. Security

We employ reasonable technical and organisational measures to protect data (encryption in transit, access controls, logging and monitoring). However, no method of transmission or storage is completely secure — please contact us immediately if you suspect misuse or a breach.

9. Your rights

Subject to applicable law, you may have the right to:

• Request access to personal data we hold about you;
• Request correction of inaccurate personal data;
• Request deletion of personal data (where lawful and not required for contract performance or legal compliance);
• Object to or restrict certain processing;
• Request data portability (where applicable).

To exercise these rights contact [email protected]. We will respond within applicable legal timeframes.

10. Cookies and similar technologies

This Privacy Policy covers data processed by the Extension (licence/telemetry). If our website uses cookies, those are described separately in our website cookie policy or in the store listing as required by Adobe. For Marketplace submissions, list any cookies placed by your licence/activation flows.

11. Children

The Extension is not directed at children. We do not knowingly collect personal data from minors.

12. Changes to this policy

We may update this Policy. Where changes materially affect data processing for licence activation or telemetry, we will provide notice (for example on our site or via the Marketplace listing) and the date of last update will be changed above.

13. Contact

Grafeco Network
[email protected] · grafeco.com
Registered in Estonia, reg. code 16255245.
For privacy / data enquiries, subject access requests, or to request deletion please contact [email protected].