Skip to content

Privacy Policy

Last updated: [Please set the date when you publish this policy]

This Privacy Policy describes how the MUP Compliance App ("we", "us", or "our") collects, uses, and protects information when the app is used within your Shopify store. The app was built by Underwaterpistol LTD and helps merchants comply with Scotland's Minimum Unit Pricing (MUP) law for alcohol sales.

1. Overview

The MUP Compliance App processes certain data to enforce minimum unit pricing for alcohol orders destined for Scotland. We process data only as necessary to provide this functionality and to operate the app on the Shopify platform.

2. Information We Process

2.1 Data Processed for MUP Compliance

The app processes the following types of data to calculate levies, validate checkout, and determine whether MUP applies:

Data type Purpose Source
Cart and checkout data Product IDs, quantities, prices, discounts; used to calculate MUP levies and validate compliance Shopify Cart/Checkout APIs
Product data Alcohol unit metafields, product details; used for levy calculation and health checks Shopify Product APIs
Region / location data UK region (England, Scotland, Wales, Northern Ireland); used to determine if MUP applies Customer selection, postcode, or detection (see below)
Postcodes To identify Scottish delivery addresses so MUP can be applied correctly Entered at checkout or in the region selector
Order data Order details for tagging and compliance tracking Shopify Order APIs
Customer data Used for region detection and compliance (e.g. saved address) Shopify Customer APIs

2.2 Region Detection

The app may determine a customer's UK region using one or more of:

  • Manual selection – The customer chooses their region (England, Scotland, Wales, or Northern Ireland) in the region selector.
  • Postcode – Postcodes are used to infer whether the delivery address is in Scotland (e.g. AB, DD, DG, EH, FK, HS, IV, KA, KW, KY, ML, PA, PH, TD, ZE, and certain G-prefixes).
  • GeoIP – If configured by the merchant, MaxMind GeoIP or similar services may be used to infer region from IP address.
  • Browser geolocation – If the customer agrees, browser geolocation may be used for auto-detection (only when enabled and with consent).

Postcodes and region selections are used solely to decide whether MUP applies and to calculate and display the correct levies.

2.3 Data We Do Not Collect

We do not independently collect or store:

  • Names, email addresses, or phone numbers for marketing
  • Payment card or financial details (handled entirely by Shopify)
  • Any data beyond what is required for MUP compliance and app operation

3. How We Use Information

We use the data described above only to:

  1. Enforce MUP – Calculate and add levy charges when alcohol is priced below the minimum per unit for Scottish orders.
  2. Validate checkout – Block checkout when discounts would result in a price below the MUP floor for Scotland.
  3. Detect region – Determine whether an order is for Scotland so MUP rules are applied only where required.
  4. Operate the app – Run cart transforms, checkout UI, region selector, health checks, and configuration (e.g. MUP settings, metafields, levy product).
  5. Support and debugging – Use logs and diagnostic data to troubleshoot issues, as referenced in our Troubleshooting and related documentation.

We do not use this data for advertising, profiling, or selling to third parties.

Where UK GDPR or the EU GDPR applies:

  • Contract – Processing is necessary to perform our contract with the merchant (providing the MUP Compliance App) and to support the contract between the merchant and the customer (e.g. correct pricing and checkout).
  • Legal obligation – To help merchants comply with Scotland’s Minimum Unit Pricing law.
  • Legitimate interests – Where relevant, for security, fraud prevention, and improving the app, in a way that does not override individuals’ rights.

Where we rely on consent (for example, for optional browser geolocation), we will only use that data in line with the consent given.

5. Data Sharing and Subprocessors

  • Shopify – The app runs on Shopify. Product, cart, checkout, order, and customer data are processed via Shopify’s APIs and infrastructure, in accordance with Shopify’s Privacy Policy and their role as a platform provider.
  • Hosting and infrastructure – We may use third-party hosting or development platforms (e.g. Gadget or similar) that act as subprocessors. These are chosen to keep data secure and to support app functionality only.
  • GeoIP / geolocation – If MaxMind or similar services are used for region detection, those providers process IP or location data according to their own privacy terms.

We do not sell or rent personal data. We only share data where necessary to run the app, to comply with law, or to protect rights and safety.

6. Data Retention

  • Active use – Data is retained while the app is installed and in use, as needed for MUP calculations, validation, and order tagging.
  • After uninstall – We do not retain copies of your store’s or your customers’ data longer than necessary for support, legal, or contractual requirements. Shopify’s own retention policies continue to apply to data held in your store.
  • Logs and diagnostics – Log and diagnostic data are retained only as long as needed for troubleshooting and security, in line with our internal policies.

7. Security

We take steps to protect the data we process, including:

  • Using Shopify’s secure APIs and following recommended practices for apps.
  • Limiting access to data to those who need it to operate and support the app.
  • Relying on encryption in transit and at rest as provided by Shopify and our infrastructure.

You are responsible for securing access to your Shopify admin and any customisations you add.

8. Your Rights (UK / EEA and similar laws)

Individuals whose data we process may have rights to:

  • Access – Request a copy of their personal data.
  • Rectification – Request correction of inaccurate data.
  • Erasure – Request deletion in certain situations.
  • Restriction – Request that we limit how we use their data.
  • Object – Object to processing in certain circumstances.
  • Data portability – Receive their data in a structured, machine-readable format where applicable.

These rights can be exercised against the merchant (the Shopify store) as the primary data controller for customer and order data. We will support merchants in responding to such requests where the data has been processed by our app.

For enquiries or to exercise your rights in relation to data we control, please use the contact details in Section 10.

9. International Transfers

Data may be processed in the United Kingdom, the European Economic Area, and in other countries where Shopify or our service providers operate. Where we transfer data outside the UK or EEA, we rely on appropriate safeguards such as:

  • UK and EU adequacy decisions
  • Standard contractual clauses
  • Other mechanisms permitted under UK GDPR and the EU GDPR

10. Contact Us

For privacy-related questions, requests, or complaints about the MUP Compliance App:

  • Operator: Underwaterpistol LTD
  • Email: [Insert your privacy contact email]
  • Postal address: [Insert your address, if you wish to receive formal requests by post]

We will respond within a reasonable time, and in any event within the period required by applicable law (e.g. one month under UK GDPR where it applies).

11. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top will be revised when we make material changes. We encourage merchants to review this page periodically. Continued use of the app after changes constitutes acceptance of the updated policy, to the extent permitted by law.

12. Merchant Responsibilities

As the merchant and data controller for your store and your customers:

  • You must have your own privacy policy that explains to your customers how their data is used, including when they shop at your store and when apps such as ours process their data for MUP.
  • You are responsible for ensuring that your use of the app (including any optional features such as geolocation or GeoIP) complies with applicable privacy and data protection laws and with your own policies.
  • You should inform customers if you use region detection, postcodes, or optional geolocation as part of MUP compliance.

This privacy policy applies to the MUP Compliance App as used within the Shopify platform. It does not replace and should be read alongside your store’s privacy policy and Shopify’s policies.