PTESEN

Privacy Policy

Last updated: June 19, 2026

Ondasend is an email, WhatsApp and SMS marketing app for Shopify stores. This policy explains what data we access, what we use it for, and how we protect it, in compliance with Brazil's LGPD (Law 13.709/2018) and the GDPR.

1. Who we are and our role

Ondasend provides the app that merchants install on their Shopify stores. For end-customer data, the merchant is the Controller and Ondasend acts as the Processor, handling data only under the merchant's instructions and to operate the app. Questions: contato@ondasend.com.

2. Data we access

With your authorization and Shopify's Protected Customer Data approval, we access, through Shopify's APIs and webhooks:

  • Customer names;
  • Email address;
  • Phone number (when available);
  • Order history (purchases, amounts, dates);
  • Purchase behavior and engagement (abandoned carts, campaign opens and clicks).

We also process data entered in your store's signup forms (email, name, phone and marketing consent).

3. What we use data for

  • Send email, WhatsApp and SMS campaigns on your store's behalf;
  • Run automations (welcome, birthday, post-purchase) and abandoned-cart recovery;
  • Segment contacts by behavior and purchase history;
  • Generate real-time campaign reports (sends, opens, clicks, conversions and revenue);
  • Honor consent and unsubscribe requests.

We do not sell personal data.

4. Legal basis

We process data based on performance of the contract with the merchant, the legitimate interest of operating the service, and — for marketing to end customers — the consent obtained by the merchant (LGPD art. 7 and 11; GDPR art. 6). Customers can withdraw consent anytime via the unsubscribe link in every message.

5. Sub-processors

We share strictly necessary data with:

  • Neon (Neon, Inc.) — database hosting contacts, campaigns and metrics. United States.
  • Amazon SES (Amazon Web Services, Inc.) — email delivery. United States.
  • atende-tudo / Meta WhatsApp Cloud API — WhatsApp delivery to opted-in customers.
  • SMS partner provider — SMS delivery, when the channel is enabled.

Personal data stays in Shopify as the primary source; we keep only an operational copy of contacts in Neon.

6. International transfer

Because the sub-processors operate in the US, data may be processed outside Brazil and the EU, with safeguards under LGPD (art. 33) and GDPR (Chapter V).

7. Data retention and deletion

We keep data while the app is installed. On uninstall, Shopify sends the shop/redact webhook and we delete the store's data within 48 hours of receiving it.

  • The merchant can request deletion by uninstalling the app or via contato@ondasend.com.
  • The end customer requests access/deletion directly from the store; we process it via the mandatory webhooks.

8. Shopify privacy webhooks

  • customers/data_request — we gather the customer's data and make it available to the merchant;
  • customers/redact — we erase the specified customer's data;
  • shop/redact — we erase all of the store's data after uninstall.

9. Data subject rights

You and your customers have the right to access, correct, delete, port and object to processing (LGPD art. 18; GDPR art. 15–22). End customers exercise these with the store; merchants contact us directly.

10. Security

We use encryption in transit (TLS), restricted access control, and providers with recognized security certifications.

11. Minors

The app is not directed at minors and we do not knowingly collect children's data.

12. Changes to this policy

We may update this policy periodically; the "last updated" date at the top will be revised.

13. Contact

Privacy questions: contato@ondasend.com.