Privacy Policy
Last updated: July 2026
Protecting your data matters to us. This policy explains which personal data the 7ankyou app processes, for what purpose and on what legal basis. 7ankyou is a cross-promotion service for Shopify merchants: after a purchase in a participating store, the customer sees a selection of coupons from other, non-competing stores; in return, the merchant's own offer appears on the thank-you pages of those stores.
1. Data controller
The controller responsible for data processing within the meaning of the GDPR is:
OmniMain GmbH, Halbmondstr. 2, 74072 Heilbronn, Germany. You can find contact options at the bottom of this page.
For order data originating from a participating merchant's store we act partly as the merchant's processor and partly as an independent controller (see section 4).
2. Roles and data subjects
We process data of two groups of people: the merchants who install 7ankyou in their Shopify store (our customers), and the end customers who shop in a participating store and who may claim a coupon.
3. Merchant data
When a merchant installs 7ankyou, we process the data required to provide the service:
- store domain and Shopify store identifier
- the store's contact e-mail address
- the offer configuration set by the merchant (coupon/discount, industry/category, country, teaser style)
- aggregated statistics on the merchant's own reach (impressions, clicks, redemptions)
- an access token provided by Shopify so the app can read order data server-side
The legal basis is the performance of the usage contract (Art. 6(1)(b) GDPR).
4. Order and end-customer data from the store
When a purchase is made in a participating store, 7ankyou receives the following order data server-side via the Shopify interface and stores it:
- order number, country, language, currency and order value
- the purchased products including their category
- where available: the customer's name and e-mail address
The sole purpose is to match the order with a relevant ring of coupons assigned by country and category and - if the customer wishes - to deliver a coupon to them by e-mail. Name and e-mail are used server-side only (for example to pre-fill the redemption form and to send a claimed coupon).
This data is not passed on to other merchants or any other third parties. Other stores never see the customer data of another store's order.
The legal basis is our and the merchant's legitimate interest in cross-promotion and a post-purchase thank-you (Art. 6(1)(f) GDPR); for sending a coupon, the customer's consent or request (Art. 6(1)(a)/(b) GDPR). Shopify provides this data as part of "Protected Customer Data".
5. Coupon redemption on go.7ankyou.com
If an end customer voluntarily claims a coupon, we store their e-mail address and the chosen coupon, send them the coupon by e-mail, and record whether the link in that e-mail was clicked (for performance measurement). The legal basis is consent or the performance of the delivery requested by the customer (Art. 6(1)(a)/(b) GDPR).
6. Recipients and processors
To provide the service we use carefully selected service providers acting as processors (Art. 28 GDPR) on our behalf:
- Hosting: Hetzner Online GmbH, Germany (EU)
- E-mail delivery: Scaleway SAS, France (EU)
- Error and availability monitoring on our own infrastructure within the EU
- Shopify (Shopify International Ltd.) as the platform the order data originates from
No transfer to third countries takes place, with the exception of the processing inherent to Shopify (safeguarded by the standard contractual clauses).
7. Retention
We store personal data only for as long as necessary for the purposes stated above or required by statutory retention obligations. If a merchant uninstalls the app, the associated data is deleted or anonymised in accordance with Shopify's requirements. End customers may request deletion of their data at any time.
8. Cookies and similar technologies
We use only strictly necessary cookies that are required to operate the website. Information is stored on or read from your device only where this is strictly necessary to provide the service you requested; under Sect. 25(2) no. 2 TDDDG (the German implementation of the ePrivacy rules) no consent is required for this. The legal basis for the associated processing is our legitimate interest in a secure, functioning service (Art. 6(1)(f) GDPR).
Specifically, we set the following cookies:
- 7ankyou_session - session cookie: stores an encrypted session identifier used to associate server-side session data (e.g. the selected language and short-lived status messages). Lifetime: session. Strictly necessary.
- XSRF-TOKEN - security cookie: holds a token that protects against Cross-Site Request Forgery (CSRF), i.e. forged cross-site form requests; it is sent back on form submissions to verify their authenticity. Lifetime: session. Strictly necessary.
We do not use any advertising, tracking or analytics cookies and do not share data with third parties through these cookies. The embedded Shopify app uses Shopify's session. You can delete or block cookies in your browser at any time; the website may then only work with limitations. Fonts are embedded in a privacy-friendly way without Google Fonts.
9. Your rights
You have the right of access, rectification, erasure, restriction of processing, data portability and the right to object to processing. You may withdraw any consent given at any time with effect for the future. To do so, use the contact details at the bottom of this page.
10. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The authority competent for us is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Germany.
11. Changes to this policy
We update this privacy policy when the service or the legal situation changes. The version published on this page at any given time applies.