Regional Data Protection Policy
Effective date: March 6, 2026
This Regional Data Protection Policy ("Policy") supplements our Terms of Service and is incorporated by reference into them. It provides additional protections and rights for individuals in specific jurisdictions where we process personal data. Forest Valley Rocky Inc ("we," "us," or "our") is committed to complying with all applicable data protection laws based on your location.
1. Scope and Application
This Policy applies when we process personal data of individuals located in jurisdictions with specific data protection requirements, including:
- European Union (EU GDPR)
- United Kingdom (UK GDPR)
- Switzerland (Swiss FADP)
- Brazil (LGPD)
- United States state privacy laws (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, and others)
- Canada (PIPEDA and applicable provincial laws)
- Australia and New Zealand
This Policy covers data processed in connection with our applications. Personal data collected through our websites (such as contact form submissions and automatically collected browsing data) is governed by our Privacy Policy at https://apps.fv.dev/privacy, which provides equivalent protections and rights for all regions covered by this Policy.
2. Our Role in Data Processing
2.1 Data Processing Relationships
- When serving users of our apps: We act as a Data Processor (or Service Provider under applicable US state laws), processing personal data on behalf of app users who act as Data Controllers with respect to their own customers or end users.
- When processing app user account data: We act as a Data Controller for account information (such as account owner name, email address, and platform identifiers) used to provide, maintain, and improve the Services.
2.2 Lawful Basis for Processing
We process personal data based on:
- Contract performance: To install, operate, and deliver app functionality within the merchant's store on the applicable host platform.
- Legal obligations: To comply with applicable laws and regulations.
- Legitimate interests: For fraud prevention, security monitoring, and improving the reliability of our Services, where permitted by applicable law.
- Consent: We do not rely on consent as a basis for processing core app-related data. Consent is relied upon only where separately required by law or for optional features not related to core app functionality (e.g., optional communications).
3. Data We Process
3.1 Categories of Personal Data
In connection with our Services, we may process the following categories of personal data:
| Category | Examples | Purpose |
|---|---|---|
| Store profile & settings | Store ID, store URL, platform type, subscription plan | App authentication, feature gating, redirect rule delivery |
| Store owner contact data | Store owner email address | Service communications, activity log records |
| Store catalog data | Product/category names, URL slugs, entity IDs | Slug change detection, redirect rule generation |
| Storefront visitor behavior | 404 error URL paths, HTTP referrer headers, hit counts, timestamps | Broken URL detection and reporting to the merchant |
3.2 Data We Do Not Collect
We do not collect, store, or process:
- End-customer personal data (names, emails, payment details, shipping addresses)
- Biometric or health data
- Government-issued identification
- Financial data or payment card information
Storefront visitor behavior data (404 hits, referrers) is collected in aggregate form tied to URL paths and does not include personally identifiable information about individual visitors unless a referrer URL itself contains personal data (which is outside our control).
4. Data Location and Transfers
4.1 Primary Data Location
All personal data is hosted on infrastructure operated by our cloud service providers in the United States. We take appropriate steps to ensure that transfers of personal data outside the EEA, UK, or other restricted jurisdictions are carried out in accordance with applicable law.
4.2 International Data Transfers
When personal data is transferred outside the European Economic Area, United Kingdom, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission for EEA-to-third-country transfers.
- The UK International Data Transfer Agreement (IDTA) for transfers from the United Kingdom.
- The Swiss FDPIC-approved transfer mechanisms for transfers from Switzerland.
We conduct Transfer Impact Assessments where required by applicable law.
5. Data Retention
5.1 Standard Retention Periods
| Data Type | Retention Period |
|---|---|
| Store profile & settings | Duration of app installation + 90 days after uninstallation |
| Store owner email | Duration of app installation + 90 days after uninstallation |
| Redirect rules & slug history | Duration of app installation + 90 days after uninstallation |
| Storefront 404 logs | Rolling 90-day window; auto-purged |
| Activity log entries | Rolling 90-day window; auto-purged |
5.2 Retention Exceptions
- Legal requirements: Data may be retained longer if required by applicable law or regulation.
- Active disputes: Data relevant to ongoing disputes or investigations may be retained until resolution.
- Anonymized data: We may retain anonymized, non-identifiable aggregates for service improvement purposes indefinitely.
5.3 Data Not Covered by This Table
Personal data collected through our websites (such as contact form submissions) is not related to app functionality and is not covered by the retention periods above. Retention of website-collected data is governed by our Privacy Policy, available at https://apps.fv.dev/privacy.
6. Sub-Processors
We rely on the following categories of sub-processors to deliver our Services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Railway (railway.app) | Hosting backend services and PostgreSQL database | United States |
| Railway (railway.app) | Redis cache — temporary rule caching and rate limiting | United States |
| Cloudflare | CDN delivery of storefront JavaScript and network proxy | Global edge network |
We will provide reasonable advance notice of material changes to our sub-processors.
7. Regional Rights and Protections
7.1 European Union, United Kingdom, and Switzerland
Individuals whose personal data we process as a controller have the following rights:
- Access: Obtain a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal exceptions.
- Restriction: Request that we limit how we process your data in certain circumstances.
- Data portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Automated decision-making: Not be subject to solely automated decisions that produce significant legal effects.
How to exercise these rights: Submit a request to legal@fv.dev. We will acknowledge your request within 5 business days and respond within 30 days (extendable by a further 60 days for complex requests).
Supervisory authority complaints: You have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu. In the UK, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk. In Switzerland, the relevant authority is the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.
EU Representative (Article 27 GDPR): Our designated representative in the European Union for the purposes of Article 27 GDPR is:
Aleksandr Kovalenko
Portugal
Email: gdpr@fv.dev
Phone: +351 913 670 426
EU and UK residents may contact our representative directly regarding any data protection matters, or contact us at legal@fv.dev.
7.2 Brazil (LGPD)
Brazilian residents have rights equivalent to those described in Section 7.1, plus:
- Anonymization or blocking: Request anonymization or blocking of unnecessary or excessive personal data.
- Portability: Request portability to another service or product provider.
- Review of automated decisions: Request review of decisions made solely by automated processing that affect your interests.
- Revocation of consent: Withdraw consent at any time where processing is based on consent.
Supervisory authority: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd.
7.3 United States — State Privacy Laws
Residents of California, Virginia, Colorado, Connecticut, Texas, and other states with applicable privacy laws have the right to:
- Know and access: Request information about the categories and specific pieces of personal data we collect and how we use it.
- Delete: Request deletion of your personal data, subject to applicable exceptions.
- Correct: Request correction of inaccurate personal data we hold.
- Opt-out of sale or sharing: We do not sell personal data or share it for cross-context behavioral advertising purposes.
- Non-discrimination: We will not discriminate against you for exercising any of these rights.
California-specific rights (CCPA/CPRA):
- You may submit a "Shine the Light" request regarding the disclosure of personal information to third parties for their direct marketing purposes. We do not engage in such disclosures.
- You may designate an authorized agent to submit requests on your behalf.
How to exercise these rights: Submit a request to legal@fv.dev. We will respond within the timeframes required by applicable state law (45 days for most state laws, extendable once).
We will verify your identity before processing a request. Verification may involve confirming information associated with your app installation on the host platform.
7.4 Canada
Canadian residents have rights under PIPEDA (or applicable provincial privacy legislation) to:
- Access: Request access to personal information we hold about you and information about how it has been used and disclosed.
- Correction: Request corrections to inaccurate or incomplete personal information.
- Withdrawal of consent: Withdraw consent to collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca, or with applicable provincial commissioners in Quebec, British Columbia, or Alberta.
We collect, use, and disclose personal information only for the purposes identified in this Policy and our Terms of Service, and only with your knowledge and consent (express or implied, as appropriate).
7.5 Australia and New Zealand
We comply with the Australian Privacy Act 1988 (including the Australian Privacy Principles) and the New Zealand Privacy Act 2020.
Residents have the right to:
- Access: Request access to personal information we hold about you.
- Correction: Request correction of personal information that is inaccurate, out of date, incomplete, or misleading.
- Anonymity: Where practicable and lawful, interact with us without identifying yourself.
- Overseas disclosure: Be informed about disclosures of personal information to overseas recipients, and seek assurance that those recipients handle the information in accordance with applicable law.
We apply reasonable security safeguards to protect personal information and will notify you and the relevant authority of eligible data breaches in accordance with applicable law.
Supervisory authorities:
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- New Zealand: Office of the Privacy Commissioner — privacy.org.nz
8. Security Measures
We implement technical and organizational measures to protect personal data, including:
- Encryption: Data in transit is protected using TLS 1.2 or higher. Sensitive data at rest (e.g., access tokens) is encrypted.
- Access controls: Access to personal data is restricted to personnel who require it to perform their duties.
- Monitoring: Error monitoring and logging to detect and respond to security incidents.
- Minimal data collection: We collect only data necessary to deliver the Services (data minimization principle).
9. Data Breach Notification
9.1 Notification Timelines
- To relevant supervisory authorities: Within 72 hours of becoming aware of a breach that poses a risk to individuals' rights, where required by law.
- To affected individuals: Without undue delay when a breach is likely to result in a high risk to their rights and freedoms.
- To affected merchants: As soon as reasonably practicable.
9.2 Notification Content
Breach notifications will include, to the extent known:
- The nature of the breach and categories of data affected
- Approximate number of individuals affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details for further information
10. Children's Data
Our Services are not directed at or intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us at legal@fv.dev and we will promptly delete it.
11. Exercising Your Rights
To submit any data rights request, contact us at:
Email: legal@fv.dev
Mail: Forest Valley Rocky Inc, 30 N Gould St, Ste R, Sheridan, WY 82801, United States
We may request information to verify your identity before processing your request. Rights requests are generally free of charge. We reserve the right to charge a reasonable fee for requests that are manifestly unfounded or excessive.
12. Updates to This Policy
We may update this Policy from time to time to reflect changes in applicable law or our data practices. We will notify affected merchants of material changes by email (where we hold a store owner email address) or through a notice within the app. The effective date at the top of this Policy indicates when it was last revised. Continued use of our Services following notice of a material change constitutes acceptance of the updated Policy.
13. Relationship with Other Policies
This Policy supplements and should be read together with our Terms of Service (available at https://apps.fv.dev/terms) and our Privacy Policy (available at https://apps.fv.dev/privacy). In the event of any conflict between this Policy and our Terms of Service or Privacy Policy, the provision that is more protective of the individual's rights shall prevail.
14. Contact
For questions or concerns about this Policy or our data practices:
Forest Valley Rocky Inc
30 N Gould St, Ste R
Sheridan, WY 82801
United States
Email: info@fv.dev
Website: https://fv.dev