MapMigo Shopify App and Storefront Store Locator Widget
Last updated: June 3, 2026
This Privacy Policy explains how we process personal data in connection with the MapMigo Shopify app (“MapMigo” or the “App”) and related services.
Important: If you are a shopper using a store locator on a merchant’s website, the merchant is usually the “controller” for the merchant’s storefront. This Privacy Policy still explains our processing for transparency, but the merchant’s own privacy notice remains the primary notice for shoppers.
Tim Wessels UG (haftungsbeschränkt) Blockener Str. 38 28816 Stuhr Germany
Responsible person: Tim Wessels
Email (privacy inquiries): support@mapmigo.io
Email (support): support@mapmigo.io
Data Protection Officer (DPO): We have not appointed a Data Protection Officer. If you believe a DPO is required for our processing, please contact us at the privacy email above.
This Privacy Policy applies to personal data processing:
This Privacy Policy does not apply to:
Merchant/admin context: In operating the App relationship with merchants (account, billing-related app operations, support), we act as a data controller.
Storefront context: For store locator content and storefront widget functionality, we generally process data on behalf of the merchant as a data processor. The merchant decides which store data is published, which map provider is used, and whether optional features (such as geolocation) are enabled.
Sub-processors we engage under our own accounts: To deliver certain storefront features, we use our own provider accounts and therefore engage the following as our sub-processors (acting on our behalf):
Map display via the merchant’s own provider account: If the merchant selects a Mapbox map style, the map is displayed using the merchant’s own Mapbox account and API key. In that case the merchant maintains its own direct relationship with Mapbox and is responsible for that account and for Mapbox’s applicable terms; MapMigo only facilitates the technical integration.
If a shopper requests GDPR rights regarding a specific merchant storefront, the shopper should contact the merchant first. If we receive such a request directly, we may forward it to the merchant where appropriate.
Depending on how the merchant uses the App and what Shopify provides, we may process:
Shopify API scopes: Our App requests the following Shopify API scopes: write_app_proxy, write_content, read_themes, write_products. We do not request Shopify customer or order scopes.
Merchants can upload and manage store locator content such as:
Note: Store data is often business information. However, it can still be personal data if it relates to a natural person (e.g., sole proprietors) or contains personal contact details.
We design the store locator to minimize shopper personal data processing. Depending on merchant configuration and the shopper’s choices:
Map display
The map is rendered by one of two map providers, depending on the map style the merchant has selected:
In both cases, loading a map requires the shopper’s IP address to reach the relevant map provider as a technical necessity of delivering the requested content.
Search
Optional geolocation
If enabled by the merchant, the store locator may request the shopper’s location through the browser. If the shopper agrees, the location is used to display nearby stores. Nearest-store calculations are performed in the shopper’s browser, and we do not send shopper coordinates to our backend solely for distance calculations. If the shopper refuses location access, the store locator falls back to showing all stores and/or manual search.
We process personal data for the following purposes and legal bases (where applicable):
Purpose: App installation/operation, configuration, store locator publishing, import processing, map display via the selected provider, place/store search, and providing the features the merchant requests.
Legal basis: performance of contract (GDPR Art. 6(1)(b)).
For the storefront widget, loading the map (via Mapbox or Stadia Maps) and performing place search (via Mapbox) require transmitting limited technical data, including the shopper’s IP address, to the relevant provider. This is technically necessary to deliver the map and search functionality the merchant has chosen to make available, and is generally based on the merchant’s legitimate interests / performance of contract (GDPR Art. 6(1)(b) and (f)) in the merchant’s role as controller for the storefront.
Purpose: keeping the service secure and available, preventing abuse, troubleshooting, and maintaining backups.
Legal basis: legitimate interests (GDPR Art. 6(1)(f)) and, where applicable, compliance with legal obligations (GDPR Art. 6(1)(c)).
Purpose: handling support requests and service communications.
Legal basis: performance of contract (GDPR Art. 6(1)(b)) and/or legitimate interests (GDPR Art. 6(1)(f)).
Purpose: showing nearby stores when the shopper chooses to share location.
Legal basis: consent (GDPR Art. 6(1)(a)).
Consent is voluntary. The shopper can refuse without losing access to the store locator. Consent can be revoked by disabling location permissions in browser/device settings.
Storefront widget: The MapMigo storefront widget itself does not set its own cookies and does not use localStorage/sessionStorage for tracking. However, third-party map and search services (in particular Mapbox and Stadia Maps) may use cookies or similar technologies depending on the merchant’s storefront setup and the providers’ SDK behavior. Merchants are responsible for configuring their consent tools and notices on their storefront.
Merchant/admin context: We may use strictly necessary storage (e.g., a localStorage flag for an admin-side acknowledgement) to operate App UI features. This is not used for advertising or cross-site tracking.
We use service providers to operate the App. These providers may process personal data on our behalf (as our sub-processors) or as independent controllers for their own purposes.
Sub-processors engaged under MapMigo’s own accounts:
Provider engaged directly by the merchant:
Third-party privacy notices (for convenience):
We share personal data with providers only to the extent necessary to operate, secure, and support the App.
We primarily host and store App data in the EU/EEA (based on our current infrastructure configuration). However, some providers may process data outside the EU/EEA depending on their infrastructure and processing purposes. This is particularly relevant for:
Where we transfer personal data outside the EU/EEA (or where our vendors do so), we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and/or other lawful transfer mechanisms, as applicable.
We keep personal data only as long as necessary for the purposes described in this Privacy Policy.
Merchant data deletion after uninstall: Automated deletion takes place after app uninstall using Shopify’s mandatory compliance webhooks (including shop/redact). We delete merchant store locator data, settings, uploaded media, and import files within Shopify’s required timeframe unless legal retention obligations require otherwise.
Shopper search queries: We do not store or log shopper search queries within the App.
Logs and backups: Operational logs, provider logs, and backups may be retained for limited periods depending on the provider and security needs. Where possible, we minimize retention. Exact retention can vary by provider (see the providers’ privacy documentation).
Support communications: Support tickets/messages may be retained for as long as needed to resolve the request and for a reasonable period thereafter, unless deletion is requested and no legal obligations prevent deletion. Support tooling providers may have their own retention practices.
We use appropriate technical and organizational measures to protect personal data, such as:
No system is fully secure, but we work to protect data and reduce risk.
If we process personal data about you as a controller (e.g., merchant/admin context), you may have rights including:
To exercise rights, contact us at: support@mapmigo.io
Storefront/shoppers: If your request relates to a merchant storefront using MapMigo, please contact the merchant first. The merchant is typically the controller for storefront processing.
You have the right to lodge a complaint with a supervisory authority. If you are in Germany, you can contact the authority responsible for us:
Der Landesbeauftragte für den Datenschutz Niedersachsen Prinzenstraße 5 30159 Hannover Germany
Email: poststelle@lfd.niedersachsen.de Phone: +49 511 120-4500 Website: https://www.lfd.niedersachsen.de/
We may update this Privacy Policy to reflect changes in our processing or legal requirements. We will publish the updated version with an updated “Last updated” date.