Privacy Policy
Last updated: 30 June 2026
This Privacy Policy explains how Okwi collects, uses, shares, and protects personal data when you use the Okwi platform, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Okwi is a multi-tenant commerce platform that lets merchants create online shops served at addresses such as <slug>.okwi.com or on the merchant’s own custom domain. This policy applies to the merchants and staff who use Okwi and to visitors of our marketing site at okwi.com; it also explains how we handle a merchant’s shoppers’ data on the merchant’s behalf.
1. Who we are & our role (controller vs processor)
Okwi (“we”, “us”, “our”) operates a UK-based commerce platform. Our role under UK GDPR depends on whose data is being processed:
- We are the data controller for personal data about our merchants and their staff (account, profile, and business data), and about visitors to our own marketing website okwi.com.
- We are a data processor for the personal data of a merchant’s own shoppers (a shop’s customers). Each merchant is the controller of its customers’ personal data; we process that data only to provide the Service and on the merchant’s documented instructions.
Shoppers buying from a merchant. If you bought from a storefront hosted on Okwi, the merchant — not Okwi — is the controller of your personal data. The merchant is responsible for providing its own privacy notice and for having a lawful basis to process your data. Requests about that data should be sent to the merchant; see section 9.
You can reach us about privacy at legal@okwi.com.
2. What data we collect
- Account & profile data — name, email address, and the authentication identifiers used to sign in. Sign-in is provided through Firebase Authentication (Google sign-in or email and password); we do not store account passwords, which are handled by Firebase. Team sub-accounts include each member’s role and per-area permissions (RBAC).
- Shop & company data — your shop name, slug, plan, custom domain (if any), company details, and the content and settings you configure for your storefront.
- Order & shop-customer data — personal data about a merchant’s shoppers, such as names, email addresses, delivery and billing addresses, order history, customer-account credentials, and marketing-consent status. Each shop’s customer accounts are isolated to that shop, with passwords hashed using scrypt (we never store them in plain text) and sessions secured with HMAC-signed tokens. We process this data as the merchant’s processor.
- Payment metadata — information needed to record and reconcile orders, such as amounts, currency, status, and payment references. Card numbers are never stored by Okwi; card payments are handled by our payment provider (see section 4).
- Usage, device & log data — IP address, browser/device information, pages visited, and actions taken in the dashboard, together with server logs, used to operate, secure, and improve the Service.
- Cookies — strictly necessary session, authentication, cart, and cookie-consent cookies, as described in our Cookie Policy. We do not set third-party advertising or tracking cookies.
- Communications — messages you send us for support or enquiries, and our replies.
3. How & why we use data (lawful bases)
As a controller, we process personal data on the following lawful bases:
- Contract — to create and manage your account, provide the Service, host your shop, and administer plans and subscriptions.
- Legitimate interests — to secure, maintain, and improve the Service, prevent fraud and abuse, and send service and account communications, balanced against your rights and interests.
- Consent — for any marketing communications and for optional cookies, which you can withdraw at any time.
- Legal obligation — to comply with our accounting, tax, and other legal duties.
Where we act as a processor for a merchant’s customer data, we process it only on the merchant’s documented instructions and as necessary to provide the Service (for example fulfilling orders, sending the order and account emails the merchant configures, and operating customer accounts). The merchant is responsible for the lawful basis for that processing.
4. Sub-processors & sharing
We use trusted third-party providers (sub-processors) to run the platform. Each is bound by a contract requiring appropriate safeguards, and we share data with them only as needed to deliver the Service:
- Google Firebase — authentication for merchant and staff accounts.
- Neon — managed PostgreSQL database, hosted in the EU (AWS eu-west-2, London).
- Vercel — hosting and CDN for our marketing site, dashboards, and storefronts, plus DNS for custom domains.
- Render — hosting of our backend API and storage of merchant-uploaded images.
- Resend (with AWS SES) — delivery of transactional, account, and marketing email, sent in the EU (eu-west-1).
- Viva Wallet — card payment processing (used once payments go live; card details are handled by Viva Wallet, not Okwi).
We do not sell your personal data. We may disclose data where required by law, to comply with legal process, or to protect our rights and the safety of others. If Okwi is involved in a merger, acquisition, or sale of assets, data may be transferred as part of that transaction, subject to this policy.
5. Email & marketing
We send transactional and account emails that are part of the Service — for example order confirmations and shipping, cancellation, or refund updates, and account emails such as welcome and password-reset messages. These are sent on the basis of contract or legitimate interests, not marketing consent.
Marketing emails are only sent where there is a lawful basis to do so. For a shop’s customers, marketing is sent on explicit opt-in consent; a shop customer’s marketing-consent setting defaults to off. Every marketing email includes a one-click unsubscribe and a List-Unsubscribe header, and recipients can unsubscribe at any time via the link in the email. Merchant shops send from their own branded sending domain (for example noreply@<slug>.okwi.com or the merchant’s own domain).
6. Where your data is stored & international transfers
We aim to keep personal data within the UK and the EU. Our database is hosted by Neon in the EU (AWS eu-west-2, London), and our email infrastructure is operated by Resend / AWS SES in the EU (eu-west-1). Where a sub-processor processes data outside the UK (for example certain Firebase or hosting infrastructure), we rely on appropriate safeguards recognised under UK data protection law — such as UK adequacy regulations or the International Data Transfer Agreement and the UK Addendum to the EU Standard Contractual Clauses — so that your data remains protected to an equivalent standard.
7. Retention
We keep personal data only for as long as necessary for the purposes set out in this policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. When you close your account we will delete or anonymise your data within a reasonable period, except where we must retain certain records (for example for tax, accounting, or fraud-prevention purposes). For a merchant’s customer data, which we hold as a processor, retention follows the merchant’s instructions and the duration of our agreement with the merchant; on termination we delete or return that data as agreed.
8. Security
We use appropriate technical and organisational measures to protect personal data. These include tenant isolation enforced at the database level with Postgres Row-Level Security (RLS), hashing of shop-customer passwords with scrypt, HMAC-signed session tokens, encryption in transit over HTTPS (with automatic HTTPS on custom domains), role-based access controls, and least-privilege practices across our infrastructure. Uploaded images are re-encoded on the server before storage. No system is perfectly secure, but we work to protect your data and to respond promptly to any incident in line with our legal obligations, including notifying the ICO and affected individuals where required.
9. Your rights under UK GDPR
Subject to certain conditions, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request erasure of your data;
- restrict or object to certain processing;
- request data portability;
- withdraw consent at any time where we rely on consent.
To exercise any of these rights in relation to data for which Okwi is the controller, contact us at legal@okwi.com. If your request concerns data held by a merchant’s storefront, you should contact that merchant directly, as they are the controller of that data; we will assist the merchant in responding where appropriate.
Complaints. If you are unhappy with how we handle your data, you can complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk. We’d appreciate the chance to address your concerns first.
10. Children & age-restricted products
The Okwi platform is intended for businesses and is not directed at children, and we do not knowingly collect personal data from children through our own services. Some merchants sell age-restricted products (for example vaping and nicotine products), which carry a per-product 18+ flag and a minimum-age requirement, and checkout runs an age-verification gate in line with UK law (including the Tobacco and Vapes Act 2026). Merchants selling age-restricted goods are responsible for their own age verification and for not collecting data from anyone below the applicable legal age.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version here and, where changes are material, take reasonable steps to notify you. The “Last updated” date above shows when this policy was last revised.
12. Contact
For any privacy questions or to exercise your rights, contact us at legal@okwi.com.