Data Handling Policy

Lecxa Pty Ltd - Internal Data Handling Policy

Last Updated: August 29, 2025
Policy Owner: Luke Howard
Version: 0.1
1.0 Purpose and Scope
This policy outlines the principles and procedures for the secure handling of all data processed by Lecxa Pty Ltd. Its purpose is to protect the data of our company, our merchants, and their customers, and to ensure we comply with legal and contractual obligations, including the Shopify App Developer terms and the Australian Privacy Principles.
This policy applies to all employees, contractors, and agents of Lecxa Pty Ltd.
2.0 Data Classification
All data at Lecxa is classified into one of three levels. Proper handling is determined by the data's classification.
  • Public: Information intended for public consumption (e.g., marketing website content, press releases).
  • Internal: Information that should not be shared publicly but is accessible to the team for business operations (e.g., project plans, internal chat).
  • Restricted: Highly sensitive data that requires strict access control. All Customer/Account Data, Shopify Protected Customer Data (PII), and company secrets (API keys, passwords) are classified as Restricted.
3.0 Roles and Responsibilities
  • All Staff: Are responsible for understanding and adhering to this policy in their daily work.
  • Privacy Officer / Data Protection Lead (Luke Howard): Is responsible for maintaining this policy, providing training, responding to any data-related incidents or inquiries, and approving any new third-party sub-processors.
4.0 Rules for Handling Restricted Data
Handling Restricted Data requires the highest level of care. The following rules are mandatory:
4.1 Purpose Limitation
All data accessed via the Shopify API ("Protected Customer Data") is to be used exclusively for the purpose of providing the core, merchant-facing functionality of the Lecxa application as described in our public-facing Privacy Policy. Under no circumstances may this data be used for any secondary or undisclosed purposes, such as data mining, cross-merchant analytics, or marketing.
4.2 Data Minimization
Developers must ensure that all API calls, especially GraphQL queries to Shopify, only request data fields that are strictly necessary for a specific feature's functionality, as documented in the company's Data Mapping Document. Fetching extra data fields "just in case" is prohibited.
4.3 Access Control
Access to Restricted Data is granted on a strict "need-to-know" basis, following the Principle of Least Privilege. Technical controls, such as database Row-Level Security (RLS), will be implemented to enforce these permissions.
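The Row-Level Security control named in 4.3 can be expressed directly in PostgreSQL. The block below is an added illustration, not Lecxa's own schema or code; the table `orders`, the application role `app_user` and the per-request session setting `app.current_shop` are assumed placeholder names, and the setting is assumed to be pinned by the application only after it has verified the merchant's Shopify session.

```sql
-- Added example (not Lecxa's schema): per-merchant Row-Level Security in PostgreSQL.
-- Assumed placeholders: table "orders" keyed by shop_id, application role "app_user",
-- and a session setting "app.current_shop" set by the app per authenticated request.

CREATE TABLE IF NOT EXISTS orders (
    id             bigserial PRIMARY KEY,
    shop_id        text    NOT NULL,   -- merchant store that owns this row
    customer_email text,               -- Restricted: Shopify Protected Customer Data
    total_cents    integer NOT NULL
);

-- 1. Least privilege: the app role gets only the DML it needs, never DDL,
--    and can never bypass row policies.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE ON orders TO app_user;
GRANT USAGE ON SEQUENCE orders_id_seq TO app_user;

-- 2. Enable RLS and FORCE it, so even the table owner is subject to the policy.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- 3. A row is visible or writable only when it belongs to the merchant of the
--    current request. current_setting(name, true) yields NULL when the setting is
--    absent, and NULL = shop_id is not true, so a request that forgot to pin its
--    merchant sees and writes nothing rather than everything (fails closed).
CREATE POLICY orders_per_shop ON orders
    FOR ALL
    TO app_user
    USING      (shop_id = current_setting('app.current_shop', true))
    WITH CHECK (shop_id = current_setting('app.current_shop', true));

-- Per request, the application pins the merchant for that transaction only:
--   BEGIN;
--   SET LOCAL app.current_shop = 'example-store.myshopify.com';   -- constructed value
--   SELECT id, total_cents FROM orders;   -- only that merchant's rows are returned
--   COMMIT;

-- Check that the control fails closed: as the app role with no shop pinned,
-- the table appears empty.
--   SET ROLE app_user;
--   SELECT count(*) FROM orders;   -- expected: 0
--   RESET ROLE;
```

Because the filter lives in the database, an application bug that omits a `WHERE shop_id = ...` clause cannot expose another merchant's rows. Two caveats worth checking in any deployment: superusers and roles created with `BYPASSRLS` ignore policies entirely, so the application must never connect as one; and `SET LOCAL` is preferred over `SET` so the pinned merchant cannot leak into a later request on a pooled connection.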
4.4 Data Retention
Protected Customer Data sourced from Shopify must not be retained indefinitely. Following the uninstallation of the app from a merchant's store, this data will be automatically and permanently deleted from our systems after a 90-day grace period. This process is automated, and staff must not interfere with or override it.
4.5 Third-Party Sharing
Restricted Data may only be shared with company-approved, third-party sub-processors (e.g., Xero) that are explicitly disclosed in our public Privacy Policy. Any new integration that involves sharing Restricted Data must be formally reviewed and approved by the Privacy Officer before implementation.
4.6 Prohibition of Unsecured Storage
Restricted Data must never be copied or stored on personal devices, unsecured cloud services (e.g., personal Google Drive), USB drives, or shared in public communication channels (e.g., general Slack channels).
4.7 Secure Transmission
All data, especially Restricted Data, must be transmitted over encrypted channels (e.g., TLS/HTTPS).
4.8 Prohibition on Use of Production Data in Non-Production Environments
Under no circumstances may production data, especially Restricted Data such as Shopify Protected Customer Data, be copied, cloned, or used in any non-production environment, including for development, testing, or staging purposes. All data used for testing must be synthetically generated or fully anonymized.
5.0 Procedures for Data Subject Requests & Record Anonymization
5.1 Shopify Automated Deletion Webhooks
Staff should be aware that Lecxa has a fully automated system to handle GDPR and CCPA data deletion requests received from Shopify's mandatory webhooks. These requests require no manual intervention. The system will automatically trigger the anonymization process described below.
5.2 The Anonymization Process
To preserve the integrity of our merchants' historical sales reporting while respecting privacy rights, we do not delete entire order records upon receiving a deletion request. Instead, the automated system performs an anonymization process, which permanently overwrites all PII (name, address, email, phone) with non-personal, placeholder values. The transactional data (date, products, value) remains intact for reporting purposes.
5.3 Access Logging and Monitoring
An immutable audit log is maintained for all INSERT, UPDATE, and DELETE operations on tables containing Restricted Data, including but not limited to customers and orders. This log records the user performing the action, the timestamp, the type of action, and the data that was changed.
These logs will be reviewed on a quarterly basis to identify any anomalous or unauthorized access patterns.
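Sections 5.1 to 5.3 describe three mechanisms that fit together in one schema: the PII overwrite that a Shopify deletion webhook triggers, the append-only audit log that records it, and the quarterly review query. The following is an added PostgreSQL example, not Lecxa's own implementation; `customers`, `audit_log`, the role `app_user` and the session setting `app.actor` (which the application is assumed to set to the user or service performing the request) are placeholder names. The real `customers/redact` topic is one of Shopify's mandatory compliance webhooks, but how the handler maps it to the call below is assumed.

```sql
-- Added example (not Lecxa's code): append-only audit log, PII anonymization,
-- and a review query. Placeholder names: customers, audit_log, app_user, app.actor.

CREATE TABLE IF NOT EXISTS customers (
    id                  bigserial PRIMARY KEY,
    shop_id             text NOT NULL,
    shopify_customer_id text NOT NULL,
    name                text,
    email               text,
    phone               text,
    address             text,
    anonymized_at       timestamptz          -- set once PII has been overwritten
);

-- 5.3: one row per change, recording who, when, what kind, and the data changed.
CREATE TABLE IF NOT EXISTS audit_log (
    id         bigserial   PRIMARY KEY,
    at         timestamptz NOT NULL DEFAULT now(),
    db_user    text        NOT NULL DEFAULT current_user,  -- database identity
    actor      text,                                       -- identity the app reports
    table_name text        NOT NULL,
    action     text        NOT NULL,                       -- INSERT / UPDATE / DELETE
    row_before jsonb,
    row_after  jsonb
);

-- Append-only for the application: it may add entries but never change or remove them.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT INSERT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;

CREATE OR REPLACE FUNCTION audit_row_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF TG_OP = 'INSERT' THEN
        INSERT INTO audit_log (actor, table_name, action, row_before, row_after)
        VALUES (current_setting('app.actor', true), TG_TABLE_NAME, TG_OP, NULL, to_jsonb(NEW));
    ELSIF TG_OP = 'UPDATE' THEN
        INSERT INTO audit_log (actor, table_name, action, row_before, row_after)
        VALUES (current_setting('app.actor', true), TG_TABLE_NAME, TG_OP, to_jsonb(OLD), to_jsonb(NEW));
    ELSE  -- DELETE
        INSERT INTO audit_log (actor, table_name, action, row_before, row_after)
        VALUES (current_setting('app.actor', true), TG_TABLE_NAME, TG_OP, to_jsonb(OLD), NULL);
    END IF;
    RETURN NULL;  -- AFTER trigger: return value is ignored
END;
$$;

-- Attach the same trigger to every table holding Restricted Data (orders likewise).
CREATE TRIGGER customers_audit
    AFTER INSERT OR UPDATE OR DELETE ON customers
    FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- 5.2: overwrite PII in place; the row survives so orders that reference it keep
-- their date, products and value for historical reporting. Returns the number of
-- rows changed: 0 means unknown or already anonymized, which the webhook handler
-- can treat as done (the call is idempotent).
CREATE OR REPLACE FUNCTION anonymize_customer(p_shop_id text, p_shopify_customer_id text)
RETURNS integer LANGUAGE plpgsql AS $$
DECLARE
    n integer;
BEGIN
    UPDATE customers
       SET name          = 'Deleted Customer',
           -- unique per row, and .invalid is a reserved TLD so it can never be delivered to
           email         = 'deleted-' || id || '@anonymized.invalid',
           phone         = NULL,
           address       = NULL,
           anonymized_at = now()
     WHERE shop_id = p_shop_id
       AND shopify_customer_id = p_shopify_customer_id
       AND anonymized_at IS NULL;
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;
END;
$$;

-- 5.1: the customers/redact webhook handler calls, e.g. (constructed values):
--   SELECT anonymize_customer('example-store.myshopify.com', '1234567890');

-- 5.3 quarterly review: changes with no application actor recorded were made
-- outside the app path (direct database access) and warrant a closer look.
SELECT at, db_user, table_name, action
  FROM audit_log
 WHERE actor IS NULL
   AND at >= now() - interval '3 months'
 ORDER BY at;
```

Two points to keep in view when adopting this shape. First, because `row_before` and `row_after` capture the data that changed, the audit log itself holds Restricted Data (the pre-anonymization PII included) and must sit under the same access controls and retention rules as the tables it watches. Second, the `REVOKE`/`GRANT` pair makes the log append-only for the application role, but the table owner and any superuser can still alter it; if "immutable" must hold against those identities too, ship entries to a write-once store outside the application's database.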
6.0 Policy Enforcement
Violation of this policy may result in disciplinary action. All new staff will be trained on this policy as part of their onboarding process. This policy will be reviewed annually or whenever significant changes to our data handling practices occur.