Privacy Policy
This Privacy Policy explains how MilTwo (DK CVR: 36630930), doing business as Executly, processes personal data when merchants use the Executly Shopify app and when visitors use executly.io support and marketing pages.
Last updated February 25, 2026
Scope and Relationship
This policy applies to processing performed by MilTwo through the Executly app and website. It does not replace Shopify's own privacy terms, which apply to Shopify's platform services and payment systems.
For most merchant account data, MilTwo acts as an independent controller. For end-customer data processed on a merchant's behalf through app functionality, MilTwo acts as a processor under the merchant's instructions.
Controller Identity
Controller: MilTwo (DK CVR: 36630930). Contact: support@executly.io.
MilTwo is responsible for deciding how and why data is processed for product operations, support operations, fraud prevention, and legal compliance.
Data Categories We Process
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Merchant account and store metadata | Store domain, Shopify shop identifiers, install status, selected plan | Shopify APIs and merchant actions | Account provisioning, access control, plan enforcement, support |
| App configuration data | Checkout blocks, account blocks, rule conditions, feature settings | Merchant configuration within Executly | Delivering requested app behavior |
| Support data | Name, email, store URL, topic, priority, support message | Support form and direct support emails | Case handling, troubleshooting, service communication |
| Security and diagnostics | Request metadata, IP address, abuse-prevention counters, error logs | Website/API traffic | Security monitoring, fraud prevention, reliability |
| Billing metadata | Plan status, billing cycle state, billing events | Shopify billing interfaces | Subscription lifecycle management |
MilTwo does not collect or store full payment card numbers. Billing and payment data are handled by Shopify under Shopify terms.
Legal Bases for Processing
Where GDPR or equivalent laws apply, MilTwo relies on the following legal bases:
- Contract performance: to provide the Executly service requested by merchants.
- Legitimate interests: product security, abuse prevention, service improvement, and support quality.
- Legal obligation: retention and disclosure where required by law, regulation, or valid legal process.
- Consent: where consent is required for a specific processing activity, and only for that activity.
Shopify-First End-Customer Data Posture
Executly is designed to keep core checkout and customer account records within Shopify. MilTwo primarily processes limited end-customer data required to execute merchant-configured features and support incidents.
- MilTwo does not independently profile end customers for advertising.
- MilTwo does not sell end-customer personal data.
- Merchants remain responsible for lawful instructions and customer-facing notices in their storefronts.
- The Data Processing Addendum for merchant controller-to-MilTwo processor terms is available at /dpa.
International Data Transfers
If data is transferred outside the EEA, UK, or Switzerland, MilTwo applies appropriate safeguards, including the European Commission Standard Contractual Clauses (SCCs) and related transfer measures where required.
Transfer safeguards are referenced in the DPA and reflected in subprocessor agreements.
Data Retention Schedule
| Data class | Retention period | Deletion rule |
|---|---|---|
| Merchant account and app configuration data | Active subscription plus 30 days | Deleted or irreversibly anonymized within 90 days after the retention period unless law requires longer retention |
| Support requests and support correspondence | 24 months after last support activity | Deleted from active systems at end of period, subject to legal hold exceptions |
| Security and diagnostic logs | 30 days | Automatically rotated or deleted |
| In-memory rate-limit counters | 15 minutes | Automatically expired from memory |
Security Controls
MilTwo maintains technical and organizational measures designed to protect personal data against unauthorized access, misuse, alteration, or loss.
- Role-based access controls and least-privilege access practices.
- Network and infrastructure protections managed through trusted service providers.
- Logging and monitoring for abuse prevention and incident response.
- Access restrictions for support and operational personnel.
Your Privacy Rights
Depending on applicable law, individuals may have rights to access, correct, delete, restrict, object to processing, or receive a copy of personal data in portable format.
Rights requests can be submitted to support@executly.io. MilTwo may request verification details before acting and normally responds within 30 days, subject to lawful extension.
US Privacy Disclosures
MilTwo does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under applicable US state privacy laws.
Policy Updates
MilTwo may update this Privacy Policy to reflect product changes, legal requirements, or operational practices. Material updates will be posted on this page with an updated effective date.
Contact
Privacy and data protection requests: support@executly.io.