Overview
This article answers common questions about ReferralCandy’s data protection, privacy, and security practices.
It covers:
where personal data is stored and processed
what infrastructure and third-party providers are involved
who can access data internally
how deletion requests are handled
how ReferralCandy handles security incidents
If your team needs additional details for a security review or questionnaire, please contact Support using your registered merchant email.
How does ReferralCandy approach data protection and security?
ReferralCandy is designed with security and privacy in mind. We maintain formal policies and controls for protecting data and operating a secure application.
Our security posture is reviewed regularly through independent assessments, including annual penetration testing and an annual Shopify Security Audit performed by a third-party provider. We continually review and improve our practices in line with common SaaS industry standards.
Data storage and processing
Where is personally identifiable information (PII) stored and processed?
Customer PII is primarily stored and processed on infrastructure hosted in Amazon Web Services (AWS) in Singapore.
This includes the core data needed to operate ReferralCandy, such as information related to your store’s referral program and participants.
Does ReferralCandy process data outside of Singapore?
Yes.
As part of providing the service, ReferralCandy uses AWS Simple Email Service (SES) for referral-related email delivery. Email delivery through SES may be routed and processed through AWS infrastructure in the United States.
Aside from this email delivery flow within AWS, ReferralCandy aims to keep PII storage within its Singapore AWS environment.
Security testing and audits
Do you perform regular security testing?
Yes.
ReferralCandy undergoes annual penetration testing performed by an independent security firm. These tests are designed to identify and help remediate potential vulnerabilities in the application and infrastructure.
Are you audited by Shopify or third parties?
Yes.
ReferralCandy participates in an annual Shopify Security Audit conducted by a third-party provider. This audit evaluates the application against Shopify’s security requirements and industry best practices.
Infrastructure and sub-processors
What infrastructure providers does ReferralCandy use?
ReferralCandy is hosted on Amazon Web Services (AWS), which provides the underlying infrastructure for the application, including compute, storage, and networking.
What sub-processors are used to process personal information?
ReferralCandy uses a limited number of third-party service providers that may process personal data in order to deliver and support the service.
These include:
Amazon Web Services (AWS) – core hosting environment in Singapore, and AWS Simple Email Service (SES) for sending referral-related emails
PayPal – used to process cash payouts where you have enabled this payout method in your referral program
Intercom – used to provide customer support where a merchant or end customer has contacted our support team
These providers are selected based on their security, reliability, and compliance posture, and are contractually required to maintain appropriate safeguards for personal data they process on our behalf.
Access controls and employee access
Who has access to my data within ReferralCandy?
Access to customer data is restricted to authorized employees who need it to perform their job functions.
For example, this may include support or engineering staff investigating a specific issue.
ReferralCandy follows the principle of least privilege, which means employees are granted the minimum level of access required to carry out their responsibilities.
How is access to systems and data controlled?
Access is managed through authentication and authorization controls, role-based access where applicable, and periodic reviews of permissions.
Administrative access is limited and monitored to reduce the risk of unauthorized use.
Data retention and deletion
How long do you retain customer data?
ReferralCandy retains data for as long as it is necessary to provide the service, comply with legal obligations, or as otherwise permitted by applicable law.
Retention periods may vary depending on the type of data and the context in which it was collected.
Can I request deletion of my data or my customers’ data?
Yes.
Merchants can request deletion of their ReferralCandy account data, and ReferralCandy will delete or anonymize personal data associated with that account, subject to any legal or regulatory retention requirements.
ReferralCandy also supports privacy-driven deletion requests for individual customers or referrals where this is technically and legally feasible.
If you need to initiate a data deletion request, please contact Support using your registered merchant email and provide the relevant details.
Incident response and notifications
How does ReferralCandy handle security incidents or data breaches?
ReferralCandy maintains an incident response process to detect, investigate, and respond to security events.
If ReferralCandy becomes aware of an incident that affects the security of your data, the team will investigate promptly, take steps to mitigate potential impact, and implement corrective actions as needed.
Will I be notified if my data is affected by a security incident?
Yes.
If a data breach occurs that is likely to result in a risk to your rights or your customers’ rights, affected merchants will be notified in accordance with applicable laws and contractual commitments.
Notifications will include relevant information about the incident and any recommended next steps.
Privacy and compliance
Does ReferralCandy support privacy and data protection compliance requirements?
ReferralCandy is built with common privacy requirements in mind and is operated in line with widely adopted SaaS best practices.
ReferralCandy strives to support merchants in meeting their own privacy obligations, including transparency toward end customers, data minimization, and honoring data subject rights where applicable.
ReferralCandy supports compliance programs and reviews aligned to major privacy frameworks such as the EU General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA).
However, each merchant remains responsible for determining their own compliance requirements and for configuring and using the service appropriately.
What types of personal data does ReferralCandy process, and why is it needed?
ReferralCandy processes limited end-user personal data required to operate referral tracking, prevent abuse, and communicate on the merchant’s behalf.
Typical data elements include:
First and last name
personalization of emails and on-site messaging
fraud detection to help identify suspicious referral patterns
IP address
referral detection to help attribute referrals
fraud detection to help identify abnormal behaviour patterns
Email address
referral detection to identify and link participants to the correct referral journey
fraud detection to help identify duplicate or suspicious sign-ups
end-user communications on behalf of the merchant, such as referral invitations, reward notifications, and status updates, where configured
General invoice or order data, such as item ID, amount, currency, and date
referral detection to determine whether a referred purchase occurred
commission charging to calculate any applicable fees or commissions
campaign enrolment and rules, where purchases may qualify for different campaigns based on configured conditions
Getting help and more information
How can I ask additional questions about ReferralCandy’s security and privacy practices?
If you have questions about ReferralCandy’s data protection, privacy, or security practices, or if you need details for a security review or questionnaire, please chat with us through the messenger widget.