Privacy policy

Company: Artos Software Inc. (“Artos”, “we”, “us”, “our”) – a Delaware C-Corporation
Address: 1111B S Governors Ave STE 3617, Dover, DE 19904, USA
Contact: ops@artossoftware.com (privacy) • support@filemonk.io (support)

Services: Filemonk (filemonk.io) and related products/features for digital file delivery, license keys, and download management (“Services”)

Last updated: Oct 20, 2025

‍

What this policy covers

We explain how we handle merchant data (your business/account information) and merchant customer data (your shoppers’ personal data) when you use Filemonk.

‍

For shoppers

If you are a customer of a merchant using Filemonk, please contact the merchant directly for your privacy requests. We act on the merchant’s instructions.

‍

Our role vs. your role

For merchant customer data that flows from your store into Filemonk, you are the Controller/Business and Artos is your Processor/Service Provider. We process that data only to provide the Services and according to your instructions and our Data Processing Addendum (DPA).

‍
For merchant account data (e.g., your name, work email, billing details), Artos is a Controller and uses it to operate your account, billing, support, security, and compliance.

‍

Data Processing Addendum

Our DPA forms part of your agreement and covers security, subprocessors, international transfers, deletion, and assistance with privacy requests. Request a copy at ops@artossoftware.com.

‍

Data we process and why

‍

Merchant account & billing data (Controller)

What: Company and contact details, user logins, billing/subscription, support communications, limited product analytics/diagnostics.

‍
Why: Account creation/authentication, billing, service communications, detecting abuse/outages, reliability improvements, and legal/tax compliance.

‍
Typical legal bases: Contract (provide Services), legitimate interests (security/diagnostics), legal obligation (records).

‍

Merchant customer data (Processor/Service Provider)

What: Order-linked identifiers your store sends us (e.g., email for delivery, name as provided by the platform), purchased digital items/entitlements, license keys, fulfillment events (generated, delivered, downloaded), anti-abuse signals (e.g., device/download limits), unsubscribe/suppression states where applicable.

‍
Why (on your instructions): Generate and deliver digital files/keys, enforce download policies, send transactional delivery messages, maintain entitlement history, prevent abuse/fraud, and support you/your customers.

‍
What we don’t do: We do not sell or share merchant customer data for advertising or build profiles unrelated to providing Filemonk.

‍

Technical logs (Processor & Controller, context-dependent)

What: IP addresses/device identifiers, API call metadata, admin/dashboard usage, error traces.
Why: Security (rate-limiting, anomaly detection), troubleshooting, uptime, audit trail.

‍

Storefront/app scripts, cookies, and SDKs

Our storefront and post-purchase extensions use strictly necessary storage to operate secure digital delivery, license checks, and download limits. In the admin UI, we may use privacy-respecting analytics to improve features and reliability (no ad tracking).

‍

Messaging and notifications

Filemonk supports transactional messages (e.g., download links, key delivery, file updates). You control when and to whom messages are sent; we honor your suppression/unsubscribe settings and record relevant events to help you demonstrate compliance where required.

Your responsibilities

You are responsible for lawful use of messaging in your regions (e.g., CAN-SPAM, CASL, EU e-privacy). We provide the tools; you configure consent, content, and recipients.

‍

Your responsibilities as a merchant

Provide us with accurate, lawful instructions and data.
Configure consent/unsubscribe settings appropriate for your jurisdiction(s).
Do not transmit sensitive categories of personal data (e.g., health, government IDs, full payment card data, children’s data) through Filemonk.
Safeguard admin credentials, API tokens, and user access with least privilege.

‍

Our security

We apply industry-standard controls: encryption in transit and at rest; role-based access with least privilege; network isolation; audit logging and monitoring; vulnerability management and patching; employee security training; and regular backups. Further details are in our DPA and security overview (available on request).

‍

Subprocessors and hosting

We use vetted Subprocessors (e.g., cloud hosting, email delivery, file storage/CDN, error monitoring) under written data-protection terms. We maintain a current list with provider, purpose, and region, and we provide notice of material changes. Subscribe to updates via ops@artossoftware.com

‍

International data transfers

We may process data in the United States and other countries. Where applicable, we rely on recognized transfer mechanisms (e.g., Standard Contractual Clauses and the UK Addendum) and implement appropriate safeguards. See our DPA for details.

‍

Data retention

We keep data only as long as necessary to provide the Services, comply with law, and resolve disputes. Typical defaults include:

‍

Entitlement and delivery records (files/keys/download events): Until the termination of our Services by you.
Operational and security logs: 1 year (diagnostics/abuse prevention).
Billing and accounting records: retained by Shopify indefinitely.

‍

Uninstall and deletion

On uninstall, we revoke tokens immediately and schedule deletion of store-scoped personal data within 48 hours. This is in compliance with Shopify's Partner Program Agreement.

‍

Data subject requests (DSRs) and assistance

If a shopper contacts us directly, we will refer them to you and assist you in fulfilling access, correction, deletion, portability, and objection requests within legally required timeframes. We maintain tooling to locate, export, and delete data linked to common identifiers (e.g., email).

‍

Regional disclosures (overview)

‍

GDPR/UK GDPR

For merchant customer data, we act as Processor; for merchant account data, we act as Controller. Our DPA includes security commitments, subprocessor list, and transfer mechanisms (SCCs/UK Addendum).

‍

CCPA/CPRA (California)

We act as a Service Provider and do not sell or share merchant customer personal information for cross-context behavioral advertising.

‍

Children’s data

Filemonk is not directed to children under 13 (or the age defined by local law). Merchants should not transmit children’s data to the Services.

‍

How we share data

We share data only with:

‍

You and your authorized users (per your configuration).
Subprocessors under contract to run the Services.
Professional advisors (legal/accounting) under confidentiality.
Authorities when required by law or to protect rights, safety, and security.
In a corporate transaction (e.g., merger/acquisition); we will honor existing privacy commitments or provide notice of material changes.

‍

Incident response

We maintain an incident response program. If we become aware of a breach affecting personal data we process for you, we will notify you without undue delay and share information to support your legal obligations and remediation.

‍

Your choices and controls

Configure consent, unsubscribe defaults, and message templates in the dashboard.
Use admin tools or contact us to export or delete specific customer records.
Request adjustments to retention settings where technically feasible.

‍

Changes to this policy

We may update this policy to reflect operational, legal, or regulatory changes. We will post updates with a new “Last updated” date and, for material changes, notify admin users by email or in-app.