Privacy policy
Last updated: May 2026
This Privacy Policy describes how MUSHDESK, S.L. ("Mushdesk", "Orbe", "we", "us") collects, uses, and discloses personal data through the website https://orbe.app and the Orbe application available on the Shopify App Store.
This policy is not intended to provide legal advice. If you have concerns about how privacy laws apply to your specific situation, we recommend consulting a lawyer.
1. Who is responsible for processing your data?
The data controller for personal data collected through the website https://orbe.app and associated support channels is:
MUSHDESK, S.L.
Tax Identification Number: B09677048
Registered office: Paseo de la Castellana, 194, 28046, Madrid, Spain
Contact: support@orbe.app
Important: Data Controller vs. Data Processor
When Orbe processes personal data from visitors and end users of a merchant's Shopify store in order to provide geolocation, redirection and personalisation features, Mushdesk acts as the Data Processor and the merchant (owner of the Shopify store) acts as the Data Controller. This processing is governed by the Data Processing Agreement (DPA), which is automatically accepted by the merchant upon installation of Orbe.
Mushdesk acts as Data Controller only for data linked to its corporate website, communication with merchants, billing via Shopify, and support.
Orbe is a B2B solution for businesses and is not intended for minors. If, exceptionally, information on minors is processed at the merchant's request, the merchant shall guarantee the required legitimacy and consent.
2. Recommendations
Please read carefully and follow the recommendations below for safe use of the Orbe website and application:
- Keep your equipment and devices updated with effective and properly configured antivirus software to protect yourself against malicious software, spyware, or unauthorised access that could put your Internet browsing or the information stored on your equipment at risk.
- Periodically review this Privacy Policy and other legal texts made available by Mushdesk on the website https://orbe.app and in the Shopify App Store, as they may be updated to reflect legal, technical or operational changes.
- Manage and configure your privacy and cookie preferences correctly in your browser and, if you are a merchant, ensure that you implement the appropriate privacy policies and consent mechanisms in your own Shopify store.
- Do not share your Shopify or Orbe login credentials with unauthorised third parties and use strong, unique passwords.
- If you detect any incident related to the security or privacy of Orbe, please notify us immediately at support@orbe.app.
3. What data do we collect?
For the proper functioning of the corporate website and the Orbe application integrated into Shopify, Mushdesk may have access to the following data, either provided directly by the Customer (merchant) or generated automatically through the use of the application:
- Customer identification and contact details: name and surname of the legal representative, company name, address, postcode, country, telephone number and email address, within the framework of the B2B contractual relationship with Mushdesk.
- Technical and connection data: IP address, country of connection, browser agent and language, operating system and approximate geolocation data. This data is anonymised and is not attributed to specific end users, and may include cookies or similar technologies necessary for the provision of redirection and personalisation features for the user experience.
- Orbe application usage data on Shopify: information relating to display preferences (language, currency, selected market), redirection history within the store, welcome pop-up settings or market selectors. Under no circumstances does Mushdesk access the content of purchases, financial data or sensitive information of the merchant's end customers.
- Communication and support data: contents of queries, support requests or incidents submitted to Mushdesk via email, support forms or any other enabled channel.
- Data collected through integrations with Shopify Markets or Global-e: Orbe may receive limited technical information related to market settings, currencies, languages and redirection rules, for the sole purpose of providing the Services. This data does not allow for the individual identification of end users and remains under the control and responsibility of the merchant as Data Controller.
4. Data collected automatically through the website and Orbe
The Mushdesk corporate website and the Orbe application integrated into Shopify use cookies and similar technologies which, depending on the settings made by the User and/or the Customer, may result in the processing of certain technical data. Generally, the information collected automatically includes:
- IP address of the device or server from which access is made (anonymised to prevent direct identification).
- Country and approximate connection area.
- Browser used, browser language and operating system.
- Date and time of access to the website or use of Orbe.
- Technical configuration preferences within Orbe (language, market or currency selected).
- Data linked to the operation of redirects, market selectors, and welcome pop-ups.
This information is used exclusively to ensure the proper functioning of the website and the Orbe application, to improve the user experience and to offer geolocation and personalisation features. Under no circumstances is it used to personally identify end users or to create profiles with significant legal effects.
For detailed information about the use of cookies and how to configure your preferences, contact us at support@orbe.app.
5. How do we use your data?
- Management of requests for information and support: to attend to and respond to queries, requests for information, technical or commercial incidents, complaints and claims submitted by Customers or Users through the forms provided, email or any other available contact channel.
- Provision of service and technical support: to enable the installation, configuration, maintenance and updating of the Orbe application in the Customer's Shopify store, as well as to manage access to the support and technical assistance area.
- Contract management: to comply with the obligations arising from the contractual relationship with merchants, including billing and subscription management through the Shopify App Store.
- Compliance with legal obligations: to meet the legal, regulatory or administrative requirements applicable to Mushdesk in relation to tax, accounting, data protection or information society services.
- Geolocation and technical customisation: processing technical data (such as anonymised IP addresses, browser language, country of connection or display preferences) for the sole purpose of enabling Orbe's geolocation, automatic redirection and user experience customisation features, without this implying the individual identification of end users.
- Statistical and usage analysis: depending on the configuration of cookies and similar technologies, to carry out measurements and statistics on the use of the application and the website in order to improve its functionalities, as well as to produce aggregate metrics on browsing habits in an anonymised manner and not linked to specific users.
6. Legal basis for processing
The legal basis on which Mushdesk processes personal data varies depending on the purposes described in this Policy:
- Management of information and contact requests: pre-contractual measures or performance of a contract (Art. 6.1.b GDPR).
- Technical support and assistance: performance of the contract or implementation of pre-contractual measures (Art. 6.1.b GDPR).
- Contract management and access: performance of the contract entered into through the Shopify App Store (Art. 6.1.b GDPR).
- Compliance with legal obligations: compliance with applicable tax, accounting, commercial and data protection obligations (Art. 6.1.c GDPR).
- Geolocation and technical customisation: performance of the contract signed between Mushdesk and the merchant (Art. 6.1.b GDPR).
- Use of cookies and statistical analysis: the user's informed, free, specific and unambiguous consent (Art. 6.1.a GDPR).
Mushdesk takes the protection of the privacy and personal data of its Customers and Users very seriously. Personal data is processed with the utmost care, in accordance with Regulation (EU) 2016/679 (GDPR), the LOPDGDD and other applicable regulations.
Where processing is based on consent, data subjects may withdraw that consent at any time, without this affecting the lawfulness of the processing carried out previously. To exercise this right, send an email to: support@orbe.app.
7. Accuracy of data provided
The Customer guarantees that the personal and professional data provided to Mushdesk through the website or during the process of installing and using the Orbe application on Shopify is accurate, complete and truthful, and undertakes to keep it duly updated at all times.
The Customer shall be solely responsible for the accuracy of the data provided and for any direct or indirect damage or harm that may be caused to Mushdesk or third parties as a result of providing inaccurate, incomplete or false information.
Mushdesk reserves the right to deny or suspend access to the Services if it is detected that the Customer has provided false, inaccurate, outdated or inauthentic data, without prejudice to any other legal actions that may be applicable.
Customers and Users are advised to protect their credentials and data with the utmost diligence, using appropriate security measures (e.g., strong passwords, Shopify authentication systems). Mushdesk shall not be liable for unauthorised access, loss, theft or unlawful manipulation of data resulting from the Customer's negligence in managing their own information or the security of their Shopify store.
Any modification or update of data must be communicated to Mushdesk through the contact channels provided in this Privacy Policy or through the tools available in the Shopify App Store.
8. How long do we keep your data?
Personal data provided by Customers or collected in connection with the use of Orbe will be retained for the time strictly necessary to fulfil the purposes of processing described in this Policy and for as long as the contractual relationship between the Customer and Mushdesk remains active.
- Customer identification and contact details (B2B): kept for the duration of the contractual relationship and, subsequently, for the periods necessary to meet any legal, administrative or tax liabilities (generally five (5) to six (6) years in accordance with tax and accounting regulations).
- Technical data of end users processed through Orbe (anonymised IP address, country of connection, browser language, market preferences): stored only temporarily and deleted or anonymised once the purpose of geolocation and personalisation has been fulfilled. Orbe does not permanently store this data.
- Data obtained through cookies or similar technologies: kept for the periods established in the cookie settings, depending on the nature of each cookie and always based on user consent.
- Data processed for B2B commercial communications purposes: kept for as long as the Customer has not expressed their opposition or requested to be removed.
Once the contractual relationship has ended, Mushdesk will keep data blocked exclusively for the legally established periods in order to deal with any possible claims or liabilities. Once these periods have elapsed, data will be securely deleted or irreversibly anonymised. Mushdesk undertakes to comply at all times with its duty of confidentiality and secrecy with regard to personal data, in accordance with the provisions of Regulation (EU) 2016/679 (GDPR), the LOPDGDD and other applicable regulations.
In compliance with Shopify's data deletion requirements, Mushdesk responds to all mandatory compliance webhooks and deletes store data within 48 hours of a merchant uninstalling Orbe.
9. Your rights
In compliance with Articles 12 to 22 of Regulation (EU) 2016/679 (GDPR) and the LOPDGDD, data subjects may exercise the following rights:
- Access: obtain confirmation as to whether Mushdesk processes personal data concerning them and access to such data.
- Rectification: request the correction of inaccurate data or the updating of incomplete data.
- Erasure: request the deletion of data when it is no longer necessary for the purposes for which it was collected.
- Restriction of processing: request that data be stored but not processed temporarily, in certain circumstances provided for in the GDPR.
- Objection: object to the processing of personal data in certain circumstances and for reasons related to your particular situation.
- Portability: request the direct transfer of data to another controller, where technically possible.
- Not to be subject to automated individual decision-making: including profiling, except where legally permitted.
- Withdrawal of consent: where processing is based on consent, data subjects may withdraw it at any time, without this affecting the lawfulness of prior processing.
How to exercise your rights
Data subjects may exercise their rights by sending a written request to Mushdesk via:
- Email: support@orbe.app
- Post: Mushdesk S.L., Paseo de la Castellana, 194, 28046, Madrid, Spain.
The communication must contain sufficient information to verify the identity of the applicant. If it cannot be reasonably verified, Mushdesk may request additional information to confirm the identity before processing the request.
Clarification of roles in processing
In the case of personal data of the Customer (B2B) provided within the framework of the contractual relationship with Mushdesk, the rights may be exercised directly before Mushdesk, in its capacity as Data Controller.
In the case of technical data of end users of Shopify stores in relation to geolocation or personalisation managed by Orbe, the Customer (owner of the Shopify store) acts as Data Controller. In these cases, Mushdesk will act as Data Processor, forwarding any requests it receives to the relevant Customer, in accordance with the DPA.
Right to lodge a complaint with the supervisory authority
Data subjects shall have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or another competent supervisory authority if they consider that the processing of their personal data infringes the applicable data protection regulations.
10. Data security
Mushdesk applies appropriate technical and organisational measures to ensure the security of the data processed through Orbe, including:
- Encryption of data in transit (TLS/SSL).
- Encryption of Shopify access tokens at rest.
- Access control and least-privilege permissions.
- Confidentiality commitments for all staff with access to personal data.
- Daily encrypted incremental backups with off-site copy.
- Regular security assessments and penetration testing by independent third parties.
- Incident detection and response procedures with notification to merchants within 48 hours of becoming aware of a relevant breach.
Orbe does not permanently store end users' personal data, limiting itself to processing necessary and anonymised technical metadata (partial IP, browser language, country of connection).
The Customer is responsible for the security and configuration of their own Shopify store. Mushdesk will maintain its duty of confidentiality and notify the Customer of any relevant security incidents in accordance with the terms set out in the DPA.
11. Transfers and assignments to third parties
Personal data may be processed by third-party service providers engaged by Mushdesk to carry out the purposes described in this Policy. These include, among others:
- Third parties who help us provide IT services, such as website providers, hosting services, maintenance and support for our databases, as well as our software and applications that may contain data about you.
- Third parties who help us provide digital services, CRM, web analytics and search engines.
- Third parties for compliance with legal regulations.
Data may also be transferred to competent authorities, courts or tribunals when required by applicable law.
User data may only be used by Mushdesk for purposes that serve to correctly fulfil the purposes of personal data processing set out in section 5 of this Privacy Policy. The full list of sub-processors, including their locations and applicable transfer safeguards, is available in the Data Processing Agreement (DPA).
12. How Orbe supports your GDPR compliance
GDPR compliance is not an afterthought for Orbe — it is the reason the product was built the way it was.
No automatic redirection on the first visit
Orbe never automatically redirects a visitor on their first visit to a store. Instead, on the first visit, Orbe shows an informational popup allowing the visitor to voluntarily choose their preferred country, language or market. Redirection only occurs on subsequent visits, once the visitor has made an explicit choice that is stored in a functional preference cookie.
This is a fundamental design decision. Automatically redirecting visitors without their consent — as many internationalisation tools do — is not compliant with GDPR. Orbe eliminates this risk by design.
Human consent stored in a functional cookie
Only after the visitor takes an explicit action in the popup (accepting or selecting a country, language or market) does Orbe generate a functional preference cookie. This cookie stores the human's explicit choice — not tracking data. Under applicable data protection regulations, including interpretative criteria from the Spanish Data Protection Agency (AEPD) and the general principles of EU privacy regulations, a functional cookie that exclusively remembers a choice made voluntarily by the user does not require specific prior consent, as it is a service expressly requested by the user.
Privacy-by-design technical architecture
The initial geolocation detection (before any popup interaction) uses the visitor's IP address and browser language on a one-time, non-persistent basis, for the sole purpose of recommending the most appropriate version of the store. This processing:
- Does not install cookies or create persistent identifiers.
- Does not store information for subsequent visits.
- Does not track or profile visitors.
- Is not used for advertising, analytics or marketing.
- Is covered by the legitimate interest of the data controller (Art. 6.1.f GDPR) and falls outside the scope of cookie consent requirements.
Data minimization
Orbe processes only the minimum data strictly necessary: anonymised IP address, browser language, country of connection, and market/language preferences selected by the user. Orbe never accesses order content, payment information, financial data or any sensitive customer data.
DPA provided to all merchants
Every merchant who installs Orbe automatically accepts a Data Processing Agreement (DPA) as part of Orbe's Terms and Conditions. This DPA governs the conditions under which Mushdesk processes personal data on behalf of the merchant, in full compliance with GDPR. No separate bilateral contract or manual process is required.
Merchant remains in full control
The merchant acts as Data Controller at all times and Mushdesk as Data Processor. Merchants using Orbe can support their visitors' right to land on the correct country-specific storefront. Merchants are responsible for their own cookie banner, consent management platform, and compliance obligations towards their end customers.
Privacy regulations supported
Orbe's architecture supports merchants operating under the following regulations:
- GDPR (EU/EEA and UK): data minimization, legitimate interest basis, functional cookie exemption, DPA included.
- CCPA / CPRA (California): no sale of personal data, no cross-context behavioural advertising, data deletion on request.
- VCDPA (Virginia) and similar US state laws: transparent data practices, data subject rights support.
13. Shopify mandatory compliance webhooks
In compliance with Shopify's requirements for apps listed on the Shopify App Store, Orbe responds to all mandatory compliance webhooks:
- customers/redact: when a merchant requests deletion of a customer's personal data, Orbe deletes all associated data for that customer.
- shop/redact: 48 hours after a merchant uninstalls Orbe, all data associated with that store is permanently deleted from Orbe's systems.
- customers/data_request: when a customer requests access to their personal data stored by Orbe, we provide the relevant information to the merchant to fulfil the request.
14. Changes to this Privacy Policy
Mushdesk reserves the right to revise its Privacy Policy at any time it deems appropriate. We ask that you regularly check this Privacy Policy to read the most recent version. Any changes to this Privacy Policy will be communicated to the User. The conditions published at the time of access shall be applicable. Continued use of the service after publication of changes implies acceptance of those changes.
15. Links to websites
The Mushdesk/Orbe website may contain links to third-party websites (external companies, entities or platforms). Access to these links is the sole responsibility of the User.
Mushdesk does not control, supervise or take responsibility for the way in which these third parties treat the protection of privacy and personal data. We recommend that Users carefully read the corresponding Privacy Policies and Legal Notices before browsing or providing personal information on these websites.
The fact that the website includes links to third parties does not imply the existence of a relationship, recommendation, promotion or approval by Mushdesk with regard to the content of such sites, nor does it imply the assumption of liability for any damages that may arise from accessing or using them.
16. Contact and questions
If you have any questions about this Privacy Policy, or to exercise your data protection rights, contact us at:
Email: support@orbe.app
Post: Mushdesk S.L., Paseo de la Castellana, 194, 28046, Madrid, Spain.
If you consider that your rights are not properly safeguarded, you have the right to file a complaint with the Spanish Data Protection Agency (AEPD):
Telephone: 901 100 099 / 912 663 517
Postal address: C/Jorge Juan 6, 28001 Madrid
Electronic office: https://sedeagpd.gob.es/sede-electronica-web/
Website: www.agpd.es
17. Acceptance
The User acknowledges having read and understood this Privacy Policy, declaring that they are informed of the conditions applicable to the processing of their personal data and freely, specifically, knowingly and unequivocally accepting the processing thereof by MUSHDESK, S.L. in the manner and for the purposes described in this document.
Acceptance of this Privacy Policy is a necessary requirement for using the website and/or the features associated with Orbe's services. If the User does not agree, they must refrain from using the website or the linked services.
MUSHDESK, S.L. All rights reserved. Total or partial reproduction is prohibited.