Privacy Policy

Last updated:

Read-only Shopify OAuth · TLS + AES-256 at rest · DPA available

Quick summary (for convenience only)

  • We analyze Shopify store data to generate weekly action plans. The merchant owns their store data.
  • We do not sell personal or store data. We share only with the subprocessors listed at /subprocessors.
  • Security: TLS in transit, AES-256 at rest, least-privilege access, webhook signature verification, and coarse IP-prefix storage instead of raw IP addresses.
  • Rights: access, correction, deletion, export, and withdrawal of consent. Submit at /data-request.
  • Retention: 90 days after uninstall (then full delete); raw Web Pixel events <36 hours; email logs 30 days.

This summary is non-binding. The full policy below governs.

1. Information we collect

DropifyXL receives data through two paths: the Shopify app (installed on a merchant's store) and the marketing site (dropifyxl.com).

From the Shopify app (merchant install)

  • Store profile: shop domain, owner email, currency, timezone, Shopify plan name.
  • Catalog: products, variants, inventory levels, collections.
  • Commerce data: last-90-days orders and customers (email, name, order count, total spent, first and last order dates).
  • Plus only — visitor analytics: when you enable the Web Pixel, we receive a narrow set of storefront events (page view, product view, add to cart, checkout started, checkout completed). Events are pseudonymized by a daily-rotating session ID — no cookies, no cross-session tracking.

From the marketing site

  • Newsletter signup: email address + the signup source ("footer", "newsletter-section", etc.).
  • Contact form: name, email, Shopify store domain, topic, message.
  • Data-request form: name, email, optional shop domain, request type, details.
  • Coarse IP prefix: for abuse-prevention only, we store the /24 (IPv4) or /48 (IPv6) network prefix — never the full IP address.

What we don't collect

We do not integrate with ad platforms (Meta, Google, TikTok) and we don't receive their data. We don't set cross-site tracking cookies. We don't process card or banking details — billing flows through Shopify Billing.

2. How we use information

Service delivery

  • Run the weekly rules engine to produce 3–5 prioritized recommendations.
  • Send transactional email (first-scan notification, weekly / daily digest, trial-ending reminder, unsubscribe confirmation) on paid plans.
  • Operate the in-app dashboard, action tracking, and onboarding state.

LLM polish

Recommendation copy is rewritten by an LLM (OpenAI or Google Gemini, selected via an internal config). We only send the rule-level structured output — product titles, counts, percentages, and fallback copy — never raw order records, customer names, or email addresses. Providers do not use our data to train their foundation models per their enterprise terms.

Analytics about the product

We track aggregated metrics about how the app is used (how many recommendations are completed, which types resonate) to improve the rules and the UX. These are de-identified and can't be traced back to individual merchants or customers.

Communication & admin

  • Service notifications and important updates.
  • Billing state managed through Shopify.
  • Support and troubleshooting you initiate.

3. Sharing & subprocessors

We do not sell personal or store data. We share only with the subprocessors required to deliver the Service, each bound by a written DPA. The full, current list is at /subprocessors — at the time of writing it covers Shopify (source platform), Supabase (Postgres), Vercel (app hosting), DigitalOcean (cron server), Resend (email), and one of OpenAI or Google Gemini (LLM polish).

Legal process

We may disclose information to comply with lawful requests, enforce our Terms, or protect the rights, property, or safety of users and the public.

Business transfers

In a merger, acquisition, or asset sale, data may transfer subject to this Policy. We'll notify merchants before any change in controller.

4. Security

Technical

  • TLS 1.2+ in transit; AES-256 at rest (Supabase)
  • Shopify webhook HMAC-SHA256 verification
  • Cron endpoints gated by rotating bearer secret
  • HMAC-signed unsubscribe tokens
  • Per-IP-prefix rate limits on public endpoints

Organizational

  • Least-privilege, 2FA-gated human access
  • Access reviews on role change
  • Breach response playbook (72-hour notification)
  • Server-only secrets never in the client bundle

The full technical summary is at /security. No method of transmission or storage is 100% secure, but we align our measures with industry best practice for apps handling commerce data.

Report a vulnerability via the contact form (topic: Technical Issue).

5. Retention

  • Shop data while installed: kept for the lifetime of the install, refreshed on webhook.
  • After uninstall: the shop row is marked inactive and all data is deleted 90 days later. Request earlier deletion via the contact form.
  • Web Pixel raw events (Plus): less than 36 hours, then rolled into anonymized daily summaries and deleted.
  • Email logs: 30 days for deliverability debugging.
  • Newsletter subscribers: until unsubscribe.
  • Contact & data-request messages: 2 years after the last correspondence, then deleted.

6. Your rights

Depending on where you live (EU/EEA, UK, California), you may have the right to:

  • Access and obtain a copy of your data (portability)
  • Correct inaccurate information
  • Request deletion of your personal data
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent

Submit a request at /data-request (or use the general contact form). We respond within 30 days and verify identity by email before acting.

Merchants

Export or delete your store data via the contact form — we'll match against your Shopify shop domain.

End customers

Start with the merchant directly — Shopify forwards their request to us automatically. If that fails, use our data-request form.

7. Cookies & tracking

DropifyXL uses only essential cookies on the marketing site — a CSRF token for the contact and data-request forms — and the session cookies Shopify itself manages inside the embedded admin app. We don't set analytics or advertising cookies, and we don't run cross-site trackers.

The Plus-plan Web Pixel on merchant storefronts sends anonymized events (no cookies, no PII, consent-aware via Shopify's Customer Privacy API).

8. International data transfers

Data may be stored and processed across multiple regions — the EU (Supabase Frankfurt), the US (Resend, OpenAI), or Google regions (Gemini) — depending on the subprocessor involved. Transfers from the EEA, UK, or Switzerland to third countries rely on the EU Standard Contractual Clauses and equivalent addenda, together with the technical measures described at /security.

9. Children

DropifyXL is a B2B product for Shopify merchants. We don't knowingly collect personal data from children under 16. If we learn we have, we delete it promptly.

10. GDPR webhooks (merchant obligations)

Shopify requires every app to implement three mandatory compliance webhooks. DropifyXL implements all three:

  • customers/data_request — forwarded to the merchant to fulfill.
  • customers/redact — we purge the identified customer's data within 48 hours.
  • shop/redact — triggered 48 hours after uninstall; we complete deletion within 10 days.

We also run an independent daily purge job: any shop inactive >90 days is fully deleted as described in section 5.

11. Changes to this policy

We may update this Privacy Policy. Material changes are announced inside the app and on this page at least 30 days before taking effect.

12. Contact

Reach us via the contact form for general questions, or the data-request form for GDPR / CCPA subject requests. One team handles privacy, security, billing, and support.