Privacy Policy

1. Who this applies to

• Merchant — the Shopify store owner who installs Staple.
• Buyer — a shopper who interacts with offers Staple displays on a Merchant's storefront (checkout, post-purchase, and thank-you / order-status pages).

2. Data we collect

Staple is built to store the minimum data needed to show offers and report results.

From the Merchant's store (via the Shopify API), we access and store:

• Product, variant, and collection data used to build and display offers (titles, images, prices, inventory/location availability).
• Order context needed to decide which offer to show and to attribute results: order value, currency, cart contents (product/variant IDs), order/checkout reference identifiers, and UTM parameters.
• Aggregate conversion events generated by the app: offer impressions, accepts, declines, and attributed revenue.
• App configuration the Merchant creates: funnels, offers, targeting rules, styling, and settings.

We do NOT collect or store:

• Buyer names, email addresses, phone numbers, or shipping/billing addresses.
• Payment card or financial information.
• Any "Protected Customer Data" beyond order/cart metadata, unless and until the Merchant's store is approved for, and the Merchant enables, features that require it.

3. How we use data

• To select and display relevant upsell / cross-sell offers.
• To verify product availability so out-of-stock items aren't offered.
• To create discounts that apply the Merchant's configured offer pricing.
• To provide analytics and an orders activity feed in the Merchant's admin (conversion rate, added revenue, revenue per visitor).
• To operate, secure, debug, and improve the app.

We do not sell or rent any data. We do not use buyer data for third-party advertising. We display no third-party ads in the app.

4. How data is shared

• With Shopify, through Shopify's APIs, to operate the app.
• With infrastructure providers that host our application and database, acting as processors under contract and only as needed to run the service.
• When required by law, or to protect rights, safety, and security.

5. Cookies and tracking

The embedded admin uses Shopify session tokens for authentication and does not rely on third-party cookies. Staple does not place advertising or cross-site tracking cookies on Buyers.

6. Data retention

We retain Merchant configuration and aggregate event data for as long as the app is installed, and delete it following the schedule in Section 7 after uninstallation.

7. Data deletion and Shopify GDPR webhooks

We honor Shopify's mandatory data-protection webhooks:

• shop/redact — on uninstall, we delete the store's data within 48 hours of Shopify's redaction request.
• customers/redact and customers/data_request — because Staple does not store buyer personal information, we have no buyer personal data to return or erase; we acknowledge these requests as required.

Merchants may also request deletion of their data at any time by contacting us.

8. Security

Data is transmitted over TLS/HTTPS. Access tokens are stored securely and use Shopify's expiring offline token model. Access to production data is limited to authorized personnel.

9. Merchant and Buyer rights

Depending on your location (including under GDPR and CCPA/CPRA), you may have the right to access, correct, delete, or restrict processing of personal data, and to data portability. Because we store no buyer personal data, most such requests are satisfied automatically. To exercise rights, contact us using Section 11.

10. International data transfers

Data may be processed in countries other than where you are located. Where required, we use appropriate safeguards for such transfers.

11. Contact

For privacy questions or requests:

• Email: hello@suitexa.com
• Operator: Suitexa

12. Changes

We may update this policy. Material changes will be reflected by updating the effective date above and, where appropriate, notifying Merchants in-app.