Privacy Policy Apps
`[ effective date: February 4, 2026 ]`
Introduction
REFACTOR PLUS SYSTEMS AND SOFTWARE LIMITED LIABILITY COMPANY, a company duly organised and existing under the laws of the United Arab Emirates (referred to as “the Company”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains when and why we collect personal information, how we use it, the conditions under which we may share it, and how we keep it secure. It applies to all of our websites, services, and applications (“Apps”) available on the Shopify App Store under our developer account (collectively, the “Services”). This Policy is provided in accordance with the highest privacy regulations, including but not limited to:
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The General Data Protection Regulation (GDPR)
- The Lei Geral de Proteção de Dados (LGPD)
- The California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA)
- The UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)
- The Personal Data Protection Law of the Kingdom of Saudi Arabia (KSA PDPL)
By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the data practices described herein, you should not use our Apps or Services.
Scope
This Privacy Policy covers personal information that we collect through our Shopify Apps and related Services. It does not apply to any third-party websites, services, or applications that you may access through links from our Services. Those third parties are independent and have their own privacy policies, for which we are not responsible. Additionally, if you are a customer of a merchant who uses our Apps (for example, you made a purchase from a Shopify store that has our App installed), please note that the merchant’s own privacy policy will also govern how your data is handled. We act as a service provider/processor for the merchant in those cases.
Personal Data We Collect
We collect several types of personal data from merchants (store owners) and, in some cases, from our merchants’ customers, as well as from visitors to our websites or users of our Services. The specific information collected may vary depending on which App or Service you use, but it generally includes:
- Contact and account information. When a merchant installs or registers for our Apps, we may collect information such as the merchant’s name, store name, email address, phone number, login username, and password (or OAuth token). We also collect and store business-related information required to operate the App, including the Shopify store ID and domain, the Shopify offline access token, the store owner’s email address (used for billing or service updates), and the subscription status. If you contact our support or sign up for newsletters, we may collect your contact details for communication purposes.
- End-customer data accessed via Shopify. Our Apps do not collect personal data directly from end customers via forms. For most Apps, customer and cart data processed by the App remains within Shopify and is stored only in Shopify’s infrastructure where applicable, including Shopify customer metafields. For the Persistent Cart App, we additionally store a limited mapping record in our own database to support the App’s cart restoration functionality. This mapping record contains the store URL, cart ID, an encrypted customer ID that only our App can decrypt, and the timestamp of the last cart update. The cart contents themselves remain stored only in a Shopify customer metafield. Due to the Shopify access scopes granted during installation, our Apps may technically have access to certain customer and order data stored in Shopify (first and last name, email address, phone number if provided, default address, and order history), but we do not store or use this data in our own systems.
- Store and transaction data. Through Shopify’s platform, we receive data about the merchant’s store and transactions when our Apps are installed. This can include your Shopify store ID, store URL, and settings. If our App interacts with store orders or payments, we may receive order details (e.g., purchased items, order value, currency, and associated customer information) via Shopify’s API. We do not directly collect or store full payment card numbers or credentials; payment processing is handled securely by Shopify or the merchant’s chosen gateway.
- Support and communications data. If you reach out to us for support, respond to a survey, or otherwise communicate with us, we will collect the information you choose to provide. This may include your name, contact information, and the content of your correspondence. We use this information to respond to you and to improve our Services.
- Usage and device data. When you use our Apps or visit our websites, we may automatically collect certain technical information about your device and usage of our Services, such as IP address, time zone, browser type, device type, operating system, and network connection information. We also collect general interaction data (e.g., pages or features used, crash or error data). Our Shopify Apps do not set cookies or tracking scripts on the merchant’s storefront and rely on Shopify’s own session cookies.
Sensitive personal data
We do not intentionally collect any sensitive personal data such as social security numbers, government IDs, financial account passwords, information about health or medical conditions, biometric identifiers, precise geolocation, or information about racial or ethnic origin, religious or philosophical beliefs, union membership, sexual orientation or other sensitive information. We ask that you (as a merchant or user) not send or store such sensitive categories of data through our Apps.
How We Use Personal Data
We process personal data for the following purposes, relying on the lawful bases described in the “Legal Basis” section below:
- Providing and improving our Services. We use the collected information to operate our Apps and to fulfil our contractual obligations to you (the merchant). This includes using personal data to enable the features of our Apps on your Shopify store. We process the customer’s ID and Apps’ contents (products, variants, quantities, and related attributes) to save the information in Shopify. For the Persistent Cart App, we also store and update the mapping record described above in our database, linking the encrypted customer ID to the cart ID and store URL, together with the timestamp of the last update, so that the cart can be restored across sessions. We also use merchant data (store ID, token, subscription status) to identify and authenticate the store, manage billing, and ensure our Apps work as designed. We may also analyse aggregated usage data and feedback to understand performance, fix bugs, optimise the user interface, and develop new features.
- Customer support and communications. We use contact information (like email and phone number) to communicate with you about support inquiries, updates, and important notifications about the Services. For instance, we may send you messages about critical security updates, respond to your support tickets, or inform you of changes to our terms or this Policy. We may also send you surveys or invite you to provide feedback to improve our offerings (participation is always optional).
- Marketing and newsletters. We may use your email address and name to send you promotional emails about new features, other products or services we offer, or upcoming events and newsletters, only if you have given us consent or if otherwise permitted by law. These communications are sent only to merchants (store owners), not to end customers. Each promotional email will include an option to unsubscribe or opt out of further marketing. We will not send you marketing text messages or calls unless you have expressly agreed to that.
- Compliance and legal obligations. We may process personal data as required to comply with applicable laws, regulations, and legal processes. This includes using data to respond to lawful requests by public authorities, meet national security or law enforcement requirements, or fulfil our financial record-keeping obligations. We may use personal data to enforce our agreements or protect our rights or the rights of our users, merchants, or the public (for example, detecting and preventing fraud, security abuse, or other harmful activities). If necessary, we may use personal information to pursue or defend legal claims.
We will ask for your permission before using your personal data for any purpose not covered above. If we rely on consent for a certain processing activity, you are free to withdraw that consent at any time, and we will honour your choice going forward.
We do not use data from merchants’ stores for advertising purposes or in any cross-site ad networks, and we do not create user profiles or engage in behavioural advertising using store customer data.
We do not use personal data for any automated decision-making or profiling that produces legal or similarly significant effects. Any profiling or analytics we perform (for example, to understand usage patterns) is done to improve our Services and not to make determinations about individuals in a way that would require consent or trigger additional legal rights under GDPR or similar laws.
If we introduce any additional analytics tools in the future, we will update this Privacy Policy to reflect any new data collection or processing activities.
Legal Basis for Processing
If you are located in the European Economic Area, the United Kingdom, Brazil, the United Arab Emirates or another jurisdiction with comprehensive data protection laws, we must have a valid legal basis to process your personal data, depending on the context and purpose of processing. We generally rely on the following bases:
- Contractual necessity. Much of our processing of merchant data is to fulfil our contractual obligations with you, the merchant, related to subscriptions, installation, and providing the Services. When you install or use our Apps, a contractual relationship is created. We need to process certain personal data (like account information, store data, and any customer data that you route through our Apps) to perform our obligations under that contract – for example, to provide the App’s functionality and support you. If you refuse to provide data that is necessary to perform our contractual obligations, we may not be able to provide the Service.
- Your Consent. We rely on your consent when we use your personal data for purposes like sending you marketing or promotional emails, optimising our Services, developing new features, or providing you with relevant advertising materials (when allowed by your device or browser’s personalisation settings). You may withdraw your consent at any time (for example, by unsubscribing from a newsletter). The withdrawal of consent does not affect any processing done before withdrawal, and if consent is withdrawn, we may be limited in how we can continue to provide certain features. If we rely on consent for certain processing, we will inform you and obtain it (for example, if we were to use non-essential cookies on our website in jurisdictions where that is required).
- Legitimate interests. We process certain data as necessary for our legitimate business interests, provided those are not overridden by your privacy rights. Our legitimate interests may include improving and personalising our Services, understanding how our Apps are used, securing our Services, preventing fraud, and marketing our Services to existing customers. For instance, using basic analytics on usage to improve user experience or analysing aggregated (non-identified) performance data is a legitimate interest. If we process personal data on the basis of legitimate interests, we have assessed and balanced the impact on your rights. You have the right to object to processing based on legitimate interests, as described below.
- Compliance with legal obligations. We rely on this basis to identify you and verify your identity (when relevant), to prevent fraud or security issues, or to comply with applicable laws and regulations (for example, tax laws or financial reporting requirements). We may process data as necessary to satisfy such obligations.
- Public interest. We rely on this basis when we have a legal obligation or need to cooperate with law enforcement or regulatory requests. For example, we may disclose personal data if required by a court order or to protect against fraud or other illegal activities.
If you have questions about the legal basis on which we process your personal data, please contact us using the information below.
How We Disclose or Share Personal Data
We value your privacy and will only share personal data in ways described in this Policy, or with your explicit consent. We do not sell personal information to third parties. However, we may share personal data in the following circumstances:
Service Providers (Processors). We employ third-party companies and individuals to help us operate the Services or perform functions on our behalf. These service providers may process personal data only as instructed by us and for the purposes in this Policy. Categories of service providers include:
- Hosting and Infrastructure. We use Heroku (Salesforce, USA) to host our application servers and databases. For most Apps, customer app-related data processed by the App remains stored in Shopify’s own infrastructure (primarily in the USA and Canada). For the Persistent Cart App, our systems also store the limited mapping record described above in our database hosted on Heroku. Any monitoring or logging services we use (such as Mantle or Sentry) may process technical data in the United States.
Please refer to the privacy policies of Mantle and Sentry for more information: Sentry https://sentry.io/privacy/, Mantle
- Analytics Providers. We use tools like Google Analytics and Google Tag Manager (Google LLC, USA) to understand usage on our websites. These providers collect usage data on our behalf to help us improve our site. They act as our processors in analysing this information (though Google may also use certain data for its own purposes; see Google’s privacy policy). We have data protection agreements in place with analytics providers as required.
- Email and Communication Services. We may share your contact information with email service providers or CRM tools that assist with sending newsletters, support communications, or service updates. These third parties process your data under our instructions solely for sending emails or messages we have initiated.
- Payment and Billing Processors. For handling subscription billing for our Apps, we rely on Shopify’s billing system or other PCI-compliant third-party payment processors. These entities handle your payment card information securely. We do not receive or store full credit card numbers or sensitive payment credentials; any payment details we receive (such as transaction IDs or last four digits) are only what’s necessary for record-keeping and are processed securely under the processor’s standards.
- Other Third-Party Tools. Our Apps may integrate with tools that facilitate their functionality. For example, we may use Google Tag Manager (USA) on our site or integrate with Shopify Flow (operating within Shopify’s infrastructure) to allow merchants to automate certain actions (like clearing a saved cart in some Apps). Any such integrations are performed under your direction, and we share data only to the extent needed to enable that integration.
We contractually require all service providers to protect personal data and not to use it for any purposes other than delivering the services to us. A list of key sub-processors is provided in our Data Processing Addendum (DPA) available to merchants.
Shopify. Our Apps are built to work with your Shopify store, and we share data with Shopify as needed to provide the Services. For example, when you install an App, it connects to Shopify’s API to access your store data (products, orders, customers, etc.) as needed under the scopes you granted. Shopify itself acts as an independent data controller for much of the data involved in your store and our Apps. Personal data that passes through Shopify’s systems is subject to Shopify’s own privacy policy and security practices. For instance, if our App stores data in Shopify, Shopify hosts that data on its secure servers. We share information with Shopify for things like billing (Shopify processes app subscription charges), authentication, and complying with Shopify’s terms. Shopify also assists with data subject rights by sending us the mandated webhooks (customers/data_request, customers/redact, shop/redact) when a deletion or access request is initiated by a merchant or end-customer; we then act on those as described below.
Business transfers. If the Company is involved in a merger, acquisition, sale of assets, or reorganisation, your personal information may be disclosed and transferred as part of that transaction. We would ensure that the new owner or transferee remains bound to protect your personal data as described in this Privacy Policy (or you would be provided with notice and an opportunity to opt out of the transfer, if required by law).
Legal requirements and safety. We may disclose personal data if we believe it is necessary to comply with the law, respond to legal process (like a subpoena), defend our rights or the rights of our users, or to prevent fraud or security issues. Where possible and legally permissible, we will attempt to notify you if we have to disclose your data in such a manner. Please note that we do not voluntarily provide law enforcement or government agencies with access to personal data unless compelled by a valid legal order; see our DPA for more details on how we handle such requests.
With your consent or at your direction. We will share your personal data with other third parties if you consent or direct us to do so. For instance, if you integrate one of our Apps with a third-party service (by connecting your account to that service), we will share data as needed to enable that integration. We may also share testimonials or case studies with your consent. You have the right to withdraw such consent at any time.
Do Not Sell or Share Personal Information
We do not sell personal data for monetary compensation. We also do not use customer data for cross-site behavioural advertising. We may share identifiers or usage information with advertising partners only if we later determine to run marketing campaigns, and in that case, California residents have the right to opt out. If you wish to opt out of any potential “sale” or “sharing” of your information for targeted advertising, you may use the “Do Not Sell or Share My Personal Information” link on our website or contact us directly; we will honour such requests. We do not knowingly sell or share the personal information of consumers under 16 years of age.
International Data Transfers
The Company is based in the United Arab Emirates (UAE), and our service providers may be located in various countries. Therefore, your personal data may be transferred to and processed in countries other than the one in which you reside. In particular, we may process and store information in the United States and Canada. For example, our app’s backend and database are hosted on Heroku in the United States (AWS infrastructure). For the Persistent Cart App, the limited mapping record described above is stored in that database. Cart contents remain stored in Shopify customer metafields hosted in Shopify’s data centres, primarily in the United States and Canada. Any third-party monitoring or error-logging services we use (such as Mantle or Sentry) also process data in the United States.
Transfers from the EEA/UK or other regions. Under GDPR, data transfers to third countries are only permitted when adequate safeguards are in place to protect your personal information. Whenever we transfer personal data out of the European Economic Area (EEA), the United Kingdom, Switzerland, or other regions with data transfer restrictions, we ensure adequate safeguards are in place. We rely on the following legally recognised mechanisms:
- Adequacy Decisions: if the European Commission has deemed a country to provide an adequate level of data protection, we may transfer data based on this decision.
- Standard Contractual Clauses (SCCs): where no adequacy decision exists (e.g., for data transfers to the U.S.), we use SCCs, which are legally approved contractual terms ensuring that your data receives the same level of protection as within the EEA. For example, we rely on EU SCCs approved by the European Commission for transfers to the U.S. (with our processor obligations as described in the DPA). Similarly, we would use SCCs or other valid mechanisms for transfers from Brazil (LGPD) or other jurisdictions.
- Binding Corporate Rules (BCRs): In cases where transfers occur within our corporate group, we may rely on Binding Corporate Rules to ensure compliance with EU data protection standards.
- Other Lawful Mechanisms: if none of the above mechanisms applies, we will seek explicit consent from you or rely on specific derogations permitted under Article 49 GDPR, such as the necessity of the transfer for the performance of a contract.
In the event we cannot or choose not to continue to rely on any of those mechanisms at any time, we will not transfer your personal data to third countries unless we can do so on the basis of an alternative mechanism permitted by data protection authorities.
We continually monitor legal developments around international data transfers and will implement supplementary measures if required. For transfers to a country without an adequacy decision, we ensure appropriate protections (e.g. SCCs or an equivalent lawful transfer mechanism like the EU-US Data Privacy Framework if applicable).
Information for Canadian users. Personal information transferred or stored outside of Canada may be subject to foreign laws and access by foreign authorities. However, our practices regarding your personal information remain governed by this Privacy Policy and applicable Canadian laws (including PIPEDA). By using our Services or submitting information, you consent to the transfer of your data to countries outside your residence, including the U.S.
If you have questions about our international data transfers or need more information about our safeguards, please contact us using the information below.
Data Retention and Deletion
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.
Merchant account data. If you are a merchant, we keep your account information (such as store ID, domain, access token, subscription status, and contact email) only while our App is installed on your store. Once you cancel your subscription or uninstall the App, Shopify typically sends our App a shop/redact webhook within 48 hours after uninstallation. Upon receiving the shop/redact webhook, we delete or anonymise the relevant store-related data we hold without undue delay, typically within minutes, subject to any legal retention requirements.
Customers’ data processed on behalf of merchants. Our Apps process customer data only as instructed by the merchant. We do not keep such data longer than needed to provide the Service. Customer data is saved in a Shopify customer metafield and cleared under two conditions: (1) when the customer completes an order, their saved information is automatically cleared; or (2) after the app is uninstalled or a deletion request is received. Where a merchant initiates deletion through Shopify, Shopify sends our App a customers/redact webhook in accordance with Shopify’s schedule (typically within 48 hours after uninstallation). Shopify controls when the customers/redact webhook is sent and may delay delivery based on its internal grace period and chargeback rules. Once we receive a customers/redact webhook, we delete the relevant data we hold without undue delay, typically within minutes. If a merchant or Shopify deletes a customer’s data, we will likewise delete or clear any corresponding data we hold. For the Persistent Cart App, this includes deleting the related mapping record stored in our database on the same triggers and within the same timeline.
For Apps that save cart state, cart contents are stored in a Shopify customer metafield and are cleared when the customer completes an order or when the merchant uninstalls the App. Where a merchant initiates deletion through Shopify, Shopify sends our App a customers/redact webhook in accordance with Shopify’s schedule, which may be delayed based on Shopify’s grace period and chargeback rules. Upon receiving a customers/redact or shop/redact webhook, we delete or anonymise the relevant data we hold without undue delay, typically within minutes. For the Persistent Cart App, we also delete any related cart mapping record stored in our database, while cart contents remain stored in Shopify customer metafields.
Support and communication data. If you contact us, we may retain correspondence (emails, support tickets, chat logs) for a limited period to manage our relationship and improve service (for example, up to 6 months). If you request deletion of this data and we have no legal obligation to retain it, we will delete it upon request.
Legal retention requirements. We may need to keep certain information after you delete your account or after we no longer provide Services to you, in order to satisfy legal requirements. For instance, we might retain invoices or payment records (which could include personal data) for the duration required by financial regulations (often up to 7 years). We may also retain minimal data to document that we have complied with a deletion or opt-out request (e.g. a record of the request itself) so we can demonstrate compliance with your instructions in the future.
When we no longer have a legitimate need or legal obligation to keep your personal data, we will securely erase it or irreversibly anonymise it. For example, we may aggregate or pseudonymise usage data so it cannot be associated with any individual. If immediate deletion is not possible (for instance, because the data is stored in an offline backup), we will isolate the data from any further processing until deletion is feasible.
Security Measures
The security of your personal information is a top priority for us. We implement and maintain appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption. We use industry-standard encryption protocols. Data transmitted between your device and our servers (and between our App and Shopify’s API) is protected using TLS/SSL encryption. Sensitive data (such as passwords or API credentials) is stored in encrypted form. We also use encryption for data at rest whenever possible (for example, our cloud storage provides AES-256 encryption). Credentials and API keys are stored securely, for instance, in encrypted configuration variables (such as Heroku Config Vars).
- Access controls. We limit access to personal data to authorised personnel who need it to perform their job duties. All our employees, contractors, and service providers who may have access to personal data are subject to strict confidentiality obligations (contractual and/or statutory). Access to our backend systems is protected with strong authentication methods (such as multi-factor authentication), and we regularly review and restrict who has access.
- Network and system security. Our servers and databases are secured behind firewalls and network controls. We regularly update our software, operating systems, and dependencies to address security vulnerabilities. We also use anti-malware, intrusion detection, and monitoring tools to prevent, detect, and respond to malicious activity on our network.
- Application security. Our software is developed following secure coding practices to prevent common vulnerabilities (like SQL injection or cross-site scripting). We perform code reviews and use automated scanning tools to detect security issues. The Apps connect to Shopify via secure OAuth and API keys; these credentials are never stored in plaintext.
- Infrastructure and data security. Our backend and databases are hosted on Heroku (Salesforce, USA) in a private cloud environment. We use strong security controls such as encrypted configuration storage for credentials and automated daily backups. Our production systems are not publicly accessible, and only authorised engineers can access them via secure methods. We do not store customer data on our servers. For the Persistent Cart App, we store a limited mapping record in our database consisting of the store URL, cart ID, encrypted customer ID, and the timestamp of the last cart update. Cart contents remain stored in Shopify’s secure infrastructure.
For more information about how Heroku protects personal data, please refer to Heroku’s privacy and security documentation available at: https://www.heroku.com/policy/privacy.
- Logging and monitoring. We maintain logs of key activities (API calls, errors, authentications, etc.) in our systems, which are monitored for anomalies. We may integrate logging and alerting with services like Sentry or Mantle to ensure prompt incident response. Access logs and system activity logs help us audit and troubleshoot as needed. We use technical monitoring tools (such as Mantle) to track system performance, errors, and stability. These tools are not configured to collect personal data of merchants or their customers.
- Incident management. We have an incident response plan for handling security events. This includes procedures for identification, containment, investigation, and recovery. If a security incident occurs (for example, unauthorised access to systems), we will promptly contain it, investigate the scope, and notify affected users and authorities as required by law. We will describe the nature of the incident, data categories affected, potential consequences, and remediation steps.
- Business continuity and backup. We perform regular backups of critical data (encrypted at rest) and store them securely. For example, our database is backed up daily via Heroku’s services, and we test our recovery procedures. Our application infrastructure is designed with redundancy and failover mechanisms to ensure availability in case of outages.
- Testing and auditing. We periodically review and audit our information collection, storage, and processing practices, including physical security measures. We conduct security audits and risk assessments, and any identified issues are addressed. We may obtain third-party certifications or assessments (such as SOC 2 or ISO 27001) and can provide summaries of these reports to enterprise customers on request.
- Employee training. Our team members are trained on data protection best practices and the importance of confidentiality and privacy. Employees undergo background checks (as permitted by law) and sign confidentiality agreements. We provide regular security awareness training, including phishing awareness and data handling procedures.
While we strive to use commercially acceptable means to protect your personal data, no method of transmission or storage can be 100% secure. In the unlikely event of a data breach affecting your personal data, we will notify you and the appropriate authorities without undue delay (within 72 hours), and provide guidance on steps you can take to protect yourself.
Cookies
Our Shopify Apps do not set any cookies or tracking technologies on a store’s site. We rely entirely on Shopify’s existing cookies to manage sessions and other functionality on the merchant’s store. When we refer to sessions in this Policy, we mean sessions of store owners or their staff using our app interfaces, not the customers of the store.
On our own marketing website and in our app admin interfaces (used by store owners), we may use a limited number of cookies and similar technologies to ensure the site and app function correctly and to support basic configuration. These technologies fall into the following categories:
- Necessary Cookies: Required for the operation of our websites or app admin interfaces (for example, to keep a store owner logged in to their admin session or to perform essential security checks).
- Preference Cookies: Remember certain choices made by store owners (such as language or interface settings) to provide a more personalised experience.
We may also use technical monitoring tools, such as Mantle, which use pixels or similar technologies to help us understand the performance, stability, and usage of our Apps and admin interfaces (for example, error rates or general usage metrics). These tools are used for operational and security purposes only. They are not used to track store customers on storefronts, to build marketing profiles, or to serve cross-site advertising.
Cookies and similar technologies on our marketing site or admin interfaces may be first-party (set by us) or, where applicable, set by our service providers acting on our instructions. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies or to alert you when a cookie is being placed. Please note that disabling necessary cookies may affect some features of our Services. For more information on managing cookies, refer to your browser’s help documentation.
Your Rights and Choices
Depending on your jurisdiction, you may have certain rights regarding your personal data. We are committed to honouring these rights. Below, we outline key rights and how you can exercise them.
- Right to access. You have the right to confirm whether we are processing your personal data and, if so, to obtain a copy of the data we hold about you. We will provide this information free of charge within a reasonable timeframe. For example, a merchant can request a copy of their account and store data from us. If you are an end-user (customer of a merchant’s store) and want to access your data, you should first contact the merchant (store owner), who can retrieve data from Shopify and our Apps; we will assist the merchant as needed to fulfil such requests.
- Right to rectification. If you believe any personal data we hold about you is incorrect or incomplete, you have the right to request correction. For instance, if you’re a merchant and your contact email has changed, you can update it in your account settings or ask us to update our records. We will correct your data and notify any processors to whom we have sent the incorrect data, as required by law.
- Right to deletion (erasure). You have the right to request that we delete the personal data we hold about you, subject to certain exceptions. If you are a merchant, you can uninstall our Apps at any time, and we will delete your account data as described in the Data Retention section above. You may also request the deletion of your data by contacting us. If we have legal obligations (for example, to retain certain records), we may not delete data until those obligations are satisfied. If you are a customer of a Shopify store using our App, please contact the store owner first. The merchant can then initiate a deletion request via Shopify. Shopify will send our App a customers/redact or shop/redact webhook in accordance with Shopify’s schedule (typically within 48 hours after receiving your request). Upon receiving the applicable webhook, we delete the relevant data we hold without undue delay, typically within minutes. Please note that Shopify may delay delivery of the customers/redact webhook based on its internal grace period and chargeback rules.
- Right to restrict processing. You can request that we restrict or pause the processing of your personal data in certain situations (for example, if you contest the accuracy of the data, or if you have objected to our processing and we are reviewing our grounds). When processing is restricted, we will still store your data but will not use it (except for necessary compliance with legal obligations) until the issue is resolved. We will inform you when the restriction is lifted.
- Right to data portability. To the extent you have provided personal data to us and we process it by automated means based on consent or contract, you have the right to receive that data in a structured, commonly used, machine-readable format (e.g., CSV or JSON) and to transmit it to another controller if technically feasible. For merchants, much of your data (e.g., store data) can be exported from Shopify directly; for any data stored in our systems, we will provide an export upon request.
- Right to object. You have the right to object to our processing of your personal data when the processing is based on legitimate interests or for direct marketing. If you object, we will cease the processing unless we have compelling legitimate grounds to continue. For example, if you object to our use of analytics data under legitimate interest grounds, we will stop that processing unless we determine we have a stronger justification to continue.
- Right to withdraw consent. If we rely on your consent for processing, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before the withdrawal. For instance, you can unsubscribe from our marketing emails or disable optional cookies to withdraw consent.
We intend to honour rights as required by applicable law, and we apply the same procedures described here to data subjects from all jurisdictions. To exercise any of your rights, please contact us as described below. Clearly describe your request and which right you wish to exercise. We will verify your identity before fulfilling your request to ensure we do not disclose or delete data in error. We may ask you to confirm information (such as an email address or recent transaction) to verify your identity, or to use an authorised agent with proof of authorisation.
We will do our best to respond to your requests as soon as possible or within a reasonable period, taking into account the complexity of the request, typically within 30 days from the date of request submission, unless the request is particularly complex or we are processing a high volume of requests. If we need more time, we will notify you of the reason and the expected extension. If we cannot comply with your request (for example, if a legal obligation prevents us), we will explain why as permitted by law.
You also have the right to lodge a complaint with a supervisory authority or data protection agency if you believe we have violated your privacy rights. For example, individuals in the EU/UK can complain to their national Data Protection Authority, and Canadians can complain to the Office of the Privacy Commissioner of Canada. We encourage you to contact us first so that we may address your concerns.
For individuals in the Kingdom of Saudi Arabia, we also comply with the Saudi Personal Data Protection Law (PDPL). You have rights broadly equivalent to those described in this section, and you may also lodge a complaint with the Saudi Data & AI Authority (SDAIA).
Notice For California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (“CCPA”), which went into effect on January 1, 2020. Some of these rights overlap with those above. The provisions of this Privacy Policy apply to you, together with the additional rights below concerning the processing of your personal data under the CCPA.
These include: (a) the right to know what categories of personal information we have collected about you in the past 12 months, the sources of that information, and the purposes for which it was collected or shared; (b) the right to request a disclosure of the specific pieces of personal information we have collected about you; (c) the right to know if we have “sold” or shared your information for cross-context behavioral advertising (as defined by CCPA) and the categories of third parties; (d) the right to opt-out of the “sale” or “sharing” of your personal information for targeted advertising; (e) the right to request deletion of your personal information (subject to exceptions); (f) the right to correct inaccurate personal information; and (g) the right to non-discrimination for exercising your CCPA rights (we will not deny you service or charge a different price for exercising your privacy rights). We do not sell personal data for money, and any data sharing for ads is explained in the “Behavioural Advertising” section above. If you wish to exercise any California privacy rights, please follow the instructions below or use the “Do Not Sell or Share My Personal Information” link if available on our website.
We will not discriminate against you for exercising any of your CCPA rights. Please contact us if you have any further questions regarding your rights under the CCPA (see the “Contact Information” section for contact details). Your request should be a verifiable consumer request related to your personal information. The verifiable consumer request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information or an authorised representative, and must describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. All requests must be labelled “California Resident Request” in the email subject line.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. We will reply within 45 days of receipt of the request. If we need more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response electronically.
Shopify App Privacy Compliance
As a developer on the Shopify platform, we adhere to Shopify’s requirements for data handling. We have implemented Shopify’s mandatory webhooks for data erasure and privacy requests, including customers/data_request, customers/redact, and shop/redact. This means that if a merchant’s customer requests to access or delete their data via Shopify, or if the store uninstalls our App, Shopify notifies us through these webhooks. Upon receiving a customers/data_request webhook, we will provide the store owner with all relevant personal data of the customer that our App has stored, so the merchant can fulfil the access request. Shopify controls when customers/redact and shop/redact webhooks are sent, including potential delays for customers/redact based on its grace period and chargeback rules and a typical delay of up to 48 hours after uninstallation for shop/redact. Upon receiving a customers/redact or shop/redact webhook, we delete the requested data from our systems without undue delay, typically within minutes. We always respond with the required 200 status to confirm receipt of these requests to Shopify.
Furthermore, we only request Shopify data that is necessary for our Apps to function, and we limit our access scopes to the minimum needed. For example, if an App only needs order data, we request only the orders scope. We abide by Shopify’s data use guidelines, using store data only to provide app functionality to that merchant and not for unrelated purposes. We do not use data from one merchant’s store for the benefit of another, and we do not mine or aggregate Shopify data outside the bounds of Shopify’s terms. If you have questions about what data a specific App accesses, please refer to that App’s Shopify listing (which details its access scopes) or contact us for clarification.
Children’s Privacy
Our Services are not directed to children under the age of 13, nor intended for individuals under the age of 16 in the EEA/UK (or under the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you are under 13 (or the relevant minimum age), please do not use our Apps or send us personal information. Merchants should not use our Services to intentionally collect data from children, and are responsible for complying with child privacy laws (such as COPPA) if their store is directed to children. If we become aware that we have inadvertently collected personal data from a child without parental consent, we will delete that information as soon as possible. If you are a parent or guardian and believe we might have information about a child, please contact us immediately to have it removed.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make changes, we will post the updated Policy on our website and update the “Last Updated” date above. If the changes are significant, we may also notify merchants via email or the Shopify App interface. We encourage you to review this Policy periodically. Continued use of our Services after we publish changes constitutes acceptance of those changes (where permitted by law). If you do not agree to the updated Policy, you should stop using the Services and can request deletion of your data as described above.
If the Company is acquired or merged with another entity, your information may be transferred to the new owner so that the Services can continue. If such a transfer materially affects how your data is used, we will give you notice and an opportunity to exercise your rights (such as opting out) as required by law.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us at:
Refactor Plus Systems and Software LLC
Email: support@refactorplus.com, legal@refactorplus.com
Data Protection Officer: Karyna Al-Reyahi, karina@refactorplus.com
For privacy-specific inquiries, please include “Privacy Request” in the subject line to ensure it reaches our data protection team. We will respond to your inquiries as promptly as possible, generally within 30 days, depending on the nature of your request. Your trust is important to us, and we welcome your feedback on our privacy practices.