Privacy Policy

Last updated: March 26, 2026

1. Introduction

Profixo ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify application and services.

2. Information We Collect

2.1 Shopify Store Data

When you connect your Shopify store, we collect:

  • Store name, domain, and email
  • Product information (names, prices, costs, variants)
  • Order data (order history, revenue, customer information)

2.2 Account Information

We collect your email address and store owner name to create and manage your account.

2.3 Usage Data

We automatically collect information about how you interact with our service, including IP addresses, browser type, and usage patterns.

3. How We Use Your Information

We use your information to:

  • Analyze your store's profitability and identify profit leaks
  • Generate personalized alerts and recommendations
  • Provide customer support and respond to inquiries
  • Improve our service and develop new features
  • Send important updates about our service
  • Comply with legal obligations

4. Data Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit using HTTPS/TLS
  • Access tokens are stored securely and encrypted
  • We use Supabase for secure database hosting
  • Regular security audits and updates
  • Limited employee access to customer data

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your data only in the following circumstances:

  • Service Providers: We use third-party services (Shopify platform, Supabase, Railway) to operate our service
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

6. Your Rights

You have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to processing of your data
  • Export your data in a portable format
  • Disconnect your store at any time

7. Data Retention and Deletion

We retain your data for as long as your account is active. Upon account closure, all personal data is deleted within 30 days. Aggregated, anonymized analytics data may be retained longer for service improvement purposes.

7.1 Automatic Deletion on App Uninstall

When you uninstall our app from your Shopify store, your store is immediately deactivated and your access token is revoked. All associated data (products, orders, refunds, alerts, and analysis history) is permanently deleted within 48 hours via Shopify's mandatory data erasure process.

7.2 Customer Data Requests

When a customer of your store requests their data or its deletion under GDPR or similar regulations, Shopify notifies us automatically via secure webhooks. We process these requests promptly: data exports are compiled from our records, and deletion requests result in the removal of all order and refund data associated with that customer.

7.3 Third-Party Data Processors

We use the following third-party services to process and store your data:

  • Supabase: Database hosting and storage (encrypted at rest)
  • Railway: Application hosting and deployment
  • Sentry: Error monitoring and performance tracking
  • Shopify Billing API: Subscription billing (handled entirely by Shopify; we never see or store payment card details)
  • Resend: Transactional email delivery

8. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use third-party advertising cookies.

9. GDPR Compliance

For users in the European Economic Area (EEA) and United Kingdom, we comply with the General Data Protection Regulation (GDPR) and UK GDPR.

9.1 Legal Basis for Processing

We process your personal data under the following legal bases as defined in Article 6 of the GDPR:

  • Contract performance (Art. 6(1)(b)): Processing your store data (orders, products, inventory) is necessary to perform the profit analysis service you have contracted with us.
  • Legitimate interests (Art. 6(1)(f)): We process usage data and service logs to maintain security and improve our service, balanced against your privacy rights.
  • Legal obligation (Art. 6(1)(c)): We may process data where required to comply with applicable law.

9.2 Data Controller and Processor Roles

You (the merchant) are the data controller for your customers' personal data. Profixo acts as a data processor on your behalf when processing order data that contains customer information. We process such data solely to provide the contracted service and in accordance with your instructions.

9.3 International Data Transfers

Your data may be transferred to and processed in countries outside the EEA, including the United States, where our infrastructure providers (Supabase, Railway) are hosted. Such transfers are safeguarded by Standard Contractual Clauses (SCCs) as approved by the European Commission, or other appropriate transfer mechanisms under Chapter V of the GDPR.

9.4 Your EEA Rights

In addition to the rights listed in Section 6, EEA residents have the right to lodge a complaint with their local supervisory authority. To exercise any GDPR rights, contact us at [email protected].

10. Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through our service.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:

Email: [email protected]

Response time: Within 48 hours