Bundleboost Bundle1. Who this policy covers
Bundleboost Bundle is an application for Shopify stores. There are two groups whose data we may process:
- Merchants — the store owners and staff who install and use the app.
- Customers — shoppers who interact with a merchant's storefront where Bundleboost is active.
For customer data, the merchant is the “data controller” and Bundleboost acts as a “data processor” — we only process customer data on the merchant's behalf to provide the app's features.
2. Information we collect
We collect only what we need to run the app's bundle, upsell, cart-drawer and analytics features.
From the merchant & store
- Store identifiers and profile: shop domain, store email, currency, locale, and your selected plan.
- App configuration you create: bundles, offers, cart-drawer blocks, templates, styling, and translations.
- Product and collection data needed to build and display offers (titles, images, variants, prices).
From orders & checkout
- Order and line-item data used to attribute bundle conversions and calculate revenue, conversion rate and average order value.
- Aggregated analytics events generated on your storefront, such as widget impressions and add-to-cart actions.
Customer data
- We do not build marketing profiles of shoppers. Limited customer-related data (for example, an email associated with an order) may be processed only where required to deliver a feature or to honor a data-subject request, and is handled per Section 9.
Technical data
- Standard request metadata (such as IP address, browser/user agent and timestamps) and app logs used for security, debugging and abuse prevention.
3. How we use information
- To provide, operate and maintain the app's features for your store.
- To render storefront widgets (bundles, cart drawer, upsells) and post-purchase offers.
- To calculate and display analytics (impressions, conversion rate, AOV, hourly trends).
- To manage your subscription, plan limits and billing through Shopify.
- To provide support and respond to your requests.
- To secure the service, prevent fraud/abuse, and comply with legal obligations.
We do not sell personal information, and we do not use shopper data for advertising.
4. Legal bases (GDPR)
Where the EU/UK GDPR applies, we rely on:
- Contract — to provide the app you (the merchant) installed.
- Legitimate interests — to secure, improve and analyze the service in a privacy-respecting way.
- Legal obligation — to meet Shopify platform requirements and applicable law.
- Consent — where required, for example certain non-essential storefront storage.
6. Sub-processors
We use the following categories of sub-processors to deliver the app:
| Provider | Purpose |
|---|---|
| Shopify | App platform, store data access, and billing |
| Cloud hosting & database provider | Application hosting and storage of app configuration/analytics |
| Cloudinary | Hosting and delivery of images used in your offers |
We can provide an up-to-date list of sub-processors on request.
7. Data retention
We retain data only as long as needed to provide the app or as required by law:
- App configuration & analytics — kept while your store has the app installed.
- On uninstall — your store record and access tokens are removed and configuration is scheduled for deletion.
- Compliance requests — handled within the timeframes described in Section 9.
- Logs — kept for a limited period for security and debugging, then deleted or anonymized.
8. Security
We use industry-standard measures to protect data, including encryption in transit (HTTPS), access controls, and verification of inbound webhooks using Shopify's HMAC signatures. No method of transmission or storage is 100% secure, but we work to protect your information and review our practices regularly.
9. Shopify compliance & data deletion
As a Shopify app, we honor Shopify's mandatory privacy/compliance webhooks:
- customers/data_request — when a shopper requests their data, we surface any customer data we hold so the merchant can fulfill the request.
- customers/redact — we delete customer-related data we hold for that shopper.
- shop/redact — about 48 hours after a store uninstalls, we delete that store's data from our systems.
Shoppers should direct privacy requests to the store (merchant) they purchased from. Merchants can contact us at any time to assist with a request.
10. Your rights
Depending on your location, you may have rights to access, correct, delete, export, or restrict the processing of your personal data, and to object to certain processing. To exercise these rights, contact us using Section 15 — for shopper data, we will coordinate with the relevant merchant. You may also have the right to lodge a complaint with your local data protection authority.
12. International data transfers
Your data may be processed in countries other than where you are located. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers.
13. Children's privacy
The app is intended for businesses and is not directed to children. We do not knowingly collect personal data from children under the age required by applicable law.
14. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify merchants. Continued use of the app after changes take effect constitutes acceptance of the updated policy.
15. Contact us
Questions about this policy or your data? Reach out:
- Email: support@bundleboost.cloud
- App: app.bundleboost.cloud