Ape-X Free Shipping Bar Privacy Policy

1. Information We Collect

1.1 Store Information

When you install our App, we collect and store:

• Store Domain: Your Shopify store URL (e.g., yourstore.myshopify.com)
• Store Owner Information: Name, email address, and user ID of the Shopify store administrator
• Installation Data: Date and time of app installation and uninstallation
• Subscription Information: Your current plan (Free or Premium), billing status, and subscription history

1.2 Authentication Data

To securely connect to your Shopify store, we collect:

• Access Tokens: OAuth tokens to access your Shopify store data
• Session Data: Authentication state, scope permissions, and session expiration information
• API Credentials: Encrypted credentials to communicate with Shopify's API

1.3 App Configuration Data

We store your shipping bar configurations, including:

• Bar Settings: Threshold amounts, currencies, messages, colors, fonts, and positioning
• Premium Features Settings: Gradient colors, progress bar settings, motion effects, customer targeting rules, and market targeting preferences
• Display Rules: Page exclusion lists, product exclusions, and clickable link URLs

1.4 Analytics Data (Premium Feature Only)

For Premium subscribers, we collect aggregated performance metrics:

• Session Metrics: Number of sessions where shipping bars were displayed
• Interaction Metrics: Number of clicks on shipping bars
• Device Information: Aggregated counts of desktop vs. mobile impressions and interactions
• Order Tracking: Order IDs, order values, order creation dates, currency codes, and the shipping bar context at time of purchase
• Date-Based Aggregation: Daily summaries of the above metrics

1.5 Promo Code Usage

We track promotional code redemption to prevent duplicate usage:

• Store domain
• Promo code used
• Subscription ID
• Usage status (pending/confirmed)
• Redemption timestamp

1.6 Technical Information

We automatically collect:

• Error Logs: Application errors and debugging information for troubleshooting
• Performance Metrics: App response times and system health data

2. How We Use Your Information

2.1 Core App Functionality

• Authenticate your store and maintain secure sessions
• Display shipping bars on your storefront according to your configuration
• Process subscription payments and manage your plan
• Apply promotional codes and track their usage

2.2 Premium Features (Premium Plan Only)

• Generate analytics dashboards showing shipping bar performance
• Track order conversions attributed to shipping bar interactions
• Enable geotargeting based on Shopify Markets
• Provide customer segmentation capabilities

2.3 Service Improvement

• Diagnose and fix technical issues
• Monitor app performance and uptime
• Improve app features and user experience

2.4 Communication

• Send transactional emails related to your subscription (e.g., trial reminders, billing confirmations)
• Respond to your support requests
• Notify you of important app updates or security issues

2.5 Legal Compliance

• Comply with GDPR, CCPA, and other data protection regulations
• Respond to legal requests and prevent fraud
• Enforce our Terms of Service

3. Information Sharing and Disclosure

We do NOT sell, rent, or trade your information to third parties. We only share information in the following limited circumstances:

3.1 Service Providers

We share information with trusted third-party service providers who assist us in operating our App:

• Shopify: We use Shopify's API and infrastructure to integrate with your store. Shopify's own Privacy Policy governs their data practices.
• Fly.io: Our hosting provider where app infrastructure and databases are located (servers in United States - IAD region).
• Google Gmail SMTP: Used to send transactional and support emails.

All service providers are contractually bound to maintain the confidentiality and security of your information.

3.2 Legal Requirements

We may disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to:

• Comply with legal obligations
• Protect our rights, property, or safety
• Prevent fraud or abuse
• Respond to emergencies

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice in the App before your information becomes subject to a different privacy policy.

4. Data Retention

We retain your information for as long as necessary to provide the App services and comply with legal obligations:

4.1 Active Accounts

• Store Data: Retained for the duration of your app installation
• Analytics Data: Retained for 60 days after each activity
• Session Data: Retained for 60 days after each activity

4.2 Deleted Accounts

• Automatic Deletion: When you uninstall the App, we automatically delete all your data within 48 hours via our GDPR compliance webhooks
• Data Included in Deletion: Sessions, shop installation records, analytics data, order tracking data, and promo usage records

4.3 Backup Retention

• Database Backups: Encrypted backups are retained for 30 days for disaster recovery purposes
• Backup Deletion: Backups containing deleted data are permanently removed after 30 days

5. Data Security

We implement industry-standard security measures to protect your information:

5.1 Technical Safeguards

• Encryption in Transit: All data transmitted between your browser, our servers, and Shopify uses TLS 1.2+ encryption
• Encryption at Rest: Database files are encrypted using AES-256 encryption
• Access Controls: Multi-factor authentication and role-based access for our team
• Secure Hosting: Infrastructure hosted on Fly.io with SOC 2 compliance
• SQL Injection Prevention: All database queries use parameterized statements via Prisma ORM

5.2 Operational Safeguards

• Security Headers: Content Security Policy (CSP), HSTS, X-Content-Type-Options, and other protective headers
• Rate Limiting: Protection against brute force attacks and API abuse
• Regular Security Audits: Periodic vulnerability assessments and code reviews
• Minimal Data Collection: We only collect data necessary for app functionality
• No Root Access: Application runs as non-privileged user in production environment

5.3 Authentication Security

• OAuth 2.0: Secure token-based authentication with Shopify
• Short-Lived Tokens: Session tokens expire after inactivity
• No Password Storage: We never store or have access to your Shopify password

5.4 Incident Response

In the unlikely event of a data breach:

• We will notify affected users within 72 hours
• We will report the breach to relevant authorities as required by law
• We will take immediate action to contain and remediate the breach

6. Your Rights and Choices

6.1 Access and Portability

You have the right to:

• Access all data we store about your store
• Request a copy of your data in machine-readable format (JSON)
• Review analytics and configuration data via the App dashboard

How to Exercise: Contact us at iain@ape-x.shop with your store domain

6.2 Correction and Modification

You have the right to:

• Update your shipping bar configurations at any time via the App interface
• Modify subscription settings and billing information
• Correct inaccurate store information

How to Exercise: Make changes directly in the App or contact support

6.3 Deletion (Right to Be Forgotten)

You have the right to:

• Delete all your data by uninstalling the App (automatic within 48 hours)
• Request immediate deletion by contacting support
• Request deletion of specific data categories (e.g., analytics only)

How to Exercise: Uninstall the App from your Shopify admin, or contact iain@ape-x.shop

6.4 Objection and Restriction

You have the right to:

• Opt out of analytics tracking by downgrading to the Free plan
• Disable email notifications (except critical billing and security emails)
• Object to automated decision-making (we do not use automated profiling)

How to Exercise: Contact iain@ape-x.shop

6.5 Complaint

If you believe we have violated your privacy rights, you may file a complaint with:

• Our team: iain@ape-x.shop
• Your local data protection authority: Contact information available at https://edpb.europa.eu/about-edpb/board/members_en

7. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

7.1 Legal Basis for Processing

We process your data based on:

• Contract Performance: To provide the App services you requested (Art. 6(1)(b) GDPR)
• Legitimate Interests: To improve our services, prevent fraud, and ensure security (Art. 6(1)(f) GDPR)
• Consent: For optional features like analytics (Art. 6(1)(a) GDPR)
• Legal Obligation: To comply with tax and financial regulations (Art. 6(1)(c) GDPR)

7.2 Data Transfers

Your data may be transferred to and processed in countries outside the EEA, specifically the United States (Fly.io IAD region). We ensure adequate protection through:

• Standard Contractual Clauses (SCCs): Approved by the European Commission
• Service Provider Commitments: Contractual obligations to maintain GDPR-level protection
• Encryption: All data encrypted in transit and at rest

7.3 Data Protection Officer

For GDPR-related inquiries, contact our team at:

• Email: iain@ape-x.shop
• Subject Line: "GDPR Inquiry"

7.4 GDPR Compliance Features

We have implemented:

• Automated Data Deletion: Webhooks that automatically delete data upon app uninstallation
• Data Request Handling: Ability to export all your data within 30 days
• Customer Data Redaction: Automatic deletion of customer order data upon request
• Privacy by Design: Minimal data collection architecture

8. CCPA Compliance (California Users)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

8.1 Categories of Information Collected

In the past 12 months, we have collected the following categories of personal information:

• Identifiers: Store domain, email address, user ID
• Commercial Information: Subscription plan, billing information, promo code usage
• Internet Activity: Session data, app usage patterns, error logs
• Professional Information: Store owner name and role

8.2 California Consumer Rights

You have the right to:

• Know: Request disclosure of the categories and specific pieces of information we collect
• Delete: Request deletion of your personal information (with limited exceptions)
• Opt-Out: Opt out of the sale of personal information (we do NOT sell your information)
• Non-Discrimination: Exercise your rights without discriminatory treatment

How to Exercise: Contact iain@ape-x.shop with "CCPA Request" in the subject line

8.3 Do Not Sell My Personal Information

We do NOT sell your personal information to third parties. We have not sold personal information in the past 12 months.

8.4 Authorized Agent

You may designate an authorized agent to make requests on your behalf. We may require proof of authorization.

9. Children's Privacy

The App is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at iain@ape-x.shop, and we will delete it promptly.

10. Cookies and Tracking Technologies

10.1 Storefront Tracking (Customer-Facing)

On your customers' browsers, we use:

• Session IDs: Temporary identifiers stored in sessionStorage to track bar interactions during a browsing session
• No Third-Party Cookies: We do not use cookies or third-party tracking on customer storefronts
• No Cross-Site Tracking: We do not track customers across different websites
• Automatic Expiration: Session data expires when the browser session ends

10.2 App Admin Interface

For store administrators using the App dashboard:

• Authentication Cookies: Shopify manages authentication cookies in the embedded app interface
• Session Management: We store a session ID to maintain your logged-in state

10.3 Your Cookie Choices

• Customers can clear sessionStorage by closing their browser
• Store administrators can clear browser cookies through browser settings
• Disabling cookies may affect App functionality

11. Third-Party Links

The App may contain links to third-party websites or services (e.g., documentation, support resources). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

12. International Data Transfers

Our App is hosted in the United States (Fly.io IAD region). If you access the App from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the App, you consent to this transfer, subject to the protections described in Section 7.2 (GDPR) and this Privacy Policy.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

13.1 Notification

• We will update the "Last Updated" date at the top of this policy
• We will notify you via email at least 30 days before changes take effect
• We will display a notice in the App dashboard

13.2 Your Acceptance

• Continued use of the App after changes take effect constitutes acceptance of the updated policy
• If you do not agree with changes, you may uninstall the App

13.3 Version History

You can request previous versions of this Privacy Policy by contacting iain@ape-x.shop

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Ape-X Performance and Fitness Limited
Email: iain@ape-x.shop
Subject Line: "Privacy Policy Inquiry"

Response Time: We aim to respond to all inquiries within 48 hours (business days).

For GDPR-specific inquiries, please include "GDPR Inquiry" in the subject line.
For CCPA-specific inquiries, please include "CCPA Request" in the subject line.

15. Data Processing Summary

For transparency, here is a summary of our data processing activities: