Privacy Policy
Effective Date: April 28, 2026
1. Introduction
SupaPop ("we," "us," or "our") provides a Shopify application that enables merchants to create interactive popups with quiz-based routing, survey collection, and analytics. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our application, whether as a merchant installing the app or as an end user (visitor or customer) interacting with popups on a merchant's store.
By using SupaPop, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 End User Data (Store Visitors and Customers)
When you interact with a SupaPop popup on a merchant's online store, we may collect the following information:
- Contact information: Email address, phone number, and custom form fields including first name, last name, and city, as provided by you through popup forms.
- Survey responses: Answers you provide to quiz or survey questions within popups.
- Visitor identifier: A randomly generated UUID stored in your browser's localStorage. This is not a cookie, does not persist across browsers, and cannot be used to track you across websites.
- Interaction data: Page URL where the popup was displayed, impression timestamps, step view timestamps, and dismiss timestamps.
- Conversion data: If a merchant has conversion tracking enabled, we may associate your popup submission with a Shopify order to measure popup effectiveness. See section 3 (Shopify Protected Customer Data) for the full list of order fields we access and how they are used.
2.2 Merchant Data
When a merchant installs SupaPop, we collect:
- Shopify store information: Store domain and store name, obtained through the Shopify OAuth flow.
- Shopify session tokens: Encrypted OAuth access tokens required to operate within the Shopify admin.
- Klaviyo API key: Provided by the merchant and stored in encrypted form, used solely to sync data to the merchant's Klaviyo account.
- App configuration: Popup designs, survey questions, routing rules, and analytics settings configured by the merchant.
2.3 Information We Do NOT Collect
- We do not use cookies or any cookie-based tracking.
- We do not use browser fingerprinting.
- We do not embed third-party tracking scripts (no Google Analytics, Facebook Pixel, or similar).
- We do not collect payment or financial information directly.
3. Shopify Protected Customer Data
SupaPop requests the read_orders scope from Shopify to enable revenue attribution analytics for popup conversions. This section discloses, in detail, the protected customer data fields we access from Shopify, why we access them, and how they are stored and retained, in accordance with Shopify's Protected Customer Data Policy.
3.1 Order Fields We Access
We access the following fields from Shopify orders via the orders/create, orders/cancelled, and refunds/create webhooks, and via the Shopify Admin REST API for historical backfill when a merchant first installs the app:
- Order ID: Used to deduplicate conversion records and to link refunds to the original order.
- Customer email (primary email and contact_email fields): Used solely to match an order to a popup submission for revenue attribution. Customer email from the order object is processed in-memory at the time of webhook receipt and is not stored in our database.
- Order total: Used to calculate popup-attributed revenue.
- Order creation timestamp: Used to associate orders with the correct attribution time window.
- Custom cart attributes (the supapop_visitor_id note attribute only): Used as a fallback attribution method when email matching does not find a corresponding popup submission.
- Customer order count: Used to flag whether the order is from a new or returning customer for cohort analytics.
- Refund ID, refund's order ID, and refund line item subtotals: Used to adjust attributed revenue when an order is refunded or cancelled.
3.2 Customer Data We Do Not Access
In keeping with the principle of data minimization, SupaPop does not access, request, store, or process the following protected customer data fields, even though they may be available under the read_orders scope:
- Customer first or last name
- Customer phone number (except via the customers/redact webhook payload, which we use solely to comply with deletion requests)
- Shipping addresses
- Billing addresses
- Line items, products, SKUs, or quantities
- Order status, payment status, or fulfillment status
- Customer IP address, user agent, or device data
- Any other customer or order field not explicitly listed in section 3.1
3.3 What We Store vs. What We Process Transiently
Of the fields listed in section 3.1, only the following are persisted to our database:
- Shopify order ID
- Order total
- Order creation timestamp
- New-vs-returning customer flag (boolean)
- Refund ID, refund amount, and refund timestamp
Customer email from the order object is used at the moment of webhook receipt to find a matching popup submission and is then discarded; it is not written to our conversion records. The corresponding popup submission record contains the email originally provided by the end user through the popup form, linked to the conversion record by foreign key.
3.4 Purpose Limitation
We use protected customer data exclusively for the following purposes:
- Generating revenue attribution analytics for the installing merchant
- Calculating cohort metrics, including new-vs-returning customer revenue breakdowns
- Adjusting analytics for refunds and cancellations
We do not sell, rent, share, or otherwise disclose protected customer data to any third party, and we do not aggregate it across merchants. Each merchant's analytics are siloed at the database level.
3.5 Retention and Deletion of Protected Customer Data
Order and refund records are retained only as long as the installing merchant's account remains active. When a merchant uninstalls SupaPop, we honor Shopify's shop/redact webhook (delivered 48 hours after uninstall) by performing a full cascade deletion of all associated order and conversion records. Individual customer redaction requests delivered via the customers/redact webhook are processed within 30 days of receipt by anonymizing the corresponding popup submission and any linked conversion data.
3.6 Data Subject Rights for Protected Customer Data
Because SupaPop acts as a data processor on behalf of the merchant (data controller), individual customers wishing to exercise rights of access, correction, or deletion regarding protected customer data should contact the merchant whose store they interacted with. The merchant can initiate the request through the Shopify platform, which delivers it to our customers/data_request or customers/redact webhook handlers. We respond to such requests within the timeframes required by Shopify's Protected Customer Data Policy and applicable law.
4. How We Use Information
We use the information we collect for the following purposes:
- Providing our service: Displaying popups, processing form submissions, routing survey answers to the appropriate Klaviyo lists and flows.
- Analytics and reporting: Generating aggregated analytics dashboards for merchants, including impression counts, conversion rates, revenue attribution, step funnels, and cohort analysis.
- Service improvement: Understanding usage patterns to improve our application's features and performance.
- Compliance: Responding to GDPR data requests, legal obligations, and Shopify platform requirements.
5. Information Sharing and Third Parties
We share information only in the following circumstances:
- Klaviyo: End user contact information and survey responses are sent to the merchant's Klaviyo account via the merchant's own API key. This data sharing is initiated and controlled by the merchant.
- Shopify: We interact with the Shopify platform via OAuth for authentication and to access store data necessary for our service.
- Infrastructure providers: We use Supabase for database hosting and Railway for application hosting. These providers process data on our behalf under appropriate data processing agreements.
- Legal requirements: We may disclose information if required by law, regulation, or legal process.
We do not sell, rent, or trade personal information to third parties for marketing purposes.
6. Data Retention
- End user submission data: Retained for as long as the merchant's account is active with SupaPop.
- Analytics data: Impression, step view, dismiss, and conversion records are retained for as long as the merchant's account is active.
- GDPR data request responses: Compiled data request files are stored for 30 days and then automatically deleted.
- After merchant uninstall: When a merchant uninstalls SupaPop, we process a shop redaction that performs a full cascade deletion of all merchant data and associated end user data.
7. Data Security
We implement appropriate technical and organizational measures to protect the information we process:
- Klaviyo API keys are stored in encrypted form.
- All data transmission uses HTTPS/TLS encryption.
- Database access is restricted and authenticated.
- Shopify session tokens are managed through Prisma with secure storage.
- Our storefront script includes XSS protection helpers (URL sanitization, color sanitization, style value sanitization).
8. Your Rights
8.1 GDPR Rights (European Economic Area)
If you are located in the EEA, you have the following rights under the General Data Protection Regulation:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your personal data. Our customer redact handler anonymizes email, phone, and custom form fields.
- Right to restrict processing: Request limitation of how we process your data.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing of your data in certain circumstances.
SupaPop acts as a data processor on behalf of merchants (data controllers). To exercise your rights regarding data collected through a merchant's popup, please contact the merchant directly. The merchant can initiate GDPR data requests through the Shopify platform, which we handle via our customer data request and customer redact webhook handlers.
8.2 CCPA Rights (California)
California residents have the right to:
- Know what personal information is collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Request deletion of personal information.
- Not be discriminated against for exercising their CCPA rights.
We do not sell personal information. To make a CCPA request, contact us at privacy@supapop.io.
9. Children's Privacy
Our service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.
10. Cookies and Tracking Technologies
SupaPop does not use cookies. We use a randomly generated UUID stored in the browser's localStorage as a visitor identifier. This identifier:
- Is generated locally in the browser and is not a cookie.
- Cannot track you across different websites or browsers.
- Is used solely to associate popup interactions with a single browsing session on a specific store.
- Can be cleared by the end user at any time by clearing browser storage.
We do not use any third-party tracking scripts, pixels, or beacons.
11. International Data Transfers
Our infrastructure is hosted in the United States. If you are accessing our service from outside the United States, your information may be transferred to, stored, and processed in the United States. We ensure appropriate safeguards are in place in accordance with applicable data protection laws.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify merchants of any material changes through the SupaPop application or via email. The "Effective Date" at the top of this policy indicates when it was last revised.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
SupaPop
Email: privacy@supapop.io