Privacy Policy

2. Who we are

Data Controller for soptim.app website visitors: SOptim, Singapore.

Data Processor for Shopify merchant data: SOptim acts as a Processor on behalf of the merchant (Controller). See our Data Processing Agreement.

Contact: [email protected]

3. Information we collect

3.1 Information you provide directly

• Shopify shop domain and shop ID (when you install the app)
• App settings and preferences you configure
• Support communications (email, in-app messages)

3.2 Information collected automatically when you use the SOptim app

• Store metadata: products count, theme, installed apps (via Shopify Admin API)
• Audit data: storefront HTML content (temporary, used for app fingerprint detection and discarded within 24 hours), Lighthouse performance scores, detected third-party apps, estimated monthly subscription costs
• Bot Shield event data: IP addresses (hashed using SHA-256 with a rotating salt — never stored in plaintext), user agent strings, HTTP referer, browser fingerprint hash, behavioral signals (screen size, navigator plugins, mouse-move patterns), timestamps
• Subscription status and plan history

3.3 Information about your customers (where applicable)

• Customer IDs (Shopify-assigned, when Bot Shield blocks suspicious accounts)
• Email addresses (only when blocking accounts via Shopify customer tags — we never read merchant customer emails for marketing or other purposes)

3.4 Information collected on soptim.app website

• Standard server logs: IP address, browser type, pages visited, time of visit
• Cookies: we use a single essential cookie for session management. No third-party tracking cookies.
• We do NOT use Google Analytics, Facebook Pixel, or similar tracking on the marketing site.

4. How we use information

• Operate the SOptim app features (audit, bot detection, blocking)
• Generate audit reports and PDF deliverables
• Detect and prevent bot traffic, card testing, fake signups, and fraud
• Build cross-shop intelligence (anonymous, aggregated patterns only — no merchant-identifiable data shared)
• Process payments via Shopify Billing API
• Send transactional emails (account, billing, security alerts)
• Provide customer support
• Improve the Service via aggregated, de-identified analytics
• Comply with legal obligations

We do NOT:

• Sell your data or your customers' data to third parties
• Use merchant data for advertising or marketing other products
• Train AI models on merchant or customer data
• Share merchant store performance data with competitors or other merchants individually

5. Legal bases for processing (GDPR)

For EU/EEA/UK merchants and their customers, we process personal data under these legal bases:

• Contract: processing necessary to provide the Service you've installed
• Legitimate interests: bot detection and security (Article 6(1)(f))
• Consent: where required, e.g. for non-essential cookies on marketing site
• Legal obligation: to comply with applicable laws

6. Information sharing

We share information only with:

6.1 Sub-processors (service providers acting on our behalf)

• Shopify Inc. (USA / Canada) — required for app operation
• DigitalOcean Inc. (USA) — infrastructure hosting (US-East region)
• Cloudflare Inc. (USA) — CDN, DDoS protection, WAF
• Resend Inc. (USA) — transactional email delivery
• Sentry (USA) — error monitoring (no personally identifiable data sent)
• PostHog Inc. (USA / EU) — product analytics (anonymized events only)
• Better Stack (Czech Republic / EU) — uptime monitoring

Full sub-processor list: soptim.app/dpa.

6.2 Legal compliance

We may disclose information if required by law, court order, or government request, or to protect rights, safety, and property.

6.3 Business transfers

If we are acquired or merge with another company, your information may be transferred. We will notify you before this happens and you'll have the opportunity to delete your data.

6.4 Aggregate benchmarking data

SOptim may publish aggregated, anonymized data derived from merchant audits in the form of industry benchmarks, theme comparisons, app performance rankings, and similar research content on our public website ("SOptim Hub"). This published data:

• Is fully aggregated across many merchants (no individual store identifiable)
• Contains NO personal information (no customer data, no contact details, no specific revenue figures)
• Contains NO shop-identifying information (shop names, URLs, or unique identifiers)
• Includes only statistical patterns: average performance scores, app adoption rates, theme popularity, cost benchmarks by industry

Examples of permitted aggregate publishing:

• "Dawn theme has average Lighthouse score of 87 across 500+ stores"
• "Beauty category stores average $156/month on apps"
• "Stores using Klaviyo show 12% better email engagement than Mailchimp"

Merchants may opt out of aggregate benchmark inclusion at any time via app Settings. Opting out:

• Removes your shop data from future aggregate calculations
• Does NOT remove already-published aggregate research (no individual identification possible)
• Does NOT affect Service functionality

6.5 Affiliate links and recommendations

SOptim may earn affiliate commissions when merchants click certain product links in the app or on our website. This includes:

• App recommendations in the SOptim app interface
• Theme suggestions in audit reports
• Featured listings in SOptim Hub articles
• Outbound links to Shopify partner products

Commission earnings do NOT influence:

• Audit results or scoring
• Bot detection logic
• Performance recommendations objectivity
• Pricing for SOptim subscriptions

All affiliate links are clearly disclosed in context. Merchants may dismiss recommendation suggestions at any time. SOptim's primary revenue source remains merchant subscription fees.

6.6 Affiliate payout data

If you participate in the SOptim Affiliate Program and request a cash payout, we collect your PayPal email address or Wise account details solely to process your payment. This information is not shared with third parties beyond the payment processor required to complete your transaction. We retain these details only for the duration of your active participation in the program plus the legal record-retention period for financial transactions.

7. Data retention

• Shop account data: retained while the app is installed + 48 hours after uninstall (then automatically deleted)
• Audit data: 90 days from creation, then deleted
• Bot Shield events: 30 days (Free tier: 7 days), then deleted
• Subscription history: 7 years (for tax / compliance), then deleted
• Support communications: 2 years from last contact
• Customer redact requests (GDPR Article 17): processed and deleted within 30 days

8. Data security

We implement appropriate technical and organizational measures including:

• TLS 1.3 encryption in transit
• AES-256 encryption at rest for sensitive fields
• IP address hashing (never stored plaintext)
• Database access controls and audit logging
• Quarterly security reviews
• Bcrypt password hashing for any admin auth
• HTTPS-only with HSTS + Cloudflare WAF
• Regular backups with encryption

No system is 100% secure. We will notify affected users and Shopify within 72 hours of discovering any data breach affecting personal data.

9. International data transfers

SOptim primarily stores data in the United States (US-East region). For EU / UK merchants:

• Transfers rely on Standard Contractual Clauses (SCCs) per EU Commission Decision 2021/914
• Additional safeguards: encryption in transit and at rest, access controls, sub-processor due diligence
• Cloudflare and DigitalOcean both maintain GDPR-compliant data processing terms

You may request a copy of the SCCs by emailing [email protected].

10. Your rights

10.1 EU / EEA / UK residents (GDPR) — you have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Restrict processing
• Data portability
• Object to processing
• Withdraw consent at any time
• Lodge a complaint with your supervisory authority

10.2 California residents (CCPA / CPRA) — you have the right to:

• Know what personal information is collected, used, shared, or sold
• Delete personal information collected
• Opt-out of sale (we do not sell personal information)
• Non-discrimination for exercising rights

10.3 Singapore residents (PDPA) — you have the right to:

• Access your personal data held by us
• Correct or update inaccurate data
• Withdraw consent for processing (where consent is the basis)
• File a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg

We comply with the Singapore Personal Data Protection Act 2012. Our Data Protection Officer can be reached at [email protected].

10.4 How to exercise your rights

Email [email protected] with your request. We will respond within 30 days (GDPR) or 45 days (CCPA).

For merchants: most data rights can be exercised directly through the SOptim app settings (export, delete account). For customers of merchants using SOptim: please contact the merchant first, as they are the Data Controller. We will assist the merchant in fulfilling your request.

11. Shopify GDPR webhooks

SOptim implements all required Shopify mandatory webhooks:

• customers/data_request — we provide merchant data within 30 days
• customers/redact — we delete customer data within 30 days of request
• shop/redact — we delete all shop data 48 hours after app uninstall, with full purge within 30 days

12. Children's privacy

SOptim is not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child, contact [email protected] immediately.

13. Changes to this Policy

We may update this Policy from time to time. We will notify merchants via in-app notice and email at least 30 days before material changes take effect. Continued use after changes constitutes acceptance.

14. Contact

For privacy questions, data access requests, or complaints:

Email: [email protected]
Mail: SOptim, Singapore

EU representative (if required by GDPR Article 27): to be appointed once EU merchant base exceeds threshold.