SyntaxRepairs

Popup Scheduler — Privacy Policy

Effective:

This Privacy Policy explains how the Popup Scheduler Shopify app (the “App”) collects, uses, and protects information when merchants install or use the App and when visitors interact with popups on a storefront.

TL;DR: We store campaign configuration only in your Shopify store metafields and a small, non‑personal plan cache metafield to reduce cold starts. We do not profile customers, we do not sell or share personal information, and the only storefront cookie we set is a functional dismissed flag for the popup.

1) Who we are

Controller (merchant‑facing data): Syntax Repairs, UK.
Processor (storefront data on behalf of the merchant): We act as a data processor/service provider to the merchant for storefront interactions.
Contact: info@syntaxrepairs.co.uk

2) Scope

This Policy covers data handled about merchants and their staff when using the App inside Shopify Admin, and limited technical data about storefront visitors needed to show/dismiss popups. It does not cover a merchant’s own use of customer data in their Shopify store (governed by the merchant’s privacy policy) or Shopify’s processing as platform provider.

3) Data we collect

3.A From Shopify Admin APIs (merchant/staff data)

  • Shop metadata: shop ID (GID), shop domain, shop name, primary locale, store timezone (IANA), and the API scopes granted.
  • Billing status: current app subscription name(s) and status (used to derive a plan and limit for gating popups). We store only the derived plan key and limit in a cache metafield; detailed billing stays within Shopify.
  • Campaign configuration: popup campaigns (schedules, content blocks, styling) saved in the shop metafield pps/campaigns (type JSON).
  • Plan cache: non‑personal JSON written to pps/plan_cache — typically { plan, limit, checkedAt, expiresAt, v } — to allow fast plan checks and mask cold starts.

3.B From storefront runtime (visitors)

  • Functional cookie: ps_dismissed_<campaignId> set to "1" to remember a visitor’s dismissal for the configured snooze days.
  • Runtime debug (optional): When a merchant appends ?pps_debug=1 to a page URL, we log diagnostic values in the browser console (not transmitted to our servers).
  • No tracking: We do not collect personal identifiers, contact details, or behavioral profiles via the App.

3.C Server telemetry

Server logs (standard web logs): request timestamps, IP address, user agent, URL path (e.g., /apps/pps/status), and error stacks for debugging and security.

4) Sources of data

  • You/your staff: through the App’s admin UI (campaign content, schedules, settings).
  • Shopify APIs: Admin GraphQL/REST for shop/billing/metadata; Theme App Extension for theme blocks/metafields.
  • Automatically: storefront cookie for dismissal; app proxy status checks.

5) How we use data

  • Provide and operate the App: render popups according to saved campaigns and schedules.
  • Plan gating: determine whether a popup is permitted under the active plan/limit. The App writes a 24‑hour plan cache to pps/plan_cache to improve storefront performance.
  • Support & troubleshooting: investigate errors (using server logs) and respond to support requests.
  • Security & abuse prevention: monitor for misuse and secure our infrastructure.
  • Legal compliance: meet obligations under applicable laws and agreements.

Legal bases (EU/UK GDPR): contractual necessity (to provide the App), legitimate interests (performance optimization, security), and where applicable, consent (managed by the merchant for their storefront).

6) Cookies and similar technologies

Set by the App on storefronts:

Name Purpose Type Duration
ps_dismissed_<campaignId> Remember a visitor’s dismissal to avoid re‑showing the popup within the snooze window Functional Configurable (snooze days)

The App does not set analytics or advertising cookies.

7) Sharing & disclosures

We do not sell personal information. We may disclose limited data to Shopify (platform provider), hosting/infrastructure providers (e.g., Fly.io/CDN) for secure operation, support tools (if used), and legal authorities if required.

8) International transfers

We may process data on servers located outside your country. Where required, we rely on standard contractual clauses or equivalent safeguards. Hosting regions: [insert region(s), e.g., EU, UK, US].

9) Retention

  • Campaign data (pps/campaigns): retained while the App is installed and until you delete campaigns or uninstall the App.
  • Plan cache (pps/plan_cache): auto‑rotated/overwritten (typical TTL 24h).
  • Server logs: retained for ~[30] days unless needed longer for security/legal reasons.
  • Support communications: retained as needed to service your request.

Upon uninstallation or written request, we will delete app‑side data we control within a reasonable period (typically within 30 days), and we will stop writing to your shop metafields. You can delete the metafields at any time within Shopify.

10) Data subject rights

Merchants/staff: access, correction, deletion, portability, objection/restriction. Contact info@syntaxrepairs.co.uk.
Storefront visitors: direct rights requests to the merchant (store owner). We support merchants by honoring Shopify privacy webhooks and by minimizing data collection.

11) Security

We use industry‑standard safeguards: HTTPS in transit; principle of least privilege; scoped API tokens; minimal data storage (campaigns in Shopify metafields; no customer PII collected by the App); monitoring and logging for anomalies.

12) Children

The App is not directed to children. Merchants should not use the App to knowingly target children under the age of 13 (or the applicable age of consent in their jurisdiction).

13) Changes to this Policy

We may update this Policy to reflect improvements or legal requirements. We will post the updated version with a revised effective date. Material changes will be communicated via the Shopify app listing or in‑app notice.

14) Contact

[Syntax Repairs]

Email: info@syntaxrepairs.co.uk

Appendix: Shopify‑specific details

  • Metafields we use:
    • pps/campaigns (JSON): stores popup campaigns (content, styles, schedules).
    • pps/plan_cache (JSON): { plan, limit, checkedAt, expiresAt, v } for fast gating; contains no customer PII.
  • App Proxy endpoint: /apps/pps/status returns { ok, plan, limit } and refreshes pps/plan_cache on success.
  • Theme App Block anchors: inline JSON scripts #ps-campaigns and #ps-status so the storefront can render without extra network roundtrips.
  • Storefront cookie: ps_dismissed_<campaignId> (functional only).