Privacy Policy
How ChromaRise collects, uses, and protects information across our Shopify apps and services.
Contents
- Introduction
- Scope
- Information We Collect
- How We Use Information
- Legal Basis (GDPR)
- Automated Decision-Making
- Sharing & Sub-processors
- International Transfers
- Data Retention
- Your Rights (EEA / UK)
- Your Rights (California)
- Security
- Data Breach Notification
- Communications & Marketing
- Cookies
- Children
- Third-Party Links
- Changes to This Policy
- Contact
1. Introduction
This Privacy Policy describes how ChromaRise ("we", "us", "our") collects, uses, and protects information when you install or use any application, website, or service we provide (collectively, the "Services"), including any apps we publish on the Shopify App Store. By installing or using the Services, you agree to the practices described below.
2. Scope
This policy applies to all Shopify apps and websites operated by ChromaRise. Where a specific app has materially different processing activities, an app-specific addendum will be linked from this page.
3. Information We Collect
3.1 Information from Shopify (merchant data)
When you install one of our apps, Shopify provides us with information about your store, including: store name, myshopify.com domain, primary domain, store owner name, email address, country, currency, locale, timezone, billing address, and Shopify plan.
3.2 Information you authorize via Shopify API scopes (store data)
Each app requests specific Shopify API scopes during installation. Depending on scopes granted, this may include: products, variants, collections, inventory, orders, draft orders, fulfillments, shipping data, customers, customer addresses, themes, scripts, metafields, files, content (blogs/pages), discounts, price rules, gift cards, and similar resources. We only request the scopes the relevant app needs to function, and you can review them on the install screen.
3.3 Your store's customer personal data
Some apps process your customers' personal data on your behalf (acting as a data processor under GDPR while you act as the data controller). This may include customer names, email addresses, phone numbers, shipping/billing addresses, order history, and IP addresses. We process this data only to perform the services you've configured.
3.4 Usage and device data
When you use our admin interface or website, we automatically collect: IP address, browser type and version, operating system, device identifiers, referring URL, pages viewed, actions taken in-app, timestamps, error logs, and similar diagnostic data.
3.5 Communications
If you contact support, we store the contents of those communications and any attachments.
3.6 Billing
Charges are processed through Shopify's Billing API. We do not receive or store payment card numbers, CVV codes, or bank account details. Shopify provides us only the metadata necessary to reconcile charges (charge ID, amount, status).
4. How We Use Information
- Provide, operate, maintain, and improve the Services.
- Authenticate your store and authorize API requests to Shopify on your behalf.
- Process subscription billing via Shopify.
- Respond to support requests and send service-related communications.
- Monitor performance, detect and prevent abuse, debug errors.
- Comply with legal obligations and enforce our Terms of Service.
- Send infrequent product announcements (you can opt out — see §14).
- Generate anonymized, aggregated statistics about Service usage. Aggregated data cannot reasonably identify any individual or store and may be retained and used indefinitely.
5. Legal Basis for Processing (GDPR)
Where GDPR applies, our legal bases are:
- Contract (Art. 6(1)(b)) — to deliver the Services you installed.
- Legitimate interests (Art. 6(1)(f)) — to secure, monitor, debug, and improve the Services, and to communicate with merchants about service operation.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and law-enforcement requirements.
- Consent (Art. 6(1)(a)) — where consent is required (e.g. optional marketing communications).
When we process your customers' personal data, we act as a processor on your behalf; you are the controller and are responsible for establishing your own legal basis with your customers.
6. Automated Decision-Making
We do not make decisions about you that produce legal effects or similarly significant effects using solely automated processing.
7. Sharing & Sub-processors
We do not sell personal data, and we do not share it for cross-context behavioral advertising.
We share data only with the sub-processors necessary to deliver the Services:
- Shopify Inc. (Canada / United States) — platform integration, OAuth authentication, webhook delivery, and billing via the Shopify Billing API.
- Railway Corp. (United States) — application hosting and managed database hosting for the Services.
This list reflects all sub-processors currently in use. If we engage additional sub-processors in the future, this Policy will be updated and the Effective date at the top revised.
We may also disclose information when (a) required by law, subpoena, or court order; (b) necessary to protect our rights, safety, or property, or those of others; or (c) in connection with a merger, acquisition, or sale of assets, with notice to affected merchants.
8. International Transfers
Data may be processed in countries outside the European Economic Area, including the United States. Where transfers occur, we rely on lawful transfer mechanisms such as the EU Standard Contractual Clauses or adequacy decisions (e.g. the EU–US Data Privacy Framework where applicable).
9. Data Retention
- While installed: data is retained for as long as you have the relevant app installed.
- On uninstall: Shopify sends app/uninstalled immediately. We delete or anonymize merchant and store data within 30 days.
- Customer redaction: Shopify sends customers/redact 48 hours after a customer-deletion request; we delete the customer's data within 30 days of receipt.
- Shop redaction: Shopify sends shop/redact 48 hours after uninstall; we delete remaining store data within 30 days of receipt.
- Data requests: customers/data_request is handled within 30 days by providing the requested data to you (the merchant) so you can fulfill the customer's request.
- Backups: residual data may persist in encrypted backups for up to 90 days before automatic deletion.
- Legal holds: data subject to a legal obligation to retain (tax records, ongoing disputes) is kept only as long as required by law.
10. Your Rights (EEA / UK)
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten").
- Restriction of processing.
- Objection to processing based on legitimate interests.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). You may also complain to the authority in your country of residence.
To exercise any right, email privacy@chromarise.com. We respond within 30 days.
11. Your Rights (California — CCPA/CPRA)
California residents have additional rights:
- Right to know what personal information we collect, use, disclose, and sell/share.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information — we do not sell or share personal information as defined under the CPRA.
- Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the Services.
- Right to non-discrimination for exercising your rights.
To exercise these rights, email privacy@chromarise.com.
12. Security
We apply industry-standard safeguards including: encryption in transit (TLS 1.2+), encryption at rest, scoped Shopify access tokens, principle of least privilege, audit logging, dependency monitoring, and regular security reviews. We restrict access to personal data to staff who need it to operate the Services. No system is perfectly secure; we cannot guarantee absolute security.
13. Data Breach Notification
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, and notify affected merchants without undue delay where the risk is high, in accordance with GDPR Art. 33–34.
14. Communications & Marketing
We send service-related communications (security notices, billing notices, material policy changes) that you cannot opt out of while you have an active install. Any product-update or marketing emails are optional and include an unsubscribe link.
15. Cookies & Similar Technologies
Our app interfaces load inside the Shopify admin and use only the cookies strictly necessary for authentication and session management. We do not use analytics cookies or cross-site advertising trackers. We honor Global Privacy Control (GPC) signals where applicable.
16. Children
The Services are intended for businesses and are not directed to children under 16. We do not knowingly collect personal data from children. If we learn we have, we will delete it.
17. Third-Party Links
The Services may link to third-party websites or services we do not control. This Policy does not apply to those third parties; review their policies separately.
18. Changes to This Policy
We may update this Policy. The "Effective date" at the top reflects the most recent revision. Material changes will be announced via in-app notice, email, or both. Continued use of the Services after the effective date constitutes acceptance.
19. Contact
Questions about this Policy or your data:
Website: https://chromarise.com
Governing law: the Netherlands (EU). Disputes are subject to the exclusive jurisdiction of the competent courts in the Netherlands, without prejudice to your rights under mandatory consumer-protection law.