Privacy Policy
Last updated: January 2025
1. Introduction
Laparaneza ("we," "our," or "us") operates the Social Proof Popup application for Shopify. We are committed to protecting your privacy and the privacy of your customers.
This Privacy Policy explains how we collect, use, store, and protect information when you use our Shopify application. It applies to merchants who install our app and covers our role as a data processor for end-customer data.
By installing and using Social Proof Popup, you agree to the collection and use of information in accordance with this policy. We encourage you to read this policy carefully and contact us if you have any questions.
2. Definitions
For the purposes of this Privacy Policy:
- App refers to Social Proof Popup, our Shopify application
- Merchant or You refers to the Shopify store owner who installs and uses our App
- End-Customer refers to visitors and customers of the Merchant's online store
- Personal Data means any information relating to an identified or identifiable natural person
- Processing means any operation performed on Personal Data
- Data Controller means the entity that determines the purposes and means of processing Personal Data
- Data Processor means the entity that processes Personal Data on behalf of the Data Controller
3. Data Controller and Processor
Understanding who is responsible for data is important under GDPR:
Merchants (Data Controllers)
As a Merchant using our App, you are the Data Controller for your end-customers' Personal Data. You determine why and how end-customer data is collected and displayed through our App. You are responsible for:
- Ensuring you have a lawful basis to display customer purchase information
- Updating your own privacy policy to reflect use of our App
- Responding to data subject requests from your customers
Laparaneza (Data Processor)
We act as a Data Processor when handling end-customer data on your behalf. We process this data only according to your instructions (by enabling the App features) and as described in our Data Processing Agreement.
Sub-processors
We use the following sub-processors to deliver our service:
- Shopify - Platform provider, OAuth authentication, Billing API, Admin API
- Supabase (AWS) - Database hosting (PostgreSQL, AWS ap-south-1 Singapore region)
4. Information We Collect
4.1 From Shopify Orders (via webhook)
When an order is placed on your store, we receive and store:
- Order ID - Internal reference number
- Product title - Name of the purchased product
- Product featured image - Image URL for display
- Customer city and country - Geographic location only
- Order timestamp - When the purchase occurred
4.2 What We DO NOT Collect
We deliberately exclude sensitive personal information:
- Customer names
- Email addresses
- Phone numbers
- Full street addresses
- Payment or credit card information
- IP addresses
- Any other personally identifiable information (PII)
4.3 From Merchants
When you install and configure the App, we collect:
- Shopify shop domain - Your store's URL
- OAuth access tokens - To access Shopify APIs on your behalf
- App settings and preferences - Your popup configuration choices
5. How We Use Information
We use the collected information exclusively to:
- Display purchase notification popups - Show recent purchases to store visitors (social proof)
- Show product purchase counters - Display how many times products have been bought
- Provide analytics dashboard - Help you understand popup performance
- Manage billing and subscriptions - Process payments through Shopify Billing
- Improve and maintain the service - Fix bugs, enhance features
We do not use your data for advertising, marketing to your customers, or selling to third parties.
6. Lawful Basis for Processing (GDPR)
Under GDPR, we rely on the following lawful bases for processing:
For Merchants
- Contractual Necessity - Processing is necessary to provide the App service you requested when installing
- Legitimate Interest - To maintain and improve the App, prevent fraud, and ensure security
For End-Customer Data (processed on behalf of Merchants)
- Legitimate Interest - You (the Merchant) have a legitimate interest in displaying social proof to improve conversions. The processing is minimal (city/country only), expected by customers in e-commerce contexts, and does not override data subject rights.
As a Merchant, you should ensure this processing aligns with your own privacy policy and legal requirements.
7. Data Storage and Retention
Where We Store Data
- Database: PostgreSQL hosted on Supabase (AWS ap-south-1, Singapore region)
- Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest
Retention Periods
- Order Data: We retain the last 100 orders per shop. When a new order arrives and you already have 100 orders stored, the oldest order is automatically deleted. This ensures we only keep recent, relevant data.
- Merchant Account Data: Retained while you have the App installed
- Upon Uninstall: All data associated with your shop (orders, settings, tokens) is deleted immediately when you uninstall the App
Data Minimization
We practice data minimization by only collecting and retaining the minimum data necessary to provide the service. We do not retain historical data beyond what is needed for active popup display.
8. Data Sharing and Sub-processors
Public Display
The following information may be displayed publicly on your storefront through popup notifications:
- Product name and image
- Customer city and country
- Time since purchase
Sub-processors
We share data only with the following service providers, who are bound by data protection agreements:
| Sub-processor | Purpose | Location |
|---|---|---|
| Shopify Inc. | OAuth, Billing, Order webhooks | Canada/USA |
| Supabase (AWS) | Database hosting | Singapore (ap-south-1) |
What We Do NOT Do
- We do not sell Personal Data to third parties
- We do not use data for advertising or marketing
- We do not share data with data brokers
- We do not create profiles of end-customers
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence:
- Primary Storage: AWS Singapore (ap-south-1)
- Shopify Services: Canada and United States
For transfers from the European Economic Area (EEA), UK, or Switzerland to countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Our sub-processors' compliance certifications and data protection agreements
10. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:
- Right to Access - You can request a copy of the Personal Data we hold about you
- Right to Rectification - You can request correction of inaccurate Personal Data
- Right to Erasure ("Right to be Forgotten") - You can request deletion of your Personal Data. Note: Uninstalling the App automatically deletes all your data.
- Right to Restrict Processing - You can request that we limit how we use your data
- Right to Data Portability - You can request your data in a structured, machine-readable format
- Right to Object - You can object to processing based on legitimate interests
- Right to Withdraw Consent - Where processing is based on consent, you can withdraw it at any time
- Right to Lodge a Complaint - You have the right to lodge a complaint with a supervisory authority in your country of residence
To exercise any of these rights, please contact us at support@laparaneza.com. We will respond within 30 days.
11. End-Customer Rights
If you are an end-customer who has made a purchase on a store using our App:
- The Merchant (store owner) is the Data Controller for your data
- Please contact the Merchant directly to exercise your GDPR rights
- The Merchant can request that we delete your specific order data
We will assist Merchants in responding to data subject requests. As a Processor, we only retain city and country information (not your name, email, or full address), and this data is automatically deleted as orders cycle out (we keep only the last 100 orders per store).
12. Data Security
We implement appropriate technical and organizational measures to protect Personal Data:
Technical Measures
- HTTPS/TLS encryption for all data in transit
- Encryption at rest for database storage
- Secure OAuth 2.0 authentication with Shopify
- Regular security updates and patches
- Webhook signature verification
Organizational Measures
- Access controls limiting data access to authorized personnel
- Data minimization practices
- Regular review of security practices
14. Children's Privacy
Our App is designed for use by Shopify merchants (businesses) and is not directed at individuals under the age of 16. We do not knowingly collect Personal Data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes:
- We will update the "Last updated" date at the top of this page
- For material changes, we will notify you through the App or via email
- Your continued use of the App after changes constitutes acceptance
16. Contact Information
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
Laparaneza
Email: support@laparaneza.com
We aim to respond to all inquiries within 30 days.