Privacy Policy

PopupShop helps Shopify merchants embed a popup storefront on any site. This Privacy Policy explains how we handle information when you install or use the PopupShop app or widget. It is written for merchants who use the app; if you are a shopper buying from a merchant using PopupShop, please refer to that merchant’s privacy policy because they control your data.

1. Our role

When we process information about your Shopify store to run PopupShop, we act as an independent controller. When our widget facilitates your customers’ shopping activity, we act as your processor and only handle that data under your instructions.

2. Information we collect

A. Information you provide via Shopify

When you install the app, Shopify sends us data needed to authenticate and support your account:

  • Store domain, shop URL, API scopes, and access tokens.
  • Shopify user metadata (ID, first and last name, email, locale, collaborator status) when Shopify makes it available.

B. Widget configuration data

Creating or editing a widget stores:

  • Widget title and generated client key.
  • Storefront API access token (used in the browser to load products).
  • Optional branding and call-to-action settings (colors, message, store link preferences).
  • Associated shop domain and URL.

C. Automatically collected information

  • Our Cloudflare Worker serves configuration data and uses standard access logs and short-term caching that may include IP address and user-agent.
  • The admin dashboard runs on Render (https://popup-0g1q.onrender.com) and inherits standard request logs.
  • The public widget loads fonts from Google Fonts, so Google receives the visitor’s IP and browser details for that asset.

D. Data received for compliance requests

Shopify sends mandatory GDPR/CCPA webhooks containing customer emails or order IDs so we can help you answer data requests. We log them for troubleshooting but do not persist the payloads beyond processing them.

E. Information we do not collect

  • We do not store your customers’ cart, checkout, payment, or personal details. Those flow directly between the shopper and Shopify through Shopify’s Storefront API and checkout.
  • We do not set tracking cookies or analytics pixels within the widget.

3. How we use information

  • Authenticate your store with Shopify and maintain secure sessions.
  • Create and serve widget configurations to your sites.
  • Provide support, troubleshoot issues, and comply with legal obligations.
  • Verify and act on Shopify’s mandatory data-subject webhooks.

4. Legal bases (EEA/UK/Swiss merchants)

We process data to perform our contract with you (running the app), to comply with legal duties, and for our legitimate interests in securing and improving the service. We rely on your instruction to process shopper data.

5. How we share information

We share data only as needed to operate the service:

  1. Shopify – to authenticate, issue Storefront API tokens, and honour mandatory webhooks.
  2. Cloudflare – hosts api.getpopup.shop and cdn.getpopup.shop and caches widget configuration responses that include the storefront token.
  3. Render – runs the admin app.
  4. Database host – our managed PostgreSQL provider (via Prisma) stores session and widget records.
  5. Service providers/contractors bound by confidentiality and data-processing agreements.

We do not sell personal information.

6. Cookies and similar technologies

  • The admin dashboard relies on Shopify’s session cookies for authentication.
  • The shopper-facing widget uses local state and Shopify’s Storefront APIs; it does not set its own cookies. Shopify may set cart or checkout cookies when a shopper proceeds to checkout.

7. Data retention

  • Shopify session records are kept while your shop is connected and removed automatically when we receive an app/uninstalled webhook. You can request earlier deletion.
  • Widget configurations remain until you delete the widget or uninstall the app.
  • Log data is retained for up to 30 days unless needed to investigate security issues.
  • We do not retain customer data after fulfilling a data request.

8. Security

We use TLS for data in transit, limit token access to authorised staff, rely on Prisma’s parameterised queries, and run infrastructure on providers with established security programs (Cloudflare, Render, managed PostgreSQL). No method is perfectly secure; please notify us promptly if you believe your account has been compromised.

9. International transfers

Our infrastructure is currently hosted in the United States. By using PopupShop, you authorise us to transfer, store, and process information in the US or other countries that may have different data-protection laws.

10. Your rights

Depending on your location, you may have rights to access, rectify, port, or delete your data, object to or restrict processing, or lodge a complaint with a supervisory authority. Contact us to exercise these rights. We will help you meet customer requests we receive from Shopify’s compliance webhooks.

11. Customer data processed for you

When shoppers interact with the widget:

  • We access products, variants, and cart operations through Shopify’s Storefront API on your behalf.
  • Checkout occurs directly on Shopify, outside of our systems.

We do not independently use or disclose customer data and will follow your instructions or Shopify’s requirements if you disable the app or request deletion.

12. Changes to this policy

We may update this policy to reflect new features or legal requirements. We will post the revised date and, if changes are material, notify you through the app or email.

13. Contact us

Email: lukas@lukasb.tech

If you have questions or need to submit a data request, please contact us using the details above.
