Cart Permalinks ("we", "our", or "the App") is a Shopify application that generates shareable cart links for products, including support for selling plans (subscriptions). This privacy policy explains how we collect, use, and protect data in compliance with Shopify's protected customer data requirements.
2. Data We Collect
Our app processes the minimum amount of data necessary to provide cart permalink functionality to merchants.
2.1 Data Collected from Merchants
Shop Information: Store domain, shop name, and authentication tokens
Product Data: Product variants, selling plans, and pricing information
Our app does not collect or store protected customer data such as customer names, email addresses, phone numbers, shipping addresses, or payment information. The cart permalinks function by encoding product variant IDs and quantities in URLs; they do not contain any personally identifiable information (PII).
3. How We Use Data
We use the collected data solely for the following purposes:
Permalink Generation: To create shareable cart links with selected products, variants, quantities, discount codes, and tracking parameters
Analytics: To provide merchants with insights about permalink creation and usage (stored in our PermalinkLog database table)
App Functionality: To authenticate merchants and provide the Admin Action extension on product pages
Service Improvement: To maintain and improve app performance and features
4. Data Storage and Security
4.1 Encryption
Data in Transit: All data transmitted between your store and our app is encrypted using TLS/SSL
Data at Rest: All stored data is encrypted using industry-standard encryption methods
Backups: Data backups are encrypted to prevent unauthorized access
4.2 Access Controls
Access to production data is strictly limited to authorized personnel only
Staff accounts require strong passwords and multi-factor authentication
We maintain comprehensive access logs for all data access activities
Test and production environments are completely separated
4.3 Data Loss Prevention
We implement technical controls, policies, and standards to protect against unauthorized data extraction or loss.
5. Data Retention
Session Data: Authentication tokens are retained only as long as the app is installed
Permalink Analytics: Analytics logs are retained for 365 days, after which they are automatically deleted
App Uninstall: Upon app uninstallation, all merchant data is deleted within 30 days
6. Data Sharing
We do not sell, rent, or share your data with third parties for marketing purposes. Data may only be shared in the following circumstances:
Service Providers: Trusted service providers who assist in app operations (e.g., hosting providers) under strict confidentiality agreements
Legal Requirements: When required by law, regulation, or legal process
Protection of Rights: To protect the rights, property, or safety of our app, merchants, or others
7. Merchant Responsibilities
As a merchant using this app, you are responsible for:
Ensuring you have the right to create and share cart links for your products
Complying with applicable privacy laws when sharing cart permalinks with customers
Providing appropriate privacy notices to your customers about data collection on your store
8. Security Incident Response
We maintain a comprehensive security incident response policy. In the event of a data breach or security incident:
We will investigate and contain the incident immediately
Affected merchants will be notified within 72 hours
We will provide details about the incident and steps taken to resolve it
We will comply with all applicable breach notification requirements
9. Your Rights
Merchants have the following rights regarding their data:
Access: Request a copy of your data stored in our app
Correction: Request correction of inaccurate data
Deletion: Request deletion of your data (by uninstalling the app)
Data Portability: Request export of your permalink analytics data
10. Compliance
This app complies with:
Shopify Partner Program Agreement
Shopify API License and Terms of Use
Shopify Protected Customer Data Requirements (Level 0 - No customer data)
General Data Protection Regulation (GDPR) principles
California Consumer Privacy Act (CCPA) requirements
11. Children's Privacy
Our app is intended for use by merchants (businesses) and does not knowingly collect information from children under 13 years of age.
12. International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in accordance with this privacy policy.
13. Changes to This Policy
We may update this privacy policy from time to time. We will notify merchants of any material changes by updating the "Last Updated" date and, if required, by sending notice through the app or email.
14. Contact Us
If you have questions about this privacy policy or our data practices, please contact us at:
Email: mikacodeapps@gmail.com
15. Data Protection Officer
For data protection inquiries, you can contact our Data Protection Officer at:
Email: mikacodeapps@gmail.com