GDPR & Data Processing

Popchime · Last updated June 17, 2026

How Popchime processes personal data on behalf of merchants under the GDPR — roles, subprocessors, data subject rights, security, and deletion.

1. Roles

Under the EU General Data Protection Regulation (GDPR) and equivalent regimes, the merchant who installs Popchime is the data controller for the shopper data collected through their popups. Popchime is a data processor, acting only on the merchant’s documented instructions to provide the service. The merchant is responsible for the lawful basis on which shopper data is collected; Popchime processes it on their behalf.

2. Scope of processing

On the merchant’s behalf, Popchime processes only the data necessary to deliver the service:

  • Shopper email addresses and phone numbers submitted through popup forms.
  • Choice tags and rating values (e.g. an NPS score) when those elements are included.
  • Marketing-consent state when a popup includes a consent checkbox.
  • Anonymized analytics — SHA-256 hashed session tokens, device type, and country code (where geolocation rules are configured) for impression, dismiss, and conversion counts, with no shopper PII.

Popchime does not collect shopper IP addresses, browser fingerprints, or payment data, and never sends shopper PII to the AI provider.

3. Subprocessors

Popchime uses the following subprocessors to operate the service. Each merchant’s data is sent only to the subprocessors that merchant has configured.

  • Shopify Inc. (Canada) — host of the merchant’s store and the parent platform.
  • Vercel Inc. (USA) — application hosting and serverless compute.
  • Neon Inc. (USA) — managed Postgres database where encrypted data is stored.
  • Klaviyo, Inc. (USA) — when the merchant connects Klaviyo, captured emails and phones are sent to the merchant’s Klaviyo list.
  • Mailchimp / Intuit Inc. (USA) — when the merchant connects Mailchimp, captured emails are sent to the merchant’s Mailchimp audience.
  • Anthropic, PBC (USA) — powers AI features; prompts are anonymized and contain no shopper PII.
  • Merchant-configured webhook receivers — when the merchant configures a custom webhook URL, captured data is POSTed to that endpoint with optional HMAC-SHA-256 signing.

4. Data subject rights

Because Popchime processes shopper data on behalf of the merchant, data subjects exercise their rights (access, correction, erasure, restriction, portability, objection) through the merchant. To support this, Popchime implements Shopify’s mandatory data-protection webhooks:

  • customers/data_request — returns the data held for a given shopper.
  • customers/redact — erases a given shopper’s data.
  • shop/redact — erases all data for a shop after uninstall.

Requests are fulfilled within 48 hours of the merchant’s instruction.

5. Security

  • Encryption at rest: shopper email and phone are encrypted with AES-256-GCM using a per-shop key derived via HKDF from a master key stored separately from the database.
  • Hashed indices: deterministic per-shop HMAC-SHA-256 indices enable dedup queries without ever storing or returning plaintext.
  • Encryption in transit: all communication uses TLS 1.2+.
  • Per-shop isolation: every query is scoped by shop ID, with ownership checks on every action to prevent cross-shop access.

6. International transfers

Popchime’s servers and primary subprocessors are located in the United States. Personal data transferred from the EU/EEA is protected by Standard Contractual Clauses (SCCs) under GDPR Article 46.

7. Data breach notification

In the event of a personal-data breach affecting data we process, Popchime will notify affected merchants without undue delay upon becoming aware of the breach, providing the information needed for the merchant to meet their own controller notification obligations.

8. Data deletion

All data tied to a shop is hard-deleted within 48 hours of the app being uninstalled or upon an explicit shop-deletion (shop/redact) request. Merchants can also delete individual shopper captures from the captures viewer at any time.

9. Contact & DPA requests

For data-processing questions or to request a signed Data Processing Agreement (DPA), contact [email protected]. Merchants who require a signed DPA for their own compliance can request one and we will provide it.