Privacy Policy
How Popchime collects, uses, encrypts, and protects data — for the merchants who install it and the shoppers who interact with popups on their stores.
1. Who we are
Popchime (“Popchime,” “we,” “us”) is a Shopify-embedded application that lets merchants build popups for their storefronts and sync captured contact information to email/SMS marketing providers. This policy covers data we process from two parties: merchants who install Popchime on their Shopify store, and shoppers who interact with popups on those stores.
2. Data we collect
From merchants (Shopify install)
- Shop domain (e.g. example.myshopify.com)
- Shopify access tokens (stored encrypted, used only to call Shopify APIs on your behalf)
- Plan tier + billing status (read from the Shopify Billing API)
- Provider integration credentials (Klaviyo / Mailchimp / Webhook), encrypted at rest
- Popup configuration (templates, triggers, exclusion rules) you create
From shoppers (popup submissions)
- Email address (when the popup includes an email field and the shopper submits)
- Phone number (when the popup includes a phone field and the shopper submits)
- Choice tag and rating value (e.g. an NPS score) when the popup includes those elements
- Marketing-consent state, when the popup includes a consent checkbox
- Anonymous session token (SHA-256 hashed, no PII) for impression / dismiss / conversion analytics
- Country code (when geolocation rules are configured by the merchant)
- Device type (mobile vs desktop, derived from viewport width)
We do NOT collect: shopper IP addresses, browser fingerprints, names (unless explicitly entered into a name field), payment information, or any data the shopper has not voluntarily submitted via a popup form.
3. How we use the data
- Service delivery: render popups on the storefront and store captured contact information for merchant retrieval and CRM sync.
- Provider sync: when a merchant connects Klaviyo, Mailchimp, or a webhook URL, captured contact data is sent to that provider on the merchant’s behalf. When a shopper declines marketing via the consent checkbox, the capture is kept for the merchant but not pushed to marketing lists.
- Analytics for merchants: aggregate impression / conversion / dismiss counts so merchants can measure popup performance.
- AI features: when a merchant uses the AI copilot or AI image tools, their instructions and popup content (never shopper PII) are sent to our AI provider to generate copy, layouts, and imagery.
- Service quality: error logs and performance metrics (no shopper PII).
- Billing: usage counts (popup impressions, AI image generations, AI copilot turns) reported to Shopify Billing for plan enforcement.
We do not use shopper data for advertising, sell it to third parties, or share it across merchants.
4. Legal basis (GDPR)
- Consent — shopper-submitted data is collected only when the shopper voluntarily submits a popup form, which constitutes consent for the merchant’s stated marketing purposes.
- Contractual necessity — merchant data (Shopify tokens, integrations) is processed to deliver the service the merchant has installed.
- Legitimate interest — anonymized analytics for service improvement.
5. Data sharing (subprocessors)
We share data only with the providers necessary to operate the service. Each merchant’s data is sent only to the providers that merchant has explicitly configured.
- Shopify Inc. (Canada) — host of the merchant’s store and the parent platform; we exchange merchant + popup config + billing data through Shopify’s APIs.
- Vercel Inc. (USA) — application hosting and serverless compute.
- Neon Inc. (USA) — managed Postgres database where encrypted data is stored.
- Klaviyo, Inc. (USA) — when a merchant connects Klaviyo, captured emails + phones are sent to the merchant’s Klaviyo list.
- Mailchimp / Intuit Inc. (USA) — when a merchant connects Mailchimp, captured emails are sent to the merchant’s Mailchimp audience.
- Anthropic, PBC (USA) — powers AI-assisted popup design features. AI prompts are anonymized and contain no shopper PII.
- Generic webhook receivers — when a merchant configures a custom webhook URL, captured data is POSTed to that URL with optional HMAC-SHA256 signing.
6. Data retention
- Shopper captures — retained until the merchant deletes them or uninstalls the app. Merchants can delete individual captures from the captures viewer at any time.
- Merchant data — retained while the app is installed. Within 48 hours of uninstall or upon explicit shop-deletion request, all data tied to that shop is hard-deleted.
- Analytics events — retained for up to 13 months for trend analysis, then aggregated and the row-level data deleted.
- Backups — encrypted backups are retained for up to 30 days for disaster recovery.
7. Encryption + security
- At rest: shopper email + phone are encrypted with AES-256-GCM using a per-shop key derived via HKDF from a master key stored separately from the database.
- Hashing: deterministic per-shop HMAC-SHA-256 indices on email + phone enable dedup queries without ever storing or returning plaintext.
- In transit: all communication uses TLS 1.2+ (HTTPS).
- Provider credentials: Klaviyo / Mailchimp API keys + webhook secrets are encrypted at rest with the same per-shop encryption.
- Cross-shop isolation: every database query is scoped by shop ID; ownership checks on every action prevent any cross-shop data access.
8. Your rights (GDPR Articles 15–22)
Shoppers in the EU/EEA, UK, and California have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Erase your data (“right to be forgotten”)
- Object to or restrict processing
- Port your data to another service
- Withdraw consent at any time
Because Popchime processes shopper data on behalf of the merchant (the data
controller), the fastest way to exercise these rights is to contact the
merchant whose store you submitted the popup on. Popchime implements
Shopify’s mandatory customers/data_request,
customers/redact, and shop/redact webhooks to
fulfill these requests within 48 hours of the merchant’s instruction.
You can also contact us directly at [email protected].
9. Cookies + tracking
- localStorage on the storefront for popup suppression keys (so a shopper isn’t shown the same popup repeatedly) and an opaque visitor identifier used only client-side for A/B variant stickiness — never sent to our servers.
- No third-party tracking cookies. No cross-site fingerprinting. No advertising pixels.
10. Children’s data
Popchime is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has submitted data, contact [email protected] and we will erase it.
11. International data transfers
Our servers and primary subprocessors are located in the United States. Data transferred from the EU/EEA is protected by Standard Contractual Clauses (SCCs) under GDPR Article 46. By submitting a popup, the shopper consents to this cross-border transfer.
12. Changes to this policy
We may update this policy as features, subprocessors, or legal requirements change. The “Last updated” date at the top reflects the most recent revision; material changes are communicated to merchants via the app’s embedded admin.
13. Contact
Questions, complaints, or requests: [email protected]. EU/EEA residents may also lodge a complaint with their local data protection authority; UK residents may contact the ICO; California residents may contact the California Attorney General.