Security & Trust

Built to handle your shoppers' data carefully.

Popups touch real customer data. Here's exactly how Popchime protects it, who it shares it with, and how you stay in control.

Encrypted at rest

Sensitive captured data is encrypted with AES-256-GCM. Encryption keys are derived per-record with HKDF, so a single key never protects everything.

Data minimization

We store what's needed to run your popups and deliver your leads — nothing more. Captured contacts flow to your own destinations (Klaviyo, Mailchimp, webhook).

GDPR-ready by default

Add a consent checkbox to any capture popup, and Popchime honors Shopify's GDPR webhooks: data-request, customer redaction, and shop redaction.

You stay in control

Your data is yours. Request export or deletion at any time and we'll act on it — see how below.

Subprocessors

The third parties that may process data on our behalf. We add a subprocessor only when it's needed to run the product.

Provider Role Data
Shopify App platform & hosting Store + order context
Klaviyo Email/SMS sync (if connected) Captured contacts you send
Mailchimp Email sync (if connected) Captured contacts you send
Anthropic AI copilot & image generation Your prompts + popup content

GDPR webhooks

Popchime implements Shopify's mandatory compliance webhooks, so shopper and store requests are handled automatically.

  • customers/data_request A shopper asks for their data — we return what we hold.
  • customers/redact A shopper asks to be deleted — we erase their captured data.
  • shop/redact A store uninstalls — we erase that store's data after the grace period.

Export or delete your data

Want a copy of your data, or want it erased? Email [email protected] and we'll handle it. For the full detail, read our Privacy Policy and Data Processing statement.