This Privacy Policy explains how DevCloud LLC (“we”, “us”, “our”) collects, uses, stores, and protects information when you install and use the Upsell & Cross-Sell application (“the App”) available on the Shopify App Store. By installing the App, you acknowledge and agree to the practices described in this policy.
🌐
1. Scope & Applicability
This policy applies to all merchants who install and use the App on their Shopify store. It covers data collected through:
What we do NOT collect: We do not collect personal information from your end customers such as names, email addresses, physical addresses, phone numbers, payment details, or browsing history. Analytics are aggregated at the product/offer level, not at the individual customer level.
⚙️
3. How We Use Your Data
We process your data exclusively to provide and improve the App’s functionality:
Product Recommendations: Display upsell, cross-sell, frequently-bought-together, bundle, and add-on recommendations on your storefront
AI Recommendations: Analyze product attributes (titles, tags, descriptions) to generate intelligent recommendation pairings
Analytics & Reporting: Provide dashboards showing offer performance, conversion rates, and revenue attribution
Widget Rendering: Apply your design settings, custom CSS, and targeting rules to display widgets correctly
Offer Targeting: Evaluate cart value, device type, and scheduling rules to show relevant offers
Support: Respond to your support inquiries and troubleshoot issues
Service Improvement: Analyze aggregate usage patterns to improve recommendation algorithms and App performance
🔒
We will never use your data for advertising, profiling, or any purpose unrelated to delivering the App’s core functionality.
⚖️
4. Legal Basis for Processing
We process your data under the following legal bases (as defined by GDPR Article 6):
Contractual necessity (Art. 6(1)(b)): Processing required to deliver the service you signed up for by installing the App
Legitimate interest (Art. 6(1)(f)): Improving our recommendation algorithms and App reliability, where such interests are not overridden by your rights
Legal obligation (Art. 6(1)(c)): Compliance with applicable laws, including responding to GDPR data requests
🤖
5. AI-Powered Features
The App offers optional AI-powered product recommendation generation. When you use this feature:
Data Sent to AI Providers
Product titles, descriptions, tags, and categories
Product type and collection information
Data NOT Sent to AI Providers
Customer personal information (names, emails, addresses)
Order or payment data
Store credentials or API keys
Customer browsing or purchase history at the individual level
AI Provider
We use OpenAI (GPT-4o-mini model) for recommendation generation. OpenAI processes data under their Enterprise Privacy policy, which states that API inputs are not used to train their models.
💡
You control this feature. AI recommendations are optional. You can use manual product selection, rule-based matching, or frequently-bought-together analysis instead. No data is sent to AI providers unless you explicitly trigger recommendation generation.
👥
6. Data Sharing & Third Parties
We do not sell, rent, license, or trade your data. We share data only with the following categories of service providers, strictly as needed to operate the App:
Provider Type
Purpose
Data Shared
Hosting & Infrastructure
Application hosting, database, file storage
All App data (encrypted at rest and in transit)
AI Provider (OpenAI)
Product recommendation generation
Product metadata only (opt-in)
Error Monitoring (Sentry)
Bug tracking and performance monitoring
Error logs, stack traces (no PII)
Email (SendGrid)
Transactional emails, support responses
Store email, message content
Task Queue (Redis)
Background job processing
Job payloads (product sync, recommendations)
We may also disclose data when required by law, court order, or governmental authority, or to protect our legal rights.
📅
7. Data Retention & Deletion
Scenario
Retention Period
Details
App installed
Active
All data retained while the App is installed and in use
App uninstalled
30 days
All store data, offers, analytics, and cached products permanently deleted within 30 days
Encrypted backups
90 days
Residual copies in encrypted backups automatically expire within 90 days
GDPR erasure request
30 days
Data deleted upon request even if the App is still installed
Aggregated, anonymized analytics data (e.g., total impressions across all stores) may be retained indefinitely for internal reporting, but cannot be linked back to any individual store.
🛡️
8. Data Security
We implement industry-standard technical and organizational measures to safeguard your data:
Encryption in transit: All data transmitted via HTTPS/TLS 1.2+ encrypted connections
Encryption at rest: Database and backup encryption using AES-256
Authentication: Shopify session token validation + HMAC signature verification on all webhooks
Authorization: Shop-scoped data access — merchants can only access their own store data
Rate limiting: API rate limiting with Redis sliding-window algorithm to prevent abuse
Input validation: Server-side sanitization and XSS protection on all user inputs
CSRF protection: Django CSRF middleware on all authenticated endpoints
Minimal scopes: We only request Shopify API scopes we need (read_products, write_products)
Dependency management: Regular updates and vulnerability scanning of all dependencies
Monitoring: Error tracking via Sentry with real-time alerting
🔐
While no system is 100% secure, we continuously review and improve our security posture. If you discover a security vulnerability, please report it to sales@devcloudsoftware.com and we will investigate promptly.
🍪
9. Cookies & Tracking Technologies
Storefront (Your Customers)
The App does not place any cookies, pixels, or tracking scripts on your customers' browsers. All analytics (impressions, clicks, conversions) are collected server-side through API calls triggered by widget interactions. No fingerprinting, localStorage tracking, or cross-site tracking is performed.
Admin Interface (Merchants)
Within the Shopify Admin embedded app, we use:
Session tokens: Shopify App Bridge session tokens for authentication (not traditional cookies)
Local state: React in-memory state for form data and UI preferences (cleared on page close)
We do not use any third-party analytics, advertising, or tracking SDKs in the admin interface.
🇪🇺
10. GDPR Rights (EEA/UK)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:
Right of AccessRequest a copy of all data we hold about your store
Right to RectificationRequest correction of inaccurate or incomplete data
Right to ErasureRequest permanent deletion of your data at any time
Right to PortabilityReceive your data in a structured, machine-readable format (JSON)
Right to RestrictRestrict processing of your data under certain conditions
Right to ObjectObject to processing based on legitimate interest
To exercise any right, email us at sales@devcloudsoftware.com. We will respond within 30 days as required by law.
Shopify GDPR Webhooks
We fully implement Shopify's mandatory GDPR webhooks:
customers/data_request — We respond with all data associated with the requesting customer
customers/redact — We delete all customer-related data upon request
shop/redact — We delete all store data within 30 days of app uninstallation
🇺🇸
11. CCPA Rights (California)
Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the right to:
Know: Request disclosure of the categories and specific pieces of personal information we collect, the sources, purposes, and third parties with whom we share it
Delete: Request deletion of personal information we hold about you
Correct: Request correction of inaccurate personal information
Opt-out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising
Non-discrimination: We will not discriminate against you for exercising your CCPA rights
To submit a CCPA request, email sales@devcloudsoftware.com with the subject line “CCPA Request”. We will verify your identity and respond within 45 days.
🌎
12. International Data Transfers
Our servers are located in the United States. If you access the App from outside the US, your data will be transferred to and processed in the US.
For EEA/UK merchants, we rely on the following transfer mechanisms as permitted under GDPR Chapter V:
Standard Contractual Clauses (SCCs): Our infrastructure providers maintain EU-approved SCCs for cross-border data transfers
EU-US Data Privacy Framework: Where applicable, our sub-processors are certified under the DPF
👶
13. Children's Privacy
The App is a business-to-business tool designed exclusively for Shopify merchants. It is not directed at, and we do not knowingly collect personal information from, individuals under the age of 16.
If we learn that we have inadvertently collected data from a child under 16, we will delete it promptly. If you believe a minor has provided us with personal information, please contact us immediately.
📝
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
The “Last updated” date at the top of this page will be revised
For material changes, we will notify you via the App's admin interface or by email
Continued use of the App after changes take effect constitutes acceptance of the revised policy
We encourage you to review this policy periodically.
15. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a concern, reach out to us: