Legal

Privacy Policy

Effective date: April 26, 2026Applies to: Nudge - Checkout Optimizer

Contents

1. Overview
2. Data We Collect
3. How We Use Data
4. Data Sharing & Third Parties
5. Data Retention
6. Security
7. Merchant Rights
8. Shopper / End-Customer Rights
9. Cookies & Tracking
10. Children's Privacy
11. Changes to This Policy
12. Contact Us

1. Overview

Nudge ("we", "us", or "our") is a Shopify application that adds AI-personalised checkout blocks, a post-purchase engagement game, and conversion analytics to Shopify stores. This Privacy Policy explains what personal data we collect, why we collect it, how it is used, and the rights available to merchants and their customers.

By installing and using Nudge, the merchant ("you") agrees to the practices described in this policy. If you do not agree, please uninstall the application.

Nudge acts as a data processor on behalf of the merchant, who is the data controller for their customers' personal data. Merchants are responsible for ensuring their use of Nudge complies with applicable data protection laws in their jurisdiction.

2. Data We Collect

2.1 Merchant Account Data

When you install Nudge we receive and store:

Your Shopify store domain and shop identifier
OAuth access token required to operate the app on your behalf
Billing and subscription status (plan name, subscription ID)
App configuration and settings you create (block content, AI rules, game settings)
AI provider API keys you optionally supply (Anthropic, OpenAI, Google Gemini) — stored encrypted at rest

2.2 Shopper / End-Customer Data

When a shopper interacts with your checkout or post-purchase page, Nudgemay receive and transiently process:

Customer ID (Shopify GID, if the shopper is logged in)
First name, last name (for AI personalisation context only)
Country code and city (for localisation and AI context)
Cart contents: product titles, variants, quantities, and prices
Order history: up to 100 prior orders (titles, amounts, dates) for logged-in customers
IP address (used to derive an anonymous session key; not stored in plaintext)
Post-purchase game interactions: swipe choices linked to an anonymous session key
Email address, if provided during a game reward redemption flow

2.3 Analytics Data

Block impression records: block type, session key (hashed), date, whether AI personalisation was applied
Order analytics: order ID, order value, currency, which blocks were shown, upsell acceptance
AI + Game session counts per shop per month (for plan limit enforcement)

2.4 Support & Enquiry Data

Support messages submitted through the in-app help form (type, subject, message, optional email)
Custom plan enquiries submitted via the contact form (business name, email, business details)

3. How We Use Data

Purpose	Data used	Legal basis
Deliver checkout blocks to shoppers	Block settings, shop identifier	Contract performance
AI personalisation of block content and placement	Cart contents, order history, customer name and location	Legitimate interests / contract
Post-purchase game rewards (gift cards, discount codes)	Session key, customer email, Shopify admin API	Contract performance
Plan limit enforcement	Anonymised session counts per shop per month	Contract performance
Analytics dashboard shown to the merchant	Impression records, order analytics	Legitimate interests
Billing and subscription management	Shop domain, Shopify billing API	Contract performance
Security, fraud prevention, rate limiting	IP address, shop domain	Legitimate interests
Responding to support requests and enquiries	Support messages, contact form submissions	Legitimate interests
Improving the application	Aggregated, anonymised usage data	Legitimate interests

Shopper data passed to AI providers for personalisation is used solely to generate a response for that individual request. It is not used to train AI models, build advertising profiles, or shared with any other party.

4. Data Sharing & Third Parties

We do not sell personal data. We share data only with the sub-processors listed below, and only to the extent necessary to deliver the service.

Sub-processor	Purpose	Data shared	Location
Shopify Inc.	Store authentication, billing, order data API	Store domain, access token, order history queries	USA / Global
Cloud infrastructure provider	Persistent storage and hosting of all app data	All data described in Section 2	USA
Anthropic PBC	AI personalisation (if Anthropic is the active provider)	Cart contents, order history, customer name & location	USA
OpenAI LLC	AI personalisation (if OpenAI is the active provider)	Cart contents, order history, customer name & location	USA
Google LLC	AI personalisation (if Gemini is the active provider)	Cart contents, order history, customer name & location	USA / Global
Content delivery network	CDN delivery of merchant-uploaded product images	Image files only — no personal data	Global edge network

Shopper data is sent to an AI provider only when Nudge Assist is enabled on a block and a session is within the plan's AI session allowance. Merchants on the Spark plan (no AI) have no shopper data transmitted to AI providers. Merchants who supply their own API key control which provider is used.

We may disclose data if required by law, court order, or to protect the rights, property, or safety of Nudge, its users, or the public.

5. Data Retention

Data type	Retention period
Merchant account, settings, subscription	Duration of app installation + 30 days after uninstall
AI session usage records (UsageSession)	3 months (automated cleanup runs daily)
Block impression records	90 days (automated cleanup runs daily)
Order analytics	Duration of app installation
Error logs	60 days (automated cleanup runs daily)
Game rewards and outcomes	Duration of app installation
Support messages and enquiries	2 years or until you request deletion
Shopper data sent to AI providers	Not stored by us — transmitted per-request only; subject to each provider's retention policy

Upon uninstall, we delete all personally identifiable merchant and shopper data within 30 days, in compliance with Shopify's Partner Program requirements. Aggregated, non-identifiable analytics data may be retained longer for service improvement purposes.

6. Security

We implement industry-standard technical and organisational measures to protect personal data, including:

All data in transit is encrypted using TLS 1.2 or higher
All data at rest is encrypted by our database host
AI provider API keys are stored encrypted and never returned in full to the client (only masked hints are displayed)
Shopify session tokens are verified using HMAC-SHA256 with constant-time comparison before any privileged action
Per-shop rate limiting is applied to all public API endpoints
Access to production infrastructure is restricted to authorised personnel only

No method of transmission or storage is 100% secure. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.

7. Merchant Rights

As a merchant (data controller), you have the right to:

Access — request a copy of the personal data we hold about your store and account
Rectification — update or correct your account data at any time through the app settings
Erasure — request deletion of your data by uninstalling the app or contacting us directly; we will process deletion within 30 days
Portability — request an export of your configuration data in a machine-readable format
Restriction — request that we restrict processing of your data in certain circumstances
Objection — object to processing based on legitimate interests

To exercise any of these rights, contact us at info@tactech.tech. We will respond within 30 days.

8. Shopper / End-Customer Rights

Shoppers whose data is processed via Nudge should direct privacy requests to the merchant (the store they purchased from), as the merchant is the data controller for their personal data.

If a shopper believes their data has been mishandled and cannot resolve it with the merchant, they may contact us at info@tactech.tech and we will assist in facilitating a resolution.

Shoppers in the European Economic Area (EEA) and United Kingdom have additional rights under GDPR / UK GDPR, including the right to lodge a complaint with their local supervisory authority. California residents have rights under CCPA, including the right to know, delete, and opt-out of the sale of personal information (we do not sell personal information).

9. Cookies & Tracking

The Nudge admin application (this website and the Shopify embedded app) uses strictly necessary session cookies required for authentication with Shopify. No advertising, analytics, or third-party tracking cookies are set.

The checkout extension and post-purchase extension run inside Shopify's checkout iframe and do not set cookies independently. Session keys used for rate limiting and deduplication are derived from existing Shopify-provided identifiers and are not persisted as cookies.

10. Children's Privacy

Nudge is a business-to-business service intended for Shopify merchants. We do not knowingly collect personal data from children under the age of 13 (or the applicable age of digital consent in your jurisdiction). If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable legal requirements. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify you by email or through a notice in the Nudgeadmin interface.

Continued use of Nudge after changes become effective constitutes your acceptance of the revised policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: info@tactech.tech
Subject line: "Privacy Policy — [your store domain]"

Have a privacy question?

We typically respond within 2 business days.

Contact privacy team →