This privacy statement describes how our app (“the App”) processes personal data when it is installed on a Shopify store (“the Store”).
The App is provided to Shopify merchants by Targetta OÜ. When we process information about customers of a Store, we do so as a processor (or service provider) on behalf of the merchant, who acts as the controller (or business) of that customer data.
When a merchant installs and configures the App on their Shopify store, we receive and process:
Shop domain (for example, example-shop.myshopify.com)
Shop contact details, such as:
The primary shop or administrative email address (for example, the store owner’s or admin’s email)
Other contact information that Shopify exposes to apps or that the merchant provides to us (for example, during onboarding or support interactions)
App configuration and preferences, such as:
Feature flags and options selected in the App
Filters, date ranges, and other analytics settings
Billing or subscription information necessary to operate the App, such as:
Plan type and billing status
Subscription start/end dates
Billing contact details, where applicable
We use the shop’s administrative email address and related contact details only for operational purposes, including:
Providing access to App features (for example, sending login or verification links, if applicable)
Informing the merchant when requested exports or reports (such as responses to Shopify’s customers/data_request webhooks) are ready
Sending important service notices (for example, security incidents, breaking changes, deprecations, or other critical updates about the App)
Providing support and responding to merchant inquiries
We do not use the shop’s administrative email address for marketing emails unrelated to the App unless the merchant has separately consented to receive such communications, where required by law.
To provide analytics and reporting, we may receive order-level data from Shopify, including:
Order identifiers
Product identifiers and quantities
Order timestamps
Order-level monetary amounts (for example, item prices, taxes, discounts, shipping amounts)
Other order-level attributes, as exposed by Shopify and scoped by the merchant’s app permissions
Customer identifiers (via Shopify)
To calculate per-customer analytics, we may receive a Shopify customer identifier (for example, a GID such as gid://shopify/Customer/1234567890). We do not store this identifier directly. Instead, we compute a one-way cryptographic hash of it under a secret value (a keyed hash; the “salt” below) and store only the resulting value (our internal “customer ID”).
The salt is stored separately from our analytics data and access to it is restricted. Keeping it secret is what makes the hash one-way in practice: Shopify customer identifiers are numeric values drawn from a limited, predictable space, so a hash computed without a secret could be reversed simply by hashing candidate identifiers and comparing. With the secret, the same customer still maps to the same internal ID, which allows us to associate events with that customer without storing the raw identifier.
Although this process reduces identifiability, the resulting data remains pseudonymized (not anonymous). Anyone holding both the secret and the analytics data, or with enough additional information, may still be able to identify individuals indirectly.
The App does not store customer passwords, payment card numbers, or other payment instrument details. Payment processing is handled by Shopify and/or the merchant’s payment provider.
Some data we process for analytics (such as timestamps, order values, and geographic indicators) may constitute personal data under applicable law when combined or analyzed, even if it does not directly identify an individual.
Like most cloud‑hosted services, we maintain standard access and application logs for the App and its underlying infrastructure. These logs might include:
IP addresses and timestamps
URLs or API endpoints accessed
HTTP status codes and error messages
User agent and basic device or browser information
We use these logs for purposes such as:
Operating, securing, and monitoring the App
Detecting and investigating abuse or technical issues
Debugging and performance analysis
We retain access and application logs (which may include IP addresses and other technical identifiers that can qualify as personal data) for a limited period, typically up to 90 days, unless longer retention is required for security investigations, fraud prevention, or to comply with legal obligations.
We also maintain separate audit and activity logs related to how merchants and their authorized users access and use the App’s features. These logs can include:
The shop domain (for example, example-shop.myshopify.com)
A masked or partially redacted username or email (for example, m***m@s*y.c*m), where available
Timestamps and descriptions of key actions in the App (for example, configuration changes, export requests, or access to specific reports)
We use these logs to:
Provide an audit trail for merchants (for example, who changed a setting and when)
Detect and prevent fraud, abuse, and unauthorized access
Support security monitoring and incident response
These audit and activity logs are stored separately from our main analytics datasets and are retained only for as long as reasonably necessary to support the security, integrity, and proper functioning of the App.
We take reasonable steps to reduce the risk of sensitive information being written to logs, including implementing log‑sanitization measures that are designed to detect and mask common patterns for secrets and credentials (such as API tokens).
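The masking described above, as an added example that is not the App’s own code: a small log sanitizer that replaces Shopify access tokens and bearer credentials outright and partially redacts e-mail addresses in the m***m@s*y.c*m style used in the audit logs. The Shopify token prefix shpat_ (and shpca_, shppa_, shpss_) is real; the minimum token width, the header layouts matched, and the exact masking rule for e-mail addresses are assumptions, as are the sample log lines, which are constructed for the example.

```python
import re

# Constructed patterns for credentials that must never survive in a log line.
# Shopify Admin API access tokens start with shpat_ (others: shpca_, shppa_, shpss_);
# the hex-width floor is an assumption, not a Shopify-documented format.
# Header patterns run first so a token inside a header counts as one hit, not two.
SECRET_PATTERNS = [
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[^\s\"',]+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)(x-shopify-access-token:\s*)[^\s\"',]+"), r"\1[REDACTED]"),
    (re.compile(r"\bshp(?:at|ca|pa|ss)_[0-9a-fA-F]{16,}\b"), "[REDACTED]"),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _mask_label(label: str) -> str:
    """Keep first and last character of a domain label: shopify -> s*y (assumed rule)."""
    return label if len(label) <= 2 else label[0] + "*" + label[-1]


def mask_email(email: str) -> str:
    """Partial redaction in the m***m@s*y.c*m style: local part keeps its first and
    last character, every domain label likewise. Enough to attribute an audit entry,
    not enough to reconstruct the address."""
    local, domain = email.split("@", 1)
    masked_local = local[0] + "***" + local[-1] if len(local) > 2 else "***"
    return masked_local + "@" + ".".join(_mask_label(lab) for lab in domain.split("."))


def sanitize_log_line(line: str) -> tuple[str, int]:
    """Return (sanitized line, number of credential hits). A non-zero hit count is
    itself a signal: a secret reached the logging path and the caller should be fixed."""
    hits = 0
    for pattern, replacement in SECRET_PATTERNS:
        line, n = pattern.subn(replacement, line)
        hits += n
    line = EMAIL_RE.sub(lambda m: mask_email(m.group(0)), line)
    return line, hits


def sanitize_all(lines):
    """Sanitize a batch; returns (sanitized lines, total credential hits)."""
    out, total = [], 0
    for raw in lines:
        clean, n = sanitize_log_line(raw)
        out.append(clean)
        total += n
    return out, total


# Constructed sample lines, not real traffic.
LOG_SAMPLE = [
    "POST /webhooks/customers/redact 200 shop=example-shop.myshopify.com user=merchant@shopify.com",
    "DEBUG outbound headers: X-Shopify-Access-Token: shpat_0123456789abcdef0123456789abcdef",
    'ERROR upstream 401 body={"token":"shpat_deadbeefdeadbeefdeadbeef"}',
]
```

Run over LOG_SAMPLE, the first line keeps its shop domain but masks the address to m***t@s*y.c*m, and the two token occurrences are replaced, giving a hit count of 2 that can be routed to monitoring.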
We use the information described above to provide analytics and reporting functionality to the merchant, for example:
Calculating order counts, sales, taxes, shipping amounts, and related metrics.
Aggregating results by product, date, or other dimensions configured by the merchant.
Providing per-customer analytics to the merchant (such as number of orders or total spend) where the merchant has configured the App to enable customer-level reporting.
Per-customer analytics in our internal systems are keyed by a hashed customer identifier derived from the Shopify customer ID. This allows us to group events that belong to the same customer without storing the raw Shopify customer ID in our analytics database.
Where required by law (for example, for merchants established in the EU/EEA or UK), we rely on the following legal bases for processing:
Performance of a contract – to provide the App’s functionality to the merchant under our terms of service.
Legitimate interests – to maintain and improve the App, prevent fraud and abuse, and secure our services.
Customer data access (customers/data_request)
When we receive a customers/data_request webhook from Shopify, we:
Verify the authenticity of the request using Shopify’s HMAC signature: we recompute the HMAC-SHA256 of the raw request body with our app’s client secret and compare it, in constant time, with the value Shopify sends in the X-Shopify-Hmac-Sha256 header. Requests that fail this check are rejected before any data is read, exported, or deleted.
Use the Shopify customer ID provided in the webhook payload to compute our internal hashed customer identifier.
Query our analytics database for all records associated with that internal customer identifier for the requesting Store.
Prepare those records (for example, as a downloadable file) so that the merchant can access and, if needed, provide them to the customer as part of the merchant’s response to the data access request.
We do not send data directly to end customers; instead, we make the relevant records available to the merchant through the App.
Customer data erasure (customers/redact)
When we receive a customers/redact webhook from Shopify, we:
Verify the authenticity of the request using Shopify’s HMAC signature.
Use the Shopify customer ID provided in the webhook payload to compute our internal hashed customer identifier.
Delete any and all analytics records in our systems that are associated with that internal customer identifier for the requesting Store, within the required time window. This includes per-customer order-level and line item-level data that we store for analytics purposes.
As a result, the metrics we provide to the merchant (for example, order counts, revenue, or tax totals) might change over time, because our analytics no longer include contributions from the deleted customer. From the perspective of the analytics dataset maintained by the App, it is as if the deleted customer’s activity had not been recorded.
Shop data erasure (shop/redact)
When we receive a shop/redact webhook (for example, after a merchant uninstalls the App), we:
Verify the authenticity of the request using Shopify’s HMAC signature.
Delete all analytics data associated with that Store from our systems within the required time window, including any per-customer analytics keyed by our internal hashed identifiers.
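The three webhook procedures above, together with the keyed customer-ID hashing described earlier, as one added example that is not the App’s own code. It assumes an in-memory stand-in for the analytics database (AnalyticsStore), two constructed secrets (the app client secret and a separate pseudonymization key), and that the pseudonym is scoped to the shop domain, which is a design choice of this example rather than something the statement specifies. The signature mechanism (base64 of HMAC-SHA256 over the raw body, sent in X-Shopify-Hmac-Sha256) and the customer.id / shop_domain fields of the payloads are Shopify’s documented shape; the payloads themselves are constructed. It also shows one edge case worth handling: Shopify exposes the same customer as a GID in GraphQL and as a bare integer in the compliance webhooks, so the hash must be computed over a canonical form or a redact request will miss rows ingested under the other form.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed secrets for the example. In production these are two separate secrets,
# stored and access-controlled independently of each other and of the analytics data.
APP_CLIENT_SECRET = b"example-app-client-secret"
PSEUDONYM_KEY = b"example-pseudonymization-key-kept-apart-from-analytics"

_GID_RE = re.compile(r"^gid://shopify/Customer/(\d+)$")


def shopify_mac(raw_body: bytes, secret: bytes) -> str:
    """Shopify's webhook signature: base64(HMAC-SHA256(client secret, raw request body))."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def verify_shopify_hmac(raw_body: bytes, header_value: str, secret: bytes = APP_CLIENT_SECRET) -> bool:
    """Constant-time comparison against X-Shopify-Hmac-Sha256, over the raw bytes as
    received: re-serialised JSON would not reproduce the same MAC."""
    return hmac.compare_digest(shopify_mac(raw_body, secret), header_value)


def canonical_customer_id(cid) -> str:
    """Accept gid://shopify/Customer/N (GraphQL) or bare N (REST, compliance webhooks)."""
    s = str(cid)
    m = _GID_RE.match(s)
    if m:
        s = m.group(1)
    if not s.isdigit():
        raise ValueError(f"not a Shopify customer id: {cid!r}")
    return s


def internal_customer_id(shop_domain: str, cid, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way pseudonym (HMAC-SHA256). An unkeyed hash of a numeric ID is
    reversible by enumeration; scoping to the shop (assumed) blocks cross-store linkage."""
    msg = f"{shop_domain}\x00{canonical_customer_id(cid)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AnalyticsStore:
    """In-memory stand-in for the analytics database; rows carry only the pseudonym."""

    def __init__(self):
        self.rows = []

    def record_order(self, shop, customer_ref, order_id, total_price):
        self.rows.append({"shop": shop, "customer": internal_customer_id(shop, customer_ref),
                          "order_id": order_id, "total_price": total_price})

    def rows_for_customer(self, shop, internal_id):
        return [r for r in self.rows if r["shop"] == shop and r["customer"] == internal_id]

    def delete_customer(self, shop, internal_id) -> int:
        keep = [r for r in self.rows if not (r["shop"] == shop and r["customer"] == internal_id)]
        deleted, self.rows = len(self.rows) - len(keep), keep
        return deleted

    def delete_shop(self, shop) -> int:
        keep = [r for r in self.rows if r["shop"] != shop]
        deleted, self.rows = len(self.rows) - len(keep), keep
        return deleted


def handle_compliance_webhook(store, topic: str, raw_body: bytes, hmac_header: str):
    """Verify first, parse second, act third: an unverifiable request must do nothing."""
    if not verify_shopify_hmac(raw_body, hmac_header):
        raise PermissionError("X-Shopify-Hmac-Sha256 mismatch")
    payload = json.loads(raw_body)
    shop = payload["shop_domain"]
    if topic == "customers/data_request":
        return store.rows_for_customer(shop, internal_customer_id(shop, payload["customer"]["id"]))
    if topic == "customers/redact":
        return store.delete_customer(shop, internal_customer_id(shop, payload["customer"]["id"]))
    if topic == "shop/redact":
        return store.delete_shop(shop)
    raise ValueError(f"unexpected topic {topic!r}")


def demo() -> dict:
    shop = "example-shop.myshopify.com"
    store = AnalyticsStore()
    store.record_order(shop, "gid://shopify/Customer/1234567890", 1001, "42.00")  # ingested as GID
    store.record_order(shop, "gid://shopify/Customer/1234567890", 1002, "13.50")
    store.record_order(shop, 7777, 1003, "99.99")
    body = json.dumps({"shop_domain": shop, "customer": {"id": 1234567890}}).encode()  # constructed
    out = {}
    try:  # forged signature: rejected before anything is read or deleted
        handle_compliance_webhook(store, "customers/redact", body, shopify_mac(body, b"wrong"))
        out["forged_rejected"] = False
    except PermissionError:
        out["forged_rejected"] = True
    sig = shopify_mac(body, APP_CLIENT_SECRET)
    out["access_rows"] = len(handle_compliance_webhook(store, "customers/data_request", body, sig))
    out["redacted_rows"] = handle_compliance_webhook(store, "customers/redact", body, sig)
    out["remaining_rows"] = len(store.rows)
    shop_body = json.dumps({"shop_domain": shop, "shop_id": 1}).encode()  # constructed
    out["shop_redacted"] = handle_compliance_webhook(store, "shop/redact", shop_body, shopify_mac(shop_body, APP_CLIENT_SECRET))
    return out
```

demo() records two orders for a customer under its GID and one for another customer, then shows the forged request being refused, the data_request returning both rows for the numeric ID from the webhook, the redact removing exactly those two rows, and shop/redact removing what remains.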
We retain analytics data for as long as the merchant uses the App, unless we receive a valid deletion request via Shopify’s compliance webhooks.
We may periodically review our retention practices and, where appropriate, delete or aggregate older data that is no longer necessary for providing the App.
When we receive a customers/redact request for a specific customer, we delete all analytics records associated with that customer for the relevant Store.
When we receive a shop/redact request, we delete all analytics data associated with that Store.
Because we actively delete per-customer records when instructed to do so, the aggregate analytics (such as total orders or sales figures) visible in the App may change over time as customers exercise their data protection rights.
The App is not designed or intended to serve as a system of record for legal, accounting, or tax purposes. We do not retain transactional data for the purpose of satisfying statutory record-keeping requirements. Merchants are responsible for maintaining their own accounting and tax records outside of the App.
If you are a customer of a Shopify store that uses the App and you wish to exercise your privacy rights (such as the right to access or delete your personal data), you should contact the store owner (merchant) directly.
When a store owner initiates a data request through Shopify (for example, using Shopify’s tools to request data access or data erasure), Shopify sends us the corresponding compliance webhooks (customers/data_request, customers/redact, and/or shop/redact). We then process the data we hold in accordance with this privacy statement and our agreement with the merchant.
We use technical and organizational measures to protect the data we process, including:
Limiting access to production systems to authorized personnel.
Using HTTPS/TLS for communication with Shopify APIs and the merchant’s browser.
Verifying Shopify webhook events using Shopify’s HMAC mechanism before acting on them.
Using one-way cryptographic hashes for internal per-customer identifiers in our analytics database, rather than storing raw Shopify customer IDs.
To provide intelligent insights, natural‑language narration, and automated reporting, the App uses Large Language Models (“LLMs”) and other generative AI services. We apply the following privacy‑first AI principles to protect your data:
We use enterprise-grade AI API services configured not to use customer data to train shared or global models. Data is processed only to generate responses (inference), in accordance with our providers’ enterprise commitments.
We do not expose the raw Shopify Admin API or your full analytics database directly to AI providers. Instead:
For query generation, we provide a sanitized “Analytics Schema” that describes the structure of your analytics data (for example, table names, column names such as order_date, total_price, shipping_country, and their meanings). The LLM uses this schema to generate SQL queries or similar instructions, but doesn’t receive full tables or arbitrary dumps of your data.
For narration and explanations (for example, when you click “Explain what I see”), we send only the limited slice of analytics results that is needed to describe the specific report or visualization you are viewing—such as a summary table of revenue by country, a cohort matrix, or a small list of recent orders with fields like order_date, total_price, shipping_country, product or variant identifiers, and hashed customer identifiers.
We do not send directly identifying information (such as customer names, email addresses, postal addresses, payment details, or raw Shopify customer IDs) to AI providers.
In limited cases, the data shared (such as aggregated or pseudonymized analytics results) may still qualify as personal data under applicable law.
Data is sent to AI providers only when you explicitly trigger an AI‑driven feature within the App, such as:
Generating or refining an analytics query in natural language
Requesting a narrative explanation of a specific chart, table, or report
In those cases, the relevant schema information and/or limited analytics results are processed by the AI provider to return an immediate response. We don’t use AI providers to run broad, background processing on your data outside of these explicit requests.
To improve the accuracy and reliability of our AI features, we may occasionally use sanitized, non‑identifiable portions of your analytics schema and example outputs (for example, table and column names, aggregate metrics, or de‑identified summaries) to:
Debug failed or incorrect queries
Refine our internal system prompts and templates
This work is done in a controlled environment, does not involve raw customer‑level identifiers such as names or emails, and remains subject to the same non‑training protections described above.
If you request technical support related to AI‑generated reports or insights, our personnel may review:
The SQL queries, prompts, or analytics configurations generated for your store, and
The corresponding AI outputs (for example, narrative explanations of a cohort report), solely for the purpose of diagnosing and resolving your issue. We don’t use this information for unrelated purposes, such as advertising or profiling, and access is restricted to authorized personnel.
AI inputs and outputs may be temporarily processed and retained by our AI service providers for operational purposes (such as abuse monitoring or system reliability) in accordance with their policies. We do not use AI providers to store or build long-term profiles about merchants or their customers.
We apply data minimization principles to ensure that only the smallest necessary subset of data is shared with AI providers for each request.
The App and its analytics are not intended for use as a system of record for legal, accounting, or tax purposes.
Because we respect customer data deletion requests and actively remove per-customer analytics data when instructed (for example, via Shopify’s customers/redact and shop/redact webhooks), the aggregated results and statistics shown by the App may change over time.
Merchants must not rely on the App’s analytics as their sole source of truth for legal, accounting, or tax reporting, and should maintain their own records and backups independently of the App.
Google Cloud (GCP): Primary Hosting, Data Storage, & Infrastructure [US/EU]
AWS / IBM Cloud: Redundant Infrastructure & Background Processing [US/EU/UK]
OpenAI (GPT): Analysis & Narration (Non-training Tier) [GLOBAL]
Brevo: Customer support and marketing (subject to appropriate consent) [EU]
Where personal data is transferred outside the European Economic Area (EEA), we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent legal mechanisms.
Revision 2026-04-10