Adalore Privacy Policy
Effective date: September 20, 2025
This Privacy Policy explains how Adalore ("Adalore", "we", "us", "our") collects, uses, and protects information when merchants install and use the Adalore Shopify app and its related extensions. It also explains our role relative to a merchant’s customers and how we meet Shopify’s platform and privacy requirements.
Contact: support@adalore.com
Mailing address: 3909 S Maryland Pkwy Ste 314 PMB 1 Las Vegas, NV 89119
1. Scope
This policy applies to:
- Merchants who install or use Adalore and its Checkout UI extension and web pixel integration.
- Data we process in connection with click and conversion attribution, billing, accounting, and support.
It does not apply to the data practices of Shopify or other third parties. Please review Shopify’s privacy documentation for information about its processing.
2. Roles and Responsibilities
- Merchant as Controller: For any data about a merchant’s end customers (for example, click or conversion events associated with a Shopify order), the merchant is the data controller. We process such data solely on the merchant’s instructions to provide the Services.
- Adalore as Processor: We act as the data processor for customer event data that the merchant causes to be sent to us.
- Adalore as Controller: We act as an independent controller for our own business records, such as merchant account data, operational logs, financial ledgers, and payout records.
3. Information We Collect
We design Adalore to operate without customer PII. The core functionality relies on IDs and metadata.
- Merchant Account Data (Controller).
  - Shopify shop domain, contact email, installation status, app configuration flags (e.g., publisher/advertiser enabled), pairing and creative approval statuses.
  - Shopify tokens and sessions required to operate the app (stored securely; see Security).
- Service Events (Processor).
  - Click events: generated click ID, campaign and participant identifiers (publisher/advertiser merchant IDs), timestamps. No customer PII.
  - Conversion events: Shopify order identifier (numeric or a GID reduced to numeric), order/commission amounts, timestamps, and the click ID. No customer names, emails, addresses, or line-item PII are required or stored.
- Billing and Accounting (Controller).
  - Usage charges (IDs returned by Shopify Billing), ledger entries for commissions and app fees, payout records for publishers/agents.
- Technical Metadata.
  - Standard HTTP request metadata (timestamps, user agent). We don’t purposely store IP addresses or device fingerprints in persistent domain data; transient logs may contain them and are retained only as needed for security/operations.
What We Don’t Collect
- We do not collect or store customer names, emails, postal addresses, phone numbers, or payment card details.
- We do not inject storefront script tags or place third-party cookies. Our extension and pixel run within Shopify’s sandboxed environments.
4. Sources of Data
- Shopify Admin APIs, app installation and OAuth flows, and Shopify webhooks.
- Shopify Checkout UI extension and Web Pixel events configured by the merchant.
- Our app and API endpoints called from Shopify Admin, Checkout, or Order Status surfaces.
5. How We Use Information
- Provide and operate the service: serve placements, perform click redirects, attribute conversions, compute commissions, and reconcile billing and payouts.
- Improve reliability and security: monitor performance, detect and prevent fraud/abuse, debug issues.
- Comply with legal, regulatory, platform, and accounting obligations.
6. Legal Bases (EEA/UK)
- Processor activities: performed under the merchant’s instructions (controller–processor).
- Controller activities: performance of a contract (merchant relationship), legitimate interests (fraud prevention, service reliability), and legal obligations (financial record retention).
7. Retention
- Operational data (pairings, creatives, clicks, conversions) is retained for the period needed to provide the service and to audit commissions.
- Ledger and payout records are retained as required by applicable accounting and tax laws.
- Upon uninstall or shop/redact (Shopify privacy webhook), we deactivate the shop, purge operational data, and retain only accounting records or minimal “accounting-only” merchant identifiers required for legal compliance.
8. Sharing and Transfers
- Shopify: We exchange data with Shopify via APIs and hosted flows (OAuth, billing, webhooks, pixels).
- Subprocessors/Service Providers: Hosting (e.g., Vercel), managed databases (e.g., Postgres/Neon), logging/monitoring, and payout processors (e.g., Stripe). We bind providers via appropriate data protection terms.
- No Sale: We do not sell or rent personal data. We do not "share" personal information for cross-context behavioral advertising under California law.
- Cross-border Transfers: Where hosting or subprocessors are located outside your region, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) where required.
9. Security
- Encryption in transit (HTTPS) and at rest where supported by our infrastructure.
- Secrets management, least-privilege access, and monitoring for anomalous behavior.
- Embedded app session tokens (Shopify App Bridge v4); HMAC verification for webhooks; opinionated CORS and CSP on public endpoints.
10. Data Subject Rights
Because we process customer event data on behalf of merchants, requests from data subjects regarding customer data should be directed to the relevant merchant. We honor Shopify mandatory privacy webhooks:
- customers/data_request, customers/redact, shop/redact — we log, act on, and/or purge operational data pursuant to the webhook.
For business contact data we control (merchant user information), you may have rights under applicable law (for example, GDPR/UK GDPR):
- Rights of access, rectification, erasure, restriction, portability, and objection. To exercise these rights, contact us at support@adalore.com. We may need to verify your identity and the relationship to the relevant shop.
California (CCPA/CPRA):
- We do not sell or share personal information. We use personal information for business purposes described above.
- You may request access or deletion of your business contact information by emailing support@adalore.com. We will not discriminate against you for exercising your rights.
11. Children’s Data
Our Services are B2B and not directed to children. We do not knowingly process children’s personal data.
12. International Transfers
If information is transferred across borders, we use appropriate safeguards where required by law and ensure our subprocessors provide adequate protections.
13. Changes to This Policy
We may update this policy to reflect operational, legal, or regulatory changes. We will update the “Effective date” above and, where required, provide notice.
14. Contact
Adalore
support@adalore.com
3909 S Maryland Pkwy Ste 314 PMB 1 Las Vegas, NV 89119
Last reviewed: September 20, 2025
For details about how Adalore handles uninstall and GDPR webhooks, see the project’s data lifecycle guide.