Privacy policy — Product Recommendations

DRAFT. This privacy policy is a draft pending legal review. It has not been finalized and should not be relied on for compliance decisions. The final version will replace this page before the app is listed on the Shopify App Store.

Last updated: DRAFT, not yet published.

This policy describes how Nacelle (“Nacelle”, “we”, “us”) collects, uses, and shares information in connection with the Product Recommendations Shopify app (the “App”). It covers the App only; Nacelle's other Shopify apps each have their own privacy policy linked from help.nacelle.com.

Who this policy is for

“Merchant” means a Shopify store owner or staff member who installs and configures the App from the Shopify App Store. “Shopper” means an end customer who visits the merchant's storefront and may see the recommendation carousel the App renders.

Merchants are our direct customers. Shoppers are customers of the merchant. We do not have a direct relationship with shoppers.

Personal information we collect

From merchants

When a merchant installs and uses the App, we collect:

Shop identifiers: the Shopify shop domain (e.g. example.myshopify.com) and a Shopify-issued OAuth access token that authorizes the App to act on the shop's behalf.
Shop profile information provided by Shopify: the merchant's name, email address, store currency, country, and other store-level metadata returned by Shopify's API during install.
Product catalog data: product titles, descriptions, images, prices, variants, and availability, retrieved from Shopify so the App can surface recommendations.
App configuration: settings the merchant chooses in the App (brand-voice copy, carousel placement, visual preferences, etc.).
Support correspondence: messages the merchant sends us through the contact form or to support@nacelle.com, and our replies.

From shoppers

We do not intentionally collect personal information about shoppers. When a shopper views a page where the App's carousel is rendered, the App receives anonymous, session-scoped interaction events — for example, which products were viewed, added to cart, or clicked within the carousel — so that it can render relevant recommendations.

These events are tied to a short-lived session identifier, not to a named person, email address, or other direct identifier. We do not collect shopper names, email addresses, shipping addresses, payment information, or order-history linked to an identifiable person.

Automatic technical data

Our servers automatically log technical information when the App is used — for example, IP addresses, user-agent strings, timestamps, and request paths — for security, abuse prevention, and debugging. We treat IP addresses as personal information under applicable law.

How we use personal information

We use the information described above to:

Provide, operate, and improve the App.
Render product recommendations in the merchant's storefront.
Authenticate requests to Shopify's API on the merchant's behalf.
Respond to merchant support requests.
Monitor the App for security issues, prevent abuse, and debug errors.
Comply with our legal obligations, including responding to Shopify's mandatory GDPR webhooks.

We do not sell personal information, and we do not use it for advertising purposes.

How we share personal information

We share personal information only with:

Shopify, as required to operate as a Shopify app and to send and receive data covered by the merchant's use of Shopify.
Service providers (subprocessors) that host and operate the App on our behalf. Each is bound by contract to use personal information only to provide services to us.
Authorities and others when required by law, for example in response to a valid subpoena, court order, or comparable legal process.
An acquirer, in the event of a merger, acquisition, financing, or sale of assets, subject to confidentiality and a continuation of this policy.

How long we keep personal information

We retain merchant information for as long as the merchant has the App installed, and for a limited period afterwards to comply with legal obligations and Shopify's data-deletion requirements.

When a merchant uninstalls the App:

We revoke and delete the Shopify OAuth access token immediately.
Shopify sends a shop/redact webhook 48 days after uninstall. When we receive it, we delete the shop's configuration and any remaining shop-scoped data from our systems.
If Shopify sends a customers/redact webhook for a specific shopper, we delete any data we hold about that shopper. In practice, because we do not store shopper-identifying data, this typically confirms that no such data exists.

Aggregated or de-identified data that cannot reasonably be linked to an individual may be retained for analytics and product improvement.

Your rights

Depending on where you live, you may have rights under laws such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), including the right to access, correct, delete, or restrict our use of personal information we hold about you, and to object to certain processing.

Merchants can exercise these rights by emailing support@nacelle.com.

Shoppers should contact the merchant whose store they visited; that merchant is the data controller for their interaction with the storefront. We will assist the merchant in fulfilling valid requests.

Security

We use administrative, technical, and physical safeguards intended to protect personal information — including encryption in transit (TLS) and encryption at rest for stored data. No security measures are perfect, and we cannot guarantee the security of information.

Children

The App is not directed to children under 13 (or the equivalent minimum age in other jurisdictions), and we do not knowingly collect personal information from them.

Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date above and, for material changes, take additional steps required by law.

Contact us

For privacy questions, email support@nacelle.com or write to us at [Nacelle registered business address — pending].