Privacy Policy

Last updated: 2026-04-26

1. Who we are

Rulehop ("we", "us", "our") operates the Rulehop Shopify App ("the App"). Contact: legal@rulehop.com.

2. Data we collect

The App collects only the following data from a merchant's Shopify shop:

• Shop identifiers (shop domain, Shopify shop ID, currency, plan name) provided by Shopify during OAuth.
• Authenticated session tokens issued by Shopify, used solely to call Shopify Admin APIs on the merchant's behalf.
• Discount-rule definitions written by the merchant inside the App admin UI. These are stored as JSON metafields on the merchant's shop, plus an encrypted copy of the original Ruby Script source (where the merchant pasted one) for migration audit.
• Operational logs and error traces (no PII other than shop domain).

The App does not collect end-customer PII. Discount rules reference customer-tag names; the actual tag values and customer records remain in the merchant's Shopify admin and are never copied to our database.

3. How we use data

• To install and operate the App on the merchant's Shopify shop.
• To compile merchant-authored discount rules into Shopify Functions.
• To diagnose errors and respond to support requests.
• To comply with Shopify's GDPR webhooks and Partner Program terms.

4. Subprocessors

We use the following third-party services to operate the App. Each one processes only the data necessary for its role:

• Anthropic (US) — LLM inference for the Script-to-rule migration. We send the merchant-pasted Ruby Script source and receive a structured rule. No customer PII is sent.
• Fly.io (US) — application hosting and runtime compute.
• Neon (US) — managed Postgres database (encrypted at rest).
• Sentry (US) — error tracking and performance monitoring.
• Cloudflare (US) — DNS, CDN, and Pages hosting for this marketing site.
• Crisp (FR) — in-app live chat support (added in a later release; not active at launch).
• Loops (US) — transactional and lifecycle email for support and onboarding.
• Purelymail (US) — inbound and outbound email for rulehop.com mailboxes (support@, legal@, hello@).

5. Data retention

We retain shop and rule data for as long as the App is installed on a merchant's shop, plus 48 hours after uninstall to allow re-install restoration. After 48 hours, we cascade-delete all shop-scoped rows and crypto-shred the shop's data-encryption key (DEK), making any residual ciphertext unrecoverable.

6. GDPR webhooks

The App implements Shopify's three GDPR compliance webhooks:

• customers/data_request — returns "no customer data stored" because the App does not store customer-level data.
• customers/redact — no-op (no customer data to redact).
• shop/redact — no-op idempotent acknowledgement; the 48h cron has already purged shop data by the time Shopify fires this.

7. Your rights

Merchants and end-customers in scope of GDPR, CCPA, or similar regulations may exercise their rights to access, deletion, or rectification by emailing legal@rulehop.com. We respond within 30 days.

8. Changes to this policy

We will publish material changes to this page and update the "Last updated" date above. Subscribed merchants will additionally receive email notification.

9. Contact

Privacy / legal inquiries: legal@rulehop.com
Support: support@rulehop.com