Privacy Policy

Last updated: March 5, 2026

Social Plug ("we", "our", or "the App") is a Shopify app that lets merchants display social media icons and embedded content on their online stores. This policy explains what data the App collects, why, and how it is handled.

1. Data We Collect

From Merchants (store owners who install the App):

Shopify store domain (e.g., yourstore.myshopify.com)
Social media usernames you enter in settings (Threads, Instagram, etc.)
Display preferences and configuration choices
Email address (if you opt in to weekly analytics reports)

From Storefront Visitors (your customers):

Which social icon was clicked and on which product page
Approximate geographic location (country and city), derived from IP address
Timestamp of the click

What we do NOT collect:

Customer names, email addresses, or account information
Payment or financial information
Browsing history beyond social icon clicks
Cookies or cross-site tracking data

2. How We Use Data

Click analytics — aggregated click data is shown to merchants in their dashboard so they can understand which social platforms drive the most engagement.
Weekly reports — if a merchant opts in, we send a summary email with click totals for the past week.
App functionality — social usernames and display settings are used to render icons and feeds on the storefront.

3. IP Address Handling

When a storefront visitor clicks a social icon, we briefly read their IP address to determine approximate country and city. The IP is then anonymized (last octet zeroed for IPv4) before anything is stored. The full IP address is never written to our database.

4. Data Sharing

We do not sell, rent, or share any collected data with third parties. Click analytics are visible only to the merchant who owns the store. The only external service we use is Resend for sending optional weekly report emails.

5. Data Retention

Click event data is retained for up to 12 months, then automatically purged.
Merchant configuration is retained for as long as the App is installed.
When a merchant uninstalls the App, all associated data (sessions, configuration, click events, and daily metrics) is permanently deleted via our SHOP_REDACT webhook handler.

6. GDPR & Data Rights

Since we do not store personal customer data (no names, emails, or identifiable information), there is generally no customer personal data to access, correct, or delete. However, we fully support Shopify's mandatory GDPR webhooks:

Customer Data Request — we confirm no customer PII is held.
Customer Redact — acknowledged; no customer data to erase.
Shop Redact — all merchant data is permanently deleted.

Merchants can contact us at any time to request a full export or deletion of their data.

7. Security

All data is transmitted over HTTPS. Admin endpoints require Shopify session authentication. Public endpoints are rate-limited and validated against known installed stores. We follow Shopify's security best practices for app development.

8. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top will reflect any changes. Continued use of the App after changes constitutes acceptance of the updated policy.

9. Contact

If you have questions about this privacy policy or your data, please contact us at: support@codeformarley.com