THE small PRINT

Privacy Policy

Last updated March 21, 2024

Your privacy is important to us, and we are committed to protecting it. This Privacy Policy explains how we collect, use, and disclose your personal information when you visit our website.

What information do we collect?

When you visit our website, we may collect certain information about you, such as your name, email address, phone number, and any other information you choose to provide to us through contact forms or email communications.

We also collect information automatically through cookies and similar tracking technologies. This may include your IP address, browser type, operating system, referring URLs, and other usage information.

How do we use your information?

We may use the information we collect from you for the following purposes:

  1. To respond to your inquiries and provide customer support.
  2. To improve our website and services.
  3. To send you promotional emails about our services, special offers, or other information we think you may find interesting.
  4. To comply with legal and regulatory requirements.

Do we share your information?

We do not sell, trade, or otherwise transfer your personal information to third parties without your consent. However, we may share your information with trusted third parties who assist us in operating our website or conducting our business, as long as those parties agree to keep your information confidential.

We may also disclose your information when we believe it is appropriate to comply with the law, enforce our website policies, or protect our or others' rights, property, or safety.

How do we protect your information?

We take reasonable precautions to protect your personal information from unauthorized access, use, or disclosure. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

Your Consent

By using our website, you consent to the terms of this Privacy Policy.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page, and the date of the last update will be indicated at the top of the page.

Advanced Theme Preview ("we", "our", or "us") is a Shopify app built for development agencies and merchants. This policy explains what information we collect, why we collect it, how long we keep it, and how you can reach us.

Advanced Theme Preview

Advanced Theme Preview ("we", "our", or "us") is a Shopify app built for development agencies and merchants. This policy explains what information we collect, why we collect it, how long we keep it, and how you can reach us.

1. Information We Collect Through Shopify's APIs

When you install Advanced Theme Preview, we request access to your Shopify store through the Shopify OAuth flow. Through Shopify's APIs we collect and store:

  • Shop domain and Shopify store ID — to identify your store across sessions
  • Offline OAuth access token (encrypted at rest using AES-256-GCM) — to make authenticated Admin API calls on your behalf
  • Theme and template metadata (template names, IDs, handles) — to build the template index that powers preview sessions
  • Active Shopify billing subscription state — to enforce your plan limits

We do not read order data, customer personally identifiable information (PII), or payment data through the API.

2. Information We Collect Directly from Merchants

When you use the app we also collect:

  • Preview session configuration — names, template overrides, and expiry settings you create inside the app
  • Signed preview tokens — HMAC-SHA256 tokens we generate when you create shareable preview URLs, including the expiry timestamp and the resource overrides encoded in each token
  • Usage logs — server-side access logs (IP address, timestamp, endpoint, HTTP status code) retained for operational troubleshooting
  • Billing plan selection — which subscription tier you are on and the date it was activated

3. Information Collected from Your Storefront Visitors

When you install the Theme App Extension (storefront widget), the extension reads a preview token from the URL query string for visitors who open a shared preview link. No cookies, tracking pixels, or persistent identifiers are set on storefront visitors. The only data processed is:

  • The preview token present in the URL (validated server-side; discarded after validation)
  • Embed heartbeats — anonymous pings from active preview sessions used solely to determine whether a session is still in use (no visitor identity is stored)

We do not build profiles of your customers, use tracking technologies for advertising, or share storefront visitor data with any third party.

4. How We Use This Information

We use the data we collect exclusively to provide and operate the app:

  • Authenticating API requests between the app frontend and our backend
  • Generating, validating, and expiring shareable preview URLs
  • Enforcing plan limits via the Shopify Billing API
  • Diagnosing server errors and performance issues
  • Communicating critical service notices to the store owner email on file with Shopify

We do not sell, rent, or use your data for advertising, profiling, or any purpose unrelated to providing the Advanced Theme Preview service.

5. Data Retention

  • OAuth tokens and shop record — retained until you uninstall the app. We delete the shop record and all associated data within 48 hours of receiving the mandatory shop/redact webhook from Shopify.
  • Theme indexes — retained until you manually re-index or uninstall
  • Preview sessions and overrides — retained until you delete them or uninstall
  • Preview tokens — retained until the token expires (max 30 days) or you delete the session
  • Embed heartbeats — purged automatically after 24 hours of inactivity
  • Server access logs — rolling 30-day window
  • Billing records — 7 years, to satisfy accounting obligations

6. Data Sharing and Sub-processors

We share data only with the infrastructure providers required to run the service:

  • Render (render.com) — application hosting and PostgreSQL database, located in the United States
  • Shopify Inc. — app platform, billing, and API access, located in Canada with a global CDN

No other third parties receive your data. We do not use analytics services, advertising networks, or data brokers.

7. International Data Transfers

Our primary infrastructure is hosted in the United States (Render). If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to the US. We rely on Shopify's Data Processing Addendum and Render's Standard Contractual Clauses (SCCs) as the legal basis for these transfers.

We do not currently operate servers within Europe. If you require a Data Processing Agreement (DPA) for your own GDPR compliance obligations, please contact us at the address below.

8. Security

Access tokens are encrypted at rest using AES-256-GCM before being written to the database. API calls from the frontend are authenticated using Shopify App Bridge session tokens (short-lived JWTs). Preview share URLs are signed with HMAC-SHA256 and validated server-side on every request; expired tokens are rejected regardless of signature validity.

9. Your Rights

Depending on your jurisdiction you may have rights to access, correct, delete, or port the personal data we hold about you. To exercise any of these rights, or to request deletion of your store's data ahead of the standard retention schedule, contact us at the address in Section 10. We will respond within 30 days.

Shopify merchants in the EEA or UK may also lodge a complaint with their local data protection authority.

11. Changes to This Policy

We will post any material changes to this policy with a new effective date at the top of this page. Continued use of the app after the effective date constitutes acceptance of the updated policy.

Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us here.