This Privacy Notice for Promly ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

Visit our website at https://promly.app or any website of ours that links to this Privacy Notice
Install or use PromoOS, our promotional campaign management app for Shopify stores
Join our waitlist or engage with us in other related ways, including any marketing or events

Questions or concerns? Please contact us at contact@promly.app.

What information do we collect?
How do we process your information?
What legal bases do we rely on?
When and with whom do we share your personal information?
Do we use cookies and other tracking technologies?
Shopify platform and data
How long do we keep your information?
How do we keep your information safe?
Do we collect information from minors?
What are your privacy rights?
Controls for do-not-track features
Do United States residents have specific privacy rights?
Do we make updates to this notice?
How can you contact us?
How can you review, update, or delete your data?

1. What Information Do We Collect?

Store data (via Shopify OAuth)

When you install PromoOS from the Shopify App Store, Shopify provides us with:

Store information: Shop domain, store name, and email address
Shopify access token: Encrypted at rest using AES-256-GCM and used to make authorized API calls to your store on your behalf
Store metadata: Plan type, currency, and timezone
Product catalog: Product titles and IDs (read-only, to configure promo targeting)
Theme data: Theme configuration for displaying promotional content via app blocks
Order data: Aggregate order information via webhooks (discount usage, revenue totals) — we do not store individual customer details from orders
Discount codes: We create and manage discount codes on your behalf as part of promo campaigns

Data you create in the app

Promo configurations: Campaign names, discount settings, start/end dates, placement content, and uploaded images
Deployment history: Records of when promotions were activated or deactivated on your store
Aggregate metrics: Daily totals for orders, revenue, and discount usage per promo (not linked to individual customers)
Event logs: Promo lifecycle events (created, scheduled, deployed, deactivated) for audit and debugging
Access audit logs: Records of when order data is processed (store scope and resource ID only — no customer PII)

Waitlist data

If you join our waitlist, we collect: name, email address, website URL, and company size.

Information automatically collected

Log and usage data: IP address, browser type, device information, pages viewed, features used, and timestamps
Session data: Encrypted HTTP-only session cookies used to keep you authenticated while using the app

What we do NOT collect

Promly does not store customer personally identifiable information (PII). We do not collect or retain:

Individual customer names, emails, or contact information
Payment or credit card details
Customer shipping or billing addresses
Individual order details (only aggregate metrics)

2. How Do We Process Your Information?

To provide and deliver the Services: We use your Shopify access token to read and write discount codes, products, and themes on your store as directed by your actions within PromoOS
To manage your account and subscription: We use your store and billing information to manage your plan and process subscription payments through Shopify Billing
Performance tracking: Displaying aggregate promo performance metrics on your dashboard
To improve our Services: We may use aggregated, non-identifiable usage data to understand how the app is used and improve its features
To communicate with you: We may contact you via email for service updates, important notices, or (with your consent) marketing communications
For security and fraud prevention: We monitor usage to detect abuse and unauthorized access
To comply with legal obligations: We process data as required by applicable law

3. What Legal Bases Do We Rely On?

We only process your personal information when we have a valid legal reason to do so.

If you are located in the EU or UK, this section applies to you.

The GDPR and UK GDPR require us to explain the legal bases we rely on:

Performance of a Contract: We process your information to fulfill our contractual obligations — providing the PromoOS service you have installed and subscribed to
Legitimate Interests: We process certain data (such as usage analytics and security monitoring) based on our legitimate interest in operating and improving our service
Legal Obligations: We may process data to comply with applicable laws and regulations
Consent: We may process your information for marketing communications where you have given consent — you can withdraw consent at any time by contacting us

This Privacy Notice is governed by the laws of Israel. Israeli privacy law (Protection of Privacy Law, 5741-1981) and the Israeli Privacy Protection Regulations (Data Security) apply to our processing activities.

4. When and With Whom Do We Share Your Personal Information?

We use the following third-party services to operate Promly. These providers process your data only as necessary to deliver the service:

Shopify: Platform integration for store data, discounts, and theme management. Shopify's own privacy policy governs how they process your data as a platform.
Render.com: Application hosting and managed PostgreSQL database (Oregon, US)
Cloudflare: Frontend hosting and CDN
Resend: Transactional email delivery
Business transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
Legal requirements: We may disclose your information where required by law or to protect our legal rights.

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

5. Do We Use Cookies and Other Tracking Technologies?

The Promly app uses essential session cookies to maintain your authenticated session. These are HTTP-only, secure cookies with SameSite protection that cannot be accessed by client-side scripts. We do not use tracking or advertising cookies.

We may use analytics tools on our marketing website (promly.app) to understand visitor behaviour. Most browsers allow you to refuse or delete cookies. Refusing session cookies will prevent you from using the authenticated portions of PromoOS.

6. Shopify Platform and Data

Platform dependency

PromoOS operates as a third-party application on the Shopify platform. Service availability depends on the availability of Shopify's platform and APIs. We are not liable for interruptions, changes, or discontinuation of services caused by Shopify. Users must comply with Shopify's Terms of Service in addition to ours.

Shopify API scopes we use

PromoOS requests the following Shopify API access, used solely to provide the promotional campaign features of the app:

Read and write discount codes and price rules
Read and write theme assets (for banner display via app blocks)
Read products and collections (for promo targeting)
Read store information and settings
Read aggregate order data via webhooks (no customer PII)

GDPR compliance

Shopify sends us mandatory GDPR webhooks. Here is how we handle each:

Customer data access requests: Acknowledged and confirmed as containing no customer-identifiable data (we store only aggregate metrics)
Customer data erasure requests: Acknowledged and confirmed — no customer PII to erase
Shop data deletion (on uninstall): Upon receiving this webhook, all store data is permanently deleted within 48 hours. This includes shop domain, access token, promo configurations, metrics, and all associated campaign data.

To request early deletion of your data, contact us at contact@promly.app.

7. How Long Do We Keep Your Information?

We retain data only as long as necessary. Automated purge jobs run daily to enforce these retention windows:

Active stores: Promo configurations, uploaded assets, and store settings are retained while the app is installed and your store is active
Aggregate promotional metrics (daily revenue, order counts, discount usage per promo): retained for 730 days (2 years), then automatically purged
Event logs (promo creation, deployment, status changes): retained for 365 days (1 year), then automatically purged
Access audit logs (records of order data processing): retained for 365 days (1 year), then automatically purged
Uninstalled stores: All store data is permanently deleted within 48 hours of receiving the Shopify shop data deletion webhook
Waitlist data: Retained until you unsubscribe or request deletion

8. How Do We Keep Your Information Safe?

All merchant data is stored and processed in Oregon, United States (Render.com US-West region).

Encryption at rest: Your Shopify access token is encrypted using AES-256-GCM before storage. Database backups are encrypted by the hosting provider.
Encryption in transit: All data transmitted between your browser, our servers, and Shopify uses TLS/SSL
Session security: HTTP-only, secure session cookies with SameSite protection and CSRF middleware
Webhook verification: All Shopify webhooks are verified using HMAC-SHA256 timing-safe signatures with 24-hour replay prevention
Access logging: Every access to order data is logged in an audit trail with store scope, resource type, and timestamp — no customer PII is recorded
Access controls: Access to production systems and databases is restricted to authorized personnel only

No electronic transmission over the internet can be guaranteed to be 100% secure. You should only access the Services within a secure environment.

9. Do We Collect Information from Minors?

PromoOS is intended for use by Shopify store owners and operators, who must be at least 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a minor, please contact us at contact@promly.app.

10. What Are Your Privacy Rights?

Depending on your location, applicable data protection laws may give you the following rights:

Right to access — request a copy of the personal information we hold about you
Right to rectification — request correction of inaccurate information
Right to erasure — request deletion of your personal information (uninstalling the app triggers automatic deletion)
Right to restrict processing — request that we limit how we use your data
Right to data portability — receive your data in a structured, machine-readable format
Right to object — object to processing based on legitimate interests
Right to withdraw consent — where processing is based on consent, withdraw it at any time
Unsubscribe from marketing — click the unsubscribe link in any email we send, or contact us directly

If you are located in the EEA or UK and believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

To exercise any of these rights, contact us at contact@promly.app.

11. Controls for Do-Not-Track Features

Most web browsers include a Do-Not-Track ("DNT") feature. As no uniform technology standard for recognizing DNT signals has been finalized, we do not currently respond to DNT signals. If a standard is adopted that we must follow, we will update this Privacy Notice accordingly.

California law requires us to let you know how we respond to web browser DNT signals. Because there currently is no industry or legal standard for honoring DNT signals, we do not respond to them at this time.

12. Do United States Residents Have Specific Privacy Rights?

If you are a resident of California, Colorado, Connecticut, or another US state with applicable privacy legislation, you may have additional rights. PromoOS does not sell personal information.

Category	Examples	Collected
A. Identifiers	Shop domain, store owner name and email, IP address	YES
B. Personal information (California Customer Records)	Name, email address	YES (via Shopify OAuth)
C. Protected classification characteristics	Gender, age, race, ethnicity	NO
D. Commercial information	Transaction history, financial details	NO (handled by Shopify)
E. Biometric information	Fingerprints, voiceprints	NO
F. Internet or network activity	App usage, features used, log data	YES
G. Geolocation data	Precise device location	NO
H. Sensitive personal information	Health, financial, or biometric data	NO

To exercise your rights, email us at contact@promly.app.

13. Do We Make Updates to This Notice?

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top. If we make material changes, we will notify you by email or through a notice in the app. We encourage you to review this Privacy Notice periodically.

14. How Can You Contact Us?

If you have questions about this privacy policy, wish to exercise your data rights, or have concerns about how your data is handled, please contact us at:

Promly
Israel
Email: contact@promly.app

15. How Can You Review, Update, or Delete the Data We Collect From You?

Based on the applicable laws of your country or state, you may have the right to request access to the personal information we collect from you, correct inaccuracies, or delete your personal information. To submit a request:

Email us at contact@promly.app
Uninstall the PromoOS app from your Shopify store (this triggers automatic deletion of all your store data within 48 hours)

Privacy Policy

Table of Contents