Privacy Policy
Oak Apps (“Oak Apps”, “we”, “us”, or “our”) is the developer and operator of Oak Post Purchase, a Shopify app that lets merchants present post-purchase offers to their buyers (the “App”). This Privacy Policy explains what information we collect when a merchant installs and uses the App, how we use that information, and the choices available to merchants and their buyers.
By installing or using the App, you consent to the collection and use of information as described in this Policy. This Policy does not apply to Shopify itself, to the merchant’s own storefront, or to any third-party services linked from the App — those are governed by their own privacy policies.
1. Information we collect
We collect three categories of information.
1.1 Merchant information
When a merchant installs the App through the Shopify App Store, we receive and store information needed to operate the App, including:
- Store identifiers — Shopify shop domain, shop ID, and shop owner email.
- Authentication data — OAuth access tokens issued by Shopify so the App can call the Shopify Admin API on the merchant’s behalf.
- Account and configuration data — funnel definitions, offer rules, product selections, settings, and other content the merchant creates inside the App.
- Billing data — subscription and charge records returned by Shopify Billing. We do not see or store payment card numbers; payment is handled entirely by Shopify.
- Support correspondence — emails or messages the merchant sends to us.
1.2 Buyer information (via the post-purchase extension)
The App’s post-purchase extension runs between checkout completion and the Shopify thank-you page. To decide which offer to show and to apply that offer to the order, we receive customer order data from Shopify, which may include order identifiers, line items, totals, currency, and limited customer identifiers associated with the order. We do not collect payment card details, passwords, or any data beyond what Shopify provides for the post-purchase flow.
We use this information solely to render the offer, sign and apply the resulting changeset, and produce internal analytics on offer performance for the merchant. We do not sell buyer data, and we do not use it to contact buyers directly.
1.3 Automatically collected information
When the App is used, our servers automatically log non-personally-identifiable information such as request timestamps, IP addresses, browser/user-agent strings, referring URLs, error stack traces, and feature-usage events. We use this information to operate, secure, and improve the App.
2. How we use information
We use the information described above to:
- Provide, maintain, and operate the App.
- Authenticate merchants and authorize Shopify API calls on their behalf.
- Render post-purchase offers and apply approved offers to orders.
- Produce performance analytics (impressions, conversions, revenue) for the installing merchant.
- Respond to support inquiries.
- Detect, investigate, and prevent fraud, abuse, or violations of our Terms.
- Comply with legal obligations and Shopify’s Partner and App Store requirements.
- Improve the App and develop new features.
3. Disclosure of information
We do not sell personal information. We share information only in the limited circumstances described below.
3.1 Service providers (sub-processors)
We rely on a small number of third-party service providers to run the App. These providers process data on our behalf, only to perform the functions we contract them for, and are bound by confidentiality and data-protection terms. They include, among others:
- Hosting — Render.com hosts our backend services and database.
- Error monitoring — a third-party error-tracking provider receives stack traces and limited request metadata when exceptions occur.
- Product analytics — a third-party analytics provider receives non-identifying usage events from the App.
We review our sub-processors and may add, replace, or remove them over time as the App evolves.
3.2 Shopify
The App is built on Shopify. Operating the App necessarily involves exchanging data with Shopify (orders, products, customers, billing). Shopify’s handling of that data is governed by Shopify’s own privacy policy.
3.3 Legal and protective disclosures
We may disclose information if we believe in good faith that disclosure is necessary to (i) comply with a court order, subpoena, or other legal process, (ii) protect our rights, property, or safety, or that of our merchants or the public, (iii) enforce our Terms of Service, or (iv) facilitate a sale, merger, financing, change of control, or transfer of substantially all of our assets, in which case we will require the recipient to honor this Policy.
4. Data retention and deletion
We retain merchant configuration and operational data for as long as the App is installed on the merchant’s store, and for a limited period after uninstall to support reinstallation and to meet our legal and accounting obligations.
For buyer (customer) data, we honor Shopify’s mandatory privacy webhooks:
customers/data_request— on receipt, we provide the requested customer data to the merchant within 30 days.customers/redact— on receipt, we delete the relevant customer data from our systems.shop/redact— on receipt (sent by Shopify 48 hours after a merchant uninstalls), we delete the shop’s data from our systems.
The merchant can also request deletion at any time by emailing us at the address in Section 9.
5. Security
We use reasonable administrative, technical, and physical safeguards to protect the information we hold, including encryption in transit (HTTPS/TLS), encryption at rest for our managed database, scoped access controls, and short-lived OAuth credentials issued by Shopify. No system is perfectly secure, however, and we cannot guarantee that information will never be subject to unauthorized access. Merchants are responsible for protecting their Shopify staff account credentials and for choosing which staff members may install or configure the App.
6. Your rights
Depending on the jurisdiction the merchant or buyer resides in (for example, the EU/EEA under GDPR, the United Kingdom under UK GDPR, or California under CCPA/CPRA), you may have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of your personal information.
- Object to or restrict certain processing.
- Receive a portable copy of your personal information.
- Withdraw consent where processing relies on consent.
To exercise any of these rights, contact us at the address in Section 9. For buyer rights, the merchant who installed the App is the data controller; we will work with the merchant to fulfill the request. We will respond within the timeframe required by applicable law.
7. International data transfers
Our servers and sub-processors may be located outside the country in which the merchant or buyer is resident. By using the App, you understand that your information may be transferred to, stored in, and processed in jurisdictions whose data-protection laws may differ from those of your own. Where required, we put in place appropriate safeguards (such as Standard Contractual Clauses) for such transfers.
8. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this document and, where appropriate, notify installed merchants by email or via an in-app notice. Your continued use of the App after the updated Policy takes effect constitutes acceptance of the changes.
9. Contact us
Questions about this Policy, requests to exercise any of the rights in Section 6, or data-protection inquiries can be sent to:
- Email: oak.apps1@gmail.com
10. Applicable law and jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of India, without regard to its conflict-of-laws principles. Any dispute arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in Bengaluru, Karnataka, India.