Privacy Policy
Save That Cart ("we", "our", "the app") is a Shopify app published by The Click Collective that helps merchants recover abandoned carts through tiered discount offers and conversion tracking.
Last updated: May 27, 2026
1. Overview
This Privacy Policy describes how Save That Cart collects, uses, stores, and protects information when you install and use the app on your Shopify store. By installing the app you agree to the practices described below.
We have built Save That Cart to be data-minimal by design: we do not collect, store, or process personal data belonging to your store's shoppers.
2. Information We Collect
2.1 Store information (merchant data)
When you install Save That Cart, we collect the following information about your Shopify store:
- Shop identifier: your
.myshopify.comdomain (e.g.your-store.myshopify.com) - Shop contact email: pulled from Shopify Admin and used only for support communication
- Shopify session and access token: stored to authenticate API calls back to your store on your behalf
- Theme metadata: the ID and role of the live theme, so we can deep-link you into the correct theme editor
2.2 Configuration data
Information you create inside the app:
- Bonus tier configuration (cart-value ranges, offer type, offer value, promo code labels, active/inactive state)
- Welcome discount and free-shipping settings
- Visual style settings for the on-storefront widget
- Activation state of the app on your storefront
2.3 Order and conversion data
When a customer completes an order that originated from a Save That Cart offer, Shopify sends us the orders/create webhook. From that payload we read only:
note_attributes— specifically the_tcc_stc_discount_timestampmarker we wrote to the cart, used to confirm the order was driven by our apptotal_price— to increment your aggregate revenue countername— the order name, used only for log lines, not persisted
We do not store any customer-identifying fields from order webhooks: no names, emails, phone numbers, addresses, line-item detail, or payment information.
2.4 Aggregate metrics
We store rolling counters per shop:
- Number of times offers were viewed
- Number of times offers were clicked
- Number of converted orders
- Total converted revenue (sum of order totals)
These counters are not tied to any individual shopper.
2.5 Subscription data
Billing is handled by Shopify. We store a non-sensitive record of your app subscription (plan name, status, price, currency, interval) so the app knows whether to render premium features. We never see or store your payment method.
2.6 Information we explicitly do NOT collect
- Customer names, emails, phone numbers, IP addresses, or shipping addresses
- Customer order history or line-item detail
- Payment card or banking information
- Shopper browsing behavior beyond the anonymous view/click counters above
- Any data from customer accounts in your store
3. How We Use Information
We use the information we collect solely to:
- Authenticate your store with the Shopify Admin API
- Render your bonus tiers, styling, and configuration inside the app's admin UI
- Apply discounts via Shopify's discount functions when a cart matches your configured tiers
- Display conversion analytics in your dashboard
- Process and bill for the app subscription via Shopify's Billing API
- Respond to support requests at the email address you contact us from
We do not sell, rent, or share your data with third parties for marketing or advertising.
4. Shopify Permissions (Access Scopes)
Save That Cart requests the following Shopify access scopes. Each is required to deliver the app's functionality:
| Scope | Why we need it |
|---|---|
read_app_proxy, write_app_proxy |
Serve dynamic offer logic to your storefront through Shopify's App Proxy |
read_themes |
Detect your live theme and deep-link you into the correct theme editor |
write_discounts |
Create and manage the discounts that power your bonus tiers |
write_products |
Attach the app's discount function to products where applicable |
read_orders |
Receive orders/create webhooks so we can count conversions |
You can review and revoke these scopes at any time by uninstalling the app.
5. Data Storage and Security
- Where data lives: Application data is stored in Supabase (PostgreSQL) in encrypted-at-rest databases. Shopify session tokens are stored separately in our session-storage adapter.
- In transit: All connections between your store, the app, and our backend use TLS (HTTPS).
- Hosting: The app is hosted on Fly.io.
- Authentication: All requests between the embedded admin and our backend are authenticated using Shopify's session token flow plus an HMAC signature derived from your shop domain.
- Access: Internal access to production data is limited to the app's developers on a least-privilege basis.
No system is perfectly secure. If we become aware of a breach that affects you, we will notify you without undue delay.
6. Data Retention and Deletion
- While the app is installed: We retain your store configuration, bonuses, and aggregate metrics for as long as the app is installed.
- On uninstall: When you uninstall the app, Shopify sends us the
app/uninstalledwebhook. We mark your store as uninstalled and revoke session access immediately. - 48 hours after uninstall: Shopify sends the
shop/redactcompliance webhook. On receipt we delete your store configuration, bonuses, metrics, and subscription record from our database. - Customer data requests: Because we do not store customer personal data, the
customers/data_requestandcustomers/redactGDPR webhooks return a 200 response confirming we hold no data for the customer in question.
You can also request manual deletion at any time by emailing the address in Section 9.
7. Sub-processors
We rely on the following service providers to run the app. They process data only on our behalf:
| Provider | Purpose |
|---|---|
| Shopify | Source of merchant authentication, order webhooks, and billing |
| Supabase | Database hosting for store configuration and aggregate metrics |
| Fly.io | Application hosting |
Each of these providers maintains its own security and privacy program.
8. International Data Transfers and Legal Bases
Save That Cart is operated from Canada and may transfer data to data centers in the United States and other regions where our sub-processors operate. Where applicable laws (GDPR, UK GDPR, PIPEDA, CCPA) require a legal basis, we rely on:
- Contractual necessity — to provide the app you installed
- Legitimate interest — to operate, secure, and improve the app
- Consent — where required by your jurisdiction; installing the app from the Shopify App Store constitutes consent to this policy
9. Your Rights and Contact
If you are a merchant using Save That Cart, you may:
- Request a copy of the data we hold about your store
- Request correction or deletion of your store's data
- Withdraw consent by uninstalling the app
To exercise any of these rights, or for any privacy-related question, email us at:
theclickcollectiveio@gmail.com
We aim to respond within 1 business day.
10. Children's Privacy
Save That Cart is a B2B tool for Shopify merchants. It is not directed at children under 13, and we do not knowingly process data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the app's admin UI or by email to the shop contact on file. The "Last updated" date at the top of this document reflects the most recent revision.