Privacy Policy

Last updated: June 10, 2026

At Revenuu we take your data privacy seriously. This policy describes what information we collect, how we use it, who we share it with, and how we protect it.

1. Data Controller

The data controller for your personal data is Revenuu, based in Santiago, Chile. When you connect your Shopify store, you (the merchant) are the controller of your end-customers' data, and Revenuu acts as a data processor, processing data exclusively according to the instructions derived from the use of the Service. You can contact us at jorge@revenuu.app.

2. Data We Collect

Merchant data

When you install Revenuu in your Shopify store, we receive the data Shopify transmits to us via OAuth Token Exchange and via the app webhooks: your store domain (.myshopify.com), the internal Shopify identifier, the configured currency, the granted permission scope, and the contact email associated with the Merchant's Shopify Billing account. We do not receive the name or photo of the Shopify account holder.

Shopify data

To operate the Service, we access and store the following data from your Shopify store:

Your Shopify store name and domain.
Order data: number, date, amount, products, discounts, refunds and status.
Discount codes created through Revenuu (code, value, link to campaign and influencer).
Internal Shopify identifiers associated with orders (including Shopify's internal customer ID, without name, email or address).
Data the Merchant enters into the Service: campaigns, influencers and their social handles, commissions per influencer and per campaign, payouts and associated notes.

Shopify webhooks (orders/paid and orders/cancelled) deliver in their payload personal data of the end customer such as name, email and address. Our backend discards those fields when processing the webhook: we do not persist them in the database and we do not expose them in the Merchant's dashboard. The only identifier we retain associated with an order is the internal Shopify ID.

Usage data

We collect information about how you interact with the Service using product analytics and session-recording tools, including pages visited, actions performed, technical browser data and session recordings. Event payloads sent to PostHog are scrubbed of customer-identifying fields before transmission; we do not forward end-customer names, emails, or addresses to analytics providers. We detail each tool and cookie in our Cookies Policy.

3. Purpose of Processing

We use your data to:

Provide the Service: authentication, Shopify connection, sales attribution, report generation.
Improve the Service: usage analysis to identify improvements and solve problems.
Communicate with you: account notifications, Service changes, support.
Comply with applicable legal obligations.

4. Legal Basis

The processing of your data is based on:

Contract performance: the processing necessary to provide the Service you contracted.
Consent: by registering and connecting your store, you consent to the processing described in this policy.
Legitimate interest: Service improvement and fraud prevention.

5. Data Sharing

We do not sell or commercialize your personal data. We only share information with:

Shopify Inc. (Canada): Service integration (Shopify API) and billing through Shopify Billing.
Vercel Inc. (United States): hosting of the website and the application infrastructure.
Railway Inc. (United States): hosting of the Service backend.
Supabase Inc. (United States): provision and hosting of the Service's PostgreSQL database.
PostHog Inc. (United States): product analytics, error monitoring and telemetry.
Microsoft Corporation (United States): session recording and analysis through Microsoft Clarity.
Authorities: when required by applicable law or legal process.

6. International Data Transfers

Your data may be processed on servers located outside your country of residence, including the United States and other countries where our infrastructure providers operate. In these cases, we apply appropriate security measures to protect your data in accordance with applicable regulations.

7. Data Retention

Merchant data: while the app is installed in your Shopify store.
Shopify data: while the app is installed in your Shopify store.
After app uninstall: data is retained for 90 days to allow reinstallation without data loss. After that period it is automatically deleted by a periodic process.
If Shopify sends the GDPR shop/redact request (48 hours after uninstall, when the Merchant explicitly requests deletion), data is deleted immediately, without waiting for the 90-day period.
Analytics data: retained in aggregated form and anonymized in accordance with each provider's practices.

8. Security

We protect your data through:

Encryption of data in transit (HTTPS/TLS).
Encryption of Shopify access tokens at rest (AES-256).
Authentication-based restricted data access.
Periodic review of security measures.

No system is 100% secure. In the event of a security breach affecting your personal data, we will notify you within 72 hours of detection.

9. Shopify GDPR requests

As an app distributed through the Shopify App Store, Revenuu exposes the three mandatory GDPR compliance webhooks defined by Shopify, which are handled by our backend:

customers/data_request: Shopify sends this when an end customer requests a copy of their data. Since Revenuu does not store identifiable personal data of end customers (name, email, address, payment data), we confirm receipt of the webhook and respond without additional information, since we do not hold the data subject's data in our records.
customers/redact: Shopify sends this when a merchant requests deletion of an end customer's data. For the same reason above, we confirm receipt of the webhook without performing deletion of end-customer data, since we do not store it.
shop/redact: Shopify sends this 48 hours after app uninstall, when the Merchant explicitly requests deletion of their data. Upon receipt, we immediately delete all data associated with your store, without waiting for the 90-day grace period.

10. Your Rights (ARCOB)

Under applicable law, you have the right to:

Access: request a copy of the personal data we hold about you.
Rectification: correct inaccurate or incomplete data.
Erasure: request deletion of your personal data when it is no longer needed for the purpose for which it was collected.
Objection: object to the processing of your data in certain circumstances.
Restriction: request temporary suspension of data processing while a rectification or erasure request is resolved.
Portability: receive your data in a structured, readable format.
Withdrawal of consent: withdraw your consent at any time.
Lodge a complaint: file a complaint with a supervisory data protection authority in your jurisdiction (particularly relevant for users located in the European Economic Area, the United Kingdom, or Switzerland).

To exercise any of these rights, write to us at jorge@revenuu.app. We will respond within 15 business days.

11. Minors

Revenuu is not directed at persons under 18 years of age. We do not intentionally collect data from minors. If we detect that a minor has created an account, we will delete it.

12. Changes to this Policy

We may update this policy periodically. We will notify you of significant changes by email or via a notice on the platform. The date of last update is indicated at the beginning of this document.

13. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the Republic of Chile, in particular Law No. 19,628 on the Protection of Private Life and Law No. 21,719 that modernizes it, without prejudice to Revenuu's obligations under Regulation (EU) 2016/679 (GDPR) with respect to data subjects in the European Economic Area. Any disputes arising from this Policy shall be subject to the jurisdiction of the competent courts of Santiago, Chile, without prejudice to the rights that may correspond to the user under applicable consumer protection law in their country of residence.

14. Contact

For any questions about privacy or data protection, write to us at jorge@revenuu.app.