Privacy Policy

This page explains what data the Warranty Upsell Shopify app (“the app,” “we,” “our”) collects when a Shopify merchant installs and uses it, how we use that data, and the rights you have under GDPR and CCPA. The app is operated by Hi Ecom. If anything here is unclear, email contact@hiecom.co.

1. What we collect

The app stores only what it needs to render the warranty upsell on a merchant’s product pages and report on its performance:

• Shop domain — e.g. your-store.myshopify.com. Used as the primary key for everything else we store.
• Shopify-issued offline access token — needed to read your products and orders on your behalf via the Shopify Admin API. Stored encrypted at rest in our database; never shown back to you in the app UI; never sent to any third party.
• Per-variant warranty configuration — the warranty tiers and prices you assign to product variants. Stored as Shopify metafields under the warranty_upsell namespace and mirrored in our database for fast lookup.
• Plan selection and subscription state — which plan (Free, Basic, Pro) your shop is on, the Shopify subscription ID, and whether the charge is a test or live charge.
• Aggregate analytics on warranty sales (Pro plan only) — counts and totals computed from your orders to populate the in-app Analytics page. We do not store individual order line items in our database; the Analytics page reads them on demand from Shopify and aggregates the result for display.

The app does not collect or store names, email addresses, phone numbers, billing addresses, or any other directly identifying customer information.

2. How we use it

• To render the warranty upsell widget on your product pages.
• To add the chosen warranty product to a customer’s cart at checkout.
• To populate the Analytics page in the embedded admin (Pro plan).
• To enforce plan limits (e.g. the 3-product limit on the Free plan).
• To process subscription approvals, cancellations, and renewals via Shopify’s Billing API.

We do not use any of your data for advertising, profiling, training machine learning models, or any purpose unrelated to operating the app.

3. Sharing & selling

We do not sell, rent, or share your data, your shop’s data, or your customers’ data with any third party for any purpose. We use Shopify itself (where the app runs) and a small number of infrastructure providers strictly to operate the service:

• Railway — application hosting (United States / EU regions).
• PostgreSQL on Railway — database storage for the data listed in section 1.

These providers act as data processors under our instruction. They do not have an independent right to use your data.

4. Retention & deletion

We keep the data above for as long as the app is installed on your shop. When you uninstall, Shopify sends us a shop/redact webhook 48 hours later; on receipt we delete every database row keyed to your shop — sessions, plan record, and any cached configuration. You can also request immediate deletion at any time by emailing contact@hiecom.co.

5. GDPR & CCPA

The app implements Shopify’s mandatory privacy webhooks (customers/data_request, customers/redact, shop/redact) and processes them within the 30-day window Shopify requires.

If you are a resident of the European Economic Area, the United Kingdom, or California, you have the right to:

• Request a copy of the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data (the “right to be forgotten” / right to erasure).
• Object to or restrict our processing of your data.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email contact@hiecom.co from the email address associated with your Shopify account. We respond within 30 days.

6. Security

All traffic between your browser, Shopify, and the app is encrypted via TLS. Access tokens are stored encrypted at rest. We rotate to Shopify’s expiring offline access tokens (issued December 2025 onward) so that a leaked token cannot grant indefinite access.

7. Children

The app is a B2B tool for Shopify merchants and is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect data from children.

8. Changes to this policy

If we change this policy materially we will update the “Last updated” date at the top and, for active installations, surface the change inside the app before applying it.