Privacy Policy

Effective date: April 3, 2026 · Last updated: April 3, 2026

1. Who We Are

Mailcommerce Limited (trading as "Mailcommerce AI"), a company registered in England and Wales.

• Company number: 15920684
• Registered address: Unit A, 82 James Carter Road, Mildenhall Industrial Estate, Suffolk, United Kingdom, IP28 7DE
• Privacy inquiries: [email protected]

In this policy, "we", "us", and "our" refer to Mailcommerce Limited. "You" refers to the merchant who installs our Shopify app, and "customer" or "buyer" refers to a visitor or shopper on the merchant's online store.

We comply with the Shopify Partner Program Agreement and the Shopify API License and Terms of Use.

2. Data Minimisation

We follow the principle of data minimisation: we only collect and retain the minimum personal data necessary to provide, operate, and improve Mailcommerce AI's email-marketing services. We do not collect data speculatively or retain it longer than required for its stated purpose. Each Shopify API scope we request corresponds to a specific feature, as detailed below.

3. What Information We Collect

3.1 Information collected through Shopify's APIs

When a merchant installs our app and grants the requested access scopes, we read the following from the merchant's Shopify store:

Data category	Examples	Shopify scope
Customer records	Email address, first name, tags	read_customers, write_customers
Product catalogue	Title, price, images, inventory levels, variants	read_products, read_inventory
Orders	Order ID, line items, total, currency, customer email	read_orders, read_all_orders
Checkouts	Checkout token, email, line items, total price	read_checkouts
Discounts	Price rules, discount codes	read_discounts, write_discounts
Theme settings (read-only)	Whether our App Embed block is enabled	read_themes
Files	Merchant-uploaded images (for email design)	read_files

We also receive Shopify webhook events for orders/create, checkouts/create, refunds/create, and app/uninstalled.

3.2 Information collected directly from the merchant

• Account credentials: Email address and password used to sign up at mailcommerce.ai.
• Store connection details: Shopify store domain (provided during OAuth or manual connection).
• Email campaign content: Subject lines, body text, images, and design choices created in the email editor.
• Billing information: App charges are processed through Shopify's billing system. We do not store payment card details.
• Support communications: Messages sent to our support channels.

3.3 Information collected from merchants' customers (storefront)

Our Theme App Extension and Web Pixel Extension run on the merchant's online store. They collect the following:

Data point	Collection method	Purpose
Email address	Popup signup form submission; email link click parameter (_mcid); checkout email (via Web Pixel)	Subscriber identification, email campaign attribution
First name, last name	Popup signup form (optional fields)	Email personalisation
Product views	Theme App Extension detects product pages	Behavioural segmentation, campaign targeting
Cart activity	Theme App Extension intercepts /cart/add, /cart/change	Abandoned-cart triggers
Checkout start & completion	Web Pixel Extension (checkout_started, checkout_completed)	Revenue attribution to email campaigns
Quiz / survey answers	Popup signup form (optional custom fields)	Segmentation based on zero-party data

3.4 Cookies and tracking technologies

Our storefront extension sets the following cookie on the customer's browser:

Cookie	Domain	Duration	Purpose
_mc_attr	Merchant's store domain (first-party)	30 days	Stores an attribution identifier linking the customer to the email campaign they clicked. Used to attribute subsequent orders to the correct campaign.

We also use the browser's sessionStorage (key: mc_sid) for a session identifier that groups page views within a single visit. This is not persisted across sessions and is not used for cross-site tracking or shared with third parties for their own purposes.

We respect the customer's browser Do-Not-Track signal and Shopify's customer privacy consent API. If a customer has not granted marketing consent, our tracking scripts do not set cookies or send behavioural events.

4. How We Use the Information

We use the collected data solely to provide, operate, and improve Mailcommerce AI's email-marketing services for the merchant:

1. Email campaign delivery: Sending marketing emails on behalf of the merchant via our email service provider (SparkPost/MessageBird).
2. Campaign attribution: Connecting email clicks to store orders so merchants can see revenue generated by each campaign.
3. Behavioural triggers: Using product-view and cart events to trigger automated email flows (e.g. abandoned-cart reminders).
4. Audience segmentation: Grouping subscribers by behaviour, purchase history, or form responses so merchants can send relevant emails.
5. AI-powered content generation: Using the merchant's product data to generate email copy and subject lines via Google Gemini. Only product catalogue data (titles, descriptions, prices, images) is sent to the AI model — never customer personal data.
6. Store insights dashboard: Displaying product counts, low-stock alerts, and discount summaries to the merchant.
7. Marketing event reporting: Reporting campaign-driven signups and conversions back to Shopify's Marketing Events dashboard.
8. Customer tagging: Tagging subscribers in the merchant's Shopify customer records (e.g. mc_subscriber) so merchants can use Shopify's native segmentation tools.
9. Service improvement: Aggregated, de-identified analytics to improve deliverability, UI design, and feature prioritisation.

We do not:

• Sell, rent, or trade personal data to third parties.
• Use merchant or customer data for our own marketing to those individuals.
• Use customer personal data to train AI models (only product catalogue data is used for content generation).
• Mix or share data between different merchants' accounts under any circumstances.
• Perform automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.

5. AI Processing

Mailcommerce AI uses Google Gemini to help merchants generate email content. We want to be explicit about what data is and is not involved:

• Data sent to AI: Product catalogue data only — titles, descriptions, prices, and images. This is commercial data created by the merchant, not customer personal data.
• Data never sent to AI: Customer email addresses, names, order details, browsing behaviour, or any other personal data.
• No automated decision-making: AI-generated content is always presented to the merchant for review and editing before being sent. No email is sent without merchant approval.
• No model training: Customer and merchant data is not used to train, fine-tune, or improve any AI or machine-learning model.

6. Third-Party Service Providers (Sub-processors)

We share data with the following categories of processors, solely to deliver our services:

Provider	Purpose	Data shared	Region
Google Cloud Platform (Firebase, Cloud Run)	Application hosting, database, task scheduling	All application data	EU (europe-west1)
SparkPost / MessageBird	Email delivery (ESP)	Recipient email, campaign content	EU/US
Google Gemini	AI content generation	Product catalogue data only (titles, descriptions, prices, images). No customer personal data.	US
Cloudflare	CDN, edge workers	HTTP requests (transient)	Global

Each provider is bound by a Data Processing Agreement (DPA) or equivalent contractual terms. We do not permit any provider to use merchant or customer data for their own purposes.

Sub-processor updates: We will update this list when we add or replace a sub-processor. If you would like to be notified of sub-processor changes, email [email protected] to subscribe to updates.

7. International Data Transfers

Our primary data storage is in the EU (Google Cloud europe-west1, Belgium). However, some sub-processors operate in or transfer data to the United States or other countries outside the EEA:

• Google Gemini (US): Product catalogue data only. Google operates under the EU-US Data Privacy Framework and we rely on Standard Contractual Clauses (SCCs) as an additional safeguard.
• SparkPost / MessageBird (EU/US): Recipient email and campaign content for delivery. Protected by Standard Contractual Clauses (SCCs) and their DPA.
• Cloudflare (Global): Transient HTTP request data only. Cloudflare maintains SCCs and Binding Corporate Rules for international transfers.

Where an adequacy decision by the European Commission applies to the recipient country, we rely on that decision. In all other cases, we ensure that Standard Contractual Clauses (SCCs) approved by the European Commission are in place before any transfer occurs.

8. Data Storage and Retention

8.1 Where we store data

All application data is stored in Google Cloud Platform's europe-west1 (Belgium) region. This includes Firebase Firestore, Firebase Realtime Database, and Cloud Run services. We do not maintain separate backups or log archives outside of these systems.

8.2 How long we keep data

Data type	Retention period
Subscriber records	Until the merchant deletes them, or the merchant uninstalls the app (deleted within 30 days of shop/redact webhook)
Storefront behavioural events (product views, cart activity)	90 days (automatic TTL deletion)
Order attribution records	Duration of the merchant's subscription
Campaign content and analytics	Duration of the merchant's subscription
Form analytics (aggregate)	Duration of the merchant's subscription
GDPR audit logs	3 years (for legal compliance)

8.3 Account deletion

Automatic (via Shopify): When a merchant uninstalls the app, Shopify sends a shop/redact webhook. We mark the account for deletion and, after a 24-hour grace period (to allow accidental-uninstall recovery), permanently delete all merchant and customer data across all collections within 30 days.

Manual request: Merchants may also request deletion of their data at any time by emailing [email protected]. We will process the request and confirm deletion within 30 days.

Inactive accounts: Merchant accounts remain active until the merchant uninstalls the app or requests deletion. We do not automatically delete inactive accounts.

9. Data Security

We implement the following security measures:

• Encryption in transit: All data transmitted between Shopify, our servers, and the merchant's browser uses TLS (HTTPS).
• Encryption at rest: Firebase Firestore and Cloud Storage encrypt all data at rest using AES-256.
• Access token security: Shopify OAuth access tokens are stored in Firestore with access restricted to our backend service account.
• Webhook verification: All Shopify webhooks are verified using HMAC-SHA256 signatures with timing-safe comparison. Invalid signatures receive a 401 Unauthorized response.
• Replay protection: Webhook deliveries are deduplicated using Shopify's X-Shopify-Webhook-Id header.
• OAuth state protection: OAuth callback requests are protected with HMAC-signed, single-use state tokens that expire after 15 minutes.
• App Proxy validation: All storefront App Proxy requests are validated using Shopify's signature scheme.
• Data isolation: Each merchant's data is logically isolated by a unique brand identifier. We do not mix or share data between merchants under any circumstances.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
• Notify affected merchants without undue delay so they can inform their customers as appropriate.
• Document the breach, its effects, and the remedial actions taken in our internal incident log.

11. Your Rights (Merchants)

As a merchant using Mailcommerce AI, you can:

• Access your data: View your subscribers, campaign analytics, and store insights in the Mailcommerce AI dashboard at any time.
• Export your data: Export subscriber lists from the dashboard.
• Delete your data: Uninstall the app from Shopify (automatic deletion within 30 days), or email [email protected] to request manual deletion.
• Disconnect your store: Use the disconnect feature in the dashboard to remove the Shopify connection and stop all data collection, while keeping your Mailcommerce AI account.
• Rectify your data: Contact us to correct any inaccurate information we hold about you.
• Restrict processing: Request that we limit how we process your data while a complaint or correction request is being resolved.
• Contact us: Email [email protected] for any data-related request. We will respond within 30 days.

12. Customer Rights (Buyers on Merchant Stores)

If you are a customer (buyer) on a store that uses Mailcommerce AI:

• Unsubscribe: Every marketing email sent through Mailcommerce AI contains an unsubscribe link. Clicking it immediately removes you from future campaigns.
• Data access or deletion: Contact the store owner (merchant) directly. The merchant can request deletion of your data through Shopify, which triggers our customers/redact webhook. We delete all personal data associated with your email address within 30 days of receiving the request.
• Cookies: You can clear the _mc_attr cookie through your browser settings. Our scripts respect Do-Not-Track signals and Shopify's customer privacy consent API.
• Right to object: Under GDPR and similar laws, you may object to the processing of your personal data. Contact the store owner, who will relay the request to us.
• Direct contact: You may also contact us directly at [email protected] if you are unable to reach the store owner.

13. GDPR Compliance

For merchants and customers in the European Economic Area (EEA), United Kingdom, or Switzerland:

13.1 Lawful bases for processing

Processing activity	Lawful basis	Detail
Providing the email-marketing service (campaign delivery, subscriber management)	Contract (Art. 6(1)(b))	Necessary to perform the service the merchant has contracted for.
Storefront tracking & attribution (product views, cart events, order attribution)	Consent (Art. 6(1)(a))	Customer consent is obtained by the merchant via Shopify's customer privacy consent API. Our scripts only activate when consent is granted.
Direct email marketing to customers	Consent (Art. 6(1)(a))	The merchant is responsible for obtaining appropriate marketing consent from their customers before sending campaigns.
Aggregated analytics and service improvement	Legitimate interest (Art. 6(1)(f))	De-identified, aggregate data used to improve deliverability and service quality. No individual-level profiling.
GDPR compliance audit logs	Legal obligation (Art. 6(1)(c))	Required to demonstrate compliance with data protection law.

13.2 Controller and processor roles

The merchant is the data controller for their customers' personal data. Mailcommerce Limited acts as a data processor on the merchant's behalf. We process customer data only on the merchant's instructions and for the purposes described in this policy.

13.3 Data processing location

All data is stored and processed within the EU (Google Cloud europe-west1, Belgium). International transfers are covered in Section 7.

13.4 Sub-processors

Listed in Section 6. Where a sub-processor operates outside the EEA, we ensure that appropriate safeguards are in place: either an adequacy decision by the European Commission, Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-US Data Privacy Framework certification.

13.5 Mandatory compliance webhooks

We subscribe to and respond to all three Shopify mandatory compliance webhooks: customers/data_request, customers/redact, and shop/redact.

13.6 Privacy inquiries

For privacy inquiries, contact [email protected].

14. CCPA / US State Privacy Laws

For California residents and residents of other US states with privacy legislation (Colorado, Virginia, Connecticut, etc.):

• We do not sell personal information as defined by the CCPA or other US state privacy laws.
• We do not share personal information for cross-context behavioural advertising.
• We do not use sensitive personal information for purposes beyond providing the service.
• You may request access to or deletion of your personal data by contacting us at [email protected] or by contacting the store owner.

15. Marketing Consent

Mailcommerce AI provides tools for merchants to collect marketing consent from their customers:

• Popup signup forms include an optional consent checkbox that merchants can enable and customise.
• We record the source and timestamp of each subscription.
• We tag subscribers in Shopify's customer records so that consent status is visible in Shopify Admin.
• Merchants are responsible for ensuring that their use of our email-marketing tools complies with applicable marketing laws (e.g. GDPR, CAN-SPAM, CASL, PECR) in their jurisdiction and the jurisdiction of their customers.

16. Children's Privacy

Mailcommerce AI is a business-to-business service for Shopify merchants. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child, we will delete it promptly.

17. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify active merchants via email. We encourage merchants to review this policy periodically. Continued use of Mailcommerce AI after changes are posted constitutes acceptance of the updated policy.

18. Contact Us

If you have questions about this privacy policy or our data practices, contact us:

• Email: [email protected]
• Postal address: Mailcommerce Limited, Unit A, 82 James Carter Road, Mildenhall Industrial Estate, Suffolk, United Kingdom, IP28 7DE
• Company number: 15920684 (England and Wales)