Effective 2026-04-28.
This Privacy Policy describes how Seaside Studio Ltd. ("we", "us", "our") collects, uses, and shares personal information in connection with the Premium Drop a Hint Shopify app (the "App"), our marketing website at seasideapps.co, and the email and tracking services provided through the App (collectively, the "Services").
If you are a shopper or recipient interacting with the App on a merchant's storefront, the merchant operating that storefront is the data controller of your personal information, and we act as a data processor on their behalf. This policy describes the practices we follow as that processor, in addition to our own collection of information directly from merchants and website visitors.
Who this policy applies to
- Merchants who install the App on their Shopify store.
- Shoppers who use the "Drop a Hint" widget on a merchant's product page to send an email.
- Recipients who receive a hint email originating from a merchant's store.
- Visitors to our marketing website.
Information we collect
From merchants (when you install the App)
Through the Shopify OAuth installation flow, we receive:
- Shop identifier, shop domain, store name, owner name, email address, country, currency, and other shop-level metadata provided by Shopify.
- Read-only access to products, orders, and themes under the scopes the App requests at install (read_products, read_orders, read_themes). We do not request write scopes.
- Billing information processed through Shopify's billing API. We do not see or store payment-card data — Shopify handles all payment processing.
- App configuration data you create, including your email template, brand assets you upload or reference, and integration credentials (e.g., a Klaviyo API key) if you choose to connect a third-party integration.
From shoppers using the "Drop a Hint" widget
When a shopper submits the widget on a merchant's product page, we collect and process on the merchant's behalf:
- The sender's name and email address.
- The recipient's name and email address.
- The optional personal message the sender writes.
- The product the hint is about, the storefront the hint originated from, and the timestamp.
- A unique attribution token we generate to associate the hint with a later visit, cart, or order.
From recipients of hint emails
When a recipient interacts with the email we deliver on the merchant's behalf:
- Email engagement events (delivered, opened, clicked, bounced, complained) provided by our email delivery subprocessor.
- If the recipient clicks through to the merchant's storefront, the attribution token is appended to the URL and may be stored in the recipient's browser local storage on the merchant's domain to enable conversion attribution.
- If the recipient places an order, we receive the order from Shopify via webhook and record the order ID, financial status, and order value to attribute the conversion back to the original hint.
Automatically collected information
- Standard server logs (IP address, user agent, timestamp, request path) for security, abuse prevention, and debugging.
- Application logs of API calls and webhook events.
Information we do not collect
- We do not collect customer data beyond what is described above. We do not request access to Shopify customer profiles, customer PII outside of the email-hint flow, or payment information.
- We do not use third-party advertising trackers, analytics that build cross-site profiles, or session replay tools inside the App's admin UI.
How we use information
We use the information described above to:
- Provide, operate, secure, and improve the App and our Services.
- Send hint emails on the merchant's behalf to the recipient address the sender provides.
- Track delivery, opens, and clicks of hint emails for the merchant's analytics.
- Attribute later orders back to the originating hint so merchants can measure performance.
- Enforce per-plan usage limits and process Shopify billing.
- Provide customer support, respond to inquiries, and detect or prevent fraud and abuse.
- Comply with legal obligations, including responding to lawful requests and Shopify's mandatory data-subject webhooks (customers/data_request, customers/redact, shop/redact).
Legal bases for processing (EEA / UK)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract — to provide the App to merchants and to deliver the email a sender has requested.
- Legitimate interests — to secure and improve the Services, to prevent abuse, and to operate basic email-engagement analytics. We balance these interests against the rights of data subjects.
- Consent — where required, for example when a recipient opts in to a merchant's Klaviyo list.
- Legal obligation — to comply with applicable law and Shopify's data-protection requirements.
For shoppers and recipients, the merchant operating the storefront is generally the controller and is responsible for establishing the appropriate lawful basis.
Sharing and subprocessors
We do not sell personal information. We share personal information only with the following categories of recipients:
| Subprocessor | Purpose | Data shared | Location |
| --- | --- | --- | --- |
| Shopify Inc. | Hosts the merchant's store, provides OAuth, billing, and order webhooks | Shop, order, and product data per the App's scopes | Global |
| Gadget (Gadget Software Inc.) | Application backend, database, and serverless hosting for the App | All data described above | United States |
| Resend (Resend, Inc.) | Transactional email delivery and engagement tracking | Sender name, recipient email, recipient name, email subject and body, click and bounce events | United States |
| Klaviyo, Inc. (optional) | Syncs senders and recipients into a merchant's Klaviyo list — only if the merchant enables this integration | Sender and recipient email addresses and names | United States |
We require subprocessors to provide appropriate safeguards for the personal information they process on our behalf, including data-processing agreements where required.
We may also disclose information when required by law, to enforce our terms, to protect our rights, property, or safety, or the rights, property, or safety of others, and in connection with a corporate transaction such as a merger or asset sale (in which case we will notify affected merchants).
Cookies, local storage, and similar technologies
The App's storefront widget stores a small attribution token (_hint_id) in
the recipient's browser local storage on the merchant's domain when they
arrive via a hint link. This token is later attached as a cart line-item
property to support conversion attribution. The token is opaque, contains no
personal information, and is scoped to the merchant's storefront.
We do not set cookies in the App's admin UI beyond what Shopify and our backend require to authenticate your session.
The merchant is responsible for disclosing this storage in any cookie banner or consent flow operated on the storefront.
International data transfers
The App is hosted in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our subprocessors operate. Where required, we rely on Standard Contractual Clauses or another lawful transfer mechanism for transfers from the EEA, UK, or Switzerland.
Data retention
- Merchant shop data is retained for the duration of the App installation. If you uninstall the App, we delete or anonymize shop-level data within 30 days, unless we are required to retain it longer for legal, tax, or fraud-prevention purposes.
- Email hint records (sender, recipient, product, status) are retained for 24 months by default to support attribution reporting, after which they are deleted or anonymized.
- Unsubscribe records are retained indefinitely so we can continue to honor opt-outs.
- Logs are retained for up to 90 days.
- We respond to Shopify's customers/redact and shop/redact webhooks by deleting the relevant records on the timelines Shopify requires.
Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your personal information.
- Restrict or object to certain processing.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
If you are a shopper or recipient, please direct rights requests to the merchant whose storefront sent the hint — they are the controller of that data. We will support the merchant in responding.
If you are a merchant, contact us using the details below.
California residents (CCPA/CPRA): You have the right to know, delete, correct, and limit the use of sensitive personal information, and a right not to be discriminated against for exercising these rights. We do not "sell" personal information or "share" it for cross-context behavioral advertising as those terms are defined under California law.
Email recipients: Every hint email contains a one-click unsubscribe link. Once you unsubscribe, your address is added to a global suppression list and you will not receive further hint emails from any merchant using the App.
Security
We use industry-standard administrative, technical, and physical safeguards to protect personal information, including encryption in transit (TLS), encryption at rest at our hosting provider, scoped API access, signed webhooks (Svix-verified Resend webhooks, Shopify HMAC-verified webhooks), and the principle of least privilege for internal access.
No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you in accordance with applicable law.
Children
The Services are not directed to children under the age of 16, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify merchants via email or an in-app notice. Continued use of the Services after the effective date constitutes acceptance of the updated policy.
Contact us
For questions about this policy or to exercise your rights:
Seaside Studio Ltd.
Shipka St. 18, office 203, Varna, Bulgaria
Email: seaside@seasideapps.co
If you are not satisfied with our response, you have the right to contact your local data-protection authority. A list of EU/EEA authorities is available at edpb.europa.eu/about-edpb/board/members_en. UK users can contact the ICO at ico.org.uk.