Privacy Policy
How we handle your data.
signup.sale is a Shopify app that helps merchants run fair "sign-up sale" / "chance-to-buy" drops. This page describes what data we collect, why, and what we do (and don't) do with it. Last updated: May 3, 2026.
Who this applies to
Sellers — Shopify merchants who install signup.sale on their store. Buyers — people who enter a sign-up sale through a public signup.sale page. Both are covered here.
What we collect from sellers
- Shopify store identity. The store domain (e.g. your-shop.myshopify.com), the OAuth access token granted on install, and your selected app plan.
- Shop settings. Display name, brand color, timezone, and (optionally) a webhook URL you configure for outgoing notifications.
- Drop configuration. The product variants you bind to drops, spot counts, signup window times, access codes, and similar.
What we collect from buyers
- Email address. Required to enter a drop. We normalize it (lowercase, strip Gmail dots and plus-tags for Gmail addresses) for deduplication.
- Phone number. Optional. If provided, used only as an additional dedupe signal. Not used for SMS.
- IP address and browser user-agent. Captured on signup submission for rate-limiting and abuse detection.
- Entry timestamp and which drop you entered. Recorded so the seller can run a fair draw and audit it.
- Shipping address (if you win and complete checkout). Collected by Shopify, not by us. We may store a hash of it for cross-drop deduplication if the seller enables that gate.
What we do with this data
- Run drops. Match buyers to drops, run random draws, send claim emails, expire and reroll unclaimed spots.
- Hand off to Shopify checkout. When a buyer wins, we create a Shopify draft order with their email and the variant they won, and redirect them to Shopify-hosted checkout. We do not process payment.
- Maintain the fairness audit log. Every state transition is recorded so sellers can demonstrate their draws weren't cooked. The fairness page on each drop shows masked emails (first two characters + asterisks) so buyers can verify the ranking without doxxing entrants.
- Send transactional email. Through Resend. Buyers receive an email when they win a spot. We do not send marketing email.
- Forward events to seller integrations. If the seller configured an outgoing webhook URL (e.g. Discord), we POST drop and claim events to it.
What we don't do
- We do not sell data to anyone.
- We do not use buyer data for advertising.
- We do not share buyer data across shops. Each shop's buyer list is isolated.
- We do not access Shopify customer data beyond what the seller's OAuth scopes grant, and only when needed to run a drop or honor a webhook.
- We do not run third-party tracking, advertising pixels, or analytics on the public buyer pages. Server logs only.
Data retention
We retain seller and drop data for as long as the app is installed on a Shopify store. When a seller uninstalls, Shopify fires the shop/redact webhook 48 hours later and we delete the shop and all its associated drops, entries, allocations, and audit events.
Buyer-specific data (entries on a particular shop) is deleted when the seller deletes their shop, when the seller blocklists and removes a participant, or on receipt of a Shopify customers/redact webhook scoped to that buyer.
Your rights
- Access. You can request a copy of any data we hold about you. Email privacy@signup.sale.
- Deletion. Buyers can request deletion at any time. The Shopify-mandated customers/redact flow also covers this — your seller can trigger it from their Shopify customer record.
- Opt out of a future drop. Buyers can ask a seller to add them to that shop's blocklist; they'll be ineligible for future drops on that shop.
Security
Data is stored in a managed Postgres database with TLS connections, encrypted at rest. Session cookies and claim-link tokens are signed with HMAC-SHA256 and HttpOnly. We follow Shopify's OAuth and webhook signing requirements for all communications with the platform.
Subprocessors
We use the following service providers to operate the app. Each handles data only as required to deliver the service.
- Shopify — OAuth, product/order data, checkout. Bound by your existing relationship with Shopify.
- Neon — managed Postgres hosting (US East).
- Fly.io — application hosting.
- Resend — transactional email delivery.
- Sentry — error monitoring (no PII included in error reports).
Changes to this policy
If we change how we handle data in a material way, we update this page and announce the change in the embedded admin for installed shops. Sellers continue using the app under the updated terms or can uninstall to opt out.