Legal

Privacy policy.

Last updated · 4 Jun 2026

Clevyre, Inc. ("Clevyre", "we", "our", or "us") respects your privacy and is committed to protecting your personal data. This policy explains how we collect, use, disclose, and protect information when you use our Shopify apps — the Clevyre EU Withdrawal Button and the Clevyre Accessibility Widget — and our website at clevyre.com (together, the "Services").

1. Who we are & our role

The Services are operated by Clevyre, Inc., Whitefield, Bengaluru, Karnataka 560066, India. You can reach us at privacy@clevyre.com.

Our role under data-protection law depends on the data:

  • For consumer personal data processed through the apps on a merchant's store (for example, a shopper's withdrawal request), the merchant is the controller and Clevyre acts as a processor on the merchant's behalf, under our Data Processing Agreement.
  • For merchant account data and data we collect through our website, Clevyre is the controller.

2. Information we collect

Personal data is any information that can identify a natural person. Depending on how you use the Services, we may process:

From merchants

  • Store name and store URL (shop domain)
  • Contact information and account details
  • Billing information provided through Shopify
  • App configuration and settings, theme information, and the permissions each app needs

From consumers (Clevyre EU Withdrawal Button)

  • First and last name
  • Email address and telephone number
  • Postal address
  • Order number and order information
  • Withdrawal request content

Technical & usage data

  • IP address, browser type, and device information
  • Log data, timestamps, and diagnostic information
  • Usage information about how the Services are accessed

We do not collect special categories of data — race or ethnicity, religious beliefs, sex life, sexual orientation, political opinions, trade-union membership, health, genetic, or biometric data. We do not sell personal data, and we do not use it for advertising or marketing.

3. How we collect it

  1. Direct interactions. You provide information when you install our apps, configure settings, submit a withdrawal request, or contact support.
  2. From Shopify. We receive store name, URL, and contact details from your Shopify account and the app installation flow.
  3. Automatically. Our infrastructure and analytics providers collect technical and usage data (such as IP address and log data) needed to run, secure, and improve the Services.

4. Legal bases for processing

Where the GDPR applies, we rely on the following lawful bases:

  • Performance of a contract — to provide and operate the Services.
  • Compliance with a legal obligation — for example, supporting merchants' regulatory record-keeping.
  • Legitimate interests — to keep the Services secure, prevent abuse, and improve reliability, where these are not overridden by your rights.
  • Consent — where required, for example for non-essential cookies and analytics on our website. You may withdraw consent at any time.

5. How we use information

  • Provide and operate the Services and process withdrawal requests
  • Deliver accessibility functionality and maintain settings
  • Communicate with merchants and provide customer support
  • Monitor and improve performance, reliability, and security
  • Prevent fraud, abuse, and security incidents
  • Comply with legal obligations

6. Cookies & website analytics

Our Shopify apps load as App Embeds and do not set cookies on your storefront. On our website we use cookies and analytics to understand usage and manage consent, through:

  • Google Analytics (Google LLC) — website usage and traffic analytics.
  • Mixpanel (Mixpanel, Inc.) — product and engagement analytics.
  • Cookiebot (Cybot A/S) — cookie consent management.

Non-essential cookies load only with your consent. For the full list and how to manage them, see our Cookie Policy.

7. Subprocessors & data sharing

We do not sell personal data. We share information only with trusted service providers ("subprocessors") who process it solely to help us deliver the Services, under appropriate data-protection terms. These include Amazon Web Services, PlanetScale, Cloudflare, and Resend for the apps, and Google Analytics, Mixpanel, and Cookiebot for the website.

For the current, detailed list — including each provider's purpose, the data processed, and processing location — see our Subprocessor List.

We may also disclose data to professional advisors (lawyers, auditors, insurers), and to regulators or authorities where reporting is legally required.

8. International transfers

We host the apps' core infrastructure and databases in the European Union (Ireland region), within the European Economic Area (EEA).

Some subprocessors (for example, email and analytics providers) may process limited data outside the EEA. Where that happens, we rely on appropriate safeguards — a European Commission adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses (SCCs) — to protect your data.

9. Data security

We implement appropriate technical and organisational measures, including encryption of data in transit using TLS, access controls and least-privilege management, security monitoring and logging, backups and disaster recovery, and incident-response procedures. Access is limited to personnel with a business need to know, who are bound by confidentiality obligations.

No method of transmission or storage is completely secure, but we apply strict controls to protect your data once we receive it.

10. Data retention

We keep personal data only as long as necessary for the purpose it was collected, then delete or anonymise it. In practice:

DataRetention
Merchant account & configuration dataKept while the app is installed; deleted within 48 hours of uninstallation via Shopify's shop/redact webhook.
Consumer & withdrawal-request dataKept while needed to process the request and provide support; deleted on a verified request or via Shopify's customers/redact webhook (within 30 days). Withdrawal records may be kept up to 12 months to resolve disputes and meet record-keeping obligations, unless earlier deletion is requested.
Technical & log dataRetained up to 12 months, then deleted or anonymised.
Website analytics dataRetained per provider defaults (e.g. up to 14 months) and subject to your consent.
BackupsOverwritten on a standard rotation schedule.

We may retain data longer where law, tax, accounting, or fraud-prevention obligations require it, or where there is a prospect of litigation.

11. Your rights

Depending on your jurisdiction, you have the right to:

  1. Be informed about how we collect and use your personal data.
  2. Access the personal data we hold about you.
  3. Rectify inaccurate or outdated information.
  4. Erasure — ask us to delete your data (subject to exemptions).
  5. Restrict processing of your personal data.
  6. Data portability — receive your data in a machine-readable format.
  7. Object to processing, including automated processing.
  8. Withdraw consent at any time, where processing is based on consent.

Where Clevyre acts as a processor on a merchant's behalf (for example, for consumer withdrawal requests), we will refer your request to the relevant merchant, who is the controller, and assist them in responding. To exercise your rights, contact us or email privacy@clevyre.com. We aim to respond within 30 days, and there is no charge unless a request is clearly unfounded or excessive.

12. Complaints

If you have a concern about how we handle your personal data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with your local data-protection supervisory authority — in the EEA, this is the authority in the country where you live or work, or where the issue arose.

13. Children's privacy

Our Services are not directed to individuals under 16 years of age, and we do not knowingly collect their personal data. If you believe a child has provided us data, please contact us and we will delete it.

14. Changes to this policy

We may update this policy from time to time. The "Last updated" date above reflects the most recent version, and changes take effect when posted on this page. Where appropriate, we will notify you by email. This version supersedes any prior version.

15. Contact

For questions about this policy or our privacy practices, contact Clevyre, Inc., Whitefield, Bengaluru, Karnataka 560066, India, or email privacy@clevyre.com. You can also reach us via our contact page.

Need a copy for your records? Print this page or save it as a PDF from your browser. See also our Data Processing Agreement and Subprocessor List.