Privacy Policy
Last updated: February 17, 2026
This Privacy Policy describes how Checkout Reward ("we", "us", or "our"), operated by Kore Business, collects, uses, and shares information when you install and use our Shopify application ("App"). This policy applies to merchants who install the App and to their customers whose data is processed through the App.
1. Information We Collect
We collect and store the following categories of data:
1.1 Merchant Data
- Shopify store ID, store domain, store name, and Shopify plan type.
- App configuration settings: discount percentage, minimum order value, reward validity period, redemption clearance window, and branding preferences (sender name, store logo URL).
- Billing status and subscription records.
1.2 Customer Data
We collect customer data only for customers who place qualifying orders on a merchant's store:
- Shopify customer ID, email address, first name, and last name.
- Phone number — only if the customer has explicitly opted in to receive SMS notifications.
- SMS opt-in status and timestamp.
1.3 Order Data
- Order ID and total order value for qualifying purchases (used to calculate reward amounts).
- We do not store product details, shipping addresses, or payment information.
1.4 Reward and Redemption Data
- Reward amounts, remaining balances, creation dates, availability dates, and expiration dates.
- Reward status (active, redeemed, expired, cancelled, recovery).
- Redemption history and associated billing records.
1.5 Communication Data
- Records of emails and SMS messages sent: message type, channel, scheduled time, sent time, and delivery status.
- We do not store the content of individual messages after they are sent.
2. How We Use Information
We use collected information solely for the following purposes:
- Create, manage, and apply customer rewards based on qualifying orders.
- Write customer-level metafields on Shopify (e.g., active reward balance) so that checkout extensions can display and apply rewards automatically.
- Write shop-level metafields on Shopify to configure checkout and cart extensions.
- Send transactional communications (reward earned notifications, mid-life reminders, urgency alerts) via email and SMS on behalf of the merchant.
- Calculate and charge usage-based fees to merchants when rewards are redeemed.
- Display analytics and statistics in the merchant dashboard.
- Maintain, monitor, and improve the App's functionality and performance.
3. How We Share Information
We do not sell, rent, or trade personal information to third parties. We share data only with the following service providers, strictly as required for the App to function:
- Shopify: We read and write data via the Shopify Admin API (orders, customers, discounts, metafields) as required for reward creation, redemption, and checkout integration.
- SendGrid (Twilio Inc.): Customer email addresses and first names are shared with SendGrid solely to deliver transactional email communications on behalf of the merchant.
- Twilio: Customer phone numbers are shared with Twilio solely to deliver transactional SMS messages on behalf of the merchant. SMS is only sent to customers who have explicitly opted in.
- Vercel: Application hosting and serverless function execution. Vercel processes requests on our behalf under their privacy policy.
- Neon (PostgreSQL): Database hosting and storage. All data is stored in encrypted databases under Neon's privacy policy.
4. Shopify Metafields
The App writes data to Shopify metafields to enable checkout and cart functionality:
- Shop-level metafield (checkout_reward.store_config): Contains the merchant's reward configuration (discount percentage, minimum order value, branding settings). This metafield has storefront read access so that checkout and cart extensions can render reward information.
- Customer-level metafield (checkout_reward.active_discount): Contains the customer's active reward balance and next expiration date. This metafield has storefront read access so that checkout extensions can display and apply rewards automatically.
These metafields are managed entirely by the App and are removed or cleared when a merchant uninstalls or when a customer's rewards expire.
5. Data Retention
We retain merchant and customer data for as long as the App is installed and active. When a merchant uninstalls the App:
- All active rewards are immediately cancelled.
- Shopify authentication sessions are deleted.
- The merchant's system status is set to inactive.
When we receive GDPR webhooks from Shopify:
- Shop data erasure (shop/redact): All merchant data — including customer records, rewards, redemptions, communications, billing records, and message templates — is permanently and irrecoverably deleted.
- Customer data erasure (customers/redact): The specific customer record and all associated data (rewards, redemptions, communications) are permanently deleted.
- Customer data request (customers/data_request): We compile all stored data for the requested customer and make it available to the merchant.
6. SMS Communications
The App sends SMS messages only to customers who have explicitly opted in through the merchant's Shopify store (e.g., during checkout or account registration). We enforce the following safeguards:
- SMS is never sent to customers whose smsOptedIn flag is not set to true.
- SMS is never sent to customers who have not provided a phone number.
- Customers can opt out at any time by replying STOP to any message.
- SMS messages are transactional in nature (reward notifications, reminders, expiration alerts) and are not used for marketing or promotional purposes.
7. Data Security
We implement industry-standard security measures to protect stored data:
- All database connections use TLS/SSL encryption.
- All webhook payloads are verified using Shopify's HMAC signature verification.
- API keys, database credentials, and secrets are stored as encrypted environment variables — never in source code.
- The App uses Shopify's session token authentication for all embedded admin requests.
- Access to production systems is restricted to authorized personnel only.
8. Cookies and Tracking
Checkout Reward does not use cookies, pixels, or third-party tracking technologies. The App operates entirely within the Shopify ecosystem (admin panel, checkout, and cart) and does not track customers across websites or sessions.
9. International Data Transfers
Our servers and service providers (Vercel, Neon, SendGrid, Twilio) may process data in the United States and other jurisdictions. By using the App, you consent to the transfer and processing of data in these locations. We ensure all service providers maintain appropriate data protection safeguards.
10. Your Rights (GDPR, CCPA, and Other Regulations)
Depending on your location, you may have the following rights regarding your personal data:
- Right of access: Request a copy of the data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your data.
- Right to restrict processing: Request limitation of how we use your data.
- Right to data portability: Request your data in a machine-readable format.
- Right to object: Object to the processing of your data for specific purposes.
For merchants: You can export or delete your data by contacting us at the address below.
For customers: Please contact the merchant (the store where you made your purchase) to exercise your data rights. The merchant will forward applicable requests to us, and we will process them promptly.
California residents (CCPA): We do not sell personal information. You have the right to know what data we collect, request its deletion, and not be discriminated against for exercising your rights.
11. Merchant Responsibilities
Merchants using Checkout Reward are responsible for:
- Ensuring their use of the App complies with their own privacy policy and all applicable data protection laws (GDPR, CCPA, PIPEDA, etc.).
- Informing customers about the reward program, how their data is used, and the existence of automated communications.
- Obtaining explicit, documented consent from customers before enabling SMS communications, in compliance with TCPA, GDPR, and other applicable regulations.
- Providing customers with a clear mechanism to opt out of SMS messages.
- Responding to customer data access and deletion requests in a timely manner.
12. Children's Privacy
The App is not directed at children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify merchants of significant changes via the App dashboard or email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the App after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy, your data, or wish to exercise any of your rights, contact us at:
Kore Business
Email: rafael@korebusiness.com
Website: www.checkoutreward.com