
Privacy policy

How AppThrive collects, stores, and uses data about developers and the merchants their apps serve.

Draft — in review with legal counsel

The text below is AppThrive's internal draft of this document. It has not yet been reviewed by qualified legal counsel and is not binding. We're publishing it in place so reviewers and interested readers can see our direction; the final binding text will replace it once counsel signs off.

Effective date: on publication · Last updated: on publication

1. Introduction

AppThrive (“AppThrive”, “we”, “us”, or “our”) is operated by EFOLI (“EFOLI”). This Privacy Policy explains how we collect, use, share, and protect personal information when you use our merchant success platform at appthrive.io and related services (the “Service”).

Our commitment: AppThrive is built for Shopify app developers to help them serve their merchants better. We believe privacy is fundamental. We collect only what we need to provide the Service, we never sell personal data, and we give you full control over your information.

2. Who we are

  • Data Controller: EFOLI (for AppThrive’s own users — you, the developer)
  • Data Processor: EFOLI (for data you provide about your merchants)
  • Contact: privacy@appthrive.io
  • Address: [EFOLI business address — to be populated on publication]

3. Information we collect

Account information (from you)

  • Name, email address, company name
  • Password (hashed, never stored in plaintext)
  • Authentication tokens (encrypted)
  • Billing information (processed by Stripe; we never store full card numbers)
  • Profile picture (optional)

Operational data (you provide about your merchants)

  • Shopify shop data (via Partner API with your authorization)
  • Merchant events, subscriptions, and engagement data
  • Custom fields, tags, and notes you create
  • Email templates, campaigns, and segments

Usage data (collected automatically)

  • Pages viewed, features used, session duration
  • IP address, browser type, operating system, device type
  • Referrer URL and campaign tracking parameters
  • Error logs and performance metrics

Cookies and similar technologies: see our Cookie Policy.

4. How we use information

We use information to:

  • Provide the Service: authenticate you, sync merchant data, compute scores, dispatch communications through your connected providers
  • Improve the Service: analyze usage patterns, identify bugs, measure feature adoption
  • Communicate with you: service updates, security alerts, billing notices, occasional product news (opt-out available)
  • Enforce our policies: detect abuse, prevent fraud, enforce our Terms of Service
  • Comply with law: respond to legal requests, protect rights, comply with regulations

We do NOT:

  • Sell your data or your merchants’ data to anyone
  • Use your data to train AI models without your explicit consent
  • Share your data with your competitors
  • Send marketing emails to your merchants on our behalf (we only orchestrate — you own the sending relationship)

5. Legal basis for processing (GDPR)

Purpose | Legal basis
Providing the Service | Contract (Art. 6(1)(b))
Security, fraud prevention | Legitimate interest (Art. 6(1)(f))
Service improvement analytics | Legitimate interest (Art. 6(1)(f))
Marketing communications to you | Consent (Art. 6(1)(a)), opt-in only
Legal compliance | Legal obligation (Art. 6(1)(c))

6. How we share information

We share information ONLY with:

  1. Sub-processors who help us operate the Service — see our Sub-processor list
  2. Your authorized integrations (ESPs, AI providers you connect)
  3. Legal authorities if required by valid legal process
  4. Successors in the event of a merger, acquisition, or sale of assets (with advance notice to you)

We NEVER share:

  • Your password or full authentication tokens
  • Your billing card details (handled by Stripe)
  • Your merchants’ data with other AppThrive customers
  • Your data with advertisers or data brokers

7. International data transfers

AppThrive is based in [country — determined by EFOLI incorporation at publication]. Data may be processed in:

  • United States (primary infrastructure: Vercel, Neon, Upstash)
  • European Union (optional, on request for EU customers)

For transfers out of the EU, we use Standard Contractual Clauses (SCCs) as the legal mechanism.

8. Data retention

Data type | Retention
Account data | Duration of account + 30 days after closure
Operational data (events, scores) | Per your plan (90 days to 5 years)
Audit logs | 1 year minimum, or per plan
Billing records | 7 years (legal requirement)
Support conversations | 2 years

After retention expires, data is cryptographically erased (destroying encryption keys) or deleted from all systems.

9. Your rights

Depending on your jurisdiction, you have the right to:

  • Access — request a copy of your data
  • Rectification — correct inaccurate data
  • Erasure / “right to be forgotten” — delete your data
  • Restriction — limit how we process your data
  • Portability — receive your data in a portable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent where we rely on consent

How to exercise: email privacy@appthrive.io or use the in-app privacy controls at Settings → Privacy.

Response time: within 30 days (GDPR) or 45 days (CCPA) of request.

10. Security

We implement industry-standard measures including:

  • TLS 1.3 for data in transit
  • AES-256-GCM encryption for sensitive data at rest
  • MFA required for admin access
  • Regular security audits and penetration testing
  • SOC 2 Type I compliance (target: 6 months post-launch)

11. Children’s privacy

AppThrive is not intended for users under 18. We do not knowingly collect information from children.

12. Changes to this policy

We’ll notify you of material changes via email and in-app notice at least 30 days before they take effect.

13. Contact us