VEBIGO Cart Recovery

Privacy Policy

Your data and your customers’ data matter. Vebigo (“we,” “us,” or “our”) provides Cart Recovery (“the App”) to merchants who use Shopify to power their stores. This Privacy Policy explains what personal data we collect, why we use it, how we protect it, how long we keep it, and how merchants and individuals can exercise privacy rights. It works together with our Terms of Service and, where we process personal data on a merchant’s behalf, our Data Processing Agreement (“DPA”). By installing or continuing to use the App, you acknowledge that you have reviewed this Privacy Policy and the Terms.

The App processes Shopify protected customer data at Level 2 (including customer email and phone number). See Shopify’s overview: Work with protected customer data. Our practices also align with Shopify’s protected customer data requirements. Use of Shopify’s APIs is subject to the Shopify API License and Terms of Use.

Privacy and data protection agreements with merchants

Shopify expects app developers who access protected customer data to maintain a clear privacy and data protection framework with merchants. For Cart Recovery, that framework includes:

  • this Privacy Policy (public, and suitable to link from your Shopify App listing as your privacy policy URL);
  • our Terms of Service, which you accept by installing or using the App; and
  • our Data Processing Agreement, which applies where we process personal data about your customers on your instructions and describes controller/processor roles, security expectations, subprocessors, international transfers, and assistance with requests.

Together, these documents describe what we collect (for example, customer email and phone from Shopify, and technical data such as IP address, country, referrer, and user agent stored with App activity), what we do with it (for example, cart upsell and re-marketing features you configure), how we protect it, retention and deletion (including after uninstall), and how you can request access, export, or deletion assistance.

Who this policy covers

This policy applies to merchants who install the App and to end customers of those merchants where the App processes their personal data. It also covers visitors to our corporate site at https://vebigo.com where relevant (for example, marketing and support pages).

Personal data we collect

Merchant (you). When you install or use the App, we collect information needed to operate the App and your account, such as your store identifiers, shop name, staff or contact email, billing relationship with Shopify where visible to us, and App settings. We may also collect technical data (for example, diagnostics, error logs, and usage signals) to secure and improve the Service.

Customers (your customers). To provide cart upsell, re-marketing, and related features you enable, we collect and store personal data obtained from Shopify (for example, via the Admin API or webhooks), including at minimum email address and phone number where you and Shopify make those fields available to the App. We also store the following technical or contextual data in our application database (for example, via Prisma), associated with storefront or App activity: IP address, country (such as a country code or country inferred or supplied at collection), referrer (for example, the HTTP referer or referring page URL where available), and user agent (browser or client user-agent string). We use these fields to operate and secure the App, understand attribution and traffic context, support analytics and troubleshooting, and tailor functionality where you enable it. We may also process limited related context (for example, identifiers or order-related data) needed to run those features. We process only the minimum data reasonably necessary for the functionality you use.

Storage and infrastructure. Customer and merchant data are stored in our application database (accessed through our ORM layer, for example Prisma) on infrastructure provided by our hosting subprocessors (for example, cloud servers and managed databases). A current list of subprocessor categories is in our DPA.

Why and how we use personal data

We use personal data to:

  • provide, maintain, and secure the App (including authentication, support, troubleshooting, and abuse prevention);
  • deliver cart upsell and related storefront experiences you configure;
  • use IP address, country, referrer, and user agent to secure the Service, prevent abuse, understand how visitors reach the storefront, debug issues, and support analytics or localization consistent with your configuration;
  • enable re-marketing and follow-up communications you configure, including making contact data available for Shopify Flow or other tools you connect, so those tools can send email or SMS in line with your settings and applicable law;
  • communicate with you about the App, security, and (where permitted) product updates;
  • comply with law, enforce our terms, and protect rights, safety, and security.

Purpose limitation. We process personal data only for the purposes described in this policy, in the Partner Dashboard Data protection details you submit for the App, and in our agreements with you, unless a different use is required or permitted by law.

Consent, marketing, and opt-out. You are responsible for lawful bases, consent, notices, and honoring opt-outs for your customers, including for marketing and SMS. Where applicable law gives individuals rights regarding “sale,” “sharing,” or targeted advertising, we assist you as described in the DPA and this policy.

What we do not do with customer contact data

We do not sell your customers’ personal information. We do not use your customers’ email addresses or phone numbers collected through the App to run our own independent marketing campaigns unrelated to providing the App and the features you configure. Commercial email or SMS to your customers is driven by your configuration, Shopify, and the messaging providers or automations you use.

Marketing communications and consent

Our App enables merchants to collect customer consent for marketing communications (such as email or SMS) through the merchant’s online store, for example by displaying a consent checkbox in a modal or form.

When our App makes customer contact information (such as email address and phone number) available to workflows or third-party tools that you configure (for example, Shopify Flow or external email/SMS providers), we do so on the understanding that you have a valid legal basis to use that information for marketing (for example, the customer has opted in to receive such communications).

We store and apply customers’ consent preferences (for example, whether they have opted in or out of marketing emails or SMS) and do not intentionally enable marketing communications to be sent via the App where the customer has not consented or has withdrawn consent. Customers can typically withdraw consent or change their marketing preferences using the mechanisms provided by the merchant (for example, unsubscribe links in emails, replying STOP to SMS, or updating preferences in their account), and our App respects these updated preferences when processing data for the merchant.

Default consent label (customizable). Merchants may customize the consent text shown to customers. Unless you change it, the App may display the following default checkbox label:

Yes, I’d like to receive exclusive deals, restock alerts, and personalized offers via email and SMS. See {policy} for more information.

Automated decision-making

Our App uses certain automated logic to help merchants with marketing and upsell activities (for example, identifying products to recommend or triggering workflows in third-party tools based on customer actions). However, the App does not use personal data to make automated decisions that have legal or similarly significant effects on individuals, such as creditworthiness, employment eligibility, or access to essential services.

Any automated email or SMS campaigns run using data from our App are carried out by the merchant and their chosen third-party providers (for example, marketing platforms such as Klaviyo) under their own configurations and policies. We do not control or operate those third-party automated decision-making systems.

Shopify API access

The App may request these Shopify API scopes (or subsets, depending on your build and installation): write_products, write_app_proxy, write_customers, read_customers, read_orders, read_locales, and read_themes. We use them only as needed for features you enable—for example, products and storefront configuration, customer and order data for upsell and re-marketing, locales and themes where relevant to presentation, and app proxy behavior.

Cookies, local storage, and similar technologies

We and subprocessors may use cookies, local storage, pixels, and similar technologies for sessions, preferences, security, and analytics. For general information about cookies, see https://www.allaboutcookies.org/.

Log files and analytics

In addition to the fields we store in our database as described above (including IP address, country, referrer, and user agent), we may collect similar information in ephemeral server or application logs (such as timestamps and route information) to operate, secure, and improve the Service and to investigate abuse. Log retention for such ephemeral logs may differ from the retention of records in our application database.

Sharing and subprocessors

We share personal data with subprocessors that host, secure, or operate the App (for example, cloud hosting, databases, logging, and email for transactional notices to you). When you enable Shopify Flow or third-party email/SMS or marketing tools, those providers process data under their terms and your configuration. We disclose information when required by law or to protect rights and safety. Details are in the DPA.

International transfers

We may process data in countries other than yours or your customers’. Where required, we use appropriate safeguards (such as standard contractual clauses). See the DPA.

Retention and deletion

We retain personal data only as long as needed for the purposes in this policy and our agreements. After you uninstall the App, we will delete or irreversibly anonymize customer personal data within ninety (90) days, except where a longer period is required by law or to resolve disputes you are involved in, as described in the DPA. You may request earlier deletion or export where applicable.

Security and encryption

We use technical and organizational measures designed to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include using industry-standard encryption technologies to protect data in transit (for example, TLS/HTTPS connections) and storing data on encrypted infrastructure at our hosting providers where possible.

We also limit access to personal data to authorized personnel who need it to operate the App and who are bound by confidentiality obligations. We use separate environments for development/testing and production so that real customer data is processed only in the production environment, and we minimize the copying and logging of personal data in non‑production systems.

Use of identifiers for analytics and advertising

Our App may enable merchants to use certain customer data for analytics and advertising purposes, such as by sending identifiers to advertising or analytics platforms (for example, via tags or a data layer on the merchant’s storefront). Where we do so, we typically use hashed or otherwise pseudonymized identifiers (such as hashed email addresses), and we only do this on behalf of merchants who configure such integrations in their own tools (such as Google Tag Manager or other pixels).

Merchants are responsible for configuring their own third-party tools and obtaining all necessary consents from customers to use personal data for advertising and analytics in accordance with applicable law and the third parties’ terms and policies.

Technical and organizational safeguards

We implement measures consistent with Shopify’s protected customer data requirements (Level 1 and Level 2), including the encryption practices described under Security and encryption above. These measures include, as appropriate:

  • Infrastructure. Using hosting providers that support encrypted storage and secure network configurations.
  • Backups. Where we or our hosting providers maintain backup copies or snapshots of data, ensuring they are protected by appropriate access controls and, where available, encryption at rest, and subject to the same retention and deletion principles described in this policy and the DPA.
  • Environments. Separation of production and non-production environments so that real customer data is processed only in production, with test and development using synthetic or minimized data.
  • Data loss prevention. Controls to reduce unauthorized export or misuse of personal data, including minimizing copying of personal data into non-production systems and limiting the amount of personal data written to logs.
  • Access control. Need-to-know access to systems that store personal data, strong authentication for staff and systems, and confidentiality obligations for authorized personnel.
  • Monitoring and incident response. Monitoring of our systems for anomalous behavior and a documented process to detect, contain, investigate, and notify in the event of a security incident affecting personal data, as required by law and the DPA.

No method of storage or transmission is perfectly secure; you should also protect your Shopify admin and connected accounts.

Your rights and requests

Individuals (customers): If you are a customer of a merchant using Cart Recovery, contact the merchant first to exercise privacy rights (access, correction, deletion, etc.). We process much of this data only as a processor for the merchant.

Merchants: To request access, export, correction, or deletion of personal data we hold in connection with the App, email [email protected] from your store’s primary contact and describe the request. We will respond in line with applicable law and the DPA.

If you are in the EEA, UK, or Switzerland, you may have additional rights; you may also lodge a complaint with a supervisory authority.

Children

The App is not directed at children. We do not knowingly collect personal information from children. Contact us if you believe we have done so in error.

Changes to this policy

We may update this Privacy Policy to reflect changes to the App, our practices, or legal requirements. We will post the updated version on this page and update the “Last updated” date below. Material changes may also be communicated through the App or by email where appropriate.

Contact

Privacy questions: [email protected]. Support: https://vebigo.com/apps/contact.

Last updated

April 13, 2026