Privacy policy
Powerful personalization. Responsible data handling.
Operated by: HelloDevs · [REGISTERED ADDRESS TO CONFIRM]
Contact: privacy@salesq.io
Effective date: [DATE TO CONFIRM]
Last updated: [DATE TO CONFIRM]
Download
Plain-Language Summary
Before the full policy — here is what SalesQ does with data in plain terms.
If you are a merchant (a Shopify store owner who has installed SalesQ): We collect your account information and store configuration to provide the service. Your billing is handled by Shopify — we never see your payment card details. We use your data to run SalesQ, notify you about your account, and improve the product. If you are a shopper (someone who took a quiz on a merchant's Shopify store): The merchant who owns the store you visited is responsible for your data — they are the Data Controller. SalesQ processes your data on the merchant's behalf as a Data Processor. If you have questions about how your data is used, or want to exercise your rights, contact the merchant first. You can also reach us at privacy@salesq.io and we will assist.
What we never do:
- We never sell your data to anyone.
- We never share your data with advertisers.
- We never use shopper data from one merchant's store for another merchant's benefit.
1. WHO WE ARE
SalesQ is a Shopify application built and operated by HelloDevs, a software development company registered at [REGISTERED ADDRESS TO CONFIRM].
SalesQ provides Shopify store owners with a quiz builder, email automation system, and revenue attribution dashboard — allowing them to guide shoppers to the right products, follow up with personalised automated emails, and track which quiz interactions generate sales.
Data Controller for merchant data: HelloDevs (operating SalesQ)
Data Processor for shopper data: HelloDevs (operating SalesQ), acting on behalf of each merchant who is the Data Controller for their shoppers' data
Contact: HelloDevs / SalesQ
Email: privacy@salesq.io
Website: salesq.io
2. KEY DEFINITIONS
'SalesQ' means the quiz, email automation, and attribution platform operated by HelloDevs at salesq.io and available through the Shopify App Store.
'Merchant' means a Shopify store owner or business that has installed and uses SalesQ.
'Shopper' means an individual who visits a merchant's Shopify store and interacts with a quiz built using SalesQ.
'Quiz Data' means all data generated when a shopper takes a quiz: questions shown, answers given, result paths reached, products recommended, email address provided, and device and session information.
'Email Data' means data generated when a SalesQ automated email is sent to a shopper: send timestamp, open events, click events, and which links were clicked.
'Attribution Data' means data connecting quiz interactions and email events to commerce events including cart additions, checkout starts, and order confirmations.
'Protected Customer Data' has the meaning given by Shopify's Partner Program requirements — personal information about a merchant's customers that SalesQ accesses through Shopify APIs.
'Personal Data' means any information relating to an identified or identifiable natural person as defined under applicable data protection law.
'GDPR' means the EU General Data Protection Regulation (2016/679).
'UK GDPR' means the UK General Data Protection Regulation as retained in UK law after 31 January 2020.
3. WHO THIS POLICY COVERS
This Privacy Policy covers two distinct groups:
Merchants: Shopify store owners and their team members who install and use SalesQ. HelloDevs is the Data Controller for merchant personal data.
Shoppers: Individuals who visit a merchant's Shopify store and take a quiz built with SalesQ. For shopper personal data, the merchant is the Data Controller and HelloDevs (operating SalesQ) is the Data Processor, acting strictly on the merchant's instructions. Merchants are responsible for having their own privacy policies in place for their shoppers and for ensuring their data collection practices comply with applicable law.
4. DATA WE COLLECT — FROM MERCHANTS
Account and Authentication Data
- Shopify store URL and store name
- Shopify account email address
- Name (if provided in Shopify account)
- Authentication tokens provided by Shopify to enable API access
We do not collect passwords. Authentication is handled by Shopify.
Store Configuration Data
- Quiz configurations you build (questions, answer choices, branching logic, result page designs)
- Email automation settings you configure (templates, timing, stop trigger rules)
- Product data synced from your Shopify catalogue (names, descriptions, images, prices — read from your store to power quiz recommendations)
- Shopify customer tags created through SalesQ
- Discount codes created through SalesQ
Billing Data
All subscription payments are processed by Shopify's native billing system. SalesQ does not receive, store, or process your payment card details. We receive only subscription status (active, trial, cancelled) and plan tier from Shopify.
Usage and Analytics Data
- Features used and how they are used
- Quiz performance data in aggregate (completions, views, conversion rates)
- Log data: IP address, browser type, pages accessed, timestamps
- Support communications
5. DATA WE COLLECT — FROM SHOPPERS (AS DATA PROCESSOR)
SalesQ collects the following data from shoppers on behalf of merchants. The merchant is the Data Controller. SalesQ processes it only as instructed through the merchant's SalesQ configuration.
Quiz Interaction Data
- Which quiz a shopper started and when
- Each question shown and each answer selected
- The result path reached and products recommended
- Whether the shopper skipped questions
- Time spent per question
Contact Data (if shopper provides it)
- Email address (voluntarily provided as part of the quiz flow)
- First name (if the quiz requests it for email personalisation)
Email capture is configurable by the merchant. The merchant determines the email capture approach and is responsible for the associated consent practices under applicable law.
Email Engagement Data
- Whether an email was delivered, opened, or bounced
- Whether any links were clicked and which specific links
- Time of each engagement event
Attribution Data (Quiz + Email + Revenue plan and above)
- Cart addition events connected to quiz sessions
- Checkout start events connected to quiz sessions
- Order completion events connected to quiz sessions
- Order value and products of attributed orders
Technical Data
- Device type (desktop, mobile, tablet)
- Browser type and version
- Approximate geographic location derived from IP address (country and region level)
- Referral source
- Session timestamp and duration
6. HOW WE USE MERCHANT DATA
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the SalesQ service | Contract performance |
| Processing subscription through Shopify billing | Contract performance |
| Sending service communications (plan limit notifications, critical updates) | Contract performance |
| Syncing Shopify product catalogue to power quiz recommendations | Contract performance |
| Providing customer support | Contract performance |
| Improving SalesQ features using aggregate usage data | Legitimate interests |
| Complying with legal obligations (tax, accounting) | Legal obligation |
| Sending product update emails about new SalesQ features | Legitimate interests (opt-out available at any time) |
We do not use merchant data for advertising, profiling, or any purpose unrelated to providing and improving SalesQ.
7. HOW WE USE SHOPPER DATA
SalesQ uses shopper data exclusively in accordance with merchant instructions as expressed through their SalesQ configuration.
| Purpose | Who Controls It |
|---|---|
| Displaying personalised quiz results | Merchant-configured |
| Sending automated email sequences | Merchant-configured |
| Tracking email opens and link clicks | Merchant-configured |
| Attributing sales to quiz and email events for merchant reporting | Merchant-configured (attribution plan only) |
| Providing the merchant with quiz performance analytics | Merchant-configured |
SalesQ does not:
- Use shopper data from one merchant's store for any other merchant's benefit
- Use shopper data for SalesQ's own marketing
- Combine shopper data across merchants to build cross-store profiles
- Sell, rent, or share shopper data with any third party for their own purposes
8. LEGAL BASIS FOR PROCESSING (GDPR / UK GDPR)
This section applies to individuals in the European Economic Area (EEA) and the United Kingdom.
For Merchant Data
Contract performance is the primary legal basis. Processing account, configuration, and billing data is necessary to fulfil the subscription contract.
Legitimate interests applies to product improvement using aggregate anonymised usage data and to sending feature update emails (opt-out available at any time).
Legal obligation applies to data retained for tax and accounting purposes.
For Shopper Data
SalesQ processes shopper data as a Data Processor on behalf of merchants. The merchant, as Data Controller, is responsible for establishing and documenting the lawful basis for processing shoppers' personal data through SalesQ.
For merchants' reference, the likely applicable bases are:
Email result delivery — sending quiz results by email: Legitimate interests. The shopper actively requested personalised recommendations and provided their email to receive them.
Automated email sequences — follow-up emails after the initial results: Merchants should take care here. Under UK PECR and the EU ePrivacy Directive, electronic direct marketing to individuals generally requires consent. Merchants using SalesQ's email automation for sequences that constitute direct marketing should ensure they have obtained appropriate consent from shoppers. SalesQ provides the technical capability; the merchant is responsible for the lawful basis.
Attribution tracking — connecting quiz and email events to purchase events: Legitimate interests of the merchant in understanding their commercial performance.
Note to merchants: If you serve customers in the UK or EU, review your SalesQ quiz configuration with your legal advisor to ensure your email capture and automation practices comply with UK PECR, the EU ePrivacy Directive, and applicable GDPR requirements.
9. DATA SHARING AND SUB-PROCESSORS
Shopify Inc.
SalesQ is built on the Shopify platform. Shopify processes certain data as part of providing infrastructure for SalesQ, including app installation, authentication, and billing. Shopify's privacy practices are governed by Shopify's Privacy Policy at shopify.com/legal/privacy.
Shopify GDPR Mandatory Webhooks
SalesQ implements all three Shopify-mandatory GDPR webhooks required of all Shopify apps that access customer data:
- customers/data_request — When a merchant receives a customer data access request, Shopify sends this webhook. SalesQ responds by providing all data held for that customer within Shopify's required timeframe.
- customers/redact — When a customer requests deletion of their data from a merchant's store, Shopify sends this webhook. SalesQ processes the deletion of that customer's quiz data, subscriber profile, email engagement data, and attribution data within 30 days of receipt.
- shop/redact — When a merchant uninstalls SalesQ, Shopify sends this webhook. SalesQ permanently deletes all data associated with that merchant's store within 30 days of receipt.
These webhooks are the primary technical mechanism through which customer data subject rights requests are processed. Merchants do not need to contact SalesQ directly to initiate these processes — they are triggered automatically through Shopify.
Infrastructure and Hosting Provider
[TO CONFIRM — e.g., DigitalOcean, AWS, Hetzner] SalesQ's infrastructure is hosted on [HOSTING PROVIDER]. This provider processes data on our behalf and is contractually required to process data only on our instructions and to maintain appropriate security measures. All data is stored in [DATA CENTRE REGION TO CONFIRM].
Email Delivery Provider
[TO CONFIRM — e.g., Brevo, SendGrid, AWS SES] SalesQ's automated emails are sent through [EMAIL DELIVERY PROVIDER]. This provider processes shopper email addresses and email content on behalf of SalesQ and the merchant, for the sole purpose of delivering quiz result emails and automated email sequences.
Analytics
We use aggregate, anonymised analytics to understand how SalesQ is used and to improve the product. No personally identifiable information is shared with analytics providers.
Legal Requirements
We may disclose data to law enforcement or other authorities if required by law, court order, or where disclosure is necessary to protect legal rights or the safety of others.
Business Transfers
If HelloDevs is acquired, merged, or undergoes a significant business transfer, merchant and shopper data may be transferred as part of that transaction. We will notify affected merchants in advance and ensure continuity of privacy protections.
What We Never Do
- We do not sell personal data to any third party.
- We do not share personal data with advertisers or for advertising purposes.
- We do not share personal data for purposes unrelated to providing SalesQ.
Full Sub-Processor List
| Sub-Processor | Purpose | Location |
|---|---|---|
| Shopify Inc. | Platform infrastructure, billing, customer data | USA / Global |
| [HOSTING PROVIDER TO CONFIRM] | Server infrastructure and data storage | [LOCATION TO CONFIRM] |
| [EMAIL DELIVERY PROVIDER TO CONFIRM] | Email delivery for quiz result and automation emails | [LOCATION TO CONFIRM] |
SalesQ will notify merchants at least 30 days in advance of any addition or change to sub-processors, giving merchants the opportunity to object. Full sub-processor details including data processing agreements are available on request at privacy@salesq.io.
10. SHOPIFY PROTECTED CUSTOMER DATA
When SalesQ operates as a Shopify app, the personal information we process about a merchant's customers constitutes Protected Customer Data as defined by Shopify's Partner Program requirements.
SalesQ meets Shopify's Level 1 and Level 2 requirements for handling Protected Customer Data, which include:
Level 1 Requirements:
- Requesting only the minimum Shopify API scopes necessary for SalesQ's quiz, email automation, and attribution features to function
- Encrypting Protected Customer Data in transit using TLS 1.2 or higher
- Restricting staff access to Protected Customer Data on a least-privilege basis with role-based access controls
- Retaining Protected Customer Data only for as long as necessary to deliver the service or as required by applicable law
- Supporting customer data subject requests originating from merchants via Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact)
Level 2 Requirements:
- Encrypting Protected Customer Data at rest using AES-128 or higher
- Enforcing multi-factor authentication (MFA) for all personnel who have access to systems containing Protected Customer Data
- Conducting annual security assessments of SalesQ's software, including vulnerability assessments and penetration testing
- Maintaining a documented incident response plan for security breaches affecting Protected Customer Data
- Maintaining documented data retention and deletion policies
Our Data Processing Agreement (DPA) is published in full at salesq.io/dpa. Merchants who require a signed copy can request one at privacy@salesq.io. The DPA covers our role as a processor under GDPR and UK GDPR, our role as a service provider under CCPA/CPRA, and our obligations under VCDPA, CPA, CTDPA, and UCPA, including Standard Contractual Clauses for cross-border transfers and our sub-processor list.
11. INTERNATIONAL DATA TRANSFERS
HelloDevs is based in [COUNTRY]. If you are located in the UK or EU, your personal data may be transferred to and processed in a country that does not have equivalent data protection laws.
Where we transfer data internationally, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
- UK International Data Transfer Agreement (IDTA), where applicable for transfers from the UK
- Transfers to countries with an adequacy decision from the relevant supervisory authority
For questions about international transfers and the specific safeguards in place, contact privacy@salesq.io.
12. DATA RETENTION
Merchant Data
| Data Category | Retention Period |
|---|---|
| Account and authentication data | Duration of active subscription + 30 days post-cancellation |
| Quiz and email template configurations | Duration of active subscription + 30 days post-cancellation |
| Billing confirmation data | 7 years (legal/accounting requirement) |
| Support communications | 3 years from the date of the communication |
| Aggregate usage analytics | Indefinitely (fully anonymised) |
After the retention period, merchant data is permanently deleted or irreversibly anonymised.
Shopper Data (held on behalf of merchants)
| Data Category | Retention Period |
|---|---|
| Quiz answer and session data | 24 months from collection |
| Email address and subscriber profile | 24 months from collection, or until unsubscribed |
| Email engagement data (opens, clicks) | 24 months from collection |
| Attribution data (cart, checkout, order events) | 24 months from collection |
Merchants can request deletion of all shopper data within their SalesQ account at any time by contacting privacy@salesq.io. We will process deletion requests within 30 days.
Individual shoppers can request deletion through the merchant (as Data Controller) or directly through us at privacy@salesq.io. We will coordinate with the merchant and process within 30 days.
When a merchant uninstalls SalesQ, all their data and their shoppers' data is deleted within 30 days via Shopify's shop/redact webhook.
13. YOUR RIGHTS — MERCHANTS
If you are a merchant in the UK or EU, you have the following rights under GDPR / UK GDPR:
Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Ask us to correct inaccurate or incomplete data.
Right to erasure: Ask us to delete your personal data. Note: some data must be retained for legal or accounting purposes.
Right to restrict processing: Ask us to limit how we use your data in certain circumstances.
Right to data portability: Request your personal data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.
Right to withdraw consent: Where processing is based on consent, you can withdraw at any time.
How to exercise your rights: Email privacy@salesq.io with 'Data Rights Request' in the subject line. We will respond within 30 days and may need to verify your identity before processing the request.
Right to complain: You have the right to lodge a complaint with your relevant supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: Your national data protection authority
14. YOUR RIGHTS — SHOPPERS
If you are a shopper who took a quiz on a merchant's Shopify store powered by SalesQ, the merchant who operates that store is the Data Controller for your data.
To exercise your rights: Contact the merchant first — through the privacy policy or contact details on their Shopify store.
If you cannot reach the merchant, or if your request relates specifically to SalesQ's processing, contact us at privacy@salesq.io. We will assist you and coordinate with the merchant.
Rights available to shoppers:
- Access the data SalesQ holds about you in relation to a specific quiz interaction
- Correction of inaccurate data
- Deletion of your data from SalesQ systems (processed via Shopify's customers/redact webhook)
- Objection to or restriction of processing
- Complaint to the relevant supervisory authority
Unsubscribe from automated emails: Every automated email sent through SalesQ includes a legally required unsubscribe link. Clicking this link stops all further automated emails immediately.
15. FOR CALIFORNIA RESIDENTS (CCPA / CPRA)
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents specific rights regarding their personal information. We honour these rights for all California residents whose personal information we process.
Categories of Personal Information Collected
- Identifiers (name, email address, IP address)
- Commercial information (quiz interactions, product recommendations received, purchase history attributed through the quiz)
- Internet or electronic activity information (email opens, clicks, pages viewed on the quiz)
- Inferences drawn from this information (recommended product profile based on quiz answers)
We Do Not Sell or Share Your Personal Information
SalesQ does not sell personal information for monetary consideration, and we do not 'share' personal information for cross-context behavioural advertising as defined under CPRA.
Your CCPA / CPRA Rights
Right to know: Request the categories and specific pieces of personal information we have collected, the sources, business purposes, and third parties with whom we have shared it in the preceding 12 months.
Right to delete: Request deletion of personal information we have collected, subject to legal retention requirements.
Right to correct (CPRA): Request correction of inaccurate personal information we hold about you.
Right to opt out of sale or sharing: We do not sell or share personal information. If this changes, we will provide a 'Do Not Sell or Share My Personal Information' link before any such activity begins.
Right to limit sensitive personal information (CPRA): We do not use sensitive personal information for purposes beyond those permitted under CPRA.
Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise CCPA / CPRA rights: Email privacy@salesq.io with subject line 'California Privacy Request'. We will verify your identity and respond within 45 days (extendable by a further 45 days with notice if reasonably necessary).
You may designate an authorised agent to make a request on your behalf. The agent must provide written authorisation from you.
16. FOR COLORADO, CONNECTICUT, UTAH, AND VIRGINIA RESIDENTS
The Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA) give residents of those states rights regarding their personal data.
We extend the following rights to residents of these states:
Right of access: Request confirmation of whether we are processing your personal data and, if so, a copy of that data.
Right to correct inaccuracies (Virginia, Colorado, Connecticut): Request correction of inaccurate personal data we hold about you.
Right to delete: Request deletion of personal data we hold about you, subject to legal retention requirements.
Right to data portability: Receive a copy of your personal data in a portable, machine-readable format where technically feasible.
Right to opt out of targeted advertising, sale of personal data, and profiling: SalesQ does not engage in targeted advertising, sale of personal data, or profiling for decisions that produce legal or similarly significant effects. The opt-out right is available regardless.
Right to appeal (Virginia, Colorado, Connecticut): If we decline to take action on a privacy request, you have the right to appeal our decision. To appeal: email privacy@salesq.io with subject line 'Privacy Request Appeal — [State]' and include details of your original request and our response. We will respond to appeals within:
- Virginia (VCDPA): 60 days of receipt
- Colorado (CPA): 45 days of receipt
- Connecticut (CTDPA): 45 days of receipt
If your appeal is denied, you may contact the relevant state Attorney General to submit a complaint.
To exercise these rights: Email privacy@salesq.io with subject line 'State Privacy Request' and identify the state you reside in. We will respond within the timeframe required by the applicable law, typically 45 days from a verified request.
18. CHILDREN'S PRIVACY
SalesQ's service is intended for Shopify merchants — businesses and adults. We do not knowingly collect personal data from children under 16.
If a merchant operates a store serving children, they must not use SalesQ's email automation features without appropriate legal advice and consent mechanisms in place.
If you believe we have inadvertently collected data about a child, contact privacy@salesq.io immediately and we will delete it promptly.
19. CHANGES TO THIS POLICY
We may update this Privacy Policy to reflect changes in our data practices, applicable law, or SalesQ's features.
When we make changes:
- We update the 'Last updated' date at the top of this page
- For material changes that affect merchants: we notify you by email to your Shopify account email address at least 14 days before the changes take effect
- For minor changes (corrections, clarifications): the updated policy replaces the previous version on the effective date
Continued use of SalesQ after a change takes effect constitutes acceptance of the updated Privacy Policy.
20. CONTACT US
For all privacy-related questions, requests, or concerns:
HelloDevs / SalesQ
Email: privacy@salesq.io
Subject line: 'Privacy Request' or 'Data Rights Request'
Response time: We aim to respond within 5 business days and to resolve requests within 30 days.
For Data Processing Agreement (DPA) requests: privacy@salesq.io — reference 'DPA Request' in the subject line. Our full DPA is published at: salesq.io/dpa
FIXES APPLIED — VERSION HISTORY
| Version | Date | Changes |
|---|---|---|
| v1.0 | [DATE] | Initial draft |
| v2.0 | [DATE] | Fix 1: Shopify GDPR mandatory webhooks added (Section 9). Fix 2: Shopify Protected Customer Data Level 1+2 added (Section 10). Fix 3: Colorado, Connecticut, Utah, Virginia residents section added (Section 16). Fix 4: DPA reference added pointing to salesq.io/dpa. Fix 5: Sub-processor table structured with named roles and [TO CONFIRM] placeholders. Fix 6: Right to appeal added for VCDPA/CPA/CTDPA states. Fix 7: Download links added in document header. |