Privacy policy

Powerful personalization. Responsible data handling.

Operated by: HelloDevs · [REGISTERED ADDRESS TO CONFIRM]

Contact: privacy@salesq.io

Effective date: [DATE TO CONFIRM]

Last updated: [DATE TO CONFIRM]

Download

Plain-Language Summary

Before the full policy — here is what SalesQ does with data in plain terms.

If you are a merchant (a Shopify store owner who has installed SalesQ): We collect your account information and store configuration to provide the service. Your billing is handled by Shopify — we never see your payment card details. We use your data to run SalesQ, notify you about your account, and improve the product. If you are a shopper (someone who took a quiz on a merchant's Shopify store): The merchant who owns the store you visited is responsible for your data — they are the Data Controller. SalesQ processes your data on the merchant's behalf as a Data Processor. If you have questions about how your data is used, or want to exercise your rights, contact the merchant first. You can also reach us at privacy@salesq.io and we will assist.

What we never do:

  • We never sell your data to anyone.
  • We never share your data with advertisers.
  • We never use shopper data from one merchant's store for another merchant's benefit.

1. WHO WE ARE

SalesQ is a Shopify application built and operated by HelloDevs, a software development company registered at [REGISTERED ADDRESS TO CONFIRM].

SalesQ provides Shopify store owners with a quiz builder, email automation system, and revenue attribution dashboard — allowing them to guide shoppers to the right products, follow up with personalised automated emails, and track which quiz interactions generate sales.

Data Controller for merchant data: HelloDevs (operating SalesQ)

Data Processor for shopper data: HelloDevs (operating SalesQ), acting on behalf of each merchant who is the Data Controller for their shoppers' data

Contact: HelloDevs / SalesQ

Email: privacy@salesq.io

Website: salesq.io

2. KEY DEFINITIONS

'SalesQ' means the quiz, email automation, and attribution platform operated by HelloDevs at salesq.io and available through the Shopify App Store.

'Merchant' means a Shopify store owner or business that has installed and uses SalesQ.

'Shopper' means an individual who visits a merchant's Shopify store and interacts with a quiz built using SalesQ.

'Quiz Data' means all data generated when a shopper takes a quiz: questions shown, answers given, result paths reached, products recommended, email address provided, and device and session information.

'Email Data' means data generated when a SalesQ automated email is sent to a shopper: send timestamp, open events, click events, and which links were clicked.

'Attribution Data' means data connecting quiz interactions and email events to commerce events including cart additions, checkout starts, and order confirmations.

'Protected Customer Data' has the meaning given by Shopify's Partner Program requirements — personal information about a merchant's customers that SalesQ accesses through Shopify APIs.

'Personal Data' means any information relating to an identified or identifiable natural person as defined under applicable data protection law.

'GDPR' means the EU General Data Protection Regulation (2016/679).

'UK GDPR' means the UK General Data Protection Regulation as retained in UK law after 31 January 2020.

3. WHO THIS POLICY COVERS

This Privacy Policy covers two distinct groups:

Merchants: Shopify store owners and their team members who install and use SalesQ. HelloDevs is the Data Controller for merchant personal data.

Shoppers: Individuals who visit a merchant's Shopify store and take a quiz built with SalesQ. For shopper personal data, the merchant is the Data Controller and HelloDevs (operating SalesQ) is the Data Processor, acting strictly on the merchant's instructions. Merchants are responsible for having their own privacy policies in place for their shoppers and for ensuring their data collection practices comply with applicable law.

4. DATA WE COLLECT — FROM MERCHANTS

Account and Authentication Data

  • Shopify store URL and store name
  • Shopify account email address
  • Name (if provided in Shopify account)
  • Authentication tokens provided by Shopify to enable API access

We do not collect passwords. Authentication is handled by Shopify.

Store Configuration Data

  • Quiz configurations you build (questions, answer choices, branching logic, result page designs)
  • Email automation settings you configure (templates, timing, stop trigger rules)
  • Product data synced from your Shopify catalogue (names, descriptions, images, prices — read from your store to power quiz recommendations)
  • Shopify customer tags created through SalesQ
  • Discount codes created through SalesQ

Billing Data

All subscription payments are processed by Shopify's native billing system. SalesQ does not receive, store, or process your payment card details. We receive only subscription status (active, trial, cancelled) and plan tier from Shopify.

Usage and Analytics Data

  • Features used and how they are used
  • Quiz performance data in aggregate (completions, views, conversion rates)
  • Log data: IP address, browser type, pages accessed, timestamps
  • Support communications

5. DATA WE COLLECT — FROM SHOPPERS (AS DATA PROCESSOR)

SalesQ collects the following data from shoppers on behalf of merchants. The merchant is the Data Controller. SalesQ processes it only as instructed through the merchant's SalesQ configuration.

Quiz Interaction Data

  • Which quiz a shopper started and when
  • Each question shown and each answer selected
  • The result path reached and products recommended
  • Whether the shopper skipped questions
  • Time spent per question

Contact Data (if shopper provides it)

  • Email address (voluntarily provided as part of the quiz flow)
  • First name (if the quiz requests it for email personalisation)

Email capture is configurable by the merchant. The merchant determines the email capture approach and is responsible for the associated consent practices under applicable law.

Email Engagement Data

  • Whether an email was delivered, opened, or bounced
  • Whether any links were clicked and which specific links
  • Time of each engagement event

Attribution Data (Quiz + Email + Revenue plan and above)

  • Cart addition events connected to quiz sessions
  • Checkout start events connected to quiz sessions
  • Order completion events connected to quiz sessions
  • Order value and products of attributed orders

Technical Data

  • Device type (desktop, mobile, tablet)
  • Browser type and version
  • Approximate geographic location derived from IP address (country and region level)
  • Referral source
  • Session timestamp and duration

6. HOW WE USE MERCHANT DATA

PurposeLegal Basis (GDPR)
Providing the SalesQ serviceContract performance
Processing subscription through Shopify billingContract performance
Sending service communications (plan limit notifications, critical updates)Contract performance
Syncing Shopify product catalogue to power quiz recommendationsContract performance
Providing customer supportContract performance
Improving SalesQ features using aggregate usage dataLegitimate interests
Complying with legal obligations (tax, accounting)Legal obligation
Sending product update emails about new SalesQ featuresLegitimate interests (opt-out available at any time)

We do not use merchant data for advertising, profiling, or any purpose unrelated to providing and improving SalesQ.

7. HOW WE USE SHOPPER DATA

SalesQ uses shopper data exclusively in accordance with merchant instructions as expressed through their SalesQ configuration.

PurposeWho Controls It
Displaying personalised quiz resultsMerchant-configured
Sending automated email sequencesMerchant-configured
Tracking email opens and link clicksMerchant-configured
Attributing sales to quiz and email events for merchant reportingMerchant-configured (attribution plan only)
Providing the merchant with quiz performance analyticsMerchant-configured

SalesQ does not:

  • Use shopper data from one merchant's store for any other merchant's benefit
  • Use shopper data for SalesQ's own marketing
  • Combine shopper data across merchants to build cross-store profiles
  • Sell, rent, or share shopper data with any third party for their own purposes

9. DATA SHARING AND SUB-PROCESSORS

Shopify Inc.

SalesQ is built on the Shopify platform. Shopify processes certain data as part of providing infrastructure for SalesQ, including app installation, authentication, and billing. Shopify's privacy practices are governed by Shopify's Privacy Policy at shopify.com/legal/privacy.

Shopify GDPR Mandatory Webhooks

SalesQ implements all three Shopify-mandatory GDPR webhooks required of all Shopify apps that access customer data:

  • customers/data_request — When a merchant receives a customer data access request, Shopify sends this webhook. SalesQ responds by providing all data held for that customer within Shopify's required timeframe.
  • customers/redact — When a customer requests deletion of their data from a merchant's store, Shopify sends this webhook. SalesQ processes the deletion of that customer's quiz data, subscriber profile, email engagement data, and attribution data within 30 days of receipt.
  • shop/redact — When a merchant uninstalls SalesQ, Shopify sends this webhook. SalesQ permanently deletes all data associated with that merchant's store within 30 days of receipt.

These webhooks are the primary technical mechanism through which customer data subject rights requests are processed. Merchants do not need to contact SalesQ directly to initiate these processes — they are triggered automatically through Shopify.

Infrastructure and Hosting Provider

[TO CONFIRM — e.g., DigitalOcean, AWS, Hetzner] SalesQ's infrastructure is hosted on [HOSTING PROVIDER]. This provider processes data on our behalf and is contractually required to process data only on our instructions and to maintain appropriate security measures. All data is stored in [DATA CENTRE REGION TO CONFIRM].

Email Delivery Provider

[TO CONFIRM — e.g., Brevo, SendGrid, AWS SES] SalesQ's automated emails are sent through [EMAIL DELIVERY PROVIDER]. This provider processes shopper email addresses and email content on behalf of SalesQ and the merchant, for the sole purpose of delivering quiz result emails and automated email sequences.

Analytics

We use aggregate, anonymised analytics to understand how SalesQ is used and to improve the product. No personally identifiable information is shared with analytics providers.

We may disclose data to law enforcement or other authorities if required by law, court order, or where disclosure is necessary to protect legal rights or the safety of others.

Business Transfers

If HelloDevs is acquired, merged, or undergoes a significant business transfer, merchant and shopper data may be transferred as part of that transaction. We will notify affected merchants in advance and ensure continuity of privacy protections.

What We Never Do

  • We do not sell personal data to any third party.
  • We do not share personal data with advertisers or for advertising purposes.
  • We do not share personal data for purposes unrelated to providing SalesQ.

Full Sub-Processor List

Sub-ProcessorPurposeLocation
Shopify Inc.Platform infrastructure, billing, customer dataUSA / Global
[HOSTING PROVIDER TO CONFIRM]Server infrastructure and data storage[LOCATION TO CONFIRM]
[EMAIL DELIVERY PROVIDER TO CONFIRM]Email delivery for quiz result and automation emails[LOCATION TO CONFIRM]

SalesQ will notify merchants at least 30 days in advance of any addition or change to sub-processors, giving merchants the opportunity to object. Full sub-processor details including data processing agreements are available on request at privacy@salesq.io.

10. SHOPIFY PROTECTED CUSTOMER DATA

When SalesQ operates as a Shopify app, the personal information we process about a merchant's customers constitutes Protected Customer Data as defined by Shopify's Partner Program requirements.

SalesQ meets Shopify's Level 1 and Level 2 requirements for handling Protected Customer Data, which include:

Level 1 Requirements:

  • Requesting only the minimum Shopify API scopes necessary for SalesQ's quiz, email automation, and attribution features to function
  • Encrypting Protected Customer Data in transit using TLS 1.2 or higher
  • Restricting staff access to Protected Customer Data on a least-privilege basis with role-based access controls
  • Retaining Protected Customer Data only for as long as necessary to deliver the service or as required by applicable law
  • Supporting customer data subject requests originating from merchants via Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact)

Level 2 Requirements:

  • Encrypting Protected Customer Data at rest using AES-128 or higher
  • Enforcing multi-factor authentication (MFA) for all personnel who have access to systems containing Protected Customer Data
  • Conducting annual security assessments of SalesQ's software, including vulnerability assessments and penetration testing
  • Maintaining a documented incident response plan for security breaches affecting Protected Customer Data
  • Maintaining documented data retention and deletion policies

Our Data Processing Agreement (DPA) is published in full at salesq.io/dpa. Merchants who require a signed copy can request one at privacy@salesq.io. The DPA covers our role as a processor under GDPR and UK GDPR, our role as a service provider under CCPA/CPRA, and our obligations under VCDPA, CPA, CTDPA, and UCPA, including Standard Contractual Clauses for cross-border transfers and our sub-processor list.

11. INTERNATIONAL DATA TRANSFERS

HelloDevs is based in [COUNTRY]. If you are located in the UK or EU, your personal data may be transferred to and processed in a country that does not have equivalent data protection laws.

Where we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
  • UK International Data Transfer Agreement (IDTA), where applicable for transfers from the UK
  • Transfers to countries with an adequacy decision from the relevant supervisory authority

For questions about international transfers and the specific safeguards in place, contact privacy@salesq.io.

12. DATA RETENTION

Merchant Data

Data CategoryRetention Period
Account and authentication dataDuration of active subscription + 30 days post-cancellation
Quiz and email template configurationsDuration of active subscription + 30 days post-cancellation
Billing confirmation data7 years (legal/accounting requirement)
Support communications3 years from the date of the communication
Aggregate usage analyticsIndefinitely (fully anonymised)

After the retention period, merchant data is permanently deleted or irreversibly anonymised.

Shopper Data (held on behalf of merchants)

Data CategoryRetention Period
Quiz answer and session data24 months from collection
Email address and subscriber profile24 months from collection, or until unsubscribed
Email engagement data (opens, clicks)24 months from collection
Attribution data (cart, checkout, order events)24 months from collection

Merchants can request deletion of all shopper data within their SalesQ account at any time by contacting privacy@salesq.io. We will process deletion requests within 30 days.

Individual shoppers can request deletion through the merchant (as Data Controller) or directly through us at privacy@salesq.io. We will coordinate with the merchant and process within 30 days.

When a merchant uninstalls SalesQ, all their data and their shoppers' data is deleted within 30 days via Shopify's shop/redact webhook.

13. YOUR RIGHTS — MERCHANTS

If you are a merchant in the UK or EU, you have the following rights under GDPR / UK GDPR:

Right of access: Request a copy of the personal data we hold about you.

Right to rectification: Ask us to correct inaccurate or incomplete data.

Right to erasure: Ask us to delete your personal data. Note: some data must be retained for legal or accounting purposes.

Right to restrict processing: Ask us to limit how we use your data in certain circumstances.

Right to data portability: Request your personal data in a structured, machine-readable format.

Right to object: Object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.

Right to withdraw consent: Where processing is based on consent, you can withdraw at any time.

How to exercise your rights: Email privacy@salesq.io with 'Data Rights Request' in the subject line. We will respond within 30 days and may need to verify your identity before processing the request.

Right to complain: You have the right to lodge a complaint with your relevant supervisory authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • EU: Your national data protection authority

14. YOUR RIGHTS — SHOPPERS

If you are a shopper who took a quiz on a merchant's Shopify store powered by SalesQ, the merchant who operates that store is the Data Controller for your data.

To exercise your rights: Contact the merchant first — through the privacy policy or contact details on their Shopify store.

If you cannot reach the merchant, or if your request relates specifically to SalesQ's processing, contact us at privacy@salesq.io. We will assist you and coordinate with the merchant.

Rights available to shoppers:

  • Access the data SalesQ holds about you in relation to a specific quiz interaction
  • Correction of inaccurate data
  • Deletion of your data from SalesQ systems (processed via Shopify's customers/redact webhook)
  • Objection to or restriction of processing
  • Complaint to the relevant supervisory authority

Unsubscribe from automated emails: Every automated email sent through SalesQ includes a legally required unsubscribe link. Clicking this link stops all further automated emails immediately.

15. FOR CALIFORNIA RESIDENTS (CCPA / CPRA)

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents specific rights regarding their personal information. We honour these rights for all California residents whose personal information we process.

Categories of Personal Information Collected

  • Identifiers (name, email address, IP address)
  • Commercial information (quiz interactions, product recommendations received, purchase history attributed through the quiz)
  • Internet or electronic activity information (email opens, clicks, pages viewed on the quiz)
  • Inferences drawn from this information (recommended product profile based on quiz answers)

We Do Not Sell or Share Your Personal Information

SalesQ does not sell personal information for monetary consideration, and we do not 'share' personal information for cross-context behavioural advertising as defined under CPRA.

Your CCPA / CPRA Rights

Right to know: Request the categories and specific pieces of personal information we have collected, the sources, business purposes, and third parties with whom we have shared it in the preceding 12 months.

Right to delete: Request deletion of personal information we have collected, subject to legal retention requirements.

Right to correct (CPRA): Request correction of inaccurate personal information we hold about you.

Right to opt out of sale or sharing: We do not sell or share personal information. If this changes, we will provide a 'Do Not Sell or Share My Personal Information' link before any such activity begins.

Right to limit sensitive personal information (CPRA): We do not use sensitive personal information for purposes beyond those permitted under CPRA.

Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise CCPA / CPRA rights: Email privacy@salesq.io with subject line 'California Privacy Request'. We will verify your identity and respond within 45 days (extendable by a further 45 days with notice if reasonably necessary).

You may designate an authorised agent to make a request on your behalf. The agent must provide written authorisation from you.

16. FOR COLORADO, CONNECTICUT, UTAH, AND VIRGINIA RESIDENTS

The Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA) give residents of those states rights regarding their personal data.

We extend the following rights to residents of these states:

Right of access: Request confirmation of whether we are processing your personal data and, if so, a copy of that data.

Right to correct inaccuracies (Virginia, Colorado, Connecticut): Request correction of inaccurate personal data we hold about you.

Right to delete: Request deletion of personal data we hold about you, subject to legal retention requirements.

Right to data portability: Receive a copy of your personal data in a portable, machine-readable format where technically feasible.

Right to opt out of targeted advertising, sale of personal data, and profiling: SalesQ does not engage in targeted advertising, sale of personal data, or profiling for decisions that produce legal or similarly significant effects. The opt-out right is available regardless.

Right to appeal (Virginia, Colorado, Connecticut): If we decline to take action on a privacy request, you have the right to appeal our decision. To appeal: email privacy@salesq.io with subject line 'Privacy Request Appeal — [State]' and include details of your original request and our response. We will respond to appeals within:

  • Virginia (VCDPA): 60 days of receipt
  • Colorado (CPA): 45 days of receipt
  • Connecticut (CTDPA): 45 days of receipt

If your appeal is denied, you may contact the relevant state Attorney General to submit a complaint.

To exercise these rights: Email privacy@salesq.io with subject line 'State Privacy Request' and identify the state you reside in. We will respond within the timeframe required by the applicable law, typically 45 days from a verified request.

17. COOKIES AND TRACKING

Strictly Necessary Cookies

Used to maintain quiz session state while a shopper is taking a quiz. These are essential for the quiz to function and cannot be disabled.

Attribution Tracking

When a shopper completes a quiz and provides their email address, SalesQ sets a first-party identifier that enables attribution tracking — connecting subsequent cart additions, checkout events, and orders to the original quiz session.

This tracking is:

  • First-party (set on the merchant's domain, not SalesQ's domain)
  • Linked to the shopper's email address provided during the quiz
  • Used only to attribute commerce events to the quiz interaction for the merchant's analytics

Merchants are responsible for disclosing SalesQ's tracking in their own cookie policy and obtaining any required consent from shoppers under applicable law (UK PECR, EU ePrivacy Directive, US state law as applicable).

Analytics

SalesQ uses aggregate, anonymised analytics on its own website (salesq.io) to understand how the marketing site is used.

18. CHILDREN'S PRIVACY

SalesQ's service is intended for Shopify merchants — businesses and adults. We do not knowingly collect personal data from children under 16.

If a merchant operates a store serving children, they must not use SalesQ's email automation features without appropriate legal advice and consent mechanisms in place.

If you believe we have inadvertently collected data about a child, contact privacy@salesq.io immediately and we will delete it promptly.

19. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes in our data practices, applicable law, or SalesQ's features.

When we make changes:

  • We update the 'Last updated' date at the top of this page
  • For material changes that affect merchants: we notify you by email to your Shopify account email address at least 14 days before the changes take effect
  • For minor changes (corrections, clarifications): the updated policy replaces the previous version on the effective date

Continued use of SalesQ after a change takes effect constitutes acceptance of the updated Privacy Policy.

20. CONTACT US

For all privacy-related questions, requests, or concerns:

HelloDevs / SalesQ

Email: privacy@salesq.io

Subject line: 'Privacy Request' or 'Data Rights Request'

Response time: We aim to respond within 5 business days and to resolve requests within 30 days.

For Data Processing Agreement (DPA) requests: privacy@salesq.io — reference 'DPA Request' in the subject line. Our full DPA is published at: salesq.io/dpa

FIXES APPLIED — VERSION HISTORY

VersionDateChanges
v1.0[DATE]Initial draft
v2.0[DATE]Fix 1: Shopify GDPR mandatory webhooks added (Section 9). Fix 2: Shopify Protected Customer Data Level 1+2 added (Section 10). Fix 3: Colorado, Connecticut, Utah, Virginia residents section added (Section 16). Fix 4: DPA reference added pointing to salesq.io/dpa. Fix 5: Sub-processor table structured with named roles and [TO CONFIRM] placeholders. Fix 6: Right to appeal added for VCDPA/CPA/CTDPA states. Fix 7: Download links added in document header.