Terms & Privacy

Shopify App Privacy Policy and Terms of Service

This Shopify App Privacy Policy and Terms of Service (The Shopify App Policy) applies specifically to Clients and users of the Maestra which are using the Maestra: CDP Companion App for Shopify.

The Shopify App Policy is introduced as supplement to the general Privacy Policy , as well as  Privacy Policy with provisions specific to the European Union and Terms of Service .

1. Overview

When the Maestra: CDP Companion App is installed and used, Maestra CDP receives and processes certain data from the connected Shopify store of Maestra Client to enable seamless marketing automation, segmentation, and audience sync within the corresponding Maestra workspace.

2. Data Processed

Upon authorization, the following types of information are accessed from the Shopify store and synced to the merchant’s Maestra CDP:

  • Customer information:

    full name, email address, phone number, billing address (street, city, zip/postal code, country), shipping address, customer tags, customer note, Shopify customer ID, account creation date, and other customer metadata.

  • Marketing consent status:

    email marketing opt-in status, SMS opt-in status, timestamp of consent, consent source (e.g. checkout or newsletter form).

  • Order details:

    order ID, order date, order status, line items (product names, variants, SKUs), quantity, total amount, discount codes used, fulfillment and payment status, and associated product/order metadata.

  • Store metadata:

    Shopify shop domain (e.g. mystore.myshopify.com), store name, store locale (language), store currency (e.g. USD, EUR), time zone, plan type.

  • Customer activity events: product viewed, product added to cart, product removed from cart, cart viewed, checkout started, shipping or contact information submitted, customer identified, checkout completed, collection viewed.

No payment data, customer passwords, or sensitive personal identifiers are collected.

3. Purpose of Processing

The purpose of processing is to collect data from the website and transfer it to Maestra, specifically:

  • Segment customers based on attributes like purchase frequency, tags, and total spend

  • Automatically sync contacts and their order behavior to the linked Maestra account

  • Trigger marketing workflows such as welcome series, abandoned cart flows, or upsell campaigns
  • Track engagement and deliver analytics for campaign optimization

4. Sharing and Disclosure

Shopify store data is not sold, rented, or shared with any third parties except:

  • Trusted partners (a full list is available in the Privacy Policy )
  • Where required by applicable law or regulation

5. Customer Consent & Shopify Customer Privacy API

Customer privacy preferences, as defined in Shopify, are respected. If the store uses Shopify’s Customer Privacy API, all data tracking and marketing actions are deferred until valid consent is provided by the customer.

Implementation and enforcement of consent logic in the storefront is the sole responsibility of the store owner, in accordance with Shopify’s requirements.

6. Data Storage

Data is stored securely in accordance with industry best practices. All transmissions are encrypted, and access is strictly limited based on authorization scopes.

In compliance with the GDPR and Shopify’s Customer Privacy Policy, customer data is deleted within 30 days in the following cases, unless shorter periods are stipulated by applicable law:

  • When the customer explicitly requests data erasure
  • When Maestra: CDP Companion App is uninstalled from the Shopify Admin
  • When the merchant requests to delete all the stored data
  • When the merchant terminates the contract or relationship with Maestra

7. Legal Basis for Processing and Storage of Personal Data

We process and store personal data based on a contractual relationship established with the merchant. By installing and using the Maestra: CDP Companion App, the merchant enters into a data processing agreement with Maestra, under which the merchant authorizes Maestra to collect, process, and store customer data originating from their Shopify store.

This legal basis aligns with Article 6(1)(b) and 6(1)(f) of the General Data Protection Regulation (GDPR), as the processing is necessary for the performance of a contract and for the merchant’s legitimate business interests, such as marketing automation, customer segmentation, and analytics.

The data is retained in accordance with the merchant contract and is deleted within 30 days or upon contract termination, app uninstallation, or valid data erasure request, or within shorter periods, if stipulated by applicable law.

8. Customer Rights

The following actions may be requested at any time:

  • Deletion of App-related data
  • Export of collected data
  • Reporting of suspected misuse
  • Other rights in accordance with applicable data protection laws, including GDPR and relevant US legislation

All privacy-related inquiries should be directed to support@maestra.io .