Privacy Policy

Last updated: May 2, 2026

Kovyo ("we", "our", "us") provides email marketing automation for Shopify stores. This Privacy Policy describes how we collect, use, store and protect personal data when you use Kovyo.

1. Who is the controller

When you (a Shopify merchant) use Kovyo, you are the data controller of your customers' personal data. Kovyo is the data processor. We process customer data only on your instructions, as documented in our service.

2. What data we collect

From merchants (you):

  • Account email and authentication tokens
  • Connected Shopify store domains and access tokens
  • Billing information (handled by our payment processor)
  • App usage logs (which features you click, when)

From your customers (storefront visitors and Shopify customers):

  • Email addresses (when submitted in popups or imported from Shopify)
  • Behavioral events: page views, product views, add-to-cart, popup views/conversions
  • Shopify customer data (name, email, order history) when synced via Shopify webhook
  • Email engagement data: opens, clicks, bounces (via our email provider)

3. How we use this data

  • To send marketing emails on your behalf to your customers, based on automations you configure
  • To track conversions and attribute revenue to your campaigns
  • To provide reports and analytics in your Kovyo dashboard
  • To improve Kovyo (aggregated, anonymized usage analytics)
  • To comply with legal obligations

We do not sell your data, your customers' data, or any subset of it to third parties. We do not use customer data to train machine learning models or share it across merchants.

4. Where data is stored

  • Database: Supabase (AWS, primary region us-east-1)
  • Email delivery: Resend (AWS SES, US regions)
  • Hosting: Vercel (global CDN edges)
  • Backups: daily, encrypted, 30-day retention

All data in transit is encrypted via TLS. All data at rest is encrypted using AES-256.

5. Your customers' rights (GDPR / CCPA)

When a customer requests their data or asks for deletion, you (the merchant) are responsible for honoring the request. Shopify forwards three GDPR webhook topics to Kovyo automatically:

  • customers/data_request: when a customer asks for their data, we compile all events, emails, and profile data we hold for them and email it to you within 30 days.
  • customers/redact: when you confirm a deletion request, we delete that customer's personal data from our database within 30 days.
  • shop/redact: 48 hours after you uninstall Kovyo from your store, we delete all of your store's data (popups, automations, contacts, logs).

Merchants can also export their full contact list as CSV at any time, on any plan, including Free.

6. Retention

  • Active accounts: data is retained as long as the account is active
  • Cancelled accounts: data is retained for 30 days, then permanently deleted
  • Email logs (sent, opened, clicked): 12 months
  • Shopify orders synced for attribution: 24 months
  • Billing records: 5 years (legal requirement)

7. Subprocessors

We use the following subprocessors. Each is bound by a Data Processing Agreement.

  • Supabase Inc. (USA) — database, authentication, file storage
  • Resend Inc. (USA) — transactional & marketing email delivery
  • Vercel Inc. (USA) — application hosting
  • Shopify Inc. (Canada) — source of merchant store data via Admin API; processes all paid-plan billing through the Shopify Billing API (charges appear on the merchant's regular Shopify invoice)

8. Cookies

The Kovyo admin dashboard uses essential cookies for authentication. The Kovyo storefront tracker (installed on your Shopify theme) uses sessionStorage and localStorage on visitors' browsers to identify sessions and avoid showing the same popup twice. No third-party advertising cookies are set.

9. Contact

For privacy questions, email privacy@kovyo.co. For account deletion or data export requests, log into Kovyo → Settings, or email us.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to account holders at least 30 days before taking effect.
