Privacy Policy

Effective Date: January 26, 2026 | Last Updated: January 26, 2026

TL;DR - Key Points

What we collect: We collect your Shopify store's order data (customer emails, purchase history, amounts, addresses) and basic store information to power our predictive segmentation.
Why we collect it: We use machine learning to analyze purchasing patterns and create customer segments (high/medium/low intent) to help you target marketing more effectively.
What we share with marketing platforms: When you connect Klaviyo or Google Ads, we sync only customer email addresses and their segment membership. We do NOT share full order history, addresses, phone numbers, or other transaction details.
What we don't do: We do not sell personal data. We do not use your customers' data to market our own products to them.
Your control: You can request data deletion at any time. When you uninstall the app, we delete your data within 30 days.
Security: All data is transmitted over HTTPS/TLS and stored securely on AWS infrastructure.

1. Overview and Scope

This Privacy Policy describes how Lapio.ai ("Lapio," "we," "us," or "our") collects, uses, shares, and protects information when you use our Shopify application and related services (collectively, the "Service").

This policy applies to:

Shopify merchants who install and use the Lapio.ai app ("Merchants" or "you")
Customers of those merchants whose data is processed through our Service ("End Customers")

By installing or using our Service, you agree to the collection and use of information in accordance with this policy.

Website: https://lapio.ai
Support: support@lapio.ai

2. Information We Collect

2.1 Information Collected via Shopify APIs

When you install and connect Lapio.ai to your Shopify store, we request access to the following Shopify API scopes:

read_orders - Access to your store's order data
read_all_orders - Access to historical orders beyond the default 60-day window

Through these scopes, we collect and store:

Order Information:

Order IDs and timestamps (creation and processing dates)
Order financial data (subtotals, discounts, duties, fees, currency codes)
Fulfillment status
Line items (product names and quantities)
Discount codes applied
Cancellation information (if applicable)

Customer Information (from orders):

Customer email addresses
Billing address (country code, province/state code)
Shipping address (city)
Customer marketing acceptance status (opt-in/opt-out)

Store Information:

Shop ID and domain
Store name
Timezone
Shopify plan information

2.2 Information Collected Directly from Merchants

When you create an account and use our Service, we collect:

Your email address and name (for authentication)
Account preferences and settings
Marketing channel connection credentials (OAuth tokens for Klaviyo, Google Ads)
Information you provide in support requests

2.3 Information from End Customers

We do not collect information directly from your customers. All End Customer data is obtained through the Shopify APIs as described above, based on the permissions you grant when installing the app.

2.4 Automatically Collected Information

When you access our Service dashboard, we automatically collect:

Log data (IP addresses, browser type, access times)
Session information for authentication
Usage patterns within our application

3. How We Use Information

3.1 Predictive Segmentation Using Shopify Data

Lapio.ai processes Shopify transactional data (including order history and purchase behavior) to generate predictive customer segmentation insights for the specific merchant's store.

Predictive models are trained and executed using Shopify-provided transactional data only.
Google API data is not used for model training, model improvement, or predictive analytics.
All segmentation outputs are generated solely to provide user-facing functionality within the merchant's store.

3.2 Marketing Channel Synchronization

When you connect marketing platforms, we use customer segments to:

Sync customer email addresses and segment membership to Klaviyo (creating lists like "[Lapio] high_intent", "[Lapio] medium_intent", "[Lapio] low_intent")
Sync hashed customer email addresses to Google Ads Customer Match audiences

Important: When syncing to marketing platforms, we share ONLY:

Customer email addresses (hashed for Google Ads)
Segment/audience membership

We do NOT share: full order history, product purchase details, addresses, phone numbers, or other personal information with these platforms.

3.3 Service Operation and Improvement

We also use information to:

Provide, maintain, and improve our Service
Respond to your support requests
Send Service-related communications (updates, security alerts)
Conduct A/B testing and incrementality measurement (using holdout groups)
Monitor and analyze usage patterns
Detect and prevent fraud or security issues

3.4 Service Performance and Analytics

We may use aggregated and de-identified Shopify transactional data to evaluate, maintain, and improve the performance, reliability, and accuracy of the Service.

Such data:

Cannot be used to identify individual customers
Is not derived from Google API data
Is not used to train generalized artificial intelligence systems
Is used solely to improve user-facing functionality within the Service

Google API data is excluded from aggregation and model improvement processes.

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions requiring a legal basis, we process personal data under the following grounds:

Performance of Contract: Processing necessary to provide the Service you requested (segmentation, audience syncing)
Legitimate Interests: Processing for our legitimate business interests (improving our Service, security, analytics) where these interests are not overridden by your rights
Consent: Where you have given explicit consent (e.g., connecting optional marketing channels)
Legal Obligations: Processing necessary to comply with applicable laws

5. Sharing and Disclosure

5.1 Marketing Platforms (at Your Direction)

When you connect marketing channels, we share limited data with:

Klaviyo:

Customer email addresses
Segment membership (list assignments)
OAuth tokens are stored securely and used only to sync on your behalf

Google Ads:

When a merchant connects Google Ads, Lapio.ai:

Transmits hashed customer email addresses
Transmits audience membership information
Creates and updates Customer Match audiences on the merchant's behalf

Google API data obtained through this integration:

Is used solely to provide Customer Match synchronization functionality
Is not used for model training
Is not combined with Shopify data for predictive analytics
Is not used to create or enrich external databases
Is not used for targeted or personalized advertising outside of merchant-directed audience syncing
Is not shared with third parties
Is retained only as necessary to perform the synchronization service

Lapio.ai complies with the Google API Services User Data Policy, including Limited Use requirements.

5.2 Subprocessors

We use the following categories of service providers to operate our Service:

Category	Provider	Purpose
Cloud Infrastructure	Amazon Web Services (AWS)	Hosting, compute, storage, databases
Database	Supabase (PostgreSQL)	Data storage and user authentication
Email Marketing	Klaviyo	Audience sync (when connected by merchant)
Advertising	Google Ads	Audience sync (when connected by merchant)
Bot Protection	Google reCAPTCHA	Spam and abuse prevention

We maintain contracts with subprocessors requiring them to protect data consistent with this policy. A current list of subprocessors is available upon request at support@lapio.ai.

5.3 No Sale of Personal Data

We do not sell personal data. We do not rent, trade, or otherwise transfer personal information to third parties for their marketing purposes.

5.4 Other Disclosures

We may disclose information:

To comply with legal obligations, court orders, or government requests
To protect our rights, privacy, safety, or property
In connection with a merger, acquisition, or sale of assets (with notice to you)
With your consent

5.5 Google API Services Compliance

Lapio.ai's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

Google user data is used only to provide user-facing functionality within Lapio.ai.
Google user data is not used for advertising, resale, database creation, creditworthiness determination, lending purposes, or AI model training.
Google user data is not used to train generalized machine learning or artificial intelligence systems.
Google user data is not transferred except as necessary to provide the Service to the merchant who granted access.

6. Data Retention

We retain personal data only as long as necessary to provide our Service and fulfill the purposes described in this policy:

Data Type	Retention Period
Shopify order data	Duration of your subscription + 30 days after uninstall
Customer segments and predictions	Duration of your subscription + 30 days after uninstall
Marketing channel sync logs	Duration of your subscription + 30 days after uninstall
Account information	Until you delete your account + 30 days
Session data	Deleted immediately upon app uninstall

Derived analytical outputs are retained only as necessary to operate and improve the Service.

Upon App Uninstall: When you uninstall Lapio.ai from your Shopify store, we delete or anonymize your data within 30 days, except where retention is required for:

Legal compliance
Security and fraud prevention logs
Aggregated, de-identified analytics

7. International Data Transfers

Our Service is hosted with reputable cloud service providers and may process and store data in regions outside your country of residence.

For transfers from the EEA, UK, or Switzerland:

We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
Our subprocessors maintain appropriate certifications and data processing agreements
We implement technical and organizational measures to protect data during transfer

By using our Service, you acknowledge that your data may be transferred to and processed in countries with different data protection laws than your jurisdiction.

8. Security

We implement industry-standard technical and organizational security measures, including encryption in transit, access controls, monitoring, and secure credential management.

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Data Subject Rights and Requests

9.1 Your Rights

Depending on your jurisdiction, you may have the following rights:

Access: Request a copy of personal data we hold about you
Correction: Request correction of inaccurate data
Deletion: Request deletion of your personal data
Restriction: Request restriction of processing
Portability: Request data in a portable format
Objection: Object to processing based on legitimate interests
Withdraw Consent: Withdraw consent where processing is based on consent

9.2 For Merchants

To exercise your rights regarding your account or store data:

Email us at support@lapio.ai with your request
We will respond within 30 days (or sooner as required by law)
You may also delete your data by uninstalling the app

9.3 For End Customers

If you are a customer of a merchant using Lapio.ai and wish to exercise your data rights:

Contact the merchant first - The merchant is the data controller for your purchase data
The merchant can submit requests to us on your behalf
You may also contact us directly at support@lapio.ai, and we will work with the merchant to fulfill your request

10. Shopify Platform Compliance

10.1 Mandatory Compliance Webhooks

We comply with Shopify's platform requirements for data handling, including responding to Shopify's mandatory compliance webhooks:

Customer Data Request (customers/data_request): When Shopify forwards a request from a customer to access their data, we provide the requested information to the merchant
Customer Redaction (customers/redact): When Shopify requests deletion of a specific customer's data, we remove or anonymize that customer's information from our systems
Shop Redaction (shop/redact): When a merchant uninstalls the app and Shopify requests shop data deletion, we delete all associated shop and customer data

10.2 Merchant Responsibilities

As a Shopify merchant using our Service, you are responsible for:

Ensuring you have appropriate legal basis to share customer data with us
Maintaining your own privacy policy that discloses use of third-party apps like Lapio.ai
Responding to your customers' data subject requests
Forwarding relevant requests to us when needed

11. Cookies and Tracking

11.1 Essential Cookies

Our Service uses essential cookies and session tokens necessary for:

Authentication and login sessions
Security (CSRF protection)
Remembering your preferences within the app

11.2 What We Don't Use

In the Shopify admin context, we do NOT use:

Third-party advertising cookies
Cross-site tracking
Social media tracking pixels

11.3 Landing Page

Our public website (lapio.ai) uses:

Google reCAPTCHA for bot protection and form security
Essential cookies for site functionality

12. Children's Privacy

Our Service is intended for business use by Shopify merchants. We do not knowingly collect personal information from children under 16 (or the applicable age of digital consent in your jurisdiction).

If you believe we have inadvertently collected such information, please contact us at support@lapio.ai, and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

We will update the "Last Updated" date at the top
We will notify you via email or prominent notice in the Service
Continued use after changes constitutes acceptance of the updated policy

We encourage you to review this policy periodically.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

Email: support@lapio.ai

This Privacy Policy is specific to the Lapio.ai Shopify application and the services described herein.