Privacy Policy

Last updated: 2026-05-25

This Privacy Policy explains what data Switchboard ("the App", "we", "us", "our") collects from Shopify stores that install it, how we use that data, and the rights store owners and their customers have over it.

Switchboard is operated by The Click Collective ("the Operator"). All inquiries should be directed to theclickcollectiveio@gmail.com.


1. Who this policy applies to

Switchboard is a B2B Shopify application installed by Shopify merchants. This policy covers:

Switchboard has no separate end-user signup; access is granted exclusively through Shopify's OAuth flow when a merchant installs the App.


2. What data Switchboard collects

2a. From the merchant (during installation and use)

When a merchant installs Switchboard, Shopify provides us with:

When the merchant uses the App, we additionally store:

2b. From the merchant's customers

Switchboard does not collect, store, or transmit personally identifiable information about the merchant's customers.

The Switchboard storefront SDK reads and writes cart-level data (cart attributes and line-item properties) that the merchant's theme or storefront code chooses to set. These values are processed in-memory inside the Shopify Function at checkout and are not persisted to Switchboard's database. The signed-price token issued by Switchboard's backend contains only a variant ID, a price in cents, an expiry timestamp, and a signature — no customer identifier.

The Switchboard backend may incidentally observe the customer's IP address and user-agent in standard web server access logs when their browser calls /apps/switchboard/sign-price via Shopify's App Proxy. These logs are retained for up to 30 days for operational and security purposes and are not used for profiling, advertising, or any secondary purpose.

2c. From the merchant's browser (when using the admin UI)

When a merchant uses the embedded Switchboard admin, our server receives standard web request metadata (IP address, user-agent, referrer). This is used for security, debugging, and rate-limiting only.


3. How we use the data

We use the data described above solely to:

We do not use any of this data to build advertising profiles, train machine-learning models, or share with third parties beyond the sub-processors listed in Section 5.


4. How long we retain data

Data Retention
Shopify session and access token Until the merchant uninstalls Switchboard, at which point Shopify revokes the token and we delete the session within 24 hours.
Function configurations, signing keys, billing state Until the merchant uninstalls. On the app/uninstalled webhook, all shop-scoped records are queued for deletion within 30 days.
Audit log entries 12 months, then automatically purged.
Web server access logs 30 days.
Compliance webhook requests (e.g. shop/redact) Acknowledged on receipt; deletion completed within Shopify's mandated 30-day window.

5. Sub-processors

Switchboard relies on the following third-party sub-processors to operate. Each is bound by its own privacy policy and data-protection agreement:

Sub-processor Purpose Data shared
Shopify Inc. Source of all merchant and customer data; provides OAuth, App Proxy, and Billing All data described in Section 2 originates from or is returned to Shopify
Fly.io Application hosting (Toronto region — yyz) All server-side processing
Supabase (managed Postgres) Primary database All persisted data in Section 2a

We do not use any analytics, advertising, or tracking SDKs.


6. Data location and transfers

Switchboard's application servers run in Toronto, Canada (Fly.io yyz). Supabase Postgres is hosted in the region selected at provisioning. Data may be transferred to Shopify's infrastructure as required for the App to function.

If you are an EU/UK data subject, Article 28 GDPR obligations are addressed via our sub-processor agreements; contact us for a copy of our Data Processing Addendum.


7. Your rights (GDPR, CCPA, and equivalents)

Customers of Shopify stores using Switchboard have the right to access, correct, and delete personal data the merchant holds about them. Because Switchboard does not store customer PII, requests of this nature should be directed to the merchant in the first instance.

Switchboard implements the three mandatory Shopify compliance webhooks at /webhooks/app/compliance:

Merchants may also email theclickcollectiveio@gmail.com at any time to request deletion of their shop's data ahead of uninstall, or to ask any data-protection question.


8. Security

We protect data using:

If you discover a security vulnerability, please report it to theclickcollectiveio@gmail.com. We aim to acknowledge reports within one business day.


9. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced to active merchants by email at the address on their Shopify account at least 14 days before the change takes effect.


10. Contact

The Click Collective Email: theclickcollectiveio@gmail.com

For Shopify-specific compliance requests, please continue to use Shopify's standard data-request and redact mechanisms — these are automatically routed to Switchboard's compliance webhook endpoint.