Privacy Policy
Last updated: 2026-05-25
This Privacy Policy explains what data Switchboard ("the App", "we", "us", "our") collects from Shopify stores that install it, how we use that data, and the rights store owners and their customers have over it.
Switchboard is operated by The Click Collective ("the Operator"). All inquiries should be directed to theclickcollectiveio@gmail.com.
1. Who this policy applies to
Switchboard is a B2B Shopify application installed by Shopify merchants. This policy covers:
- Merchants — the Shopify store owner or staff member who installs and uses Switchboard from the Shopify admin.
- Customers of the merchant's store — shoppers who interact with a storefront that has Switchboard installed.
Switchboard has no separate end-user signup; access is granted exclusively through Shopify's OAuth flow when a merchant installs the App.
2. What data Switchboard collects
2a. From the merchant (during installation and use)
When a merchant installs Switchboard, Shopify provides us with:
- The shop's
myshopify.comdomain - A Shopify-issued OAuth access token (used to call the Shopify Admin GraphQL API on the merchant's behalf, scoped to
write_validationsandwrite_cart_transforms) - The shop's primary locale and currency (read at runtime; not retained beyond the session)
When the merchant uses the App, we additionally store:
- Function configurations the merchant authors (validation rules, cart transform rules, safety rails, status flags)
- Per-shop signing keys used to sign price-override tokens for the Cart Transform feature. These keys are generated on first use, encrypted at rest with AES-256-GCM, and never transmitted to the storefront or any third party.
- Billing subscription state (current plan, trial expiry, subscription ID) returned to us by Shopify's Billing API
- Audit log entries recording administrative actions taken inside Switchboard (e.g. "rule created", "plan upgraded"), tied to the shop and the timestamp
2b. From the merchant's customers
Switchboard does not collect, store, or transmit personally identifiable information about the merchant's customers.
The Switchboard storefront SDK reads and writes cart-level data (cart attributes and line-item properties) that the merchant's theme or storefront code chooses to set. These values are processed in-memory inside the Shopify Function at checkout and are not persisted to Switchboard's database. The signed-price token issued by Switchboard's backend contains only a variant ID, a price in cents, an expiry timestamp, and a signature — no customer identifier.
The Switchboard backend may incidentally observe the customer's IP address and user-agent in standard web server access logs when their browser calls /apps/switchboard/sign-price via Shopify's App Proxy. These logs are retained for up to 30 days for operational and security purposes and are not used for profiling, advertising, or any secondary purpose.
2c. From the merchant's browser (when using the admin UI)
When a merchant uses the embedded Switchboard admin, our server receives standard web request metadata (IP address, user-agent, referrer). This is used for security, debugging, and rate-limiting only.
3. How we use the data
We use the data described above solely to:
- Provide the App's functionality (deploy and run the merchant's Shopify Functions, sign price-override tokens, evaluate cart attributes at checkout)
- Enforce plan limits and process billing via Shopify's Billing API
- Maintain an audit trail of administrative actions for the merchant's own review
- Diagnose errors and respond to support requests
- Comply with our legal obligations (including responding to GDPR / CCPA requests)
We do not use any of this data to build advertising profiles, train machine-learning models, or share with third parties beyond the sub-processors listed in Section 5.
4. How long we retain data
| Data | Retention |
|---|---|
| Shopify session and access token | Until the merchant uninstalls Switchboard, at which point Shopify revokes the token and we delete the session within 24 hours. |
| Function configurations, signing keys, billing state | Until the merchant uninstalls. On the app/uninstalled webhook, all shop-scoped records are queued for deletion within 30 days. |
| Audit log entries | 12 months, then automatically purged. |
| Web server access logs | 30 days. |
Compliance webhook requests (e.g. shop/redact) |
Acknowledged on receipt; deletion completed within Shopify's mandated 30-day window. |
5. Sub-processors
Switchboard relies on the following third-party sub-processors to operate. Each is bound by its own privacy policy and data-protection agreement:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Shopify Inc. | Source of all merchant and customer data; provides OAuth, App Proxy, and Billing | All data described in Section 2 originates from or is returned to Shopify |
| Fly.io | Application hosting (Toronto region — yyz) |
All server-side processing |
| Supabase (managed Postgres) | Primary database | All persisted data in Section 2a |
We do not use any analytics, advertising, or tracking SDKs.
6. Data location and transfers
Switchboard's application servers run in Toronto, Canada (Fly.io yyz). Supabase Postgres is hosted in the region selected at provisioning. Data may be transferred to Shopify's infrastructure as required for the App to function.
If you are an EU/UK data subject, Article 28 GDPR obligations are addressed via our sub-processor agreements; contact us for a copy of our Data Processing Addendum.
7. Your rights (GDPR, CCPA, and equivalents)
Customers of Shopify stores using Switchboard have the right to access, correct, and delete personal data the merchant holds about them. Because Switchboard does not store customer PII, requests of this nature should be directed to the merchant in the first instance.
Switchboard implements the three mandatory Shopify compliance webhooks at /webhooks/app/compliance:
customers/data_request— we respond confirming no customer data is heldcustomers/redact— we respond confirming no customer data is held to redactshop/redact— within 30 days of shop deletion, all shop-scoped records are erased from our database and backups are aged out within an additional 30 days
Merchants may also email theclickcollectiveio@gmail.com at any time to request deletion of their shop's data ahead of uninstall, or to ask any data-protection question.
8. Security
We protect data using:
- Encryption in transit — all merchant-facing traffic and storefront-to-backend traffic uses TLS 1.2 or higher
- Encryption at rest — per-shop signing keys are encrypted with AES-256-GCM using a master key held only in our deployment secret store
- Least-privilege OAuth scopes — we request only
write_validationsandwrite_cart_transforms - HMAC verification — every Shopify webhook and App Proxy request is signature-verified before any side effect
- Hosted infrastructure — Fly.io and Supabase both maintain SOC 2 Type II compliance
If you discover a security vulnerability, please report it to theclickcollectiveio@gmail.com. We aim to acknowledge reports within one business day.
9. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced to active merchants by email at the address on their Shopify account at least 14 days before the change takes effect.
10. Contact
The Click Collective Email: theclickcollectiveio@gmail.com
For Shopify-specific compliance requests, please continue to use Shopify's standard data-request and redact mechanisms — these are automatically routed to Switchboard's compliance webhook endpoint.