Privacy Policy

Locket ("the App") provides password-protected product access ("the Service") to merchants who use Shopify to power their stores. This Privacy Policy describes how personal information is collected, used, and shared when you install or use the App in connection with your Shopify-supported store.

Personal Information the App Collects

When you install the App, we are automatically able to access certain types of information from your Shopify account:

• Shop — Information about your store (name, domain, plan, timezone)
• Products — Information about your products (IDs, titles, vendors, tags)
• Collections — Information about your collections
• Customers — Customer IDs used for the exemption feature
• Themes — Information about your store's active theme (for Theme App Extension delivery)

Additionally, we collect the following information once you have installed the App:

• Install and uninstall date and time
• Lock names, targets (product GIDs, collection GIDs, vendor names, and tags) you configure
• Hashed passwords — passwords are stored using argon2id hashing; we never store plaintext passwords
• Customer IDs you add to the exemption list
• IP addresses of storefront visitors (used for rate-limiting unlock attempts; not stored long-term)

We collect personal information directly from you through the App's admin interface, through your Shopify account, and using the following technologies:

• Cookies — Signed, HttpOnly cookies are placed on your customers' browsers after a successful password entry to remember their unlocked status for a session.
• Log files — Server logs track actions and collect data including IP address, browser type, referring/exit pages, and timestamps.

How Do We Use Your Personal Information?

We use the personal information we collect from you and your customers in order to provide the Service and to operate the App. Specifically:

• To authenticate unlock attempts on your storefront
• To enforce rate limiting on password attempts to protect against brute-force attacks
• To check customer exemption lists when a logged-in customer visits a locked product
• To send you transactional emails about your account (e.g. billing receipts from Shopify)

We do not sell your personal information or your customers' personal information to third parties.

Sharing Your Personal Information

We share your Personal Information with third parties only to help us provide our services:

• Shopify — We operate on the Shopify platform and share information as necessary to provide the App.
• Fly.io — Our application infrastructure provider where your store's lock configuration is stored.
• Neon — Our managed Postgres database provider where lock data is stored securely.

We may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

Behavioural Advertising

We do not use your personal information or your customers' personal information for targeted advertising purposes.

Your Rights

If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us using the information below.

Additionally, if you are a European resident, we note that we are processing your information in order to fulfil contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. Additionally, please note that your information will be transferred outside of Europe, including to Australia and the United States.

Data Retention

When you install Locket, we maintain your lock configuration data for as long as you have the App installed. When you uninstall the App, we will delete your data within 30 days, unless we are required by law to retain it.

Customer exemption data is deleted immediately upon App uninstall. Storefront session cookies expire at the end of the browser session by default.

GDPR Data Requests

Locket processes mandatory Shopify GDPR webhooks:

• Customer data request — We will provide a summary of any customer data we hold upon request.
• Customer data erasure — We will delete all data associated with a specific customer ID upon request.
• Shop data erasure — We will delete all store data within 30 days of a shop redact request.

Changes

We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.