Last Updated: 4 May 2026

Gleam Privacy Policy

This privacy policy explains how Gleam (operated by Digital Raise, "we", "us", "our") collects, uses, and protects information when you install or use the Gleam app on your Shopify store.
Gleam acts as a data processor on behalf of the Shopify merchant who installs the app (the "Merchant"). The Merchant is the data controller of personal data collected from their store visitors.

1. Information we collect
From the Merchant (shop owner)
- Shopify shop domain (e.g. `your-shop.myshopify.com`)
- Shop owner email address
- Configuration choices (rewards, branding, email templates, API keys)
- API keys for third-party services you optionally connect (Anthropic, Resend, Klaviyo) — stored encrypted at rest using AES-256-GCM

From shop visitors (when reviews are submitted on the Merchant's shop)
- Customer name (as entered by reviewer)
- Customer email address
- Review text, rating (1-5 stars), and optional title
- Optional uploaded photos
- IP address and browser user-agent (for spam prevention; not stored long-term)

From the Shopify shop (via Shopify APIs)
- Product details (title, handle, ID) for the products being reviewed
- Order data (`read_orders` scope) — order ID, line item titles, fulfillment timestamps — used to send post-purchase review invitations
- Customer data (`read_customers` scope) — first name, last name, email — used for personalisation in invitation emails
- Discount codes Gleam creates on the shop's behalf

We do not collect: full credit card information, billing address, password, or any other Shopify-stored sensitive data outside the scopes listed above.

2. How we use this information
- Display reviews on the Merchant's storefront (with the reviewer's permission, implied by submission)
- Generate discount codes for review rewards
- Send transactional emails (thank-you, post-purchase invitation, review-edit magic link) on the Merchant's behalf
- Optionally analyse review sentiment using AI (Anthropic Claude) — only the review text and rating are sent
- Aggregate anonymous statistics for the Merchant's admin dashboard

We do not use customer data for marketing of our own services. We do not sell, rent, or trade personal data to third parties.

3. Sub-processors
Gleam uses the following third-party services to operate. Each is bound by its own privacy policy and DPA:

| Sub-processor | Purpose | Location | Privacy policy |
| --- | --- | --- | --- |
| Fly.io | Application hosting + database | EU (Amsterdam) | https://fly.io/legal/privacy-policy/ |
| Resend (via Gleam Mail) | Transactional email delivery | EU/US | https://resend.com/legal/privacy-policy |
| Cloudinary | Photo upload + delivery | EU/US | https://cloudinary.com/privacy |
| Anthropic (only if AI features used) | Sentiment analysis | US | https://www.anthropic.com/legal/privacy |
| Klaviyo (only if Merchant connects own account) | Email events | US | https://www.klaviyo.com/legal/privacy/privacy-notice |

When the Merchant connects their own Resend or Klaviyo account via API key, that integration is governed by the Merchant's relationship with that provider — Gleam only relays data per the Merchant's configuration.

4. Data retention
Review data + UGC posts: retained as long as the app is installed on the Merchant's shop. The Merchant can delete individual reviews via the admin dashboard at any time.
Email queue records: kept 90 days after delivery for audit and retry purposes.
API keys: encrypted, retained until the Merchant disconnects the integration or uninstalls the app.
Upon app uninstall: all shop-specific data is deleted within 48 hours via the `app/uninstalled` webhook handler. Photos uploaded to Cloudinary are also removed.
GDPR data requests (`customers/data_request`, `customers/redact`): processed within 30 days as required by Shopify's app requirements.
Shop redaction request (`shop/redact`): all shop data permanently deleted within 30 days of receipt.

5. Data security
- All data in transit: TLS 1.2+ (HTTPS)
- All data at rest on the Fly.io persistent volume: encrypted by default
- API keys for third-party services: AES-256-GCM encryption with a server-side key not stored alongside the encrypted data
- Database backups: automated daily snapshots with 5-day retention on Fly.io
- Access to production database: limited to Digital Raise staff with multi-factor authentication

We are not certified to ISO 27001 or SOC 2. If your shop's compliance requirements demand certified processors, please contact us before installing.

6. International data transfers
Gleam's primary infrastructure is hosted in the EU (Amsterdam region of Fly.io). Some sub-processors (Anthropic, parts of Cloudinary) operate in the United States. Where personal data is transferred outside the EU, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Cookies and tracking
Gleam does not place tracking cookies on your shop visitors' browsers. The storefront review widget uses localStorage in the visitor's browser to remember which reviews they have already voted on (helpful/not helpful) — this data stays in their browser and is never sent to us.

8. Your rights
If you are a shop visitor whose data is processed via Gleam:

Access: request a copy of the data Gleam holds about you. Contact the Merchant's shop directly first; they can issue a `customers/data_request` via Shopify, which Gleam processes within 30 days.
Erasure: request deletion via the Merchant. Gleam processes `customers/redact` requests within 30 days.
Rectification: contact the Merchant to update or correct your data, or use the magic-link in review-edit emails (when sent).
Portability: a copy of your data in a machine-readable format can be requested via the Merchant.
For other questions or concerns: info@digitalraise.nl

9. Children's privacy
Gleam is not intended for use by children under 16. We do not knowingly collect data from minors. If you believe a minor has submitted a review, contact us at the email above and we will delete the data within 48 hours.

10. Changes to this policy
We may update this privacy policy from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be communicated to Merchants via email at least 30 days in advance.

11. Contact
Digital Raise
Email: info@digitalraise.nl
Website: https://digitalraise.nl