SwatchBoost Privacy Policy

SwatchBoost is a Shopify application developed and operated by OY Labs Ltd, a software company registered in the United Kingdom.

Contact: hello@oylabs.co

Website: https://oylabs.co

SwatchBoost collects and stores only the minimum data required to function:

• Shop domainYour myshopify.com domain, used to identify your store and retrieve your configuration.
• Access tokensShopify OAuth access tokens, stored securely in our database to make authenticated API calls on your behalf.
• App configurationSettings you configure in the app: colour themes, discount tier values, popup copy, accent colour, and which products are activated. This is shop-level data only.

We do not collect: customer names, emails, addresses, payment information, order history, or any personally identifiable information about your store visitors.

Data we collect is used solely to:

• — Serve the SwatchBoost popup to your store visitors
• — Apply your branding and discount settings to the popup
• — Authenticate API requests to Shopify on your behalf
• — Provide support when you contact us

We do not use your data for advertising, profiling, or any purpose other than operating the application.

We do not sell, rent, or share your data with third parties except:

• — Shopify — all API calls go through Shopify's platform as required to operate a Shopify app.
• — Infrastructure providers — our servers run on Amazon Web Services (AWS EC2, US East). AWS does not have access to your application data.

Both Shopify and AWS are bound by their own data processing agreements and privacy policies.

We retain your configuration data for as long as you have SwatchBoost installed. When you uninstall the app:

• — All shop configuration data is automatically deleted within 24 hours via our APP_UNINSTALLED webhook handler.
• — OAuth access tokens are deleted immediately.
• — No residual data is retained after deletion.

For merchants and customers in the European Economic Area (EEA), we process data in compliance with the General Data Protection Regulation (GDPR).

Lawful basis: Processing is carried out under the legitimate interest of operating the application you have chosen to install.

Your rights: As a merchant, you have the right to access, correct, or request deletion of any data we hold about your store. Contact us at hello@oylabs.co.

GDPR webhooks: SwatchBoost is registered with Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact). Since we store no customer PII, data requests are acknowledged and no data is returned. Shop redact requests trigger immediate data deletion.

We take reasonable technical and organisational measures to protect your data:

• — All data is transmitted over HTTPS/TLS
• — Shopify OAuth tokens are stored in a private PostgreSQL database not exposed to the public internet
• — Webhook payloads are verified using HMAC-SHA256 before processing

SwatchBoost does not set cookies on your storefront. The Shopify admin interface may use cookies for session management — these are governed by Shopify's own privacy policy.

We may update this Privacy Policy from time to time. Significant changes will be communicated via email to the store owner or displayed within the app. Continued use of SwatchBoost after changes constitutes acceptance of the updated policy.

For any privacy-related questions, data access requests, or concerns: