Privacy Policy
How Anchor Loyalty collects, uses, and protects your data.
NO7 SOFTWARE LIMITED (“we”, “us”, “our”, or the “Company”) operates the Anchor Loyalty application (the “App”, “Service”, or “Platform”) for Shopify merchants. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our App.
businessCompany Information
- Company:
- NO7 SOFTWARE LIMITED
- Company Number:
- 15251801
- Registered Office:
- 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
- Email:
- info@no7software.co.uk
- Data Protection:
- info@no7software.co.uk
1. Definitions
- “Merchant” refers to Shopify store owners who install and use the App
- “End Customer” refers to customers of the Merchant's store who participate in loyalty programs
- “Personal Data” means any information relating to an identified or identifiable natural person
- “Processing” means any operation performed on Personal Data
- “Data Controller” means the entity that determines the purposes and means of Processing
- “Data Processor” means the entity that Processes data on behalf of the Controller
2. Data Controller and Processor Roles
2.1 For Merchant Data
NO7 SOFTWARE LIMITED acts as the Data Controller for data we collect directly from Merchants (account information, billing data, usage analytics).
2.2 For End Customer Data
NO7 SOFTWARE LIMITED acts as the Data Processor on behalf of the Merchant, who remains the Data Controller for their customers' Personal Data. Merchants are responsible for:
- Obtaining appropriate consent from their customers
- Providing privacy notices to their customers
- Responding to data subject requests from their customers
- Ensuring lawful basis for processing customer data
3. Information We Collect
3.1 Merchant Information
When Merchants install and use Anchor Loyalty, we collect:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Store URL and name | Service provision | Contract performance |
| Store owner email | Communication, support | Contract performance |
| Billing information | Payment processing | Contract performance |
| App usage data | Service improvement | Legitimate interest |
3.2 End Customer Information
Through the App, we process the following End Customer data on behalf of Merchants:
| Data Type | Purpose | Retention |
|---|---|---|
| Shopify Customer ID | Customer identification | Until deletion request |
| Email address | Communication, identification | Until deletion request |
| Name | Personalization | Until deletion request |
| Points balance | Loyalty program operation | Until deletion request |
| Transaction history | Points tracking, auditing | Until deletion request |
| Tier status | Membership level tracking | Until deletion request |
| Reward redemptions | Discount code generation | Until deletion request |
| Referral codes | Referral program operation | Until deletion request |
| Total spending amount | Tier progression | Until deletion request |
| Province/region | Legal compliance (Quebec no-expiry rule) | Until deletion request |
| Birthday month | Birthday bonus points | Until deletion request |
3.3 Automatically Collected Information
- Log data (IP addresses, browser type, access times)
- Device information
- Cookies and similar technologies (for session management only)
4. How We Use Information
4.1 Primary Purposes
- Providing and maintaining the Anchor Loyalty service
- Calculating and awarding loyalty points based on customer purchases
- Processing reward redemptions and generating discount codes
- Tracking customer tier progression and spending milestones
- Managing referral program functionality
- Processing billing and payments
4.2 Secondary Purposes
- Analyzing usage patterns to improve the Service
- Detecting and preventing fraud or abuse (e.g., through device fingerprinting and rate limiting)
- Complying with legal obligations
- Communicating service updates and changes
4.3 Historical Order Import
During initial setup, with the Merchant's explicit consent, we may access the store's full order history to calculate retroactive loyalty points for existing customers. This is a one-time operation — order details (line items, payment info) are not stored. Only the calculated point values and order totals are retained for loyalty program operation.
4.4 Storefront Extensions
Anchor Loyalty provides theme, checkout, and customer account extensions that display loyalty information (points balance, available rewards, tier status) directly on the Merchant's storefront. These extensions access customer data only through authenticated Shopify APIs and do not collect additional data independently.
4.5 What We Do NOT Do
- check_circleWe do NOT sell Personal Data to third parties
- check_circleWe do NOT use Personal Data for advertising purposes
- check_circleWe do NOT share Personal Data with third parties for their marketing purposes
- check_circleWe do NOT make automated decisions that significantly affect individuals
5. Data Sharing and Disclosure
We may share data only in the following circumstances:
5.1 Service Providers
We use trusted third-party service providers bound by Data Processing Agreements:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Hosting infrastructure | US/EU |
| Supabase | Database (PostgreSQL) | US/EU |
| Sentry | Error monitoring and logging | US |
| Shopify | Platform integration | US/Canada |
5.2 Legal Requirements
We may disclose data when required by:
- Valid legal process (court order, subpoena)
- Law enforcement requests with proper authority
- Regulatory requirements
- Protection of our legal rights
5.3 Business Transfers
In the event of merger, acquisition, or sale, data may be transferred to the successor entity with equivalent privacy protections.
6. Data Security
shieldTechnical Measures
- •TLS 1.3 encryption for all data in transit
- •AES-256 encryption for sensitive data at rest
- •Regular security audits and penetration testing
- •Secure coding practices and code review
- •Database access controls and monitoring
corporate_fareOrganizational Measures
- •Staff confidentiality agreements
- •Access limited to authorized personnel only
- •Regular security training
- •Incident response procedures
- •Business continuity planning
6.3 Security Incident Response
In the event of a data breach:
- We will notify affected Merchants within 72 hours
- We will notify relevant supervisory authorities as required
- We will document and investigate all incidents
- We will implement remediation measures
7. Data Retention
7.1 Active Accounts
We retain data for as long as the Merchant has the App installed and maintains an active account.
7.2 After Uninstallation
- App uninstall webhook: Upon receiving Shopify's
app/uninstalledwebhook, we immediately clean up session data and mark the installation as inactive. - Shop redaction webhook: Most Merchant and End Customer data is permanently deleted within 48 hours of receiving Shopify's
shop/redactwebhook. However, we retain subscription data and basic store identifiers as a legitimate interest to prevent free-trial abuse and maintain necessary financial audit trails. - Customer redaction webhook: Individual customer data is permanently deleted upon receiving Shopify's
customers/redactwebhook, including loyalty points, transaction history, referral codes, and tier membership. Anonymized aggregate data may be retained for analytics. - Automated GDPR deletion: A scheduled process runs daily to process pending GDPR deletion requests.
- No backup retention: Deleted data is not retained in backups beyond 30 days.
7.3 Customer Data Requests
- Data access requests: Processed within 30 days
- Data deletion requests: Processed within 30 days
- Data portability requests: Processed within 30 days
7.4 Legal Hold
Data may be retained longer if required for:
- Ongoing legal proceedings
- Regulatory investigations
- Tax and accounting requirements (up to 7 years for financial records)
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:
8.1 Rights Summary
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your Personal Data | Email us |
| Rectification | Request correction of inaccurate data | Email us |
| Erasure | Request deletion (“right to be forgotten”) | Email us |
| Restriction | Request limitation of processing | Email us |
| Portability | Request data in machine-readable format | Email us |
| Object | Object to processing based on legitimate interest | Email us |
| Withdraw Consent | Withdraw consent at any time | Email us |
| Complaint | Lodge complaint with supervisory authority | Contact ICO (UK) |
8.2 How to Exercise Your Rights
- Merchants: Contact us directly at info@no7software.co.uk
- End Customers: Contact the Merchant (store owner) who controls your data. We will assist Merchants in fulfilling requests.
8.3 Response Timeline
- We will acknowledge requests within 7 days
- We will complete requests within 30 days
- Complex requests may take up to 90 days with notice
8.4 Verification
We may need to verify your identity before processing requests to prevent unauthorized access.
9. International Data Transfers
9.1 Transfer Mechanisms
When we transfer Personal Data outside the EEA/UK, we use:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Binding Corporate Rules where applicable
9.2 Shopify Integration
As the App operates within the Shopify platform, some data processing occurs through Shopify's infrastructure. Shopify maintains its own GDPR compliance measures and data processing agreements.
10. California Consumer Privacy Act (CCPA)
California residents have additional rights:
10.1 Rights
- Right to Know: What Personal Information is collected, used, shared
- Right to Delete: Request deletion of Personal Information
- Right to Opt-Out: Opt-out of sale of Personal Information (we do NOT sell data)
- Right to Non-Discrimination: Equal service regardless of privacy choices
10.2 “Do Not Sell” Disclosure
We do NOT sell Personal Information. We have not sold Personal Information in the preceding 12 months and have no plans to do so.
10.3 Categories of Information
In the preceding 12 months, we have collected:
- Identifiers (name, email, customer IDs)
- Commercial information (purchase history for points calculation)
- Internet activity (log data)
11. Children's Privacy
- Our Service is not directed to children under 16
- We do not knowingly collect Personal Data from children under 16
- If we discover such data has been collected, we will delete it promptly
- Parents/guardians may contact us to request deletion
12. Cookies and Tracking
12.1 Cookies We Use
- Essential cookies: Session management, authentication (strictly necessary)
- We do NOT use: Analytics cookies, advertising cookies, tracking cookies
12.2 Third-Party Cookies
The Shopify platform may set its own cookies. Refer to Shopify's Privacy Policy for details.
13. Changes to This Policy
13.1 Notification
- Material changes will be notified via email to Merchants
- Non-material changes will be posted with updated “Last Updated” date
- Continued use after changes constitutes acceptance
13.2 Version History
- March 24, 2026: Added Supabase and Sentry as service providers, added province/birthday data fields, added historical order import disclosure, added storefront extensions disclosure, expanded uninstallation and GDPR deletion details.
- December 14, 2025: Initial version
14. Contact Information
General Inquiries
NO7 SOFTWARE LIMITED
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
15. Additional Disclosures
15.1 Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for their privacy practices.
15.2 Analytics
We may use aggregated, anonymized data for analytics purposes. This data cannot identify individuals.
15.3 Legal Basis Summary (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Service provision | Contract performance |
| Billing | Contract performance |
| Security measures | Legitimate interest |
| Fraud prevention | Legitimate interest |
| Legal compliance | Legal obligation |
| Marketing (with consent) | Consent |
Have questions about this Privacy Policy?
mailContact Us