Privacy Policy

App: STLR Loyalty  | Last updated: April 14, 2026

1. Overview

STLR Loyalty ("we", "our", or "the App") is a Shopify application that provides loyalty programme management for Shopify merchants. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

2. Data We Collect

When a merchant installs the App we collect and store:

  • Shop data – store domain, currency, plan name, and the OAuth access token required to interact with the Shopify Admin API.
  • Customer data – Shopify customer ID, email address, first name, last name, and order history — sourced from Shopify webhooks and the Storefront API.
  • Transaction data – loyalty point credits and debits, wallet value transactions, and redemption records.
  • Order data – order totals and discount codes used to calculate and reconcile loyalty rewards.

3. How We Use Your Data

  • To operate and deliver the loyalty programme on behalf of the merchant.
  • To calculate and award loyalty points based on purchase activity.
  • To create Shopify discount codes when customers redeem wallet value.
  • To display loyalty balances and rewards to customers via the storefront widget.
  • To provide merchants with analytics and activity reports inside the App.

We do not sell, rent, or share personal data with third parties for marketing purposes.

4. Data Retention

Customer and transaction data is retained while the App is installed on a merchant's store. When a merchant uninstalls the App, their store data is flagged as inactive. Shopify will send a shop/redact webhook 48 days after uninstallation, at which point all store and customer data is permanently deleted from our systems.

5. GDPR & Customer Data Requests

We honour all Shopify GDPR mandatory webhooks:

  • customers/data_request – We acknowledge data requests. Merchants can export a customer's loyalty history directly from the App dashboard.
  • customers/redact – Upon receiving a customer erasure request we anonymise all personally identifiable information (name and email) from our records while preserving anonymised transaction history for accounting integrity.
  • shop/redact – Upon receiving a shop erasure request we permanently delete all data associated with the store.

6. Data Security

All data is stored in a managed PostgreSQL database hosted on DigitalOcean with SSL encryption in transit and at rest. OAuth access tokens are stored server-side and never exposed to the browser.

7. Third-Party Services

The App interacts with the following third-party services:

  • Shopify – as the host platform. Shopify's own privacy policy applies to data processed through their APIs.
  • DigitalOcean – for application hosting and database storage.

8. Contact

If you have questions about this policy or wish to request deletion of your data, please contact us at: [email protected]