Privacy Policy
Last updated: 23 July 2025
Friction (“we,” “us,” or “our”) provides a Shopify app that stores and restores shopping carts (“the Service”).
We respect your and your shoppers’ privacy and comply with GDPR, CCPA, and the Shopify App Store’s Requirements for Apps Handling Personal Information.
1. Information we collect
Category | Data points | Purpose | Retention |
---|---|---|---|
Store data | Store name, owner e-mail, shop domain | App authentication, billing | Deleted ≤ 30 days after uninstall |
Cart metadata | Cart ID, line items, cart totals, browser/device hash* | Restore carts, calculate ROI | 12 months, then anonymised |
Diagnostic logs | API latency, error traces (no PII) | Performance & security | 14 days |
*Device hash uses a first-party, non-cookie fingerprint (IP-truncated + User-Agent-hashed) to recognise returning anonymous sessions. No third-party cookies, no cross-site tracking.
2. How we use information
- Restore expired carts and trigger recovery flows.
- Show revenue analytics inside the Friction dashboard.
- Prevent malicious or duplicated carts.
3. Sharing & sub-processors
We never sell data.
Audited sub-processors:
Provider | Purpose | Region | Safeguards |
---|---|---|---|
Supabase (Postgres) | Cart vault & auth | 🇪🇺 Frankfurt | EU SCCs |
Vercel | Dashboard hosting | 🇺🇸 Iowa | DPA, SOC 2 |
4. Your rights
EU/UK shoppers can access, correct, or erase their data by e-mailing the merchant who installed our app; we process all merchant DSAR requests within 7 days.
5. Security
- TLS 1.3 in transit, AES-256 at rest
- Principle-of-least-privilege IAM
- Quarterly penetration tests
6. Contact
Questions? E-mail rohith@usefriction.com (attn: Rohith, Founder & CEO).