Privacy Policy
Last updated: April 12, 2026
This Privacy Policy describes how Craft Lab S.L.U. ("we", "us", "our"), a company registered in Spain, collects, uses, and shares personal information through the RefBoost application (the "App"), available on the Shopify App Store. RefBoost is a referral program management tool that Shopify merchants ("Merchants") install to run referral campaigns in their online stores.
By installing or using RefBoost, you agree to the practices described in this policy. If you are a customer of a Merchant using RefBoost ("End Customer"), this policy also applies to the data we process on behalf of that Merchant.
1. Information We Collect
1.1 Information from Merchants
When a Merchant installs RefBoost, we collect:
- Shopify store information: store domain, store name, email address, and Shopify access token (used to communicate with the Shopify Admin API on the Merchant's behalf).
- Account and billing information: subscription plan, billing status, and usage data (number of referrals, campaigns, and commission revenue).
- Configuration data: campaign settings, email template content, integration credentials (Klaviyo, Mailchimp, Twilio API keys), widget settings, and fraud prevention preferences.
1.2 Information from End Customers
When End Customers interact with a Merchant's referral program, we collect:
- Name and email address: to identify referrers and referred friends, send referral emails, and track referral relationships.
- IP address: to detect and prevent fraud (e.g., duplicate referrals from the same IP).
- Order information: order ID, order name, order total, product types, and customer tags — received via the Shopify
orders/createwebhook to process referral purchases and calculate commissions. - Referral activity: referral codes, click counts, referral status, and share activity.
1.3 Information Collected Automatically
- Usage data: pages visited within the App, features used, and interactions with the dashboard.
- Session data: session identifiers stored in cookies to maintain authenticated sessions within the Shopify admin iframe.
2. How We Use Information
| Purpose | Data Used |
|---|---|
| Operate the referral program (create referrals, track purchases, issue rewards) | Name, email, order data, referral codes |
| Send transactional emails (referral invitations, reward notifications, nudge reminders) | Name, email |
| Detect and prevent fraud (self-referrals, duplicate IPs, blacklist checks) | Email, IP address, order data |
| Calculate and charge commissions via Shopify Billing API | Order totals, referral revenue |
| Provide analytics and reporting to Merchants | Aggregated referral and revenue data |
| Sync data with third-party integrations configured by the Merchant | Name, email, referral events |
| Maintain and improve the App | Usage data, session data |
We process personal data only to provide and improve the services described above. We do not sell personal data. We do not use personal data for advertising, profiling, or automated decision-making with legal or significant effects. We do not use merchant or customer data to train artificial intelligence or machine learning models.
3. How We Share Information
We share personal data only in the following circumstances:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Resend (email service) | Recipient name and email, email content | Deliver transactional referral emails |
| Shopify | Billing and subscription data | Process Merchant subscriptions and usage charges |
| Klaviyo / Mailchimp (if enabled by Merchant) | Name, email, referral events | Sync referral data to Merchant's marketing platform |
| Twilio (if enabled by Merchant) | Phone number, referral link | Send SMS referral messages |
| Outgoing webhooks (if configured by Merchant) | Referral event data | Deliver referral events to Merchant's custom endpoints (e.g., Zapier) |
| Railway (hosting provider) | All data (hosting infrastructure) | Application hosting and database storage |
Third-party integrations (Klaviyo, Mailchimp, Twilio, outgoing webhooks) are optional and activated solely at the Merchant's discretion. We do not share data with these services unless the Merchant explicitly configures and enables them.
We may also disclose personal data if required by law, regulation, legal process, or governmental request.
4. Data Retention
- Active accounts: we retain Merchant and End Customer data for as long as the Merchant's RefBoost subscription is active.
- After uninstallation: when a Merchant uninstalls RefBoost, Shopify sends a
shop/redact webhook within 48 hours. Upon receipt, we delete all data associated with that shop within 30 days. - Customer data requests: upon receiving a
customers/data_request webhook, we provide all stored data for the requested customer within 30 days. - Customer data deletion: upon receiving a
customers/redact webhook, we anonymize or delete all personal data for the requested customer within 30 days. - Fraud prevention records: blacklisted customer entries and flagged referral data are retained for the duration of the Merchant's subscription to maintain fraud prevention integrity.
shop/redact webhook within 48 hours. Upon receipt, we delete all data associated with that shop within 30 days.customers/data_request webhook, we provide all stored data for the requested customer within 30 days.customers/redact webhook, we anonymize or delete all personal data for the requested customer within 30 days.5. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest (database encryption).
- Shopify webhook HMAC signature verification with timing-safe comparison to prevent tampering.
- Session tokens stored in a secure, server-side PostgreSQL database (not in client-side storage).
- Rate limiting on public-facing endpoints to prevent abuse and enumeration attacks.
- HTML escaping of merchant-controlled strings in storefront-facing widgets to prevent cross-site scripting.
- Separated production and staging environments with independent databases.
- Access to protected customer data restricted to authorized personnel only.
- Security incident response procedures in place, including 24-hour notification to Shopify in the event of a suspected data breach.
6. International Data Transfers
Craft Lab S.L.U. is based in Spain (European Union). Our application infrastructure is hosted on Railway, which may process data in data centers located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including standard contractual clauses or adequacy decisions, in compliance with the General Data Protection Regulation (GDPR).
7. Your Rights
7.1 For Merchants
You may access, update, or delete your data at any time through the App's Settings page, or by contacting us at privacy@appwarp.io. Uninstalling RefBoost will trigger automatic deletion of all your data.
7.2 For End Customers
If you are an End Customer of a Merchant using RefBoost, your primary point of contact for privacy inquiries is the Merchant whose store you interacted with. The Merchant is the data controller for your personal data; we act as a data processor on their behalf.
You may also contact us directly at privacy@appwarp.io. Under applicable privacy laws (including GDPR and CCPA/CPRA), you may have the following rights:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate data.
- Right to erasure: request deletion of your personal data.
- Right to restriction: request that we limit how we process your data.
- Right to data portability: receive your data in a machine-readable format.
- Right to object: object to the processing of your personal data.
- Right to opt out of sale: we do not sell personal data; however, you may exercise this right at any time.
- Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
We will respond to all valid requests within 30 days.
8. Cookies
RefBoost uses a single, strictly necessary session cookie to maintain Merchant authentication within the Shopify admin iframe. This cookie:
- Does not track End Customers across websites.
- Does not contain personal information.
- Is not used for advertising or analytics purposes.
- Is required for the App to function and cannot be opted out of.
We do not use any third-party tracking cookies, pixels, or similar technologies.
9. Children's Privacy
RefBoost is a business-to-business application intended for use by Shopify Merchants. We do not knowingly collect personal information from children under the age of 16. If we become aware that we have collected data from a child, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Merchants of material changes by updating the "Last updated" date at the top of this page. Continued use of the App after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy, your personal data, or wish to exercise any of your privacy rights, contact us at:
Craft Lab S.L.U.
Email: privacy@appwarp.io
Spain, European Union
If you are located in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.