2023 Projects, Inc. PRIVACY POLICY
Last updated: November 1, 2025
This Privacy Policy explains how 2023 Projects Inc. (“we”, “us”, “our”) processes information when you install and use the Love Loyalty app for Shopify (“App”). It is a standalone policy intended for submission to app stores and merchant stakeholders, not a cookies notice or general overview.
If you are a Shopify merchant installing the App, this Policy applies to (i) your information and your staff users’ information (we act as controller for that data), and (ii) information about your store customers that we process on your behalf to provide the App (we act as your processor / service provider). If you are a shopper/customer of a merchant using Love Loyalty, please contact that merchant (the store owner) for privacy questions—they are your controller.
1) Snapshot of how Love Loyalty handles data
- No customer data persisted on our servers. Loyalty program data (e.g., points balances, membership status, tier, referral state) is stored in Shopify using Shopify metafields.
- Transient processing only to provide features. We may process customer data transiently (e.g., reading order events and writing updated points to metafields) to operate features such as points calculation, redemptions, VIP tiers, paid memberships, and referrals.
- Merchant/admin data is minimal. We keep only what we need to run and support the App (e.g., store ID, plan/billing info, configuration, support communications, technical logs).
- No selling or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.
- GDPR & CCPA rights supported. We support access, deletion, correction, data portability, objection/opt-out (as applicable), and lawful bases disclosures. We also honor Shopify’s privacy webhooks and merchant instructions.
2) Roles and responsibilities
- For Merchant & Admin User Data (e.g., your name, email, store info, billing plan, configuration): 2023 Projects Inc. is the controller.
- For Customer Loyalty Data that belongs to your Shopify store (e.g., points balances, membership flags, tiers, redemptions): you (the merchant) are the controller; we act as your processor/service provider and handle such data only to provide the App and according to your instructions and Shopify’s APIs.
If required, we will enter into a Data Processing Addendum (DPA) with you. Contact us at support@loveloyalty.app.
3) Categories of data we process
A. Merchant & Admin User Data (controller)
- Identifiers & contact: name, email, Shopify store domain/ID, role.
- Account & billing: plan tier, subscription status, billing events via Shopify Billing.
- Configuration: loyalty program settings (e.g., point rules, tiers, membership pricing), integration toggles (e.g., Judge.me, Klaviyo).
- Support & communications: messages you send to us, troubleshooting details.
- Technical & diagnostics: app/server logs, API performance metrics, error traces, IP address, device/browser metadata (minimized and time-limited).
B. Customer Loyalty Data (processor/service provider)
- Identifiers within Shopify: customer ID, email hash or reference (as exposed via Shopify as permitted).
- Commercial data: order events and totals relevant to points/memberships (as exposed by Shopify).
- Loyalty program state: points balance, redemptions, VIP tier, membership status, referral participation—stored in Shopify metafields.
- Event data for analytics/automation (if enabled): loyalty-related events you choose to send to third parties (e.g., Klaviyo), strictly under your configuration.
We do not persist customer loyalty profiles on our own servers. Processing occurs via Shopify APIs to compute results and write them back to Shopify metafields or to the destinations you configure.
4) Sources of data
- From Shopify via Admin/Storefront APIs and webhooks when you install and use the App.
- From you when you configure features, contact support, or enable integrations.
- From your authorized partners (e.g., Judge.me, Klaviyo) if you connect them.
5) Purposes of processing & lawful bases (GDPR)
Merchant & Admin User Data (controller)
- Provide and operate the App (set up account, authenticate, configure features) – Art. 6(1)(b) Contract.
- Billing & account management – Art. 6(1)(b) Contract and Art. 6(1)(c) Legal obligation.
- Support, security, debugging, and service improvement – Art. 6(1)(f) Legitimate interests (to ensure a secure, reliable app).
- Compliance with laws, enforcement of terms, fraud prevention – Art. 6(1)(c) Legal obligation and Art. 6(1)(f) Legitimate interests.
- Marketing to merchants (product updates, feature announcements) – Art. 6(1)(f) Legitimate interests; where required, consent – Art. 6(1)(a).
Customer Loyalty Data (processor/service provider)
- Operate loyalty features (calculate points, apply redemptions, update tiers/memberships, referrals) at your instruction – your lawful basis as controller applies – Art. 6(1)(b) Contract.
- Integrations you enable (e.g., sending events to Klaviyo) – performed strictly per your configuration and instructions – Art. 6(1)(b) Contract.
6) CCPA/CPRA “Notice at Collection” (service provider)
| Category (examples) | Source | Business purpose | Disclosed to | Sold/Shared |
| --- | --- | --- | --- | --- |
| Identifiers (store domain/ID; for customers: Shopify customer ID) | Shopify; Merchant | Provide App, authenticate, configure features | Shopify; infrastructure/subprocessors | No |
| Commercial info (order/transaction signals relevant to points) | Shopify | Calculate points, memberships, redemptions | Shopify (metafields), integrations you enable | No |
| Internet/technical activity (logs, device metadata) | App/servers | Security, debugging, reliability | Infrastructure/subprocessors | No |
| Customer loyalty state (points, tier, membership flags) | Derived in-App; stored in Shopify | Operate loyalty features | Stored in Shopify metafields | No |
We do not sell or share personal information as defined by CPRA and do not use or disclose sensitive personal information for additional purposes requiring a “Limit Use” link.
7) Storage, retention, and deletion
- Customer loyalty data lives in Shopify metafields under your store and follows your retention within Shopify.
- Transient processing: We may temporarily hold minimal data in memory or short-lived caches solely to compute results and write them back to Shopify; such data is not retained.
- Logs & diagnostics (which normally avoid personal data) are retained for a limited period (e.g., 30–90 days) for security and debugging, then deleted or anonymized.
- Upon uninstall or instruction: We stop processing and, where applicable, delete controller-side data that we no longer need, within statutory time frames and in line with Shopify Partner requirements.
- GDPR/CCPA erasure requests: For customer data, we honor Shopify’s privacy webhooks and your instructions; for merchant/admin data we delete upon verified request unless retention is required by law.
8) Disclosures and subprocessors
We disclose data only to:
- Shopify (platform and APIs you use to run your store).
- Infrastructure & tooling providers (e.g., hosting, logging, email/support desk) under data processing agreements.
- Integrations you enable (e.g., Klaviyo, Judge.me) strictly per your configuration.
- Legal/Compliance: to comply with law, enforce terms, or protect rights.
We maintain a list of current subprocessors and will provide it on request. We require appropriate contractual safeguards (including GDPR SCCs for international transfers where applicable).
9) International transfers
If data is transferred outside the EEA/UK/Switzerland, we use appropriate safeguards (e.g., EU/UK Standard Contractual Clauses, data minimization, and technical/organizational measures). You can request details at privacy@loveloyalty.app.
10) Security
We apply technical and organizational measures appropriate to the risk, including: least-privilege access, API scope minimization, encryption in transit, audit logging, secure development practices, and continuous monitoring. We design features so that customer loyalty data stays in Shopify metafields.
11) Your privacy rights
For Merchants/Admin Users (where we are controller)
Under GDPR/UK GDPR, you can access, correct, delete, restrict or object to processing, and request data portability. Where we rely on consent, you may withdraw consent at any time. You also have the right to lodge a complaint with your local supervisory authority.
Under CCPA/CPRA (for California residents), you have the right to know/access, delete, and correct, to opt out of sale/share (not applicable here), and to be free from discrimination for exercising your rights.
To exercise your rights, contact privacy@loveloyalty.app. We will verify your request and respond within applicable timelines.
For Store Customers (where we are processor/service provider)
Please contact the merchant (store owner) directly to exercise your privacy rights. We will support the merchant by honoring their instructions and Shopify privacy webhooks (e.g., customer data requests and redaction).
12) Children’s privacy
The App is not directed to children and should not be used to manage programs targeted at children under the age of 16 (or as defined by local law), unless the merchant independently ensures all required consents and legal bases. We do not knowingly process children’s data.
13) Data Processing Addendum (DPA)
Where required, we will execute a DPA governing processing of customer personal data on your behalf (including purpose limitation, confidentiality, security measures, subprocessor controls, audit support, breach notice, and international transfer mechanisms). Request a copy at support@loveloyalty.app.
14) Changes to this Policy
We may update this Policy to reflect changes in law or our services. We will post the updated Policy with a new “Last updated” date and, where required, notify merchants in-app or by email.
15) Contact us
2023 Projects Inc.
Attn: Privacy
Email: support@loveloyalty.app
(If applicable) EU/UK Representative & DPO contact details available on request.