Introduction

This Privacy Policy describes how Wishfire ("we", "us", or "our") collects, uses, and protects information when you use our Shopify application. By installing and using Wishfire, you agree to the collection and use of information in accordance with this policy.

Wishfire is a wishlist management application for Shopify stores that helps merchants enable wishlist functionality for their customers.

Information We Collect

From Merchants (Store Owners):

Store domain name (e.g., yourstore.myshopify.com)
Store name and owner email address (provided by Shopify during installation)
OAuth access tokens (to securely access your Shopify store data via API)
App configuration settings (button styles, colors, text, branding preferences)
API keys you generate (stored as cryptographically hashed values)
Subscription plan and billing status (managed through Shopify's billing system)

From Your Store's Customers:

Shopify Customer IDs (for logged-in customers who add items to wishlists)
Guest tokens (32-character secure tokens for anonymous users, stored in their browser's localStorage)
Product IDs and variant IDs of items added to wishlists
Wishlist creation and update timestamps
Shared wishlist tokens (unique links customers can share with others)

Product Information (Cached from Your Store):

Product IDs, titles, handles, and images
Product variant IDs and pricing
This data is fetched from your Shopify store via API and cached for performance

Analytics and Usage Data:

Wishlist add/remove events (product ID, timestamp, customer ID)
Conversion tracking (when wishlisted items are purchased, tracked via order line item properties)
API usage counts (for billing purposes on usage-based plans)
IP addresses (from server logs, used for security and abuse prevention)

What We Do NOT Collect: We do not collect payment information (handled by Shopify), customer passwords (handled by Shopify), browsing history, marketing cookies, or any data beyond what's necessary for wishlist functionality.

How We Use Your Information

We use the collected information for the following purposes:

Service Delivery: To provide, maintain, and improve wishlist functionality for your Shopify store
Analytics: To display wishlist statistics, trends, and insights to merchants through the app dashboard
Customer Support: To respond to support inquiries and troubleshoot technical issues
Billing: To process subscription payments and manage plan upgrades/downgrades
Feature Development: To analyze usage patterns and develop new features based on merchant needs
Communication: To send important service updates, security alerts, and billing notifications
Compliance: To comply with legal obligations and respond to regulatory requests

Important: We never sell, rent, trade, or share your data with third parties for their marketing purposes. Your data is only used to operate and improve Wishfire.

Data Security

We implement industry-standard security measures to protect your information:

Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL protocols
Secure Storage: Data is stored on encrypted servers with access controls and regular security audits
Authentication: OAuth 2.0 authentication for secure Shopify API access
Access Controls: Strict internal access policies limiting who can view your data
Regular Audits: Ongoing security assessments and vulnerability testing
Data Isolation: Each store's data is logically separated in our database

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but maintain commercially reasonable safeguards.

Data Retention and Deletion

We retain your data only as long as necessary to provide wishlist functionality and comply with legal obligations.

Active Data Retention:

Wishlists: Stored until customer deletes items or merchant uninstalls app
Guest Wishlists: Retained indefinitely unless deleted by user or merchant uninstalls app
Shop Settings: Retained while app is installed
Conversion Analytics: Retained for historical reporting while app is installed

Automatic Deletion (GDPR/CCPA Compliance):

App Uninstall: Within 48 hours of uninstalling Wishfire, we automatically delete all shop data including: customer wishlists, product cache, settings, API keys, and sessions (triggered by Shopify's shop/redact webhook)
Customer Data Requests: When a customer requests data deletion through your store, their wishlist data is immediately deleted (triggered by Shopify's customers/redact webhook)
Shared Links: Expire based on settings (default: never, or custom expiry date set by merchant)

Legal Retention Requirements:

Billing Records: Shopify retains billing records per their policies (we do not store payment information)
Security Logs: Server logs retained for 90 days for security and abuse prevention
Anonymized Aggregates: Anonymized usage statistics (no personal data) may be retained for product improvement

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access and Portability:

Request a copy of your personal data in a structured, commonly used format
Export your wishlist data from the app dashboard at any time

Correction and Update:

Request corrections to inaccurate or incomplete data
Update your store information directly in the app settings

Deletion (Right to be Forgotten):

Request deletion of your personal data (subject to legal retention requirements)
Automatic deletion upon uninstalling the app

Restriction and Objection:

Request restriction of certain data processing activities
Object to processing of your personal data in certain circumstances

To exercise any of these rights, please contact us at support@wishfire.app

GDPR & CCPA Compliance

We are fully compliant with international data protection regulations

GDPR (General Data Protection Regulation):

We process data lawfully, fairly, and transparently
Data is collected for specified, explicit purposes
We minimize data collection to what's necessary
Data accuracy is maintained and updated as needed
Storage is limited to necessary retention periods
We implement appropriate security measures

CCPA (California Consumer Privacy Act):

California residents can request disclosure of data collection practices
Right to request deletion of personal information
Right to opt-out of data sale (we don't sell data)
Non-discrimination for exercising CCPA rights

Shopify Webhook Compliance:

We automatically handle data requests through Shopify's mandatory webhook system for customer data requests, redaction, and shop deletion.

Third-Party Services and Data Sharing

Wishfire relies on the following third-party services to operate. Your data may be shared with these services only as necessary to provide our functionality:

Shopify Platform:

Wishfire is built on Shopify's platform and uses their APIs to access your store data
Authentication is handled entirely by Shopify (OAuth 2.0)
Billing is processed through Shopify's billing system (we never handle payment information)
Subject to Shopify's Privacy Policy

Hosting Infrastructure:

Application hosted on Railway.app (cloud infrastructure provider)
PostgreSQL database hosted on Railway's secure servers
All data transmitted via encrypted connections (TLS 1.2+)

We Do NOT Share Data With: We do not sell, rent, or share your data with marketing companies, advertisers, data brokers, or any third parties for their own purposes. Data is only shared with the services listed above as necessary to operate the app.

Payment Processing:

Shopify Billing API for subscription payments
We do not store credit card information

These third-party services are bound by their own privacy policies and have their own security practices. We ensure all third-party providers maintain appropriate data protection standards.

Browser Storage (Not Cookies)

Important: Wishfire does NOT set any cookies. Instead, we use browser storage APIs:

LocalStorage (Customer's Browser):

Guest Tokens: 32-character secure tokens stored locally to identify anonymous users' wishlists
Wishlist Data Cache: Temporary cache of wishlist items for faster loading (synced with server)
This data stays in the customer's browser and is not transmitted unless they interact with wishlists

SessionStorage (Temporary):

Server Data Cache: Temporary storage during browsing sessions to reduce API calls
Automatically cleared when browser tab is closed

Authentication:

Merchant authentication is handled entirely by Shopify using their session management
Wishfire does NOT set authentication cookies - Shopify manages all admin session cookies
Customer authentication (when logged into storefront) is also handled by Shopify

No Tracking Cookies: We do not use marketing cookies, analytics cookies, or third-party tracking technologies. No data is shared with advertising networks.

Children's Privacy

Wishfire is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at support@wishfire.app so we can delete it.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

Update the "Last Updated" date at the top of this policy
Notify you via email if changes are material
Display a notice in the app dashboard

We encourage you to review this Privacy Policy periodically. Continued use of Wishfire after changes constitutes acceptance of the updated policy.

Questions or Concerns?

If you have any questions about this Privacy Policy or our data practices, please contact us:

Support & Privacy: support@wishfire.app

We typically respond to privacy inquiries within 48 hours