Effective date: June 12, 2026
Privacy Policy
This Privacy Policy explains how Deck Builder collects, uses, stores, and discloses information when merchants install or use the Deck Builder Shopify app and when storefront customers interact with the app-powered deck builder experience on a merchant's storefront.
This policy is intended to describe the app's current data practices based on the app's implemented Shopify API access, database models, and storefront proxy routes.
Information We Collect Through Shopify
When a merchant installs or uses Deck Builder, the app receives information from Shopify that is needed to authenticate the shop, provide app features, and manage billing-related functionality.
| Category | Examples | Purpose |
|---|---|---|
| Merchant session and account data | Shop domain, session ID, access token, refresh token, granted scopes, session expiration timestamps, Shopify user ID, merchant first name, last name, email, locale, account owner status, collaborator status, and email verification status. | To authenticate the merchant, maintain the app session, honor Shopify permissions, and support secure access to the app. |
| Subscription and billing status data | Shopify shop ID, myshopify domain, subscription handle or plan name, trial end date, billing cycle end date, and deletion status for historical subscription records. | To determine which app features are available to a merchant, cache plan status, and support subscription management. |
| Merchant catalog data | Product types, collection IDs, titles and handles, product titles, product type, images, category names and IDs, inventory totals, variant IDs, variant titles, prices, currency codes, selected options, collection membership, and quantity available. | To power the deck builder search, filtering, sorting, and automatic product selection features on the merchant's storefront. |
Information We Collect Directly From Merchants
Most merchant information is received from Shopify during authentication and ongoing app use. We also generate operational records associated with merchant use of the app, including:
- Server-side logs used for troubleshooting, monitoring, and security review.
- Webhook-driven updates when app scopes change or the app is uninstalled.
- Subscription cache entries used to reduce repeated billing-status lookups.
The app does not ask merchants to manually provide customer lists, payment card data, or other off-platform personal data through a custom form in the current implementation.
Information We Collect Directly From Storefront Customers
When a storefront customer uses the deck builder widget, the app may process information submitted through the widget or request headers, including:
- Search terms entered into the deck builder.
- Requested quantities for searched cards.
- Selected filters, sort options, collection selections, and variant option selections.
- Buyer IP information forwarded to Shopify's Storefront API when available.
In the current implementation, this customer interaction data is used to return search results and related deck builder actions. The app does not currently persist those customer search inputs in its database.
The app does not currently use cookies, advertising pixels, or other similar tracking technologies for cross-site marketing or behavioral advertising within the implemented app routes.
How We Use Information
- To install, authenticate, and operate the app for a merchant's Shopify store.
- To determine subscription status and gate premium functionality.
- To query Shopify product and collection data needed for deck builder search results.
- To filter, sort, and auto-select products or variants requested through the storefront widget.
- To maintain security, debug errors, detect misuse, and monitor service health.
- To comply with legal obligations and respond to lawful requests.
We do not use the implemented app data flows to build third-party advertising profiles or to sell personal information.
Data Retention
- Merchant session records are stored in the app database for as long as needed to support authentication, app access, and related security functions, subject to session expiration and uninstall cleanup.
- When the app receives an uninstall webhook, it deletes merchant session records associated with that shop.
- Subscription records are retained to support feature access, billing-state checks, and related operational history until they are no longer needed for those purposes.
- Subscription cache entries are retained for short-lived operational periods based on cache expiration settings and billing or trial end times.
- Customer search and filter inputs handled through the app proxy are processed in request flow and are not currently stored in the app's database.
- Backup, infrastructure, and application log retention may vary based on hosting provider settings and legal requirements.
International Processing
Deck Builder may process and store information outside the merchant's or customer's country, including in the United States, through its hosting, database, caching, logging, and Shopify-connected service providers. When personal data is transferred across borders, we rely on contractual, technical, and organizational safeguards that are appropriate to the transfer and applicable law.
Individual Rights and Requests
Depending on the applicable law, individuals may have the right to request access to, correction of, deletion of, or restriction of certain personal data. Merchants may also contact us regarding data received through Shopify privacy webhooks or other privacy-related requests.
To make a privacy request, contact us using the details below. We may request information needed to verify the request before taking action.
Marketing and Advertising
Deck Builder is not designed as a marketing or advertising app. Based on the current implementation, the app does not use merchant or customer personal data for interest-based advertising, retargeting, or the sale or sharing of personal information for cross-context behavioral advertising.
Security
We use reasonable administrative, technical, and organizational measures designed to protect information processed by the app. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Contact Us
If you have questions about this Privacy Policy or want to submit a privacy-related request, contact:
XLP Technologies
Email: support@xlptechnologies.com
If you need a physical mailing address for a jurisdiction-specific notice, include that request in your email so we can provide the appropriate contact details.
Policy Updates
We may update this Privacy Policy from time to time to reflect changes to the app, legal requirements, or our data practices. When we do, we will update the effective date shown at the top of this page.