Privacy Policy

Effective date: 2026-05-13

Last updated: 2026-05-13

This Privacy Policy describes how McDaniel Creative ("we," "us," "our") collects, uses, and shares information in connection with the Prevey Shopify app ("Prevey," the "Service") available at prevey.app and installed by merchants on their Shopify storefronts.

If you have questions about this policy or your data, contact us at contact@prevey.app.

1. Who this policy applies to

This policy describes data we collect about two different groups:

- Merchants — Shopify store owners and staff who install and use Prevey to learn from their shoppers

- Shoppers — visitors to a Shopify store that has Prevey installed, including people who add items to their cart, submit a survey response, or interact with our exit-intent modal

Different sections of this policy apply to different groups; we've called out which is which throughout.

2. What we collect

From merchants

When you install Prevey, we collect from Shopify:

- Your shop's myshopify.com domain, contact email, and store name

- OAuth access tokens needed to read your orders and customer data scopes you've granted

- The settings you configure in the Prevey admin (survey question, branding, delivery preferences, etc.)

- A log of when you change those settings (in our internal audit table)

When you use the Prevey admin, our servers also record standard request metadata: IP address, browser type, and the pages you visit.

From shoppers

When Prevey's tracking pixel runs on a storefront where it's been installed, we collect:

- A first-party cookie (prevey_sid) containing a randomly generated session ID — this is not tied to your real identity

- A SHA-256 hash of your IP address combined with a per-shop secret salt. We never store your raw IP.

- Your browser's user-agent string

- Pages and products you view, items you add to your cart, and whether you started or completed checkout

- Whether you're logged into the store as a Shopify customer (and if so, your Shopify customer ID and email)

- If you submit your email via the exit-intent modal: that email address and your consent choice

When you submit a survey response, we additionally collect:

- The answer option you picked

- Any optional written comment you provide

Additional cookies we may set: prevey_modal_seen (suppresses the modal across sessions for the duration the merchant has configured, typically 7 days), prevey_exit_dismissed (suppresses the modal within the current session). These contain no personal data.

From abandoned-cart matching

To detect when a shopper who abandoned a cart later completes a purchase, we periodically query your shop's recent orders via Shopify's Admin API. We match the order's email/phone against our records and, if there's a match, mark that abandonment as "recovered" and store the order ID and total.

3. Why we collect it (legal basis)

For merchants, our legal basis for processing is performance of the contract that begins when you install the app and accept these terms, plus our legitimate interest in operating and improving the Service.

For shoppers, the legal bases vary by data type:

- Anonymous session tracking and cart events — legitimate interest of the merchant in understanding their store's performance, balanced against the minimal personal nature of this data (cookie ID + hashed IP)

- Email or phone submitted via the exit-intent modal — your explicit consent (the optional consent checkbox), and the merchant's legitimate interest in following up on an abandoned cart

- Email and phone obtained via Shopify customer account — the contract between you and the merchant, who has determined this purpose

- Survey responses — your explicit consent (you click an answer and submit)

You can withdraw consent at any time by emailing the merchant or contacting us at contact@prevey.app to have your data deleted.

4. How we use it

We use the data to:

- Render the exit-intent modal and storefront pixel

- Detect that a cart has been abandoned

- Send a survey email to identified shoppers (where the merchant has enabled email delivery)

- Match abandoned carts to subsequent orders so the merchant can measure recovery

- Aggregate response data for the merchant's dashboard (anonymized counts, percentages)

- Generate AI-powered summaries of free-text responses for the merchant (Growth tier and above; see Section 5)

- Detect bugs, monitor reliability, and improve the Service

- Comply with our legal obligations

We do not sell personal data to anyone, ever, under any tier of service.

5. Sub-processors — who we share data with

Prevey is built on top of services from other companies ("sub-processors"). When we share data with them, it's strictly to deliver the Service. Each sub-processor has their own privacy policy and security posture.

- Shopify — Underlying e-commerce platform. Receives: all merchant data and shopper data flows through Shopify's APIs and webhooks.

- Resend (resend.com) — Transactional email delivery. Receives: recipient email, sender display name, the rendered email content.

- Fly.io (fly.io) — Application hosting and Managed Postgres database. Receives: all Prevey data is stored on Fly infrastructure.

- cron-job.org — Scheduled job triggering. Receives: only the URL of our cron endpoint; no merchant or shopper data.

- Anthropic (anthropic.com) — AI summarization of survey responses (paid tiers only). Receives: free-text survey response content, anonymized of identifiers before sending.

- Cloudflare — DNS and CDN for prevey.app. Receives: request metadata for the prevey.app website itself; no app data.

We do not share data with advertising networks, data brokers, or analytics providers beyond what's listed above.

6. Where data is stored

All Prevey data is hosted on Fly.io infrastructure in the United States (region: San Jose, California). If you're a shopper or merchant outside the United States, your data will be transferred to and processed in the U.S. For visitors from the European Economic Area, the United Kingdom, or Switzerland, this transfer relies on Standard Contractual Clauses as the applicable safeguard.

7. Data retention

We hold data only as long as we need it:

- Anonymous storefront sessions with no associated abandonment: deleted automatically after 90 days of inactivity

- Storefront sessions with abandonments (containing email, phone, IP hash): personal identifiers stripped after 365 days; aggregate abandonment + response records retained

- Survey responses: retained for the merchant's reporting until the underlying session is anonymized; aggregate data may be retained indefinitely

- Delivery logs (email send records): deleted after 180 days

- Merchant settings: retained while you have the app installed; removed within 48 hours of uninstall via the standard Shopify shop/redact webhook

- Audit log of merchant settings changes: retained for 2 years for compliance

You can request earlier deletion at any time via the process in Section 9.

8. Cookies

The Prevey storefront pixel sets the following first-party cookies on storefronts where the merchant has installed our app embed:

- prevey_sid — Anonymous session identifier so we can correlate your cart events across page loads. Lifetime: 180 days.

- prevey_modal_seen — Records that we've shown you the exit-intent modal, so we don't pester you on every visit. Lifetime: configurable by merchant (typically 7 days; can be disabled).

- prevey_exit_dismissed — Records that you dismissed the modal in the current browsing session. Lifetime: until you close your browser.

We do not use third-party cookies, advertising cookies, or fingerprinting.

If your browser blocks cookies or you've opted out via the storefront's consent banner, the pixel will not set the prevey_sid cookie and you will not be tracked.

9. Your rights

Depending on where you live, you may have the following rights regarding your personal data:

- Right to access — request a copy of the personal data we hold about you

- Right to deletion — request that we delete your personal data

- Right to correction — request correction of inaccurate data

- Right to portability — receive your data in a structured, machine-readable format

- Right to object — object to processing based on legitimate interest

- Right to withdraw consent — for processing based on consent

How to exercise these rights:

1. Through the merchant. Because Prevey processes shopper data on behalf of the Shopify merchant whose store you visited, the simplest path is to contact that merchant directly. Shopify provides a standard "Data subject request" workflow that automatically reaches us via webhook, and we respond by emailing you a copy of the data we hold or deleting it (depending on the request type).

2. Directly. You can also contact us at contact@prevey.app with proof of your relationship to the data (e.g., reply from the email address whose records you want to access). We will respond within 30 days.

California residents have additional rights under the CCPA, including the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA.

10. Security

We follow industry-standard practices:

- All data encrypted in transit (HTTPS / TLS 1.2+) and at rest (Fly Managed Postgres)

- Database backups are encrypted

- Production secrets stored only in Fly's encrypted secrets store, never in source code

- Access to production infrastructure protected by two-factor authentication

- Shopify webhook and app proxy signatures verified on every inbound request

- IP addresses hashed with a per-shop salt before storage

- Sensitive admin actions written to an audit log

- A written security incident response policy that requires customer notification within 72 hours of any confirmed breach affecting personal data (in line with GDPR Article 33)

No system is perfectly secure; if you believe your data may have been compromised, contact us immediately at contact@prevey.app.

11. Children's privacy

Prevey is not directed to children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. When we do, we'll update the "Last updated" date at the top of this page. Material changes will be announced via the Prevey admin interface and, where required, by email to merchants. Your continued use of the Service after a change indicates your acceptance of the updated policy.

13. Contact

Questions, concerns, or requests:

McDaniel Creative

Email: contact@prevey.app

Website: prevey.app