Effective date: May 21, 2026
Who we are: K1 Apps LLC, 30 N Gould St, STE R, Sheridan, WY 82801, USA ("we", "us", "our").
Contact: support@k1apps.com
This Privacy Policy explains how we collect, use, and protect personal data in connection with the K1 PreOrder Manager Shopify application (the "App"). For the K1 Apps website (k1apps.com), see our Website Privacy Policy.
Merchant data (Shop data). When you install and use the App, we act as an independent controller for your merchant/account information needed to operate, support, and improve the App (e.g., subscription, App settings, diagnostics).
Store customer data processed via Shopify APIs. When our App reads or writes limited order/product data to run pre‑orders (e.g., tagging orders, reading product/variant IDs), we act as a processor on your behalf. You remain the controller for your customers' data. We process customer data only under your documented instructions (the actions & logic you configure in the App). We do not re‑purpose customer data.
Data Processing Addendum (DPA). We offer a Controller‑Processor DPA with SCCs/UK Addendum at K1 PreOrder Manager DPA.
End‑customers. We do not provide any customer‑facing features that require direct contact with your store's end‑customers. We only process minimal order/product metadata required for the pre‑order workflow you configure.
We collect the minimum data necessary to run the App reliably, support you, and understand product usage.
Shop identifiers (theme name/ID/version, storefront/locale settings, location settings and time zone), catalog context (product/variant IDs, collection IDs/titles, conflict logs, UI preferences), order context (pre‑orders only), and technical logs (timestamps, request IDs, API errors, App version, device data). We do not store full order contents beyond what is necessary to tag/attribute pre‑order activity.
If you contact our support widget, the App may pass helpful shop context to reduce back‑and‑forth and speed resolution (e.g., store URL, installed theme name/ID, shop locale, time zone, App version, purely technical diagnostics such as feature flags, onboarding status). You can ask us to remove or limit what's shared.
Mixpanel (pseudonymous event data about admin UI usage, device/OS/browser, performance metrics); Hotjar (optional session insights for admin interface; we mask input fields where feasible and avoid capturing sensitive text; no storefront replays); Mantle (install & lifecycle telemetry; no end‑customer personal data).
Business contact information, such as email — we send operational/service emails needed to run the App (e.g., technical, security/reliability, onboarding). We may also send brief product communications that help improve quality and support (tips, highlights, short surveys) and limited information about closely related features or services. You can opt out of non‑operational emails at any time by contacting support@k1apps.com (transactional/service notices may still be sent).
We process data for the following purposes, under these typical legal bases:
| Purpose | Examples | Legal bases |
|---|---|---|
| Provide & operate the App | Render pre‑order button/badge, apply order tags, schedule rules, detect conflicts, maintain uptime/security | Performance of our agreement with your organization (Terms and Conditions); legitimate interests (operate a reliable app) |
| Support & diagnostics | Troubleshoot via Tidio, reproduce issues, communicate resolutions | Performance of our agreement (Terms and Conditions); legitimate interests |
| Product analytics & UX research | Understand feature adoption (Mixpanel), optional session insights (Hotjar), improve onboarding & performance, develop new features | Legitimate interests |
| Security & abuse prevention | Detect misuse, protect APIs and infrastructure, audit access | Legitimate interests; legal obligations |
| Compliance | Respond to data subject requests (Shopify GDPR webhooks); maintain records; tax/transactional communications | Legal obligations |
| Product communications & quality insights | Operational updates, relevant tips/highlights, short surveys; where permitted, info on closely related features/services | Legitimate interests (operate/improve the App and inform existing business users) |
Our admin UI and documentation may use cookies or local storage for authentication, preferences, and analytics (Mixpanel) plus optional session insights (Hotjar) — admin interface only. If you prefer, you can email support@k1apps.com and we will disable Hotjar session capture for your shop.
We share data only with service providers that help us run the App (e.g., Shopify platform services; Mixpanel — product analytics; Hotjar — optional session insights; Tidio — in‑app support chat; hosting/logging/email vendors). We require appropriate contractual safeguards and limit access to the minimum necessary. Our up‑to‑date Subprocessor List (vendor, service, country, DPF/SCC status) is published at the end of this document.
Advance notice. We will notify at least 30 days in advance of material changes to subprocessors; you may object within that time.
Our providers may process data outside your country. Where data is transferred internationally, we rely on appropriate safeguards and measures:
We keep data only as long as needed for the purposes above, to comply with law, or to resolve disputes. Our retention schedule:
| Data Category | Purpose | Retention |
|---|---|---|
| Shop configuration & rule settings | Operate app; audit | Active subscription + 30 days after uninstall (account deletion triggers immediate purge), then delete/anonymize |
| Order metadata we create (tags, rule IDs, pre‑order flags) | Attribution & reporting | 24 months after creation, then delete/anonymize |
| Error/diagnostic logs | Reliability & security | 90 days |
| Analytics (Mixpanel) | Product analytics | 14 months (or shorter if tool allows) |
| Session replays (Hotjar) | UX research | 30 days max |
| Support chats (Tidio) | Support history | 12 months from last interaction |
| Webhook delivery logs | Compliance proof | 30 days |
| Billing & accounting records | Tax/audit compliance | 7 years |
| Backups | DR only | 30 days; deletion cascades within that window |
If deletion conflicts with legal retention obligations (e.g. tax/audit), we will retain only what's necessary and isolate it from routine use.
We use industry‑standard safeguards such as TLS in transit, encryption at rest (where applicable), access controls, audit logging, environment segregation, and least‑privilege administration. No internet service is 100% secure, but we continuously work to protect your data and promptly remediate incidents. We assess incidents promptly and notify affected merchants and authorities as required by law (GDPR/UK/Law 25).
Depending on your location, you may have rights to access, correct, delete, restrict, object to processing, or port your personal data. As a Shopify app, we also support Shopify's mandatory privacy webhooks (see §11) to help you satisfy requests from your customers.
Response timelines & verification. We respond within 1 month (GDPR/UK) or 45 days (US states). We verify identity via admin email/domain verification or reasonable equivalent.
Appeals (US states). If we deny a request, you may appeal within 30 days by writing to privacy@k1apps.com. We will respond within 45 days.
To exercise your rights or ask questions, contact support@k1apps.com.
Analytics & replays. We use Mixpanel (pseudonymous) for product analytics and may use Hotjar session insights in the admin. If you prefer to opt out of Hotjar for your shop, email support@k1apps.com and we'll disable it.
Global Privacy Control (GPC). Where applicable, we honor Global Privacy Control (GPC) and similar browser signals for "sale"/"sharing" and targeted ads. (We do not sell/share personal information.)
Support context to Tidio. You can ask us to limit or turn off automatic shop‑context sharing; we can handle your request via email instead.
Email preferences. We send operational/service emails necessary to run the App. We may also send concise product communications that help improve quality and support and information about closely related features/services. You can opt out of non‑operational emails via support@k1apps.com or the unsubscribe link (where available).
We subscribe to and honor Shopify's mandatory privacy topics so you can meet your obligations:
Deletion SLA. On shop/redact, we erase shop data from our systems within 30 days (sooner where possible). Customers/redact requests are completed promptly upon webhook receipt. You can also request deletion via email.
Mixpanel (admin analytics). Used to understand feature adoption and improve UX. We do not use Mixpanel for advertising. Data is pseudonymous and focused on App UI usage.
Hotjar (session insights). Used occasionally to review how merchants interact with our admin screens. We focus on layout/navigation issues and mask input fields where feasible.
Mantle (install telemetry). Used to monitor installation health, onboarding progress, and aggregate reliability metrics. We do not send end‑customer personal data to Mantle.
Tidio (support). Used to provide real‑time chat and faster support. We pass helpful shop context (see §2B) to accelerate troubleshooting. You can always contact us by email instead.
Hosting (Hetzner). US‑based cloud infrastructure hosting for our application and databases. Primary processing and storage occur in the United States (Hetzner US region). Transfers from the EEA/UK rely on the 2021 EU SCCs (Modules 2/3) with the UK Addendum/IDTA (as applicable), plus supplementary technical measures (e.g., encryption in transit and at rest).
Email (Twilio SendGrid). Delivery of service emails and permitted product communications (see §§2 and 10). Includes standard message metadata (recipient address, timestamps, delivery status).
Logging/Monitoring (Sentry). Error and performance telemetry to improve reliability. We scrub sensitive fields and avoid collecting customer payload content.
Our App is intended for businesses. We do not knowingly collect personal data from children.
We may update this Policy from time to time. We will post the updated version in‑app and update the "Effective date" above.
Company: K1 Apps LLC
Address: 30 N Gould St, STE R, Sheridan, WY 82801, USA
General inquiries: support@k1apps.com
Privacy inquiries: privacy@k1apps.com
This appendix lists our current subprocessors. We will notify at least 30 days in advance of material changes (add/replace) and provide an opportunity to object.
| Vendor | Service (Purpose) | Country/Region | Transfer Mechanism (DPF/SCC/UK Addendum) |
|---|---|---|---|
| Shopify Inc. and affiliates | Platform APIs & privacy webhooks | Various | See Shopify transfer statements |
| Mixpanel, Inc. | Product analytics (admin only) | US | DPF/SCC/UK Addendum (as applicable) |
| Hotjar Ltd. (optional) | Session insights (admin only) | EU | DPF/SCC/UK Addendum (as applicable) |
| Tidio | In‑app support chat | EU/US | DPF/SCC/UK Addendum (as applicable) |
| Mantle | Telemetry/diagnostics | TBD | TBD |
| Hetzner Online GmbH | Cloud hosting | US | SCCs (EU 2021 — Modules 2/3) + UK Addendum/IDTA |
| Twilio SendGrid, Inc. | Service emails and permitted product communications | US | DPF/SCC/UK Addendum (as applicable) |
| Sentry (Functional Software, Inc.) | Error & performance logs | EU/US | DPF/SCC/UK Addendum (as applicable) |