
Legal

Privacy Policy.

Effective: April 27, 2026
Last updated: May 7, 2026
Company: ThePulse Creative Solutions LLC
Contact: [email protected]

1. Introduction

Daima Subscriptions App ("Daima," "we," "us," or "our"), operated by ThePulse Creative Solutions LLC, a California limited liability company, is a software-as-a-service application offered through the Shopify App Store. This Privacy Policy explains how we collect, use, store, share, and protect information when Shopify merchants install and use Daima, and when their end-customers interact with the Daima subscription widget on those merchants' storefronts.

This policy applies to:

  • Merchants — Shopify store owners or operators who install Daima on their store
  • Affiliates — third parties who participate in a merchant's affiliate program operated through Daima
  • End-Customers — visitors and subscribers of merchants' Shopify stores who interact with Daima-rendered widgets, the customer self-service portal, gift redemption pages, or affiliate links

By installing or using Daima, you agree to the practices described in this Policy and our Terms of Service. If you do not agree, do not install or use the App.

2. Roles and Responsibilities Under Data Protection Law

For purposes of the EU General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws:

  • The Merchant is the data controller with respect to the personal information of their end-customers, subscribers, affiliates, and gift recipients. The Merchant determines the purposes and means of processing and is responsible for the lawful basis of all processing activities, for providing required notices and obtaining required consents from data subjects, and for responding to data subject rights requests.
  • Daima (ThePulse Creative Solutions LLC) acts as a data processor for the Merchant, processing personal information solely under the Merchant's instructions and as necessary to provide the Service described in our Terms of Service and this Policy.
  • For the Merchant's own personal information (the Merchant's contact details, account information, and shop metadata collected via Shopify OAuth), Daima acts as a data controller.

Where the Merchant's instructions, applicable law, or Shopify platform requirements conflict with this Policy or our Terms of Service, we will inform the Merchant unless prevented from doing so by law.

3. Information We Collect

3.1 Merchant Information (Collected via Shopify OAuth)

  • Shop domain (e.g., your-store.myshopify.com)
  • Shopify session tokens (used for authenticated API access; never displayed to users)
  • Contact email (read from Shopify account)
  • Plan and currency (basic shop metadata)

3.2 Subscription & Product Data (via Shopify Admin API)

  • Selling plan group configurations
  • Product and variant information associated with subscription plans
  • Subscription contract data (contract ID, status, delivery frequency)
  • Active subscriber counts (aggregated per product and per store)

3.3 Order Data (via Shopify Webhooks)

  • Order ID and total amount (used for commission-based billing on the Free plan)
  • Line item selling plan allocations (used to identify subscription orders)
  • Customer ID associated with subscription orders (used for loyalty tier tracking and churn risk modeling)

3.4 Widget Analytics Data

  • Widget impressions (page views where the widget loaded)
  • Tab clicks (subscribe vs. one-time purchase selections)
  • Add-to-cart clicks initiated through the widget
  • Frequency change events
  • A/B test variant assignments

Note: Analytics data is aggregated daily (one row per shop per day). We do not store individual pageview-level data, browsing histories, or any device-level identifiers. We do not use tracking cookies, third-party analytics, or fingerprinting.

3.5 Loyalty Program Data

  • Customer ID (Shopify numeric ID; we do not store names, emails, or addresses for loyalty purposes)
  • Completed subscription order count
  • Current loyalty tier and tier upgrade timestamps

3.6 Affiliate Program Data

  • Affiliate name and email address (provided by the merchant or by the affiliate at signup)
  • Affiliate-generated unique discount codes
  • Commission tracking records (associated order IDs and calculated commission amounts)
  • HMAC-signed dashboard access tokens

3.7 Gift Subscription Data

  • Gifter's name and email (provided at gift purchase)
  • Recipient's name and email (provided by gifter)
  • Redemption status and timestamps

3.8 Churn Risk Inputs

  • Aggregated behavioral signals computed from existing data (subscription tenure, recent skip/pause activity, frequency changes, order history) used to generate per-subscriber risk scores. No additional data is collected specifically for churn modeling.

3.9 Application Error Logs

To diagnose problems and maintain service quality, the App writes server-side error events to a private internal log:

  • Shop domain (where the error occurred)
  • Route or webhook topic (e.g., app.subscriptions, orders/create)
  • Action intent (e.g., create-plan, charge-commission)
  • Error message and redacted stack trace
  • HTTP user-agent string
  • Severity classification (info, warn, error, critical)

End-customer personal information is automatically redacted before storage. Email addresses, phone numbers, names, postal addresses, payment card details, passwords, Shopify access tokens (shpat_, shpss_, shppa_, shpca_), customer access tokens, and any object property explicitly named email, phone, firstName, lastName, fullName, name, address, cardNumber, cvv, password, token, sessionToken, customerAccessToken, or accessToken are stripped or replaced with placeholders before the row is written.

Error logs are stored in our Supabase project (Section 6) in a database table protected by Row Level Security with no read policies — meaning the table is accessible only via our server-side service role key, never to browsers, customers, or merchants. Logs are retained for the period stated in Section 10 and are then automatically purged.

For errors classified as critical, the App may send an internal alert email to our support address via Resend (Section 6). Alert emails contain only the redacted error metadata above; no customer personal information is included. Alerts are rate-limited to a maximum of one email per 5 minutes per unique error to prevent flooding.

3.10 Information We Do NOT Collect

  • Credit card or payment information (handled entirely by Shopify)
  • Passwords or authentication credentials (Shopify OAuth handles authentication)
  • End-customer names, email addresses, phone numbers, or physical addresses (except for the limited contexts of affiliate signup and gift recipient delivery)
  • End-customer browsing history or behavior outside the subscription widget
  • Social Security numbers, government-issued identifiers, or financial account numbers
  • Health, biometric, genetic, or other sensitive special-category data
  • Tracking cookies, advertising identifiers, or device fingerprints

4. How We Use Information

We process personal information solely for the following purposes, in our role as a processor for the Merchant or as a controller of the Merchant's own data:

| Purpose | Data Used | Lawful Basis (GDPR) |
|---|---|---|
| Providing subscription management features | Shop domain, selling plans, contracts | Contract performance |
| Rendering the customized subscription widget | Widget settings, selling plan data | Contract performance |
| Tracking widget performance analytics | Aggregated daily analytics events | Legitimate interests (improve service) |
| A/B testing widget configurations | Variant assignments, conversion metrics | Contract performance / legitimate interests |
| Managing loyalty tier programs | Customer ID, order count, tier status | Contract performance |
| Calculating churn risk scores | Aggregated subscription behavior signals | Contract performance / legitimate interests |
| Operating the affiliate program | Affiliate identity, codes, commissions | Contract performance |
| Sending gift subscription emails | Recipient name and email | Contract performance |
| Billing (commission calculation on Free plan) | Order ID, order total, plan allocation | Contract performance / legal obligation |
| App authentication and session management | Shopify session tokens | Contract performance |
| Service availability, security, fraud prevention | System and request logs | Legitimate interests |

We do not use collected data for:

  • Advertising, ad targeting, or remarketing
  • Selling, renting, or licensing to third parties
  • Profiling end-customers for purposes unrelated to the Merchant's subscription program
  • Training generative AI, machine learning, or large language models on Merchant Data or end-customer data
  • Cross-Merchant data aggregation or benchmarking

5. Automated Decision-Making and Profiling

Daima includes a churn prediction feature (Pro plan only) that generates a per-subscriber risk score on a 0-to-100 scale based on weighted behavioral signals (subscription tenure, recent skip/pause activity, order cadence, etc.). This is a form of automated processing under GDPR Article 22.

The output is advisory only. The merchant decides what action, if any, to take based on the score. Daima does not automatically cancel, suspend, charge, or otherwise take action against any subscriber based on a churn risk score. End-customers retain full rights under the merchant's subscription terms regardless of any internal risk score.

Subscribers in jurisdictions that grant rights regarding automated decision-making (including the EU/EEA/UK under GDPR) may request an explanation of how a churn score was computed for them, request human review, or object to the processing, by contacting the merchant directly. The merchant is the controller and is responsible for fulfilling such requests; we will assist the merchant as required by law.

6. Sub-Processors and Third-Party Services

To deliver the Service, we use the following third-party service providers ("Sub-Processors"). Each is bound by data processing terms (or equivalent contractual safeguards) requiring it to process personal information only on our instructions and to maintain appropriate security measures.

| Sub-Processor | Function | Data Processed | Location |
|---|---|---|---|
| Shopify, Inc. | Platform partner — store data, OAuth, billing via Shopify Managed Pricing, theme delivery, webhook delivery | Subscription plans, orders, products, customer IDs (via API) | Global (per Shopify) |
| Supabase, Inc. | Database hosting and authentication infrastructure | Widget settings, daily analytics, loyalty records, A/B test data, affiliate records, churn scores, gift records, session tokens, application error logs (PII redacted before storage) | AWS US-East |
| Vercel, Inc. | Application hosting and edge delivery for App backend (no persistent storage; serverless functions only) | Request logs (transient), no persistent personal data | Global edge network |
| Resend, Inc. | Transactional email delivery from [email protected] (gift redemption, affiliate notifications) and internal critical-error alerts to our support address (PII redacted before send, rate-limited) | Recipient name, recipient email, email content; for internal alerts: shop domain, route, sanitized error message | United States |

We do not share, sell, or transfer Merchant Data or end-customer data to any party beyond those listed above. Sub-Processors process data solely on our behalf for the purposes described in this Policy.

We may add, remove, or replace Sub-Processors. We will update this section to reflect material changes affecting the location or category of personal data processing. Continued use of the App after such updates constitutes acceptance of the change.

7. International Data Transfers

Personal information may be transferred to and processed in the United States, the European Union, or other jurisdictions where our Sub-Processors operate. Where required by applicable law, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA to the United States, supplemented by additional technical, contractual, and organizational measures as appropriate
  • UK International Data Transfer Addendum for transfers from the United Kingdom
  • Data processing addenda with our Sub-Processors that incorporate equivalent safeguards

You may request a summary of the safeguards in place for international transfers by contacting [email protected].

8. Cookies and Tracking Technologies

Daima itself does not set cookies, use local storage for tracking, or employ device fingerprinting on storefronts where the subscription widget renders. The Daima admin interface (rendered inside the Shopify Admin) inherits Shopify's session cookie context only.

The customer self-service portal and affiliate dashboard may use a single HMAC-signed session token transmitted via URL parameter or short-lived cookie strictly to authenticate the user's session. This is a strictly necessary cookie under GDPR/ePrivacy and does not require consent.

Your Shopify storefront may set its own cookies independently of Daima; that is governed by your store's own privacy practices.

9. Email Communications

The Service sends transactional emails on the Merchant's behalf via Resend, including without limitation:

  • Gift subscription redemption emails to recipients
  • Affiliate welcome and conversion notifications
  • Customer self-service portal confirmations

We may also send the Merchant operational emails (billing receipts, security notices, service updates, terms changes). These are not commercial marketing and you may not opt out without ceasing to use the Service.

We do not send unsolicited marketing emails to end-customers, affiliates, or gift recipients. The merchant is responsible for compliance with the U.S. CAN-SPAM Act, the Canadian Anti-Spam Legislation (CASL), the EU ePrivacy Directive, and equivalent laws in other jurisdictions.

10. Data Retention

| Data Type | Retention Period |
|---|---|
| Widget settings | Until app is uninstalled or merchant deletes |
| Daily analytics | 12 months rolling, then automatically purged |
| Loyalty tier configurations | Until app is uninstalled or merchant deletes |
| Subscriber loyalty records | Until app is uninstalled or customer data deletion requested |
| Affiliate records | Until app is uninstalled, affiliate is deleted, or 7 years after last commission (for tax record retention) |
| Gift subscription records | 2 years from purchase, or until app is uninstalled |
| Churn risk scores | Computed daily; previous values overwritten — no historical retention beyond the 12-month analytics window |
| Session tokens | Until app is uninstalled or token expires |
| A/B test data | Until merchant deletes or app is uninstalled |
| Application error logs (per Section 3.9) | 30 days, then automatically purged |
| Operational logs (request-level) | 30 days, for security and debugging |

Upon app uninstallation: We receive a shop/redact webhook from Shopify within 48 hours of uninstall. Upon receipt, we permanently delete all data associated with that shop within 30 days, except where retention is required by law (e.g., financial records for tax purposes).

Upon customer data deletion request: We receive a customers/redact webhook from Shopify. Upon receipt, we permanently delete all records associated with that customer (loyalty records, churn scores, customer-linked analytics) within 30 days.

Email content held by Resend: Once an email is delivered via Resend, a copy may be retained by Resend per their own retention policy (typically up to 30 days for delivery logs). This is outside our direct control. See Resend's privacy policy for details.

11. Data Security

We implement the following security measures:

  • Encryption in transit: All data transmitted between Daima, Shopify, our Sub-Processors, and your browser uses TLS 1.2 or higher (HTTPS)
  • Encryption at rest: Data stored in Supabase is encrypted at rest using AES-256
  • Row Level Security (RLS): Enabled on all Supabase database tables with no public access policies; only our server-side service role key can read or write data
  • Authentication: Shopify OAuth 2.0 for merchant authentication; HMAC-signed tokens for affiliate dashboard access; no passwords stored
  • Webhook verification: All Shopify webhooks are HMAC-verified before processing
  • API key protection: All API keys, secrets, and Sub-Processor credentials are stored as environment variables, never committed to source code or exposed to browsers
  • Minimal data collection: We collect only the data necessary for app functionality
  • No client-side secrets: The Supabase service role key is used server-side only; the anonymous key has read-only access restricted by RLS
  • Operational logging: Limited request logs retained for 30 days for security and debugging purposes only
  • Application error logging: Server-side errors are written to a private internal log table protected by Row Level Security (no read policies — accessible only to our server-side service role). End-customer personal data (emails, phone numbers, names, addresses, payment details, authentication tokens) is automatically redacted before any error row is written. Logs are retained for 30 days, then automatically purged. See Section 3.9 for details
  • Sub-Processor diligence: All Sub-Processors are vetted for security posture and bound by data processing terms

Despite these measures, no system is 100% secure. We cannot guarantee absolute security and we expressly disclaim warranties to that effect in our Terms of Service. In the event of a personal data breach, we will notify affected merchants without undue delay and, where required, the relevant supervisory authority within 72 hours.

12. Shopify Mandatory Compliance Webhooks

Daima implements all three mandatory Shopify compliance webhooks:

12.1 Customer Data Request (customers/data_request)

When a customer requests access to their data, Shopify notifies us. We compile all data we hold for that customer (loyalty records, churn scores, order-linked analytics) and provide it to the merchant within 30 days. The merchant is responsible for delivering the data to the customer and for verifying the requester's identity.

12.2 Customer Data Erasure (customers/redact)

When a merchant or customer requests deletion of customer data, Shopify notifies us. We permanently delete all records associated with that customer ID from our database within 30 days.

12.3 Shop Data Erasure (shop/redact)

Within 48 hours of a merchant uninstalling Daima, Shopify notifies us. We permanently delete all data associated with that shop (widget settings, analytics, loyalty tiers, subscriber records, affiliate records, gift records, churn scores, session data) within 30 days.

13. Your Rights Under GDPR (EU/EEA/UK)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your data ("right to be forgotten")
  • Right to restriction — request that we limit how we process your data
  • Right to data portability — request your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, withdraw at any time
  • Rights related to automated decision-making — see Section 5 (Churn Prediction)

Lawful basis for processing: contract performance (delivering the App functionality you installed), legitimate interest (improving and securing the App), and legal obligation (complying with Shopify platform requirements and applicable law).

If you are an end-customer of a merchant who uses Daima, contact the merchant directly to exercise your rights — the merchant is the data controller. If you are a merchant exercising rights regarding your own information, or if a merchant has not responded to your request, contact us at [email protected].

Right to lodge a complaint: you have the right to lodge a complaint with your local data protection supervisory authority. We do not have a designated EU representative or Data Protection Officer at this time, as we do not meet the threshold criteria under GDPR Articles 27 and 37.

14. Your Rights Under CCPA/CPRA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know — request disclosure of the categories and specific pieces of personal information we collect
  • Right to delete — request deletion of your personal information
  • Right to correct — request correction of inaccurate personal information
  • Right to opt-out — opt out of the "sale" or "sharing" of personal information
  • Right to limit use of sensitive personal information — Daima does not collect sensitive personal information as defined by CPRA

We do not sell or share personal information as those terms are defined by the CCPA/CPRA. We do not engage in cross-context behavioral advertising.

Categories of personal information collected:

  • Identifiers (shop domain, Shopify customer IDs, affiliate emails)
  • Commercial information (subscription order data for billing, loyalty tier records)
  • Internet or other electronic network activity (aggregated widget analytics)
  • Inferences (churn risk scores, derived from the above)

Non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.

If you are an end-customer of a merchant, contact the merchant directly. Otherwise, to submit a request, contact [email protected]. We will verify your identity before responding.

15. Your Rights Under Other Applicable Privacy Laws

We comply with all applicable U.S. state privacy laws, including but not limited to those in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Indiana (INCDPA), Iowa (ICDPA), Tennessee (TIPA), Montana (MCDPA), Oregon (OCPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Kentucky, Maryland (MODPA), Minnesota (MCDPA), Rhode Island, and any state or jurisdiction that adopts similar legislation. Residents of these states may have rights to access, delete, correct, and opt out of certain data processing activities. Quebec residents have rights under Law 25, and Brazilian residents have rights under the LGPD. To exercise any rights, contact us at [email protected].

16. Children's Privacy

Daima is a business-to-business application intended for use by Shopify merchants. We do not knowingly collect personal information from children under the age of 13 (or 16 in the EEA, where applicable). If we learn that we have collected data from a child without verification of parental consent, we will promptly delete it. Merchants are responsible for ensuring their own compliance with children's privacy laws (including COPPA in the United States) for any subscriber relationships with minors.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this document and provide reasonable notice to active merchants via email or in-app notification. Continued use of Daima after changes take effect constitutes acceptance of the updated Policy.

18. Contact Us

For privacy-related questions, data subject rights requests, or compliance inquiries:

ThePulse Creative Solutions LLC
Email: [email protected]

For general support questions about the App, email [email protected].

For Shopify platform-related privacy inquiries, you may also contact Shopify directly at [email protected].


This Privacy Policy is designed to comply with Shopify App Store requirements, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), other applicable U.S. state privacy laws, and similar laws in jurisdictions where our merchants operate.

© 2026 ThePulse Creative Solutions LLC. All rights reserved.