Mavira Logo

Privacy Policy

Mavira AI LLC — Mavira Referral Tracker (Shopify App)

Effective Date: 2026-06-06

Last Updated: 2026-06-06

1. Overview

This Privacy Policy describes how Mavira AI LLC ("Mavira," "we," "us," or "our") collects, uses, shares, and protects data through our Shopify application, Mavira Referral Tracker (the "App"), distributed via the Shopify App Store and hosted at shop-app.maviraai.com. The App is the partner-facing counterpart to the consumer-facing Mavira service at maviraai.com, which matches a shopper's outfit style to products sold by participating merchants and links those shoppers to those merchants' Shopify stores.

The App exists to do two things on the merchant side:

  • Attribute orders.Identify, after the fact, which orders placed in the merchant's Shopify store originated from a shopper who arrived via a Mavira referral link.
  • Bill commissions on those attributed orders through Shopify. The App creates a Shopify-managed recurring app subscription with usage-based pricing, and submits a "usage record" to Shopify for each attributed order so that Shopify itself collects the commission from the merchant on Mavira's behalf.

This policy explains our data practices. Your use of the App is also governed by our Terms of Service. In this policy, "Merchant" refers to the Shopify store operator who has installed the App, and "end customer" refers to a visitor to the Merchant's store who may have arrived via a Mavira referral link.

The App does not monitor or collect data about general traffic on the Merchant's Shopify store; only visitors who arrived via a Mavira referral link are within scope of our end-customer data collection.

2. Roles and Scope

There are three parties whose data is relevant to this policy:

  • End customer.A consumer who clicks a Mavira referral link and may or may not place an order on the Merchant's Shopify store. The App's interaction with this person is limited to (a) a single first-party browser cookie carrying a pseudonymous referral code, set only where consent permits (see Section 4), and (b) limited per-order data observed after the order is placed (see Section 3.1).
  • Merchant. The owner of the Shopify store that has installed the App and has, or intends to enter, a referral partnership with Mavira. The Merchant approves the Shopify-managed subscription and is the party billed for commissions.
  • Mavira AI LLC. The App developer and the operator of the referral platform.

Roles under applicable data protection laws (e.g., GDPR, UK GDPR):

  • For the mavira_refcookie that Mavira places via the App's theme extension, Mavira acts as the data controller.
  • For the per-order data we receive from Shopify on the Merchant's behalf, Mavira acts as a data processor and the Merchant acts as the data controller.
  • For Merchant business data (contact details, subscription metadata, and the commission ledger described in Section 3.2), Mavira acts as a data controller with respect to its own commercial relationship with the Merchant.

3. What Data We Collect

This section enumerates every category of data the App collects, stores, or processes. For the purposes of transparency required by Shopify's app developer privacy requirements, this covers data collected (a) through Shopify's APIs, (b) directly from the Merchant, and (c) directly from end customers of the Merchant.

3.1 End-customer data

The App collects only the following data about end customers, and only in connection with a "qualifying purchase." A qualifying purchase is one made by a visitor who arrived at the Merchant's Shopify store via a link from the Mavira website, identified via URL parameters set by Mavira at the time of referral.

Cookie data (set in the end customer's browser):

  • A single first-party cookie named mavira_ref containing a pseudonymous referral code (alphanumeric, no more than 64 characters), set on the Merchant's storefront for up to 90 days from the date of the visitor's initial referral visit. The cookie is set only where the applicable consent signal permits it, or where no consent framework is detected on the storefront (see Section 4). A browser Global Privacy Control (GPC) signal overrides all of the foregoing: where GPC is present, no cookie is set and any existing mavira_ref cookie is deleted, regardless of any other consent signal (see Section 4).

Per-order data (collected after a qualifying purchase, from Shopify):

  • Shopify-assigned order ID, human-readable order name (e.g., "#1042"), and confirmation number.
  • The referral code that attributed the order (as carried through Shopify cart attributes and line-item properties).
  • Pre-tax/pre-shipping order amount (the subtotal before taxes and shipping fees).
  • Total order amount (including taxes and shipping).
  • Currency in which the transaction was processed.
  • Timestamp the order was placed.
  • Shop domain (the Shopify store from which the purchase originated) and Mavira's internal partner identifier for that Merchant.

Customer-data-request payloads (handled in transit only, not stored):

Where Shopify delivers a customers/data_request webhook, the payload itself may include an end customer's email address as provided by Shopify. That email transits our infrastructure only for the purpose of acknowledging the webhook, locating matching records, and forwarding those records to Mavira's operations team for delivery to the Merchant; it is not written to our database. See Section 10 for the full webhook handling description.

What we do not collect about end customers:We do not collect, transmit, or store an end customer's name, billing or shipping address, IP address, payment details, device fingerprint, or any browsing activity beyond what is required to identify the referral and the resulting qualifying purchase. The mavira_ref cookie carries only a pseudonymous referral code.

3.2 Merchant business data

Distinct from end-customer data, the App also stores the following Merchant business data — collected either from the Merchant directly during onboarding or from Shopify in connection with the App installation and the recurring app subscription described in our Terms of Service:

Partner record (one row per Merchant):

  • Internal numeric identifier for the partner.
  • Partner display name.
  • Merchant business contact email (used as the recipient for the operational emails described in Section 5).
  • Partner's marketing website URL (used for referral attribution; distinct from the Shopify store URL).
  • Immutable Shopify shop identifier (the numeric shop ID assigned by Shopify) — the canonical join key, which is robust to Merchant shop renames.
  • Mutable Shopify shop domain (the <store>.myshopify.comdomain), kept current via Shopify's shop/update webhook for human-readable logging and emails.
  • Shopify-assigned identifiers for the recurring app subscription (created when the Merchant approves the subscription during the App's in-app onboarding flow, rather than automatically at installation) and for the usage-based line item within that subscription.
  • Subscription status (one of pending_install, trial, active, cancelled, or frozen).
  • Current per-period billing cap (in USD), reflecting the cap most recently approved by the Merchant.
  • Applicable commission percentage (default 4%).
  • Trial end date and subscription-creation anchor date (used to align billing cycles).
  • A timestamp used internally to debounce cap-raise notifications (no more than one per 24 hours per Merchant).
  • Operational and idempotency metadata used to run the App reliably and to avoid duplicate actions, none of which contains end-customer data: a record of any cap raise awaiting Merchant approval (the Shopify-hosted approval URL and the proposed new cap amount, kept separate from the approved cap); the Shopify-hosted approval URL for a subscription that has been created but not yet approved, stored so the App can re-present Shopify's approval page to the Merchant during onboarding; a history of the Merchant's prior recurring app subscriptions, retained across reinstalls and restarts for billing reconciliation; markers indicating whether the trial-ending and first-commission emails have been sent; timestamps recording the Merchant's progress through the App's in-app onboarding (when the Merchant acknowledged the introductory step, attested that the storefront tracker has been enabled, and viewed the completion screen); timestamps recording the storefront enablement check described in Section 4.3 (when the check last ran for the store, and, where applicable, when the tracker was first observed to be disabled); and a throttle timestamp limiting how often order discovery is auto-triggered on dashboard load (see Section 4.2).

Commission ledger (one row per attributed order):

  • Reference to the Merchant.
  • Shopify order identifier and human-readable order name.
  • Pre-tax order amount, currency, the commission rate applied, and two distinct commission figures: the net commission currently owedfor the order (recomputed as the order's current subtotal changes — see Section 4.2), and the cumulative amount actually charged to Shopify for that order (which only ever increases, because Shopify usage records cannot be reversed).
  • Lifecycle status (one of accrued_trial, billable, invoiced, paid, refunded, or failed).
  • Once submitted to Shopify, the Shopify-assigned usage-record identifier.
  • The referral code that attributed the order.
  • Timestamps for when the order was placed, when our system recorded the commission, when the usage record was submitted to Shopify, when the commission was last reconciled to the order's current state, and when the commission was refunded (where applicable).
  • A JSON audit trail recording each reconciliation event applied to the order (e.g., a partial refund or an order edit), and a small JSON metadata field used to record failure reasons (e.g., why a usage-record submission was rejected).

A uniqueness constraint on (partner, Shopify order ID) ensures that no Merchant can be billed more than once for the same order through the App.

Commission-credit ledger (one row per un-recoverable over-charge):

Because Shopify does not permit reversing a usage record once submitted, where an order shrinks below the amount already charged for it (for example, a partial refund, a downward order edit, or a cancellation of an already-billed order), the App records the difference as an internal partner creditand applies it against the Merchant's future commission charges (see Section 4.2 and our Terms of Service). Each credit row contains only an internal partner reference, the originating Shopify order identifier, the currency, the credit amount and how much of it has been consumed, the reason for the credit, an idempotency key preventing duplicate credits, and timestamps. It contains no end-customer data beyond the order identifier and order amounts already described above.

Merchant-level commission aggregate (one row per Merchant per currency):

  • An internal partner identifier, the running aggregate commission total per currency, and an internal accounting snapshot identifier used for idempotency.

This aggregate contains no shop identifier, no end-customer data, and no per-order detail.

Shopify OAuth session tokensare held by the standard Shopify session-storage adapter, backed by our Postgres database on Supabase (in a database schema separate from the App's business data), for the purpose of authenticating App requests to the Shopify API. They are deleted when the App is uninstalled.

4. How We Collect Data

4.1 Referral cookie

When a visitor arrives at a Merchant's Shopify store via a Mavira referral URL (which carries a query parameter identifying the referral), a theme app extension that Merchants install into their storefront reads that parameter, validates it, and stores a 90-day first-party cookie named mavira_refin the visitor's browser. While the cookie is present, the extension carries the referral code through the Shopify cart and onto the resulting order via Shopify cart attributes and a hidden line-item property, so the referral code survives Shopify checkout and ends up on the order.

The App is designed to respect end-visitor privacy decisions. It integrates with Shopify's Customer Privacy API to read buyer consent signals, and it sets the mavira_ref cookie only where the applicable consent signal permits it. Where consent is required and not given, no cookie is set and no attribution occurs.

Global Privacy Control (GPC) overrides everything. If the visitor's browser sends a Global Privacy Control signal (navigator.globalPrivacyControl), the App treats this as a definitive instruction not to track: it does not set the mavira_ref cookie, deletes any existing mavira_ref cookie, and stops carrying the referral code through the cart and onto the order for that page view. A GPC signal takes precedence over all other consent signals — including an explicit grant communicated through the Customer Privacy API — and is not re-enabled if consent is later granted during the session.

Where no consent framework is detected on the storefront (specifically, where the Customer Privacy API does not load within a short timeout) and no GPC signal is present, the App sets the cookie. This is a deliberate design choice so that attribution continues to function for Merchants that have not deployed a consent surface; the App does not itself determine the visitor's jurisdiction or whether a consent framework is legally required there. The Merchant is responsible for deploying and correctly configuring a consent-management framework on its storefront (including via Shopify's Customer Privacy API) so that the applicable consent signal is presented to the App in accordance with the laws of its customers' jurisdictions. Mavira honors whatever consent signal the storefront surfaces (and always honors GPC), but it relies on the Merchant to put the correct consent infrastructure in place; see Section 11.3 and our Terms of Service for the allocation of responsibility between Mavira and the Merchant in this respect.

Visitors who arrive at the Merchant's storefront through any other channel are not tracked by the App in any way.

4.2 Order data

After a qualifying purchase is completed, the App identifies and records the order through the following complementary mechanisms:

  • Primary path (real-time webhook).The App subscribes to Shopify's orders/create webhook. When the webhook fires for a paid order, the App inspects the order for a Mavira referral code and, if found, records the order in our database and (where the Merchant is past their trial — see Section 7) submits the corresponding usage record to Shopify.
  • Safety-net polling. A periodic background poll (approximately every 5 minutes per shop) queries the Shopify Admin API for recently paid orders. This serves as a backstop if a webhook is delivered late, dropped, or otherwise missed.
  • Dashboard-load poll.When a Merchant opens the App's embedded dashboard, the App may run the same recent-orders query as the safety-net poll, throttled to at most once every approximately 5 minutes per shop. This is an additional trigger for the same query against the same data; it does not collect any new category of data.

Either path may detect a given order first; a database uniqueness constraint ensures that no order is recorded more than once. Orders without a Mavira referral are disregarded and not stored.

An order's commission is a live figure, not a one-time snapshot. After an order is first recorded, the App keeps the commission reconciled to the order's current state. The App subscribes to Shopify's orders/updated, refunds/create, and orders/cancelled webhooks; when an order is edited, partially or fully refunded, or cancelled, the App re-reads the order's current subtotal from Shopify and recomputes the commission accordingly. This can reduce the commission (a partial refund or downward edit) or increase it (an upward edit), and may result in an additional charge or in an internal credit applied against future charges, as described in our Terms of Service. No new category of end-customer data is collected in the course of this reconciliation.

All incoming Shopify webhook payloads — including but not limited to those described in this policy — are verified using Shopify's HMAC-signature mechanism before any processing. Requests with an invalid signature are rejected.

4.3 Storefront enablement check

Separately from the end-customer data described above, and in order to detect a configuration problem rather than to collect any end-customer data, the App performs an automated daily check of whether the App's referral tracker is actually switched on in the Merchant's storefront theme. Enabling the tracker is a step the Merchant completes during onboarding by self-attestation (the Merchant confirms that it has switched the theme app embed on); this check verifies that attestation on an ongoing basis, because a tracker that has been switched off silently stops all referral attribution for the Merchant.

Once per day, for each Merchant whose subscription is in a trial or active state, the App makes a single unauthenticated HTTP request to the Merchant's own public storefront homepage and inspects the returned page to determine whether the tracker asset is present. The request follows ordinary redirects and identifies itself with a descriptive User-Agent (MaviraTrackerCheck/1.0 (+https://www.maviraai.com)).

This check is directed only at the Merchant's own publicly available storefront. It does not collect, receive, or store any end-customer data, and it makes no request to any third party (it is therefore not a new sub-processor and does not change where data is processed). The App does not store the storefront's page content, its URL, or any other part of the response; it records only (a) a timestamp of when the check last ran for the store and (b), where the tracker is found to be absent, a timestamp marking when it was first observed to be disabled (cleared once the tracker is seen again or once the Merchant confirms re-enablement). A store that is password-protected, unreachable, or otherwise returns an inconclusive result is never treated as disabled. These two timestamps are Merchant business data and are described in Section 3.2.

Where the check finds the tracker disabled, the App shows the Merchant an in-product prompt to re-enable it, explains that no commissions are recorded while the tracker is switched off, and sends an internal operational alert to Mavira's operations team (see Sections 5 and 9). The allocation of responsibility, as between Mavira and the Merchant, for keeping the tracker enabled is addressed in our Terms of Service.

5. How We Use Your Data

We use the data described in Section 3 for the following purposes, and no others:

  • To identify and report qualifying purchases attributed to Mavira referral traffic.
  • To provide the Merchant with reporting on attributed sales through the App's embedded admin interface.
  • To calculate, and to keep reconciled to each order's current state, the commission amounts owed by the Merchant to Mavira in respect of attributed sales — including recomputing a commission when an order is edited, refunded, or cancelled, and netting any resulting over-charge against the Merchant's future commissions — in accordance with the commission structure approved by the Merchant when subscribing to the App.
  • To submit usage records to Shopify so that Shopify bills the Merchant on Mavira's behalf via the Merchant's Shopify-managed recurring app subscription.
  • To check, once per day, whether the App's referral tracker remains enabled on the Merchant's storefront, and to prompt the Merchant to re-enable it where it is not, as described in Section 4.3.
  • To send operational and transactional emails to the Merchant in connection with the App and the subscription, including (i) cap-raise approval requests, (ii) cap-raise approval confirmations, (iii) trial-ending reminders, (iv) first-commission notices, and (v) confirmations relating to uninstallation and data deletion. These are not marketing emails.
  • To send internal operational alerts to Mavira's operations team, including notifications of subscription declines, failures to create a subscription, unknown-partner installs, uninstallations, data-handling failures, detections that a Merchant's storefront tracker has been disabled, and uninstallations that occur while the Merchant still holds an unused commission credit.
  • To respond to data-subject and Merchant data requests, including those received via Shopify's mandatory GDPR compliance webhooks (Section 10).
  • To comply with legal obligations, enforce our agreements, and protect against fraud, abuse, or unauthorized use of the App.

We do not use the collected data for advertising, third-party marketing, profiling, automated decision-making producing legal or similarly significant effects, or any purpose beyond those listed above.

6. Data Sharing and Disclosure

6.1 Merchant access to attributed-sales data

Merchants can view data about orders attributed to their own store, and the resulting commissions, through the App's embedded admin interface. This is the only routine flow of data back to Merchants from the App, and it is limited to data associated with that Merchant's store.

6.2 Sub-processors

We use the following third-party service providers ("sub-processors") to process data on our behalf in connection with the App. Each sub-processor receives only the data needed to perform its specific function and is subject to written terms requiring it to protect that data.

Sub-processorFunctionData processedRegion
SupabaseManaged Postgres database; system of record for everything the App persistsAll App business data described in Section 3 (partner records, commission ledger, commission-credit ledger, sales records, merchant-level aggregates, deletion-job coordination records) in one database schema, and the Shopify OAuth session tokens in a separate database schema within the same Supabase project.United States
VercelApplication hosting and request routing; runs the App's server runtime at shop-app.maviraai.comData in transit only (Vercel does not have direct access to our database).United States
ShopifyOAuth provider, webhook source, and the billing platform through which Mavira charges the MerchantSubscription state, usage-record submissions (one per attributed order), and the data required to operate Shopify's billing for the Merchant. Shopify is also the source of all order data the App receives.As specified in Shopify's privacy policy
ResendOutbound transactional email provider (an essential dependency; the App will not operate without it)Recipient address, subject line, and body of each outbound email described in Section 5; in the case of forwarding a Shopify customers/data_requestto Mavira operations, this includes the requesting end customer's email address as it appears in the Shopify-provided webhook payload, plus matching per-order records. Resend handles email in transit; we do not rely on Resend for long-term storage.United States

The Shopify OAuth session store described in Section 3.2 is held in our Postgres database on Supabase, in a database schema separate from the App's business data. Supabase is therefore the sub-processor for the session tokens as well; no separate sub-processor is involved in storing them.

If we change our sub-processors, we will update this section, and — for material changes affecting data location, security posture, or categories of data processed — provide notice in accordance with Section 14.

6.3 No sale; no third-party marketing

We do not sell, rent, or share data with any third party for advertising, marketing, profiling, or any purpose other than those described in this policy. We do not share end-customer personal data for cross-context behavioral advertising.

6.4 Legal disclosures

We may disclose data if we are required to do so by law, regulation, or valid legal process (such as a court order or subpoena), or where we believe in good faith that disclosure is necessary to protect our rights, the rights of Merchants or end customers, or the integrity of the App.

6.5 Business transfers

If Mavira undergoes a merger, acquisition, sale of substantially all of its assets, financing, reorganization, or similar transaction, Merchant and end-customer data may be transferred to the successor or affiliated entity as part of that transaction. We will require any such successor to honor the commitments in this policy or provide affected parties with notice and an opportunity to object before any change in data handling takes effect, as required by applicable law.

7. Data Storage, Security, and Retention

7.1 Storage and security

All App business data is stored on Supabase (United States region). Supabase employs industry-standard security practices including encryption in transit (TLS) and at rest. Access to production data is restricted to authorized personnel and to the App itself via a server-side service-role credential. Shopify OAuth tokens are held by the Shopify-recommended session-storage adapter, backed by the same Supabase Postgres project as the business data but kept in a separate database schema; they are deleted on uninstall.

All webhook endpoints validate Shopify's HMAC signature before processing the payload, and reject requests with an invalid signature. Inbound and outbound traffic between the App, Shopify, Supabase, Resend, and the Merchant's browser is transmitted over TLS.

7.2 Retention periods

DataRetention
Per-order data (the sales and commissions tables)Up to approximately 24 months from the order date, while the App remains installed on the Merchant's store. The commissions row now also carries the cumulative amount charged to Shopify, a per-order reconciliation audit trail, and the time of last reconciliation; these are subject to the same 24-month retention. See Section 7.3.
Commission-credit ledger (the commission_credits table)A credit row is retained until consumed by future charges, and is retained thereafter for audit purposes. It carries no end-customer identity (only an order identifier and amounts). An outstanding (unused) credit at uninstall is retained so it can be settled or, on reinstall, reused; it is removed via the deletion paths in Sections 7.4 and 10 (uninstall deletion, customers/redact, and shop/redact).
Merchant-level commission aggregate (the billing table)Up to seven (7) years, for internal accounting, tax, and dispute-resolution purposes. Contains no end-customer data, no per-order detail, and no shop identifier.
Partner record (the partners table)Retained while the App is installed on the Merchant's store. On uninstall, the Merchant's subscription status is updated to cancelled and the record is retained for audit purposes, subject to deletion upon Merchant request as described in Section 8.
Shopify OAuth session tokensDeleted immediately upon receipt of Shopify's app/uninstalled webhook.
Deletion-job coordination records (the pending_deletions table)Retained only until the corresponding deletion job completes, then routinely garbage-collected.

7.3 Rolling purge and aggregate-then-delete invariant

On a rolling weekly basis, per-order data older than approximately 24 months is purged. Because the purge runs weekly, individual records may persist for up to approximately seven days past the 24-month mark before they are processed.

Every code path that removes per-order data first folds the commission totals into the Merchant-level aggregate described above. That aggregation and the per-order deletion occur in a single database transaction, so the per-order data cannot be deleted without the corresponding commission being preserved in aggregate. The aggregate row contains only Mavira's internal identifier for the Merchant, the summed commission amount, and the currency — no shop domain, no order identifiers, and no end-customer data.

7.4 Deletion on uninstall

If a Merchant uninstalls the App, the following occurs:

  • Immediately on receipt of Shopify's app/uninstalledwebhook, the App deletes the Merchant's OAuth session tokens, marks the partner record's subscription status as cancelled (which causes background jobs such as cap-raise checks and trial-ending emails to stop touching that record), schedules per-order data deletion for approximately 36 hours later, and sends an internal notification email to Mavira operations.
  • Approximately 36 hours after uninstall, a scheduled deletion job folds the Merchant's per-order data into the Merchant-level aggregate (Section 7.3) and deletes the per-order rows.
  • Approximately 48 hours after uninstall, Shopify delivers a shop/redact webhook as a GDPR safety net. On receipt, the App deletes any per-order data that the scheduled 36-hour job has not already removed.

In all cases, per-order data is deleted within thirty (30) days of uninstall, as required by Shopify. The Merchant-level aggregate is retained as described in Section 7.2. Where the Merchant uninstalls while still holding an unused commission credit, the App notifies Mavira's operations team and retains the credit-ledger row (which contains no end-customer identity) so that the credit can be settled out of band or reused if the Merchant reinstalls; that ledger row is removed by the deletion paths described above and in Section 10.

7.5 Breach notification

In the event of a personal data breach affecting Merchant or end-customer data processed through the App, we will notify affected Merchants without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with applicable law.

8. Merchant Data Rights and Deletion Requests

As a Merchant using the App, you have the right to:

  • Request a copy of the data we hold associated with your store, including the partner record, per-order data, and commission ledger entries.
  • Request correction of any inaccurate data.
  • Request deletion of data associated with your store. The deletion timelines described in Section 7.4 apply to deletion requests concerning App data.
  • Request restriction of how we process your data, subject to the limits of what is necessary to continue providing the App.
  • Object to processing of your data based on Mavira's legitimate interests, where such a right applies under applicable law.

To exercise any of these rights, contact us at team@maviraai.com. We will acknowledge requests within thirty (30) days, and deletion timelines specifically are as described in Section 7.4.

End-customer requests.End customers (visitors who made a purchase through a Mavira-referred link) may request access to or deletion of their order data either by (a) submitting a request through the Merchant, who can forward it via Shopify's standardized customer data request flow (see Section 10), or (b) emailing team@maviraai.com directly with their order number. We will locate and delete (or, where the request is for access, forward to the relevant Merchant) any associated data within thirty (30) days.

9. Outbound Communications

The App may send the following operational and transactional emails. All such emails are sent via Resend (see Section 6.2) from a single sender, Mavira Referral Tracker <notifications@maviraai.com>. None of these emails is marketing.

To the Merchant (sent to the Merchant business contact email on file):

  • Cap-raise approval request— When the Merchant's accrued commissions cross 80% of the current Shopify billing cap, an email containing a Shopify-hosted approval URL is sent so the Merchant can authorize a higher cap. The same Merchant will not receive more than one such email per 24-hour period.
  • Cap-raise confirmation — When Shopify confirms that a new cap has been approved, an email confirms the new amount and notes any previously-failed commissions retried under the new cap.
  • Trial-ending reminder— Approximately 14 days before the Merchant's trial period ends, an email notifies the Merchant of the trial-end date.
  • First-commission notice — When the first post-trial commission for that Merchant is successfully submitted to Shopify, an email notes the amount and order.

To Mavira operations (sent to team@maviraai.com):

  • Internal alerts relating to subscription declines, failures to create a subscription, unknown-partner installations, uninstallations, deletion-scheduling failures, customer-data-request webhooks, detections that a Merchant's storefront tracker has been disabled or could not be verified, and uninstallations that occur while a Merchant still holds an unused commission credit (so it can be settled out of band).

Transactional email is a required dependency of the App: the App will not start without its email provider configured, and a failed send surfaces as an error rather than being silently dropped. Merchants who notice they are not receiving expected operational emails should contact Mavira support at business@maviraai.com.

10. Shopify Mandatory Compliance Webhooks

In accordance with Shopify's privacy requirements, the App subscribes to and responds to Shopify's three mandatory GDPR compliance webhooks. Each incoming request is verified using Shopify's HMAC signature; requests with an invalid signature are rejected with a 401 response. Requests with a valid signature are acknowledged with a 200 response and processed within 30 days.

The data the App stores is keyed by Shopify order ID and shop identifier (see Section 3). When a compliance webhook references specific orders, the App locates and acts on the matching records in both the per-order data set (sales) and the commission ledger (commissions).

customers/data_request

The payload includes the resource IDs of customer orders for which data has been requested and, in some cases, the requesting customer's email address as provided by Shopify. The App acknowledges receipt with a 200 response, then queries its database for any per-order and commission records associated with those order IDs in the requesting shop's data set. The matching records (and the customer's email address as provided in the webhook payload, where included) are routed to Mavira's operations team at team@maviraai.com, which forwards the data to the Merchant within 30 days for delivery to the requesting customer. The data forwarded to the Merchant consists of, for each matching order: order ID, order name, confirmation number, referral code, subtotal, total, currency, and timestamp; and, where applicable, the corresponding commission amount and lifecycle status. Mavira's internal partner identifier is not included. The shop domain is not included because the request is inherently scoped to the requesting shop. If no matching records exist, the response to the Merchant confirms that no referral-attributed sales were recorded for those orders. The Merchant remains the data controller and is responsible for delivering the data to the requesting customer.

customers/redact

The payload includes the resource IDs of customer orders for which deletion has been requested. The App acknowledges receipt with a 200 response, then for each matching record (in both the sales and commissions tables) folds the commission totals into the Merchant-level aggregate described in Section 7.3 and deletes the underlying per-order record. Aggregation and deletion occur in a single database transaction, so per-order data cannot be deleted without the corresponding commission being preserved at the Merchant level. If no matching records exist, the App takes no action beyond acknowledgment. After redaction, the App holds no record connecting the customer to the order — only the merchant-level aggregate, which carries no customer identifier or per-order detail. Where a record is subject to a separate legal retention obligation, only the minimum required portion is retained, and only for the minimum duration required.

shop/redact

Shopify sends this webhook approximately 48 hours after a Merchant uninstalls the App. On receipt, the App verifies the HMAC signature and deletes any per-order data still associated with that shop. In practice, most such data has already been deleted by the scheduled 36-hour deletion job described in Section 7.4; shop/redact serves as a safety net that ensures any records the scheduled job did not remove are deleted at this point. In all cases, per-order data associated with the shop is removed within 30 days of uninstall, as Shopify requires. The only data retained beyond this deletion is the Merchant-level aggregate described in Section 7, which carries no shop identifier or end-customer data and is retained for up to seven (7) years for accounting and dispute-resolution purposes.

End customers who wish to request access to or deletion of their attribution data outside the Merchant-driven Shopify webhook flow may also email team@maviraai.com directly with their order number, as described in Section 8.

11. GDPR and International Compliance

If you or your customers are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with a comprehensive data protection regime, you may have additional rights under the General Data Protection Regulation (GDPR), the UK GDPR, or comparable laws.

11.1 Roles

As described in Section 2, our role under GDPR differs by data type:

  • Cookie data (Mavira as controller). For the mavira_refcookie that Mavira places via the App's theme extension, Mavira acts as the data controller. Our lawful basis for this limited processing is legitimate interest (Art. 6(1)(f) GDPR) in accurately attributing sales conversions to Mavira referral traffic, balanced against the limited and pseudonymous nature of the data, the cookie's strict purpose limitation, and the consent gate provided by Shopify's Customer Privacy API. Where consent is the applicable lawful basis under local law, the cookie is set only where consent is given through the Customer Privacy API.
  • Order data (Mavira as processor).For per-order data processed on behalf of Merchants, Mavira acts as a data processor and the Merchant acts as the data controller. We process such data only in accordance with the Merchant's instructions (including by virtue of the Merchant's installation and continued use of the App), as described in this policy and our Terms of Service, and as set out in any Data Processing Agreement in effect between Mavira and the Merchant.
  • Merchant business data (Mavira as controller). For data we hold about the Merchant itself (including the partner record, subscription metadata, and commission ledger) as part of our own commercial relationship with the Merchant, Mavira acts as a data controller.

11.2 Data-subject rights

We honor data-subject requests submitted to us directly, and will respond within thirty (30) days as described in Section 8. Where Mavira is a processor, we will refer end-customer requests to the relevant Merchant (the controller) and assist that Merchant in responding.

11.3 Cookie consent

We make an effort to respect end-visitor privacy decisions. The mavira_refcookie described in Section 4 is set on the Merchant's storefront only where the applicable consent signal (as communicated via Shopify's Customer Privacy API) permits it, or where no consent framework is detected on the storefront. A Global Privacy Control (GPC) signal from the visitor's browser overrides all other signals: where GPC is present, no cookie is set, any existing mavira_ref cookie is deleted, and no referral attribution occurs, regardless of any consent granted through the Customer Privacy API. The cookie is limited in scope, persists for 90 days, and is used for no purpose other than referral attribution.

The App does not perform geolocation or determine the visitor's jurisdiction; it acts on the consent signal the storefront surfaces (and always on GPC). The Merchant is responsible for deploying and correctly configuring a consent-management framework on its storefront — including via Shopify's Customer Privacy API where applicable — so that the consent signals required in its customers' jurisdictions are presented to the App. Where a Merchant fails to do so, the App's "no framework detected" behavior may result in the cookie being set in circumstances where the Merchant's own legal obligations would have required consent. As further set out in our Terms of Service, responsibility for obtaining and surfacing legally required end-customer consent rests with the Merchant, and Mavira is not responsible, as between Mavira and the Merchant, for a breach of privacy or data-protection law that results from the Merchant's failure to put adequate consent infrastructure in place. Nothing in this paragraph limits any non-waivable rights of end customers under applicable law or Mavira's own obligations as a controller of the mavira_ref cookie (Section 11.1).

11.4 Data minimization

We collect only the minimum data necessary to fulfill the referral tracking, commission calculation, and Shopify-managed billing purposes described in this policy. No additional data fields are collected beyond those listed in Section 3.

11.5 International data transfers

All App business data is stored on Supabase in the United States. The App's server runtime (Vercel) and our outbound email provider (Resend) are also based in the United States. If you or your customers are located in the EEA, the UK, or another jurisdiction with cross-border transfer restrictions, your data may be transferred to and processed in the United States.

Each of our US-based sub-processors maintains GDPR-compliant transfer arrangements and relies on appropriate safeguards for cross-border transfers, including Standard Contractual Clauses (SCCs) as approved by the European Commission and, where applicable, the UK International Data Transfer Addendum. We periodically review our sub-processors' transfer documentation to confirm continuing adequacy.

11.6 Data Processing Agreement

A Data Processing Agreement (DPA) governing Mavira's role as processor is available upon request by contacting team@maviraai.com, and applies to any Merchant acting as a data controller regardless of location.

11.7 Right to lodge a complaint

EEA-based and UK-based Merchants and their customers have the right to lodge a complaint with their local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu; the UK's authority is the Information Commissioner's Office (ico.org.uk). We encourage you to contact us at team@maviraai.com first so we can attempt to resolve any concerns directly.

12. California Privacy Rights (CCPA / CPRA)

If you or your customers are California residents, you have specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

Categories of personal information collected

In the twelve (12) months prior to the effective date of this policy, we have collected the following categories of personal information as defined by the CCPA:

  • Identifiers — limited to a pseudonymous referral cookie identifier, Shopify order identifiers, Merchant business contact email, and Mavira-assigned internal identifiers.
  • Commercial information — order subtotals, totals, currency, and the commission amounts calculated from them.
  • Internet or other network activity information — referral source and timestamps relating to qualifying purchases.

We do not collect any other categories of personal information, including sensitive personal information.

Sources and purpose

This information is collected from the Merchant's Shopify store via the Shopify API, from the Merchant during onboarding, and from the end customer's browser (cookie only). It is used solely for the referral-attribution, commission-calculation, Shopify-managed billing, and operational-communication purposes described in Section 5.

No sale or sharing of personal information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not sold or shared personal information in the preceding twelve (12) months. Notwithstanding that position, the App honors the Global Privacy Control (GPC) signal — which is recognized under California law as an opt-out-of-sale/sharing preference signal — by suppressing referral attribution and the mavira_ref cookie entirely whenever GPC is present (see Section 4.1). We treat a GPC signal as a definitive opt-out instruction even though we do not consider our limited, pseudonymous referral processing to constitute a sale or a share.

Your rights

California residents have the right to know what personal information is collected, to request deletion, to request correction, to opt out of sale or sharing (we do not sell or share as those terms are defined under the CCPA, but we nonetheless honor the GPC opt-out signal as described above), to limit the use of sensitive personal information (not applicable, as we collect none), and to non-discrimination for exercising these rights. To exercise any of these rights, contact us at team@maviraai.com. California enforcement of these rights is shared between the California Privacy Protection Agency (CPPA) and the California Attorney General.

13. Children's Privacy

The App is intended solely for use by Shopify Merchants and is not directed at or designed for use by children. We do not knowingly collect any data from children under the age of 13, or under the applicable minimum age in the visitor's jurisdiction (which may be as high as 16 in certain EEA member states). If you believe that a child has provided data through the App, please contact us at team@maviraai.com and we will promptly delete any such data.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — such as expansions in the types of data we collect, new purposes for which we use data, additions of sub-processors that change where or how data is processed, or changes to the retention periods in Section 7 — we will provide at least thirty (30) days' notice before the updated policy takes effect, via the Shopify App Store, the App interface, and by email to the address associated with the Merchant's Shopify account where practical. For non-material changes (such as clarifications, typographical corrections, or formatting changes), we will update the effective date without advance notice. The updated policy will include a revised effective date, and the prior version will be made available upon request.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Mavira AI LLC

Registered Office: 16192 Coastal Highway, Lewes, Delaware 19958, County of Sussex

Website: maviraai.com

Privacy inquiries: team@maviraai.com

Commercial / partnership inquiries: business@maviraai.com

Privacy Contact (Voluntary)

While not required to do so under applicable law, Mavira AI LLC has voluntarily designated a privacy contact to oversee data protection matters:

Aubrey Stevens — aubrey@maviraai.com

GDPR Representative

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our GDPR representative and your point of contact for the following regions:

  • United Kingdom (UK), under UK GDPR Article 27
  • European Union (EU), under GDPR Article 27

Prighter gives you an easy way to exercise your privacy-related rights (e.g., requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit: https://app.prighter.com/portal/maviraai.