
Mavira AI LLC — Mavira Referral Tracker (Shopify App)
Effective Date: 2026-06-06
Last Updated: 2026-06-06
This Privacy Policy describes how Mavira AI LLC ("Mavira," "we," "us," or "our") collects, uses, shares, and protects data through our Shopify application, Mavira Referral Tracker (the "App"), distributed via the Shopify App Store and hosted at shop-app.maviraai.com. The App is the partner-facing counterpart to the consumer-facing Mavira service at maviraai.com, which matches a shopper's outfit style to products sold by participating merchants and links those shoppers to those merchants' Shopify stores.
The App exists to do two things on the merchant side:
This policy explains our data practices. Your use of the App is also governed by our Terms of Service. In this policy, "Merchant" refers to the Shopify store operator who has installed the App, and "end customer" refers to a visitor to the Merchant's store who may have arrived via a Mavira referral link.
The App does not monitor or collect data about general traffic on the Merchant's Shopify store; only visitors who arrived via a Mavira referral link are within scope of our end-customer data collection.
There are three parties whose data is relevant to this policy:
Roles under applicable data protection laws (e.g., GDPR, UK GDPR):
mavira_refcookie that Mavira places via the App's theme extension, Mavira acts as the data controller.This section enumerates every category of data the App collects, stores, or processes. For the purposes of transparency required by Shopify's app developer privacy requirements, this covers data collected (a) through Shopify's APIs, (b) directly from the Merchant, and (c) directly from end customers of the Merchant.
The App collects only the following data about end customers, and only in connection with a "qualifying purchase." A qualifying purchase is one made by a visitor who arrived at the Merchant's Shopify store via a link from the Mavira website, identified via URL parameters set by Mavira at the time of referral.
Cookie data (set in the end customer's browser):
mavira_ref containing a pseudonymous referral code (alphanumeric, no more than 64 characters), set on the Merchant's storefront for up to 90 days from the date of the visitor's initial referral visit. The cookie is set only where the applicable consent signal permits it, or where no consent framework is detected on the storefront (see Section 4). A browser Global Privacy Control (GPC) signal overrides all of the foregoing: where GPC is present, no cookie is set and any existing mavira_ref cookie is deleted, regardless of any other consent signal (see Section 4).Per-order data (collected after a qualifying purchase, from Shopify):
Customer-data-request payloads (handled in transit only, not stored):
Where Shopify delivers a customers/data_request webhook, the payload itself may include an end customer's email address as provided by Shopify. That email transits our infrastructure only for the purpose of acknowledging the webhook, locating matching records, and forwarding those records to Mavira's operations team for delivery to the Merchant; it is not written to our database. See Section 10 for the full webhook handling description.
What we do not collect about end customers:We do not collect, transmit, or store an end customer's name, billing or shipping address, IP address, payment details, device fingerprint, or any browsing activity beyond what is required to identify the referral and the resulting qualifying purchase. The mavira_ref cookie carries only a pseudonymous referral code.
Distinct from end-customer data, the App also stores the following Merchant business data — collected either from the Merchant directly during onboarding or from Shopify in connection with the App installation and the recurring app subscription described in our Terms of Service:
Partner record (one row per Merchant):
<store>.myshopify.comdomain), kept current via Shopify's shop/update webhook for human-readable logging and emails.pending_install, trial, active, cancelled, or frozen).Commission ledger (one row per attributed order):
accrued_trial, billable, invoiced, paid, refunded, or failed).A uniqueness constraint on (partner, Shopify order ID) ensures that no Merchant can be billed more than once for the same order through the App.
Commission-credit ledger (one row per un-recoverable over-charge):
Because Shopify does not permit reversing a usage record once submitted, where an order shrinks below the amount already charged for it (for example, a partial refund, a downward order edit, or a cancellation of an already-billed order), the App records the difference as an internal partner creditand applies it against the Merchant's future commission charges (see Section 4.2 and our Terms of Service). Each credit row contains only an internal partner reference, the originating Shopify order identifier, the currency, the credit amount and how much of it has been consumed, the reason for the credit, an idempotency key preventing duplicate credits, and timestamps. It contains no end-customer data beyond the order identifier and order amounts already described above.
Merchant-level commission aggregate (one row per Merchant per currency):
This aggregate contains no shop identifier, no end-customer data, and no per-order detail.
Shopify OAuth session tokensare held by the standard Shopify session-storage adapter, backed by our Postgres database on Supabase (in a database schema separate from the App's business data), for the purpose of authenticating App requests to the Shopify API. They are deleted when the App is uninstalled.
When a visitor arrives at a Merchant's Shopify store via a Mavira referral URL (which carries a query parameter identifying the referral), a theme app extension that Merchants install into their storefront reads that parameter, validates it, and stores a 90-day first-party cookie named mavira_refin the visitor's browser. While the cookie is present, the extension carries the referral code through the Shopify cart and onto the resulting order via Shopify cart attributes and a hidden line-item property, so the referral code survives Shopify checkout and ends up on the order.
The App is designed to respect end-visitor privacy decisions. It integrates with Shopify's Customer Privacy API to read buyer consent signals, and it sets the mavira_ref cookie only where the applicable consent signal permits it. Where consent is required and not given, no cookie is set and no attribution occurs.
Global Privacy Control (GPC) overrides everything. If the visitor's browser sends a Global Privacy Control signal (navigator.globalPrivacyControl), the App treats this as a definitive instruction not to track: it does not set the mavira_ref cookie, deletes any existing mavira_ref cookie, and stops carrying the referral code through the cart and onto the order for that page view. A GPC signal takes precedence over all other consent signals — including an explicit grant communicated through the Customer Privacy API — and is not re-enabled if consent is later granted during the session.
Where no consent framework is detected on the storefront (specifically, where the Customer Privacy API does not load within a short timeout) and no GPC signal is present, the App sets the cookie. This is a deliberate design choice so that attribution continues to function for Merchants that have not deployed a consent surface; the App does not itself determine the visitor's jurisdiction or whether a consent framework is legally required there. The Merchant is responsible for deploying and correctly configuring a consent-management framework on its storefront (including via Shopify's Customer Privacy API) so that the applicable consent signal is presented to the App in accordance with the laws of its customers' jurisdictions. Mavira honors whatever consent signal the storefront surfaces (and always honors GPC), but it relies on the Merchant to put the correct consent infrastructure in place; see Section 11.3 and our Terms of Service for the allocation of responsibility between Mavira and the Merchant in this respect.
Visitors who arrive at the Merchant's storefront through any other channel are not tracked by the App in any way.
After a qualifying purchase is completed, the App identifies and records the order through the following complementary mechanisms:
orders/create webhook. When the webhook fires for a paid order, the App inspects the order for a Mavira referral code and, if found, records the order in our database and (where the Merchant is past their trial — see Section 7) submits the corresponding usage record to Shopify.Either path may detect a given order first; a database uniqueness constraint ensures that no order is recorded more than once. Orders without a Mavira referral are disregarded and not stored.
An order's commission is a live figure, not a one-time snapshot. After an order is first recorded, the App keeps the commission reconciled to the order's current state. The App subscribes to Shopify's orders/updated, refunds/create, and orders/cancelled webhooks; when an order is edited, partially or fully refunded, or cancelled, the App re-reads the order's current subtotal from Shopify and recomputes the commission accordingly. This can reduce the commission (a partial refund or downward edit) or increase it (an upward edit), and may result in an additional charge or in an internal credit applied against future charges, as described in our Terms of Service. No new category of end-customer data is collected in the course of this reconciliation.
All incoming Shopify webhook payloads — including but not limited to those described in this policy — are verified using Shopify's HMAC-signature mechanism before any processing. Requests with an invalid signature are rejected.
Separately from the end-customer data described above, and in order to detect a configuration problem rather than to collect any end-customer data, the App performs an automated daily check of whether the App's referral tracker is actually switched on in the Merchant's storefront theme. Enabling the tracker is a step the Merchant completes during onboarding by self-attestation (the Merchant confirms that it has switched the theme app embed on); this check verifies that attestation on an ongoing basis, because a tracker that has been switched off silently stops all referral attribution for the Merchant.
Once per day, for each Merchant whose subscription is in a trial or active state, the App makes a single unauthenticated HTTP request to the Merchant's own public storefront homepage and inspects the returned page to determine whether the tracker asset is present. The request follows ordinary redirects and identifies itself with a descriptive User-Agent (MaviraTrackerCheck/1.0 (+https://www.maviraai.com)).
This check is directed only at the Merchant's own publicly available storefront. It does not collect, receive, or store any end-customer data, and it makes no request to any third party (it is therefore not a new sub-processor and does not change where data is processed). The App does not store the storefront's page content, its URL, or any other part of the response; it records only (a) a timestamp of when the check last ran for the store and (b), where the tracker is found to be absent, a timestamp marking when it was first observed to be disabled (cleared once the tracker is seen again or once the Merchant confirms re-enablement). A store that is password-protected, unreachable, or otherwise returns an inconclusive result is never treated as disabled. These two timestamps are Merchant business data and are described in Section 3.2.
Where the check finds the tracker disabled, the App shows the Merchant an in-product prompt to re-enable it, explains that no commissions are recorded while the tracker is switched off, and sends an internal operational alert to Mavira's operations team (see Sections 5 and 9). The allocation of responsibility, as between Mavira and the Merchant, for keeping the tracker enabled is addressed in our Terms of Service.
We use the data described in Section 3 for the following purposes, and no others:
We do not use the collected data for advertising, third-party marketing, profiling, automated decision-making producing legal or similarly significant effects, or any purpose beyond those listed above.
6.1 Merchant access to attributed-sales data
Merchants can view data about orders attributed to their own store, and the resulting commissions, through the App's embedded admin interface. This is the only routine flow of data back to Merchants from the App, and it is limited to data associated with that Merchant's store.
6.2 Sub-processors
We use the following third-party service providers ("sub-processors") to process data on our behalf in connection with the App. Each sub-processor receives only the data needed to perform its specific function and is subject to written terms requiring it to protect that data.
| Sub-processor | Function | Data processed | Region |
|---|---|---|---|
| Supabase | Managed Postgres database; system of record for everything the App persists | All App business data described in Section 3 (partner records, commission ledger, commission-credit ledger, sales records, merchant-level aggregates, deletion-job coordination records) in one database schema, and the Shopify OAuth session tokens in a separate database schema within the same Supabase project. | United States |
| Vercel | Application hosting and request routing; runs the App's server runtime at shop-app.maviraai.com | Data in transit only (Vercel does not have direct access to our database). | United States |
| Shopify | OAuth provider, webhook source, and the billing platform through which Mavira charges the Merchant | Subscription state, usage-record submissions (one per attributed order), and the data required to operate Shopify's billing for the Merchant. Shopify is also the source of all order data the App receives. | As specified in Shopify's privacy policy |
| Resend | Outbound transactional email provider (an essential dependency; the App will not operate without it) | Recipient address, subject line, and body of each outbound email described in Section 5; in the case of forwarding a Shopify customers/data_requestto Mavira operations, this includes the requesting end customer's email address as it appears in the Shopify-provided webhook payload, plus matching per-order records. Resend handles email in transit; we do not rely on Resend for long-term storage. | United States |
The Shopify OAuth session store described in Section 3.2 is held in our Postgres database on Supabase, in a database schema separate from the App's business data. Supabase is therefore the sub-processor for the session tokens as well; no separate sub-processor is involved in storing them.
If we change our sub-processors, we will update this section, and — for material changes affecting data location, security posture, or categories of data processed — provide notice in accordance with Section 14.
6.3 No sale; no third-party marketing
We do not sell, rent, or share data with any third party for advertising, marketing, profiling, or any purpose other than those described in this policy. We do not share end-customer personal data for cross-context behavioral advertising.
6.4 Legal disclosures
We may disclose data if we are required to do so by law, regulation, or valid legal process (such as a court order or subpoena), or where we believe in good faith that disclosure is necessary to protect our rights, the rights of Merchants or end customers, or the integrity of the App.
6.5 Business transfers
If Mavira undergoes a merger, acquisition, sale of substantially all of its assets, financing, reorganization, or similar transaction, Merchant and end-customer data may be transferred to the successor or affiliated entity as part of that transaction. We will require any such successor to honor the commitments in this policy or provide affected parties with notice and an opportunity to object before any change in data handling takes effect, as required by applicable law.
All App business data is stored on Supabase (United States region). Supabase employs industry-standard security practices including encryption in transit (TLS) and at rest. Access to production data is restricted to authorized personnel and to the App itself via a server-side service-role credential. Shopify OAuth tokens are held by the Shopify-recommended session-storage adapter, backed by the same Supabase Postgres project as the business data but kept in a separate database schema; they are deleted on uninstall.
All webhook endpoints validate Shopify's HMAC signature before processing the payload, and reject requests with an invalid signature. Inbound and outbound traffic between the App, Shopify, Supabase, Resend, and the Merchant's browser is transmitted over TLS.
| Data | Retention |
|---|---|
Per-order data (the sales and commissions tables) | Up to approximately 24 months from the order date, while the App remains installed on the Merchant's store. The commissions row now also carries the cumulative amount charged to Shopify, a per-order reconciliation audit trail, and the time of last reconciliation; these are subject to the same 24-month retention. See Section 7.3. |
Commission-credit ledger (the commission_credits table) | A credit row is retained until consumed by future charges, and is retained thereafter for audit purposes. It carries no end-customer identity (only an order identifier and amounts). An outstanding (unused) credit at uninstall is retained so it can be settled or, on reinstall, reused; it is removed via the deletion paths in Sections 7.4 and 10 (uninstall deletion, customers/redact, and shop/redact). |
Merchant-level commission aggregate (the billing table) | Up to seven (7) years, for internal accounting, tax, and dispute-resolution purposes. Contains no end-customer data, no per-order detail, and no shop identifier. |
Partner record (the partners table) | Retained while the App is installed on the Merchant's store. On uninstall, the Merchant's subscription status is updated to cancelled and the record is retained for audit purposes, subject to deletion upon Merchant request as described in Section 8. |
| Shopify OAuth session tokens | Deleted immediately upon receipt of Shopify's app/uninstalled webhook. |
Deletion-job coordination records (the pending_deletions table) | Retained only until the corresponding deletion job completes, then routinely garbage-collected. |
On a rolling weekly basis, per-order data older than approximately 24 months is purged. Because the purge runs weekly, individual records may persist for up to approximately seven days past the 24-month mark before they are processed.
Every code path that removes per-order data first folds the commission totals into the Merchant-level aggregate described above. That aggregation and the per-order deletion occur in a single database transaction, so the per-order data cannot be deleted without the corresponding commission being preserved in aggregate. The aggregate row contains only Mavira's internal identifier for the Merchant, the summed commission amount, and the currency — no shop domain, no order identifiers, and no end-customer data.
If a Merchant uninstalls the App, the following occurs:
app/uninstalledwebhook, the App deletes the Merchant's OAuth session tokens, marks the partner record's subscription status as cancelled (which causes background jobs such as cap-raise checks and trial-ending emails to stop touching that record), schedules per-order data deletion for approximately 36 hours later, and sends an internal notification email to Mavira operations.shop/redact webhook as a GDPR safety net. On receipt, the App deletes any per-order data that the scheduled 36-hour job has not already removed.In all cases, per-order data is deleted within thirty (30) days of uninstall, as required by Shopify. The Merchant-level aggregate is retained as described in Section 7.2. Where the Merchant uninstalls while still holding an unused commission credit, the App notifies Mavira's operations team and retains the credit-ledger row (which contains no end-customer identity) so that the credit can be settled out of band or reused if the Merchant reinstalls; that ledger row is removed by the deletion paths described above and in Section 10.
In the event of a personal data breach affecting Merchant or end-customer data processed through the App, we will notify affected Merchants without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with applicable law.
As a Merchant using the App, you have the right to:
To exercise any of these rights, contact us at team@maviraai.com. We will acknowledge requests within thirty (30) days, and deletion timelines specifically are as described in Section 7.4.
End-customer requests.End customers (visitors who made a purchase through a Mavira-referred link) may request access to or deletion of their order data either by (a) submitting a request through the Merchant, who can forward it via Shopify's standardized customer data request flow (see Section 10), or (b) emailing team@maviraai.com directly with their order number. We will locate and delete (or, where the request is for access, forward to the relevant Merchant) any associated data within thirty (30) days.
The App may send the following operational and transactional emails. All such emails are sent via Resend (see Section 6.2) from a single sender, Mavira Referral Tracker <notifications@maviraai.com>. None of these emails is marketing.
To the Merchant (sent to the Merchant business contact email on file):
To Mavira operations (sent to team@maviraai.com):
Transactional email is a required dependency of the App: the App will not start without its email provider configured, and a failed send surfaces as an error rather than being silently dropped. Merchants who notice they are not receiving expected operational emails should contact Mavira support at business@maviraai.com.
In accordance with Shopify's privacy requirements, the App subscribes to and responds to Shopify's three mandatory GDPR compliance webhooks. Each incoming request is verified using Shopify's HMAC signature; requests with an invalid signature are rejected with a 401 response. Requests with a valid signature are acknowledged with a 200 response and processed within 30 days.
The data the App stores is keyed by Shopify order ID and shop identifier (see Section 3). When a compliance webhook references specific orders, the App locates and acts on the matching records in both the per-order data set (sales) and the commission ledger (commissions).
customers/data_request
The payload includes the resource IDs of customer orders for which data has been requested and, in some cases, the requesting customer's email address as provided by Shopify. The App acknowledges receipt with a 200 response, then queries its database for any per-order and commission records associated with those order IDs in the requesting shop's data set. The matching records (and the customer's email address as provided in the webhook payload, where included) are routed to Mavira's operations team at team@maviraai.com, which forwards the data to the Merchant within 30 days for delivery to the requesting customer. The data forwarded to the Merchant consists of, for each matching order: order ID, order name, confirmation number, referral code, subtotal, total, currency, and timestamp; and, where applicable, the corresponding commission amount and lifecycle status. Mavira's internal partner identifier is not included. The shop domain is not included because the request is inherently scoped to the requesting shop. If no matching records exist, the response to the Merchant confirms that no referral-attributed sales were recorded for those orders. The Merchant remains the data controller and is responsible for delivering the data to the requesting customer.
customers/redact
The payload includes the resource IDs of customer orders for which deletion has been requested. The App acknowledges receipt with a 200 response, then for each matching record (in both the sales and commissions tables) folds the commission totals into the Merchant-level aggregate described in Section 7.3 and deletes the underlying per-order record. Aggregation and deletion occur in a single database transaction, so per-order data cannot be deleted without the corresponding commission being preserved at the Merchant level. If no matching records exist, the App takes no action beyond acknowledgment. After redaction, the App holds no record connecting the customer to the order — only the merchant-level aggregate, which carries no customer identifier or per-order detail. Where a record is subject to a separate legal retention obligation, only the minimum required portion is retained, and only for the minimum duration required.
shop/redact
Shopify sends this webhook approximately 48 hours after a Merchant uninstalls the App. On receipt, the App verifies the HMAC signature and deletes any per-order data still associated with that shop. In practice, most such data has already been deleted by the scheduled 36-hour deletion job described in Section 7.4; shop/redact serves as a safety net that ensures any records the scheduled job did not remove are deleted at this point. In all cases, per-order data associated with the shop is removed within 30 days of uninstall, as Shopify requires. The only data retained beyond this deletion is the Merchant-level aggregate described in Section 7, which carries no shop identifier or end-customer data and is retained for up to seven (7) years for accounting and dispute-resolution purposes.
End customers who wish to request access to or deletion of their attribution data outside the Merchant-driven Shopify webhook flow may also email team@maviraai.com directly with their order number, as described in Section 8.
If you or your customers are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with a comprehensive data protection regime, you may have additional rights under the General Data Protection Regulation (GDPR), the UK GDPR, or comparable laws.
11.1 Roles
As described in Section 2, our role under GDPR differs by data type:
mavira_refcookie that Mavira places via the App's theme extension, Mavira acts as the data controller. Our lawful basis for this limited processing is legitimate interest (Art. 6(1)(f) GDPR) in accurately attributing sales conversions to Mavira referral traffic, balanced against the limited and pseudonymous nature of the data, the cookie's strict purpose limitation, and the consent gate provided by Shopify's Customer Privacy API. Where consent is the applicable lawful basis under local law, the cookie is set only where consent is given through the Customer Privacy API.11.2 Data-subject rights
We honor data-subject requests submitted to us directly, and will respond within thirty (30) days as described in Section 8. Where Mavira is a processor, we will refer end-customer requests to the relevant Merchant (the controller) and assist that Merchant in responding.
11.3 Cookie consent
We make an effort to respect end-visitor privacy decisions. The mavira_refcookie described in Section 4 is set on the Merchant's storefront only where the applicable consent signal (as communicated via Shopify's Customer Privacy API) permits it, or where no consent framework is detected on the storefront. A Global Privacy Control (GPC) signal from the visitor's browser overrides all other signals: where GPC is present, no cookie is set, any existing mavira_ref cookie is deleted, and no referral attribution occurs, regardless of any consent granted through the Customer Privacy API. The cookie is limited in scope, persists for 90 days, and is used for no purpose other than referral attribution.
The App does not perform geolocation or determine the visitor's jurisdiction; it acts on the consent signal the storefront surfaces (and always on GPC). The Merchant is responsible for deploying and correctly configuring a consent-management framework on its storefront — including via Shopify's Customer Privacy API where applicable — so that the consent signals required in its customers' jurisdictions are presented to the App. Where a Merchant fails to do so, the App's "no framework detected" behavior may result in the cookie being set in circumstances where the Merchant's own legal obligations would have required consent. As further set out in our Terms of Service, responsibility for obtaining and surfacing legally required end-customer consent rests with the Merchant, and Mavira is not responsible, as between Mavira and the Merchant, for a breach of privacy or data-protection law that results from the Merchant's failure to put adequate consent infrastructure in place. Nothing in this paragraph limits any non-waivable rights of end customers under applicable law or Mavira's own obligations as a controller of the mavira_ref cookie (Section 11.1).
11.4 Data minimization
We collect only the minimum data necessary to fulfill the referral tracking, commission calculation, and Shopify-managed billing purposes described in this policy. No additional data fields are collected beyond those listed in Section 3.
11.5 International data transfers
All App business data is stored on Supabase in the United States. The App's server runtime (Vercel) and our outbound email provider (Resend) are also based in the United States. If you or your customers are located in the EEA, the UK, or another jurisdiction with cross-border transfer restrictions, your data may be transferred to and processed in the United States.
Each of our US-based sub-processors maintains GDPR-compliant transfer arrangements and relies on appropriate safeguards for cross-border transfers, including Standard Contractual Clauses (SCCs) as approved by the European Commission and, where applicable, the UK International Data Transfer Addendum. We periodically review our sub-processors' transfer documentation to confirm continuing adequacy.
11.6 Data Processing Agreement
A Data Processing Agreement (DPA) governing Mavira's role as processor is available upon request by contacting team@maviraai.com, and applies to any Merchant acting as a data controller regardless of location.
11.7 Right to lodge a complaint
EEA-based and UK-based Merchants and their customers have the right to lodge a complaint with their local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu; the UK's authority is the Information Commissioner's Office (ico.org.uk). We encourage you to contact us at team@maviraai.com first so we can attempt to resolve any concerns directly.
If you or your customers are California residents, you have specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
Categories of personal information collected
In the twelve (12) months prior to the effective date of this policy, we have collected the following categories of personal information as defined by the CCPA:
We do not collect any other categories of personal information, including sensitive personal information.
Sources and purpose
This information is collected from the Merchant's Shopify store via the Shopify API, from the Merchant during onboarding, and from the end customer's browser (cookie only). It is used solely for the referral-attribution, commission-calculation, Shopify-managed billing, and operational-communication purposes described in Section 5.
No sale or sharing of personal information
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not sold or shared personal information in the preceding twelve (12) months. Notwithstanding that position, the App honors the Global Privacy Control (GPC) signal — which is recognized under California law as an opt-out-of-sale/sharing preference signal — by suppressing referral attribution and the mavira_ref cookie entirely whenever GPC is present (see Section 4.1). We treat a GPC signal as a definitive opt-out instruction even though we do not consider our limited, pseudonymous referral processing to constitute a sale or a share.
Your rights
California residents have the right to know what personal information is collected, to request deletion, to request correction, to opt out of sale or sharing (we do not sell or share as those terms are defined under the CCPA, but we nonetheless honor the GPC opt-out signal as described above), to limit the use of sensitive personal information (not applicable, as we collect none), and to non-discrimination for exercising these rights. To exercise any of these rights, contact us at team@maviraai.com. California enforcement of these rights is shared between the California Privacy Protection Agency (CPPA) and the California Attorney General.
The App is intended solely for use by Shopify Merchants and is not directed at or designed for use by children. We do not knowingly collect any data from children under the age of 13, or under the applicable minimum age in the visitor's jurisdiction (which may be as high as 16 in certain EEA member states). If you believe that a child has provided data through the App, please contact us at team@maviraai.com and we will promptly delete any such data.
We may update this Privacy Policy from time to time. For material changes — such as expansions in the types of data we collect, new purposes for which we use data, additions of sub-processors that change where or how data is processed, or changes to the retention periods in Section 7 — we will provide at least thirty (30) days' notice before the updated policy takes effect, via the Shopify App Store, the App interface, and by email to the address associated with the Merchant's Shopify account where practical. For non-material changes (such as clarifications, typographical corrections, or formatting changes), we will update the effective date without advance notice. The updated policy will include a revised effective date, and the prior version will be made available upon request.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Mavira AI LLC
Registered Office: 16192 Coastal Highway, Lewes, Delaware 19958, County of Sussex
Website: maviraai.com
Privacy inquiries: team@maviraai.com
Commercial / partnership inquiries: business@maviraai.com
Privacy Contact (Voluntary)
While not required to do so under applicable law, Mavira AI LLC has voluntarily designated a privacy contact to oversee data protection matters:
Aubrey Stevens — aubrey@maviraai.com
GDPR Representative
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our GDPR representative and your point of contact for the following regions:
Prighter gives you an easy way to exercise your privacy-related rights (e.g., requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit: https://app.prighter.com/portal/maviraai.
© 2026 Mavira AI LLC. All rights reserved.