Mavira Logo

Privacy Policy

Mavira AI LLC — Shopify App

Effective Date: 2026-05-11

Last Updated: 2026-05-11

1. Overview

This Privacy Policy describes how Mavira AI LLC ("we," "us," or "our") collects, uses, and protects data through our Shopify application (the "App"). The App is designed to track sales conversions that originate exclusively from traffic referred by the Mavira website (maviraai.com). The App does not monitor or collect data from general traffic on a Merchant's Shopify store — only visitors who arrived via a Mavira referral link are within scope.

This policy explains our data practices. Your use of the App is also governed by our Terms of Service. In this policy, "Merchant" refers to the Shopify store operator who has installed the App.

2. What Data We Collect

The App collects a limited, specific set of data — and only when a qualifying purchase occurs. A "qualifying purchase" is one made by a visitor who arrived at your Shopify store via a link from the Mavira website, identified via URL parameters set by Mavira at the time of referral. The App does not track, collect, or store any data related to orders from customers who did not originate from a Mavira referral link.

When a qualifying purchase is made, we collect the following data:

  • Timestamp — the date and time the purchase was completed
  • Shop domain — the Shopify store from which the purchase originated
  • Shopify order identifiers — the unique Order ID assigned by Shopify, along with the human-readable order name and confirmation number
  • Pseudonymous referral code — the value carried by the visitor's mavira_ref cookie at the time of purchase, used solely for attribution
  • Pre-tax / pre-shipping order amount — the subtotal before taxes and shipping fees
  • Total order amount — the final order total including taxes and shipping
  • Currency — the currency in which the transaction was processed
  • Internal partner identifier — Mavira's internal reference for the Merchant whose store originated the order

No Directly Identifying End-Customer Data Collected: We do not collect directly identifying information about the end customer, including name, email address, billing or shipping address, or payment details. The mavira_ref cookie described in Section 3 contains only a pseudonymous identifier used solely for attribution.

3. How We Collect Data

When a visitor arrives at a Merchant's Shopify store via a Mavira referral link, a cookie named mavira_refis set in the visitor's browser to identify them as a Mavira-referred visitor. This cookie persists for 90 daysfrom the date of the visitor's initial referral visit. It is used solely to attribute a subsequent purchase to Mavira's referral traffic. Visitors who arrive through any other channel are not tracked by the App in any way.

The App integrates with Shopify's Customer Privacy API to respect buyer consent signals. The mavira_refcookie is only set where the applicable consent signal permits it, or where no consent framework applies to the visitor's jurisdiction. Merchants are responsible for configuring their storefront's consent settings in accordance with applicable law.

Rather than relying on real-time event webhooks, the App uses a polling mechanism to periodically check for new orders and identify those attributable to Mavira referral traffic. Only orders associated with the mavira_ref cookie are processed. No data is collected or stored for any other orders.

4. How We Use Your Data

The data we collect is used exclusively to:

  • Track and report sales conversions attributable to Mavira referral traffic
  • Provide Merchants with accurate performance metrics for their Mavira partnership
  • Calculate any revenue-sharing or commission amounts, where applicable

We do not use the collected data for advertising, profiling, or any purpose beyond the referral tracking functionality described above.

5. Data Sharing and Disclosure

Merchants can view data about orders attributable to their own store through the App's reporting interface. This is the only routine flow of data back to Merchants, and it is limited to the per-order data described in Section 2 for orders originating from that Merchant's store.

We do not sell or rent your data. We do not share data with any other third parties for advertising, marketing, or any other purpose. We may disclose data if required to do so by law, regulation, or valid legal process (such as a court order or subpoena).

6. Data Storage and Security

All data collected by the App is stored securely on Supabase, a managed cloud database platform. Data is stored in the United States. Supabase employs industry-standard security practices including encryption at rest and in transit. Supabase is our sole third-party sub-processor for App data; no other third parties receive or process order data collected by the App.

Retention:We retain per-order data for approximately twenty-four (24) months from the date the order was recorded, while the App remains installed on your store. This retention period covers commission calculation, year-over-year partner reporting, and the resolution of billing disputes raised within the dispute window described in our Terms of Service. On a rolling weekly basis, per-order data older than approximately 24 months is aggregated into the merchant-level billing record described below — adding only Mavira's internal identifier for the Merchant and the summed commission amount per currency, with no order-level or end-customer detail — and the underlying per-order records are then deleted in the same database transaction. Because the purge runs weekly, individual records may persist for up to approximately seven days past the 24-month mark before they are processed.

If you uninstall the App, deletion is triggered by Shopify's app/uninstalled webhook (sent immediately on uninstall) and scheduled to complete within approximately 36 hours. As a safety net, Shopify also delivers a shop/redactwebhook approximately 48 hours after uninstall; on receipt, we delete any per-order data that the scheduled 36-hour job has not already removed. In all cases, deletion is completed within 30 days of uninstall as required by Shopify. Before per-order data is deleted, any commissions associated with those orders are added to the merchant-level billing record described below. That record contains only (a) Mavira's internal identifier for the Merchant (not the Shopify shop domain, store name, or any end-customer data) and (b) the aggregated amount of commissions owed by the Merchant to Mavira, plus the corresponding currency and an internal accounting key. The billing record is used solely for internal accounting, tax, and dispute-resolution purposes and is retained for up to seven (7) years.

You may also request deletion at any time by contacting team@maviraai.com. App-specific deletion timelines (as described above) apply to deletion requests concerning App data.

Breach Notification: In the event of a personal data breach affecting Merchant data, we will notify affected Merchants without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with applicable law.

7. How the App Accesses Order Data

The App uses a polling mechanism to access order data from the Shopify API on a periodic basis. This means the App periodically queries the Merchant's store for recent orders and checks whether any are associated with the mavira_ref cookie. Only orders that match a Mavira referral are recorded; all other order data is disregarded and not stored.

This polling approach does not require real-time event hooks and is limited in scope to identifying and recording qualifying conversions as described in this policy.

8. Shopify Mandatory Compliance Webhooks

In accordance with Shopify's privacy requirements, the App subscribes to and responds to Shopify's three mandatory GDPR compliance webhooks. Each incoming request is verified using Shopify's HMAC signature; requests with an invalid signature are rejected with a 401 response. Requests with a valid signature are acknowledged with a 200 response and processed within 30 days.

The data the App stores is keyed by Shopify order ID and shop domain (see Section 2). When a compliance webhook references specific orders, the App locates and acts on the matching records in our database.

customers/data_request

When Shopify delivers this webhook, the payload includes the resource IDs of customer orders for which data has been requested. The App acknowledges receipt with a 200 response, then queries its database for any per-order data associated with those order IDs in the requesting shop's data set. The matching records are routed to Mavira's privacy team at team@maviraai.com, which forwards the data to the Merchant within 30 days for delivery to the requesting customer. The data forwarded to the Merchant consists of the order ID, order name, confirmation number, referral code, subtotal, total, currency, and timestamp for each matching order. Mavira's internal partner identifier is not included, as it is an internal-only reference. The shop domain is not included in the forwarded data because the request is inherently scoped to the requesting shop. If no matching records exist, the response to the Merchant confirms that no referral-attributed sales were recorded for those orders. The Merchant remains the data controller and is responsible for delivering the data to the requesting customer.

customers/redact

When Shopify delivers this webhook, the payload includes the resource IDs of customer orders for which deletion has been requested. The App acknowledges receipt with a 200 response, then for each matching per-order record adds the commission to the merchant-level billing record described in Section 6 and deletes the underlying per-order record. Both steps occur in a single database transaction, so the per-order record cannot be deleted without the corresponding commission being preserved at the merchant level. If no matching records exist, the App takes no action beyond acknowledgment. After redaction, the App holds no record connecting the customer to the order — only the merchant-level commission aggregate, which carries no customer identifier or per-order detail. Where a record is subject to a separate legal retention obligation, only the minimum required portion is retained, and only for the minimum duration required.

shop/redact

Shopify sends this webhook approximately 48 hours after a Merchant uninstalls the App. On receipt, the App verifies the HMAC signature and deletes any per-order data still associated with that shop. In practice, most data is already gone by this point: when the Merchant first uninstalls, Shopify sends an app/uninstalledwebhook (delivered immediately) which triggers our scheduled deletion job to remove the shop's per-order data within approximately 36 hours. The shop/redact webhook serves as a safety net that ensures any records the scheduled job did not remove are deleted at this point. In all cases, per-order data associated with the shop is removed within 30 days of uninstall, as Shopify requires. The only data retained beyond this deletion is the aggregated internal billing record described in Section 6, which contains an internal partner ID and commission totals (no shop identifier and no end-customer data) and is retained for up to seven (7) years for accounting and dispute-resolution purposes.

End customers who wish to request access to or deletion of their attribution data outside the Merchant-driven Shopify webhook flow may also email team@maviraai.com directly with their order number, as described in Section 9.

9. Merchant Data Rights and Deletion Requests

As a Merchant using our App, you have the right to:

  • Request a copy of the data we hold associated with your store
  • Request correction of any inaccurate data
  • Request deletion of all data associated with your store
  • Request restriction of how we process your data

To exercise any of these rights, please send an email to team@maviraai.com. We will acknowledge requests within 30 days; deletion timelines specifically are as described in Section 6.

End Customer Requests: End customers (visitors who made a purchase through a Mavira-referred link) may also request deletion of their order data by emailing team@maviraai.com with their order number, or by submitting a request through the Merchant, who can forward it via Shopify's standardized customer data request process. We will locate and delete any associated data within 30 days.

10. GDPR and International Compliance

If you or your customers are located in the European Economic Area (EEA) or United Kingdom, you may have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR.

Our processing of end-customer personal data is limited to a pseudonymous cookie identifier and per-order data associated with referral-attributed purchases. We do not collect directly identifying information about end customers. Our role under GDPR differs depending on the type of data:

Cookie data (Mavira as controller)

For the mavira_ref cookie that Mavira places, Mavira acts as the data controller. Our lawful basis for this limited processing is legitimate interest in accurately attributing sales conversions to Mavira referral traffic.

Order data (Mavira as processor)

For per-order data processed on behalf of Merchants, Mavira acts as a data processor and the Merchant acts as the data controller. We process such data only in accordance with the Merchant's instructions and as described in this policy.

We are committed to honoring all data subject and merchant data requests submitted to us directly, and we will respond to such requests within 30 days as described in Section 9.

Cookie Consent

The mavira_refcookie described in Section 3 is set on the Merchant's storefront only where the applicable consent signal (as communicated via Shopify's Customer Privacy API) permits it, or where no consent framework applies to the visitor's jurisdiction. The cookie is limited in scope, persists for 90 days, and is used for no purpose other than referral attribution.

Data Minimization

We collect only the minimum data necessary to fulfill the referral tracking purpose described in this policy. No additional data fields are collected or stored beyond those listed in Section 2.

International Data Transfers

All data is stored on Supabase, which is based in the United States. If you or your customers are located in the EEA or UK, your data may be transferred to and stored in the US. Supabase maintains GDPR compliance and covers cross-border transfers under Standard Contractual Clauses (SCCs), providing appropriate safeguards for international data transfers.

Data Processing Agreement

A Data Processing Agreement (DPA) governing Mavira's role as processor is available upon request by contacting team@maviraai.com, and applies to any Merchant acting as a data controller regardless of location.

Right to Lodge a Complaint

EEA-based and UK-based merchants and their customers have the right to lodge a complaint with their local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu; the UK's authority is the Information Commissioner's Office (ico.org.uk). We encourage you to contact us at team@maviraai.com first so we can attempt to resolve any concerns directly.

11. California Privacy Rights (CCPA / CPRA)

If you or your customers are California residents, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information Collected

In the 12 months prior to the effective date of this policy, we have collected the following categories of personal information as defined by the CCPA: identifiers (limited to a pseudonymous referral cookie identifier and Shopify order ID); commercial information (order totals, subtotals, and currency); and internet or other network activity information (referral source and timestamp). We do not collect any other categories of personal information, including sensitive personal information.

Sources and Purpose

This information is collected from the Merchant's Shopify store via the Shopify API and from the end customer's browser (cookie). It is used solely for the referral attribution and commission-calculation purposes described in Section 4.

No Sale or Sharing of Personal Information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not sold or shared personal information in the preceding 12 months.

Your Rights

California residents have the right to know what personal information is collected, to request deletion, to request correction, to opt out of sale or sharing (not applicable, as we do neither), to limit the use of sensitive personal information (not applicable, as we collect none), and to non-discrimination for exercising these rights. To exercise any of these rights, contact us at team@maviraai.com. California enforcement of these rights is shared between the California Privacy Protection Agency (CPPA) and the California Attorney General.

12. Children's Privacy

The App is intended solely for use by Shopify merchants and is not directed at or designed for use by children. We do not knowingly collect any data from children under the age of 13, or under the applicable minimum age in the visitor's jurisdiction (which may be as high as 16 in certain EEA member states). If you believe that a child has provided data through the App, please contact us at team@maviraai.com and we will promptly delete any such data.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — such as expansions in the types of data we collect or new purposes for which we use data — we will provide at least 30 days' notice before the updated policy takes effect, via the Shopify App Store, the App interface, and by email to the address associated with the Merchant's Shopify account where practical. For non-material changes (such as clarifications or formatting), we will update the effective date without advance notice. The updated policy will include a revised effective date.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Mavira AI LLC

Registered Office: 16192 Coastal Highway, Lewes, Delaware 19958, County of Sussex

Website: maviraai.com

Privacy inquiries: team@maviraai.com

Commercial / partnership inquiries: business@maviraai.com

Privacy Contact (Voluntary)

While not required to do so under applicable law, Mavira AI LLC has voluntarily designated a privacy contact to oversee data protection matters:

Aubrey Stevens — aubrey@maviraai.com

GDPR Representative

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our GDPR representative and your point of contact for the following regions:

  • United Kingdom (UK), under UK GDPR Article 27
  • European Union (EU), under GDPR Article 27

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/maviraai

© 2026 Mavira AI LLC. All rights reserved.

Shopify App Terms of ServiceSite Privacy PolicySite Terms of ServiceCookie PolicyData DeletionMain Site