Privacy Policy
Last updated: May 2026. This Privacy Policy describes how WishPoint (WishPoint, referred to as we, us, or our) collects, uses, and protects information obtained through the WishPoint Shopify application.
1. Information We Collect
When you install WishPoint, we access data from your Shopify store through the official Shopify Admin API. Specifically, we collect:
Merchant Data (Shop-level)
- Shop domain, name, and currency settings
- Theme data (to detect app embed and block installation status)
- Order history (to calculate points earned per purchase)
- Products and collections metadata (for wishlist goal eligibility)
- Discount codes (created and managed for reward redemption)
- Draft orders (used to apply reward discounts at checkout)
Customer Data (Shopper-level)
- Shopify customer ID, email address, and name
- Points balance, total points earned, and total points redeemed
- Wishlist goals: product ID, title, price, and progress metrics
- Order IDs linked to point-earning events (for idempotency)
- Email engagement timestamps (e.g., last nudge email sent)
Technical / Operational Data
Standard request metadata — including IP addresses, user agent strings, and timestamps — is processed by our infrastructure and error-monitoring providers for security, reliability, and performance purposes. This data is not linked to individual end-customers in our database.
Data Written to Shopify Customer Metafields
WishPoint writes the following data to Shopify customer metafields so it can be accessed by theme extensions and checkout extensions without an additional API call:
wishpoint.points_data— Points balance and historywishpoint.wishlist— Current wishlist goalwishpoint.settings— Cached display settings (currency name, brand color)
2. How We Use Your Data
Data collected by WishPoint is used exclusively to operate and improve the app:
- To calculate and award points when orders are placed or updated
- To track customer wishlist goals and progress
- To generate and apply personalised reward discount codes
- To send transactional and engagement email notifications
- To display analytics dashboards to the merchant
- To power the storefront widget and checkout extension UI
We do not sell, rent, or share your data or your customers' data with third parties for advertising, profiling, or any purpose unrelated to operating the WishPoint service.
3. Data Storage, Security, and Sub-processors
All data is stored in an encrypted PostgreSQL database hosted on Neon (US region), a managed database provider with industry-standard security controls including encryption at rest and in transit. All communication between WishPoint, Shopify, and our database is protected by HTTPS/TLS.
To operate the service, WishPoint shares limited data with the following sub-processors. Each processor handles only the data necessary for its function.
Each sub-processor operates under its own privacy policy and data processing agreement. We vet sub-processors for adequate security controls and limit data transfer to what is strictly necessary.
4. GDPR, CCPA, and Data Subject Rights
WishPoint is compliant with Shopify's mandatory privacy webhook requirements. The following webhooks are handled automatically:
customers/data_requestCustomer Data RequestWhen a customer requests a copy of their data held by your store, WishPoint logs the request and exports all associated points history, wishlist goals, and email timestamps for that customer ID.
customers/redactCustomer Data ErasureWhen a customer requests deletion, WishPoint anonymises and removes all personal data for that customer ID. Points history aggregates may be retained in anonymised form for analytics integrity.
shop/redactShop Data ErasureWhen a merchant uninstalls WishPoint and requests full data deletion, all shop records, customer records, and associated metafield data are permanently deleted within 30 days.
To submit a data deletion or export request directly, email us at [email protected]. We will respond within 30 days.
5. Cookies and Tracking
We do not use advertising pixels or third-party analytics/tracking scripts.
- Admin app — uses Shopify's secure HTTP-only session cookie for authentication. Sentry is loaded for error and performance monitoring; it does not use persistent cookies and does not track visitors across sites.
- Marketing website — embeds a Chatbase support chat widget. Chatbase may set a functional cookie to maintain chat session continuity between page loads. No personal data is collected via chat unless you voluntarily submit it.
- Storefront widget — does not set any cookies. Uses
localStorageonly to store the customer's open/closed widget state locally in their browser.
6. Data Retention
Merchant and customer data is retained for as long as WishPoint is installed on your Shopify store. If you uninstall the app, data will be purged within 30 days unless you've submitted an earlier deletion request. Backup snapshots (if any) are deleted on the same schedule.
7. Children's Privacy
WishPoint is a B2B service intended for Shopify merchants. We do not knowingly collect personal information from individuals under 16 years of age. If you believe a minor's data has been submitted, please contact us and we will delete it promptly.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we'll update the "Last updated" date at the top of the page. Material changes will be communicated to active merchants via the WishPoint admin dashboard.
9. Contact Us
For privacy inquiries, data requests, or questions about this policy, please contact: