Privacy Policy
Last updated: 2026-05-30
This Privacy Policy describes how Promolexa (“we”, “us”, or “our”) collects, uses, and shares information when you install and use the Promolexa app (“the Service”) in your Shopify store.
1. Who We Are
Promolexa is a Shopify app that generates AI-powered marketing content (launch announcements, social posts, health scores, competitor alerts) for merchants. Contact: support@promolexa.com.
2. Information We Collect
When you install Promolexa, we collect data necessary to operate the Service:
- Shop information: your
.myshopify.comdomain, shop email (from Shopify Admin), shop name and locale. - Product catalog data: product titles, descriptions, images, vendor, type, price, and Shopify GIDs of products you select to generate kits for.
- Order data (read to compute aggregates): to produce your Health Score, our server reads your store’s orders for the most recent calendar month via the Shopify Admin API — including each order’s total, traffic source, line items (product, quantity, price), and the customer reference and lifetime order-count attached to the order. We use this data only to calculate aggregate metrics (total revenue, average order value, repeat-customer rate, top products, top traffic sources), and we store only those aggregates — never the underlying orders, line items, or customer references. We never access payment or card data.
- OAuth tokens: if you connect Facebook, Instagram, X, or LinkedIn via the Connections page, we store the access and refresh tokens, AES-256-GCM-encrypted at rest with a key separate from the database.
- Content you generate: AI-generated launch kit emails, social posts, descriptions, Health Score recommendations, competitor counter-campaigns, and any hero images you generate via Replicate. Hero images are hosted on Vercel Blob and accessible at the URLs we surface in the app.
- Activity logs: records of every email sent and every social post published from the Service — recipient address, subject, timestamp, status (sent/failed), and platform-specific post IDs. Used to populate your “Recent sends” and “Recent posts” UI panels.
- Competitor URLs: the public website URLs you add as competitors. We scrape only publicly accessible HTML.
3. Information We Do NOT Collect
- Individual customer contact details (names, emails, phone numbers, shipping addresses) or payment/card data — we never request or store these.
- We do not retain raw orders, line items, or per-customer records after computing your monthly aggregates; only the resulting Health Score metrics are stored.
- Anything outside your own Shopify store.
- Browser fingerprints or analytics tracking on your storefront.
4. How We Use Information
- To generate marketing content via large language models (currently Llama 3.3 70B via Groq).
- To generate hero images via Replicate (Flux Schnell).
- To send emails on your behalf via Resend, using the recipient list you provide.
- To publish to Facebook, Instagram, X, or LinkedIn on your behalf, only when you have explicitly OAuth-connected the platform and clicked the post button.
- To monitor competitor websites weekly via static-HTML scraping (Cheerio).
- To compute monthly Health Scores and surface AI recommendations.
- To audit emails sent and posts published, so you can see your activity history in the app.
We do not sell or rent your data, and we do not use your shop’s data to train AI models. The LLM inference providers we use (Groq, Replicate) are configured to not retain your prompts beyond the immediate inference request — see their respective privacy policies.
5. Sub-processors
We rely on the following third parties to operate the Service. Each is bound by their own privacy and security commitments:
| Provider | Purpose | Region |
|---|---|---|
| Shopify | Source of all merchant data; embedded app host | Global |
| Vercel | Application hosting | US East (iad1) |
| Neon | PostgreSQL database | US East (us-east-1) |
| Resend | Email delivery | US East (us-east-1) |
| Groq | AI text generation (LLM inference) | US |
| Replicate | AI image generation | US |
| Vercel Blob | Generated image storage | US East |
| Sentry | Error and performance monitoring (no PII) | EU or US |
| Meta (Facebook, Instagram) | Social posting — only on your OAuth connection | Global |
| X (Twitter) | Social posting — only on your OAuth connection (currently disabled in Promolexa) | Global |
| Social posting — only on your OAuth connection | Global |
6. Data Retention
- While installed: we retain your data as long as the Service is active in your store.
- On uninstall: Shopify fires the
shop/redactwebhook 48 hours after you uninstall. On receipt, we cascade-delete all your data (products, launch kits, health scores, competitors, alerts, integrations, audit logs, sessions) from our database. Generated images on Vercel Blob are also removed. - Audit logs: we retain
EmailSendandSocialPostrows for up to 12 months after they are written, for support and dispute resolution purposes. These rows are subject to the same cascade-delete on uninstall.
7. GDPR Rights (and Equivalent Rights in Other Jurisdictions)
If you are located in the EU, UK, or another region with comparable privacy laws, you have the right to:
- Access your data — request a portable copy via support@promolexa.com.
- Rectify inaccurate data — contact support@promolexa.com.
- Delete your data — uninstall the app and your data is removed within 48 hours; or request immediate deletion via support.
- Object to processing — uninstall the app stops all processing.
- Withdraw consent for OAuth-connected platforms — disconnect them on the Connections page.
For customer data requests: because we do not collect individual customer PII, if a customer requests data deletion via Shopify’s customers/data_request or customers/redact webhook, we have no customer-level data to provide or delete. We respond with HTTP 200 acknowledging the request.
8. Security
- OAuth tokens for connected social platforms are AES-256-GCM-encrypted at rest.
- All database connections use TLS.
- All Sub-processor communication uses HTTPS / TLS.
- The encryption key is stored in our hosting provider’s secret management, separate from the database.
- We rotate API keys after any suspected exposure.
We cannot guarantee absolute security on the Internet. If we become aware of a breach affecting your data, we will notify you within 72 hours per GDPR requirements.
9. International Transfers
Your data is processed in the United States (Vercel, Neon, Resend, Groq, Replicate, Vercel Blob). If you are located outside the US, by installing Promolexa you consent to this transfer.
10. Children’s Privacy
The Service is intended for businesses and is not designed for or directed at children under 16. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via in-app notice or email at least 30 days before they take effect.
12. Contact
For privacy questions, data requests, or complaints: support@promolexa.com
If you are located in the EU and believe we are not adequately addressing your concerns, you have the right to lodge a complaint with your national data protection authority.