Spectrum Privacy Policy

Who We Are

Tectonic ("we," "us," "our") provides Spectrum, an AI-native growth platform for Shopify brands.

Tectonic Technologies Inc, 26 Cathy Lane, Oakland, CA 94619

Data protection contact: support@tectonic.so

For data we process on behalf of our merchant customers (e.g., their shoppers’ data), we act as a service provider / processor and our customer is the business / controller. We offer a separate Data Processing Addendum (DPA).

If you are a shopper and have questions about how your data was collected on a merchant’s storefront, please contact that merchant directly. Their privacy policy governs the collection of your data; we process it only under their instructions.

Scope

This policy covers personal data we process about:

• Site visitors (getspectrum.ai).

• Prospects and customers engaging with sales, support, or demos.

• Users of Spectrum products (e.g., merchant admins).

• End-customers of our merchants whose data we process to deliver our services (under our customers’ instructions).

What We Collect

A. Data You Provide

• Account and contact info: name, business email, phone, role, company.

• Merchant account setup: store URL, Shopify org ID, billing info (handled by our payment processor), usage preferences.

• Support and content: tickets, call recordings (where permitted), feedback, attachments.

B. Data We Collect Automatically

• Device/usage data: IP address, user-agent, time zone, pages visited, product features used, events (clicks, conversions), session diagnostics, performance logs.

• Cookies and similar technologies for session authentication, preferences, and analytics (see Section 11).

• Storefront interaction data: When our app is active on a merchant’s store, we collect browsing behavior (pages viewed, clicks), cart and purchase activity, session identifiers, and IP-derived approximate geolocation (city/region level) from the merchant’s shoppers. This data powers features the merchant has enabled (personalization, A/B testing, analytics). We do not place third-party advertising cookies on merchant storefronts.

C. Data from Integrations and Partners

Shopify and other platforms (per access scopes granted by the merchant): store metadata, products/collections, orders, carts, customers, discounts, webhooks, app events.

We request only the Shopify API access scopes necessary for our app to function. The specific data fields we receive depend on the scopes your admin approves during installation and can be reviewed or adjusted in Shopify’s app settings at any time. We comply with Shopify’s protected customer data requirements and do not attempt to circumvent PII access restrictions. Where our scopes include Shopify Protected Customer Data fields (such as name, email, phone, and address), our use of those fields is described in the “Shopify Protected Customer Data” section below.

How We Use Data

A. For Site Visitors, Prospects, and Product Users (Controller)

• Provide and secure the service; create/administer accounts; authenticate sessions.

• Billing and account communications; respond to inquiries; provide support.

• Improve product performance and features; debug and prevent abuse.

• Marketing with consent or where permitted by law (opt-out anytime).

B. For Merchant Shoppers (Service Provider / Processor)

We process shopper personal data strictly under the merchant’s instructions to power storefront speed, personalization, experimentation, analytics, pricing, and growth features.

We do not use shoppers’ personal data for our own marketing or for cross-context behavioral advertising.

C. Aggregated and De-Identified Data

We may use data that has been aggregated and de-identified, so that it can no longer reasonably identify any individual or merchant, to improve our products, conduct research, and build benchmarks. This data is not "personal information" under applicable privacy laws. We maintain and use de-identified information only in a de-identified fashion and take reasonable measures to prevent re-identification.

D. Automated Decision-Making

We may use automated systems to personalize storefronts or recommend products on behalf of merchants. You can request human review of significant automated decisions by contacting support@tectonic.so.

Do We Sell or Share Personal Information?

We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined by the California Privacy Rights Act (CPRA). If this changes, we will update this policy and provide a "Do Not Sell or Share My Personal Information" link.

Additional California Disclosures

The following disclosures supplement the rest of this policy for California residents, as required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA").

Categories of Personal Information Collected

The table below describes the categories of personal information we have collected in the preceding 12 months, the sources, the purposes for collection, and the categories of third parties to whom we disclose each category for a business purpose.

Sensitive personal information: We may collect IP-derived geolocation (city/region level). We do not use precise geolocation or any other sensitive personal information (as defined by the CCPA) to infer characteristics about consumers. We do not collect or process Social Security numbers, financial account credentials, racial or ethnic origin, genetic or biometric data, health information, sexual orientation, or contents of private communications.

Sale and sharing: We have not sold or shared (as those terms are defined by the CCPA) personal information in the preceding 12 months.

Retention: We retain each category of personal information for as long as described in Section 7 (Data Retention) below.

Data Retention

We retain personal data for as long as needed to provide the services, comply with legal obligations, resolve disputes, and enforce agreements. Merchant shoppers’ data retention is governed by the merchant’s settings and instructions (see DPA). When retention is no longer required, data is deleted or anonymized.

Upon app uninstallation by a merchant, we cease processing their store data and initiate deletion of store and associated shopper data within 30 days, unless a longer retention period is required by law, requested by the merchant under a valid agreement, or necessary to complete an in-progress transaction. Merchants may request earlier deletion by contacting support@tectonic.so.

How We Disclose Information

We may disclose personal data to:

• Service providers/sub-processors (cloud hosting, databases, email/SMS, analytics, support tools, payments) under contracts that require confidentiality and appropriate security. A list of our current sub-processors is available upon request. We will provide merchants with reasonable advance notice of changes to our sub-processor list and an opportunity to object (see DPA for details).

• Integrations at the merchant’s direction (e.g., Shopify, marketing and analytics platforms connected by the merchant).

• Corporate transactions (merger, financing, acquisition); legal compliance (lawful requests); and to protect rights, safety, and security.

International Transfer

Our primary infrastructure is in the United States. If we transfer personal data outside the US (for example, to provide support or use sub-processors in other jurisdictions), we use appropriate safeguards as required by applicable law.

Security

We implement technical and organizational measures designed to protect personal data, including:

• Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256), including encryption of database backups.

• Strict separation between production and non-production environments. Real shopper personal data is never used in test or staging environments.

• Single sign-on with multi-factor authentication and strong password requirements for all staff accounts that can access production systems.

• Role-based access controls following the principle of least privilege; staff access to protected customer data is limited to personnel with a documented business need.

• Vulnerability management, dependency scanning, and regular review of access to production systems.

We are also implementing centralized access logging for protected customer data, a documented data loss prevention (DLP) program, and a documented and tested security incident response plan. These programs will be in place prior to general availability of our Shopify app on the Shopify App Store.

If we become aware of a personal data breach impacting you, we will notify affected merchants and regulators within the timeframes required by applicable law.

Your Rights

California Residents (CCPA)

If you are a California resident, you have the following rights under the CCPA:

Right to know / access: You may request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties to whom we disclosed it.

Right to delete: You may request deletion of personal information we collected from you, subject to certain exceptions.

Right to correct: You may request correction of inaccurate personal information.

Right to opt-out of sale/sharing: We do not sell or share your personal information. If this changes, we will provide an opt-out mechanism.

Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond what is needed to provide the services.

Right to non-discrimination: We will not discriminate against you for exercising your rights.

Other US State Privacy Laws

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others) have similar rights under their respective laws, including access, deletion, correction, opt-out, and the right to appeal a denial. To exercise these rights, contact support@tectonic.so.

For Merchant Shoppers

Where we process shopper data as a service provider on behalf of a merchant, the merchant is responsible for responding to consumer rights requests. We will assist the merchant in fulfilling those requests. If you contact us directly and we determine that the merchant is the appropriate party, we will direct you to them.

Request process and verification: To submit a rights request, email support@tectonic.so. We will acknowledge receipt and respond within the timeframes required by applicable law (generally 45 days, with a possible 45-day extension where necessary). We may need to verify your identity before processing your request.

Authorized agents: You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide proof of authorization and may still verify your identity directly.

Consent reliance and signals: Where we process shopper data on behalf of a merchant, we rely on the merchant to obtain any consents required by applicable law before sharing that data with us. We honor consent and preference signals (including opt-outs of sale/share, marketing, and automated decision-making) communicated to us through the storefront, the Shopify customer privacy API, or directly by the merchant.

Cookies and Similar Technologies

We use cookies and similar technologies to keep you signed in, remember preferences, measure site and product usage, and improve performance.

Where required, we obtain consent via our banner and honor your choices. See our cookie policy for details and controls.

We use analytics and advertising tools such as Google Ads conversion tracking, Google Analytics, and (if enabled) Meta Pixel to measure campaign performance. These tools may set cookies or use device signals to understand how users interact with our site. You can opt out via your browser settings or applicable opt-out mechanisms (including the NAI opt-out at networkadvertising.org or the DAA opt-out at aboutads.info).

Children's Privacy

Our services are designed for businesses, not children. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal information from a child, we will delete it promptly.

Shopify Protected Customer Data

Spectrum is a Shopify app that accesses Shopify Protected Customer Data ("PCD") at both Level 1 and Level 2. Level 2 includes the customer name, email, phone, and address fields. This section explains, field by field, what we access and why, and how we comply with Shopify’s Protected Customer Data Requirements.

Fields we access and how we use them:

• Customer name — used to personalize merchant-authorized experiences (greetings, recommendations, segmentation) and to identify a returning shopper across sessions.

• Customer email — used as a stable identifier to link shopper sessions across devices, to write tag and segment updates back to the merchant’s Shopify customer record (under the merchant’s instructions), and to send transactional and lifecycle email to shoppers on the merchant’s behalf using Spectrum’s email infrastructure. Spectrum does not use shopper email for its own marketing.

• Customer phone — currently received as part of Shopify’s customer data scope but not processed or used by any Spectrum feature. If we add a phone-based feature in the future, we will update this policy and notify the merchant before processing.

• Customer address — used for region- and country-aware personalization, shipping-related experiences, and analytics segmentation that the merchant has enabled.

Data minimization. We request only the minimum API access scopes required for our app to function, and within those scopes we ingest only the fields we actually use. Scopes can be reviewed by the merchant in Shopify’s app settings at any time.

Purpose limitation. We process PCD strictly to deliver features the merchant has enabled in Spectrum. We do not use PCD for our own marketing, do not sell PCD, and do not share PCD for cross-context behavioral advertising.

Consent. We rely on the merchant, as the controller of shopper data, to obtain any consents required by applicable law before sharing PCD with us. We honor opt-out and consent signals (including opt-outs of sale/share, marketing, and automated decision-making) communicated to us through the storefront, the Shopify customer privacy API, or directly by the merchant.

Automated decision-making. Where our features make automated decisions that produce legal or similarly significant effects (for example, pricing or content personalization), shoppers can request human review by contacting the merchant or support@tectonic.so. Merchants can also disable any automated feature that produces such effects.

Retention. PCD is retained only for as long as the merchant remains an active customer and the data is required to deliver enabled features. On app uninstallation, we cease processing the merchant’s store data and delete PCD within 30 days, unless a longer retention period is required by law or requested under a valid agreement. Merchants may request earlier deletion at support@tectonic.so.

Security commitments for Level 2 data. We encrypt PCD in transit (TLS 1.2+) and at rest (AES-256), including database backups. We separate production and non-production environments and never use real shopper data in test or staging. Staff access to PCD requires single sign-on with multi-factor authentication, follows the principle of least privilege, and is governed by a strong password policy. We are implementing centralized access logging for PCD, a documented data loss prevention (DLP) program, and a documented and tested security incident response plan; these programs will be in place prior to general availability of our Shopify app on the Shopify App Store.

Sub-processors. We engage a limited number of vetted sub-processors (cloud hosting, databases, observability, support tooling, email delivery) under contracts that require confidentiality and equivalent data protection commitments. A current list of sub-processors is available to merchants on request and through our Data Processing Addendum.

Mandatory compliance webhooks. Our app subscribes to and responds to Shopify’s mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact). Requests received through these webhooks are honored within the timeframes required by Shopify and applicable law.

Data Processing Addendum. A Data Processing Addendum (DPA) governing our processing of shopper personal data on behalf of merchants will be made available to every merchant on request at support@tectonic.so prior to general availability of our Shopify app.

Reporting concerns. To report a privacy or security concern related to Shopify Protected Customer Data, contact support@tectonic.so. We will acknowledge receipt within five business days.

Shopify-Specific Disclosures

When you install our app, you grant specific access scopes in Shopify. We only receive the data necessary for the app to function, and scopes can be reviewed or adjusted by your admin in Shopify. We follow Shopify's privacy requirements for apps, including the Shopify API License and Terms of Use.

Mandatory compliance webhooks: Our app subscribes to and responds to Shopify's mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact), enabling us to process data access, deletion, and erasure requests initiated through the Shopify platform.

App uninstallation: When a merchant uninstalls Spectrum, we cease processing their store data and initiate deletion as described in Section 7. Merchants may request a copy of their data before uninstallation.

Protected customer data: See the dedicated “Shopify Protected Customer Data” section above for our Level 1 and Level 2 commitments, including field-level disclosures and security measures.

Third-Party Links

Our sites and dashboards may include links or integrations to third-party services. Their privacy practices are governed by their own policies, and we are not responsible for their content or practices.

Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. We will post updates here and revise the "Last updated" date. Material changes will be communicated through the service or by email where appropriate.

Contact Us

Tectonic Technologies Inc

26 Cathy Lane, Oakland, CA 94619

Email: support@tectonic.so

If you are not satisfied with our response to a privacy concern, you may contact the California Attorney General's office or the relevant regulator in your jurisdiction.