Privacy Policy
Last Updated: 28.01.2026
Sonar Seed ("we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and protect information when you install or use the Sonar Seed application (the "App") in connection with your Shopify store.
This Privacy Policy applies to merchants who install the App and to influencers who use the influencer portal. By using the App, you acknowledge that you have read and understood this Privacy Policy.
1. Information We Collect
To provide our Services, we collect specific information from your Shopify account and your interactions with the App.
1.1 Merchant Information
When you install the App, we collect:
- Contact Information: Name, email address, phone number, and physical address of the shop owner.
- Store Information: Shop URL, Shopify shop ID, shop currency, time zone, and plan details.
- Authentication Data: Shopify access tokens (encrypted and stored securely).
- Account Settings: Your configuration preferences within the App, including automation rules and commission structures.
1.2 Influencer Data (Protected Customer Data)
When an individual signs up as an influencer or is recruited by you, we collect and store:
- Personally Identifiable Information (PII): Full name, email address, physical shipping address, and phone number.
- Social Media Data: Social media handles (Instagram, TikTok, YouTube), profile URLs, follower counts, and engagement metrics.
- Financial Data: Affiliate sales performance, commission amounts earned, discount code usage, and payout history.
- Content Submissions: Uploaded images, videos, captions, and other deliverables submitted through the portal.
- Account Data: Login timestamps, magic link usage, IP addresses (for security purposes), and preferences.
1.3 End-Customer Order Data (Ephemeral Processing)
We access your Shopify Order stream to provide the Services:
- Processing Without Long-Term Storage: We process order details (line items, total spend, discount codes used, customer email, order date) in real-time to:
  - Track affiliate sales and attribute them to specific influencers
  - Automate influencer recruitment based on spend thresholds you define
  - Calculate commission tiers and payments
- Data Minimization: We do not store personally identifiable information (PII) of your end-customers (shoppers) unless:
  - They trigger a recruitment threshold and are invited to become an influencer, OR
  - Their order contains an affiliate discount code, in which case we store only the minimum data necessary to link the sale to the influencer (order ID, total, discount code, timestamp)
- Ephemeral Nature: Order data for customers who do not meet either condition above is processed in-memory and is not persisted to our databases.
1.4 Data Controller Roles
The nature of our data processing relationship depends on the type of data:
- Merchant Data: You are the data controller; we act as your data processor when handling your store information and settings.
- Influencer Data: We act as joint controllers with you. Both parties determine the purposes and means of processing influencer personal data. Our respective responsibilities are outlined in the Data Processing Agreement (DPA).
- End-Customer Data: We process end-customer order data solely as your data processor, following your instructions and configuration. We do not make independent decisions about this data.
Our Data Processing Agreement (DPA) is available at Data Processing Agreement and is incorporated into our Terms of Use by reference.
1.5 Automatically Collected Information
When you or influencers use the App, we automatically collect:
- Usage Data: Pages viewed, features used, time spent in the App, and interaction patterns.
- Technical Data: IP address, browser type and version, operating system, device identifiers, and referral URLs.
- Cookies and Similar Technologies: See our Cookie Policy for detailed information.
2. How We Use Information
We use the collected information for the following purposes:
2.1 Service Provision
- Creating and managing Draft Orders for influencer gifts
- Tracking affiliate code usage and attributing sales to influencers
- Calculating commissions and managing tier progression
- Displaying performance analytics and reporting
- Facilitating influencer portal access via magic links
2.2 Recruitment Automation
- Analyzing customer purchase history against your defined thresholds (e.g., "Spent > $500")
- Suggesting potential brand ambassadors based on your criteria
- Sending automated recruitment invitations (only with your authorization)
2.3 Communication
We send transactional emails via Resend, including:
- Welcome messages to new influencers
- Shipping notifications for seeded products
- Magic login links for portal access
- Commission milestone notifications
- Service-related updates and security alerts
Marketing Communications: We do not send marketing emails through the App unless you explicitly opt in.
2.4 Integration Synchronization
- Syncing influencer data with your Klaviyo account (only if enabled by you in App settings)
- Updating influencer segments and tags for marketing automation
- Triggering custom flows based on tier changes or milestone achievements
2.5 Security and Fraud Prevention
- Detecting and preventing fraudulent activity, including fake influencer accounts
- Monitoring for unusual patterns in affiliate code usage
- Rate limiting to prevent API abuse
- Maintaining audit logs for security investigations
2.6 Service Improvement
- Analyzing aggregated, anonymized usage data to improve App features
- Conducting A/B testing to optimize user experience
- Developing new features based on usage patterns
2.7 Legal Compliance
- Responding to legal requests and court orders
- Enforcing our Terms of Use and policies
- Complying with applicable laws and regulations
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data based on the following legal grounds:
4. Sharing Information with Third Parties
We do not sell, rent, or trade your personal data. We share data only with the following categories of recipients:
4.1 Sub-Processors
We use carefully vetted sub-processors to deliver the Services. A current list is maintained at Sub-Processor List.
4.2 Service Providers
We may engage additional service providers for:
- Payment processing (for App subscription fees)
- Customer support tools
- Analytics and monitoring (aggregated data only)
4.3 Legal Requirements
We may disclose information if required to do so by law or in response to:
- Valid legal process (subpoenas, court orders)
- Government or regulatory requests
- Protection of our rights, property, or safety
- Investigation of fraud or security issues
4.4 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice in the App before your information is transferred and becomes subject to a different privacy policy.
5. International Data Transfers
Your data may be transferred to and processed in the United States and other jurisdictions where our sub-processors operate, which may have different data protection laws than your jurisdiction.
5.1 Transfer Mechanisms
For data transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs): We have executed EU Standard Contractual Clauses with sub-processors located outside the EEA to ensure adequate protection.
- Adequacy Decisions: Where the European Commission has determined that a country provides adequate data protection (e.g., certain exceptions under GDPR Art. 49).
- Your Consent: For transfers not covered by the above, we will obtain your explicit consent.
For details on our transfer safeguards, including copies of our SCCs, please contact privacy@sonarseed.com.
6. Automated Decision-Making and Profiling
The App uses automated decision-making logic in the following ways:
6.1 Recruitment Automation
- Logic: Automatically selecting customers for invitation based on spend thresholds, order frequency, or product categories you configure.
- Impact: Customers may receive a recruitment invitation if they meet your criteria.
- Your Rights: You can configure or disable this feature at any time. Customers can opt out of invitations.
6.2 Tier Promotion
- Logic: Automatically promoting influencers to VIP tiers based on sales performance metrics (e.g., "Generated $5,000+ in affiliate sales").
- Impact: Influencers may receive higher commission rates or exclusive benefits.
- Your Rights: You define tier thresholds and can manually override automated promotions.
Merchant Responsibility: Under GDPR and similar laws, you must ensure you have a lawful basis for subjecting customers to automated profiling. We recommend including disclosure in your store's privacy policy.
7. Data Retention and Deletion
7.1 Retention Periods
- Merchant Data: Retained for as long as the App is installed on your Shopify store, plus 30 days to allow for reactivation.
- Influencer Data: Retained for as long as the influencer relationship is active, plus 3 years after termination for legal and accounting purposes (e.g., commission disputes, tax obligations).
- Order Data (Affiliate Sales): Retained for 7 years to comply with tax and accounting regulations.
- Security Logs: Retained for 90 days unless required for ongoing investigations.
7.2 Deletion Upon Uninstallation
When you uninstall the App, we receive an app/uninstalled webhook from Shopify. We will:
- Mark your account for deletion within 48 hours
- Delete all merchant settings and influencer data within 30 days
- Retain aggregated, anonymized analytics data (non-personal) for service improvement
Exception: We may retain data longer if required by law (e.g., tax records, legal holds, ongoing disputes).
7.3 GDPR and Shopify Data Subject Requests
We support Shopify's mandatory webhooks for data subject rights:
- customers/redact: If a customer requests deletion via Shopify, we will permanently remove their data from our systems within 30 days.
- shop/redact: When a shop owner requests deletion of their store data, we will delete all associated data within 30 days.
- customers/data_request: We will provide a machine-readable export of customer data upon request.
8. Your Rights Under Privacy Laws
Depending on your location, you and your influencers have the following rights:
8.1 GDPR Rights (EEA, UK, Switzerland)
- Right of Access (Art. 15): Request a copy of personal data we hold about you.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten").
- Right to Restriction (Art. 18): Limit how we process your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
8.2 CCPA Rights (California Residents)
- Right to Know: Request disclosure of categories and specific pieces of personal information collected.
- Right to Delete: Request deletion of your personal information (subject to exceptions).
- Right to Opt-Out of Sale: We do not sell personal information, so this right is not applicable.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
8.3 How to Exercise Your Rights
Merchants:
- Access and export data via the App dashboard under "Settings > Data Export"
- Delete influencer profiles directly within the App
- Email privacy@sonarseed.com for complex requests
Influencers:
- Contact the merchant directly through the influencer portal
- Email privacy@sonarseed.com
- Use Shopify's privacy request portal (if applicable)
Response Time: We will respond to requests within 30 days (GDPR) or 45 days (CCPA), and may extend by an additional 30 days if necessary, with notice.
Verification: We may require verification of your identity before processing requests to prevent fraudulent submissions.
9. Security Measures
We implement industry-standard security measures to protect your data:
9.1 Technical Safeguards
- Encryption in Transit: All data transmitted between your browser and our servers uses TLS 1.3 encryption.
- Encryption at Rest: Sensitive data (API keys, passwords) is encrypted using AES-256-CBC encryption.
- Secure Authentication: Influencer portal access uses magic links with time-limited tokens; Shopify OAuth for merchant accounts.
- Access Controls: Role-based access controls (RBAC) limit employee access to personal data on a need-to-know basis.
- Secure Infrastructure: Data is hosted on Supabase and Vercel, which maintain SOC 2 Type II compliance.
9.2 Organizational Safeguards
- Employee Training: All employees undergo privacy and security training.
- Background Checks: Employees with access to personal data undergo background checks.
- Incident Response Plan: We maintain a data breach response plan and will notify affected parties as required by law.
- Regular Audits: We conduct annual security audits and vulnerability assessments.
9.3 Data Breach Notification
In the event of a data breach affecting personal data, we will:
- Notify affected merchants within 72 hours of becoming aware of the breach (GDPR requirement)
- Provide details on the nature of the breach, categories of data affected, and remediation steps
- Assist merchants with any required notifications to data subjects
- Cooperate with regulatory authorities as required
To report a suspected security issue, contact security@sonarseed.com.
10. Children's Privacy
The App is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected such information, we will delete it promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact privacy@sonarseed.com.
11. Do Not Track Signals
Some browsers include a "Do Not Track" (DNT) feature. Our App does not currently respond to DNT signals because there is no industry consensus on how to interpret them. We will update this policy if a standard emerges.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.
12.1 Notice of Changes
We will notify you of material changes by:
- Posting the updated Privacy Policy within the App settings
- Sending an email notification to your registered email address
- Displaying a prominent notice on the influencer portal login page
12.2 Effective Date
Changes become effective 30 days after notice for material changes, or immediately for non-material clarifications. Your continued use of the App after the effective date constitutes acceptance of the updated policy.
12.3 Version History
Previous versions of this Privacy Policy are archived and available upon request.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
Sonar Seed
Data Protection Officer
Email: privacy@sonarseed.com
Support: support@sonarseed.com
Legal: legal@sonarseed.com
Address: Sonar Stack, c/o GAM, Pappelallee 64, 10437 Berlin, Deutschland
13.1 Supervisory Authority
If you are located in the EEA or UK and have concerns about our data practices, you have the right to lodge a complaint with your local data protection authority:
- EEA: Contact details for EU data protection authorities: https://edpb.europa.eu/about-edpb/board/members_en
- UK: Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/
Last Reviewed: 28.01.2026
Version: 2.0