This Privacy Policy explains how Beefy Nachos Ltd (“we”, “us”, or “our”) collects, uses, processes, and protects information in connection with the Sort’d Merchandiser Shopify application and all associated services, including theme extensions, Shopify Pixels, APIs, dashboards, and analytics tools (collectively, the “Service”).

We are committed to respecting privacy, minimising data collection, and processing information in a lawful, fair, and transparent manner in accordance with applicable data protection laws.

1. Identity of the Data Controller

For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, Beefy Nachos Ltd is the data controller in respect of the data processed through the Service. Beefy Nachos Ltd is a company incorporated in the United Kingdom with its registered office at 128 City Road, London, United Kingdom, EC1V 2NX. Sort’d Merchandiser is a product and trading name of Beefy Nachos Ltd.

If you have any questions regarding this Privacy Policy or our data protection practices, you may contact us at info@beef-nachos.com.

2. Scope and Application

This Privacy Policy applies to all use of the Sort’d Merchandiser Service by merchants who install the app on their Shopify stores. It also applies to data processed through Shopify Pixels and Theme App Extensions operated by the Service on merchant storefronts.

This Policy does not apply to Shopify itself, to data processed directly by Shopify under its own terms and privacy policies, or to any third-party applications or services that a merchant may choose to integrate independently of Sort’d Merchandiser.

3. Definitions

For the purposes of this Privacy Policy, a “Merchant” refers to the Shopify store owner or operator who installs and uses the Service. A “Storefront Customer” refers to an end user who visits or interacts with a merchant’s online storefront. “Merchant Data” refers to information relating to the Merchant or their store, while “Customer Data” refers to information relating to Storefront Customers. “Personal Data” has the meaning given to it under applicable data protection laws.

4. Overview of Data Processing

Sort’d Merchandiser is designed to provide merchandising and analytics functionality while collecting as little personal data as possible. The Service distinguishes clearly between Merchant Data and Storefront Customer Data, and processes each category for different purposes and under different legal bases.

The Service does not knowingly collect or process personal data relating to Storefront Customers and is architected to avoid persistent identifiers, cookies, and direct identifiers wherever possible.

5. Merchant Data

5.1 Categories of Merchant Data

When a Merchant installs and uses the Service, we may collect and process information relating to the Merchant and their Shopify store. This includes store identifiers such as the myshopify domain, product, variant, inventory, and collection metadata, configuration settings selected within the app, app usage information, and communications sent to us for support purposes. Billing and subscription information is processed by Shopify in accordance with its own terms, and we do not collect or store payment card details.

5.2 Purpose of Processing Merchant Data

Merchant Data is processed strictly for the purpose of providing, operating, and maintaining the Service. This includes enabling merchandising and automation features, generating analytics and reports for the Merchant, responding to support requests, improving the functionality and reliability of the Service, preventing misuse or abuse, and complying with applicable legal obligations.

5.3 Lawful Bases for Processing Merchant Data

We process Merchant Data on the basis that such processing is necessary for the performance of a contract between us and the Merchant, namely the provision of the Service. In certain circumstances, we also rely on our legitimate interests in operating, securing, and improving the Service, provided that such interests are not overridden by the rights and freedoms of the Merchant.

6. Storefront Customer Data

6.1 No Direct Collection of Personal Data

Sort’d Merchandiser is intentionally designed so that it does not collect personal data from Storefront Customers. The Service does not collect names, email addresses, account identifiers, IP addresses, persistent identifiers, or cookie-based identifiers from individuals browsing a merchant’s storefront.

6.2 Session-Based Analytics

The Service may process anonymous, event-level data relating to interactions with a merchant’s storefront, such as product views, collection views, add-to-cart events, completed checkouts, and product impressions on collection pages. This data is associated with a randomly generated session identifier that exists only for the duration of a single browsing session.

Session identifiers are stored exclusively in browser session storage, are cleared automatically when the browsing session ends, and cannot be used to link activity across sessions or to identify an individual. While such data is considered pseudonymised under data protection laws, the Service is designed to minimise any risk of re-identification by avoiding persistent identifiers and direct personal data.

6.3 Privacy Permissions and Consent

Sort’d Merchandiser integrates with Shopify’s Customer Privacy API to respect Storefront Customer privacy preferences. Depending on how the Merchant configures the Service, tracking may only operate where specific privacy permissions have been accepted. If the required permissions are not present, no tracking occurs. If a Storefront Customer later withdraws consent, tracking ceases immediately.

Merchants are responsible for determining which permissions are required and for disclosing their use of analytics in their own privacy policies.

7. Cookies and Similar Technologies

The Service does not use cookies or similar persistent tracking technologies. It relies solely on browser session storage to support session-based analytics. Session storage is temporary, scoped to the active browser session, and is not transmitted with HTTP requests, further reducing privacy impact.

8. Data Sharing and Sub-processors

We do not sell, rent, or otherwise share data for advertising or marketing purposes. We may engage third-party service providers to support the operation of the Service, including cloud hosting and analytics infrastructure. These providers act as sub-processors and process data solely on our instructions and subject to appropriate contractual safeguards.

Our current sub-processors include Google Cloud Platform for infrastructure hosting, Mantle for analytics processing, and Mixpanel for analytics tooling.

9. International Data Transfers

Data processed in connection with the Service may be transferred to and processed in countries outside the United Kingdom or European Economic Area. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws.

10. Data Retention

Merchant Data is retained for as long as the Merchant maintains an active relationship with the Service. Analytics data may be retained in aggregated form for reporting and service improvement purposes. Tracking ceases immediately when the Service is uninstalled or terminated.

Merchants may request deletion of analytics data by contacting info@beef-nachos.com. Deletion requests will be handled within a reasonable timeframe, although retention of historical or aggregated data cannot be guaranteed.

11. Data Security

We implement appropriate technical and organisational measures designed to protect data against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted data transmission, access controls, and infrastructure-level security provided by our cloud hosting providers. While we take reasonable steps to protect data, no system can be guaranteed to be completely secure.

12. Data Subject Rights

Where applicable under data protection laws, individuals may have rights to access, correct, delete, or object to the processing of their personal data, and to lodge a complaint with a supervisory authority. Requests may be submitted to info@beef-nachos.com. Because the Service does not collect personal data from Storefront Customers, certain rights may not apply in practice.

13. Merchant Responsibilities

Merchants are responsible for ensuring that their use of the Service complies with applicable laws, including by providing appropriate disclosures in their own privacy policies and configuring privacy permissions in accordance with their legal obligations.

14. Children’s Data

The Service is not directed at children and is not intended to be used to collect data relating to minors.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Service or in legal requirements. Any updates will be indicated by a revised “Last updated” date. Continued use of the Service constitutes acceptance of the updated Privacy Policy.

16. Complaints and Supervisory Authority

If you believe that we have not complied with applicable data protection laws, you have the right to lodge a complaint with the UK Information Commissioner’s Office or another competent supervisory authority.

17. Contact Information

For all privacy-related enquiries, please contact:

📧 info@beef-nachos.com

‍