Subline Merchant Privacy Policy

Last Updated: 26 February 2026

Effective Date: 26 February 2026

1. Introduction

This Privacy Policy explains how Subline Ltd ("Subline," "we," "us," or "our") collects, uses, stores, and protects your information when you use the Subline Merchant App ("App").

By installing the App from the Shopify App Store or using our services, you acknowledge that you have read and understood this Privacy Policy. This policy applies to merchants who use the App; it does not cover end consumers who use the Subline mobile shopping platform.

If you have any questions about this Privacy Policy, please contact us at partners@sublineapp.com.

2. Definitions

  • "App" means the Subline Merchant App available through the Shopify App Store.

  • "Platform" means the Subline mobile application and associated services through which consumers discover and purchase products.

  • "Product Data" means information about your products that is synced to the Platform.

  • "Merchant Account Data" means information about your Shopify store and account.

  • "Order Data" means information about orders placed through the Platform.

  • "Shopify" means Shopify Inc. and its subsidiaries.

3. Data Controller

Subline Ltd is the data controller for the personal data processed through the App. We are a company registered in England and Wales, and we are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contact Details:

Email: partners@sublineapp.com

4. Data We Collect

We collect and process the following categories of data:

4.1 Product Data

When you enable product sync, we collect and store the following information about your products:

  • Product and variant identifiers (Shopify GraphQL IDs)

  • Product titles and descriptions

  • Product images

  • Vendor/brand name

  • Product types and categories

  • Shopify Standard Product Category (taxonomy ID, name, full name, and level)

  • Product attribute metadata (target gender, fabric/material, colour pattern, neckline), resolved from Shopify metaobject references

  • Tags and keywords

  • Collection names

  • Variant options (size, colour, and other attributes)

  • Inventory quantities and availability status

  • Product URLs on your Shopify store

  • Per-country pricing (price and compare-at price for each country in your active Shopify Markets)

  • Available countries from your Shopify Markets configuration (cached and refreshed periodically)

  • Shipping and delivery configuration (processing times, shipping zones, free shipping rules)

  • Fulfilment event data for Subline Orders (shipment dates, delivery dates, carrier names, tracking numbers, origin and destination countries)

4.2 Merchant Account Data

We collect and store the following information about your store:

  • Shop domain (e.g., yourstore.myshopify.com)

  • Shop name

  • Shop numeric identifier (used for billing credit processing via Shopify Partner API)

  • Shop base currency

  • Storefront API access token (used by our backend to support store integration)

  • Store logo and favicon (uploaded by you)

  • Email address (for notifications)

  • Terms acceptance timestamp

  • Billing subscription identifiers and status

4.3 Order Data

For orders that originate from the Subline Platform, we collect:

  • Shopify order ID and order number

  • Order date and time

  • Order total amount and product subtotal

  • Order currency

  • Commission amount (calculated at 10% of product subtotal)

  • Refund amounts and dates (if applicable)

  • Usage billing record identifiers

  • Cart token (used to link orders to checkouts initiated from the Subline mobile app)

  • Customer journey data (landing pages, referrer URLs, and UTM parameters from the first and last visit) — used solely to determine whether an order originated from the Subline Platform; not stored beyond this attribution check

  • Fulfilment dates (when orders are shipped and delivered)

  • Carrier names and tracking numbers

  • Origin and destination countries

4.4 Session Data

To enable the App to function within your Shopify admin, we store:

  • Shopify OAuth access tokens

  • Session identifiers and expiry information

5. How We Use Your Data

We use the data we collect for the following purposes:

  • Product Data: to display your products to consumers on the Subline Platform; to power search, filtering, and recommendation features; to maintain wishlists and favourites functionality.

  • Merchant Account Data: to authenticate your access to the App; to create and manage your store on our Platform; to fetch live product prices; to display your branding to consumers; to send you important notifications.

  • Order Data: to calculate and charge commission; to provide you with order tracking and reporting; to process refund credits; to comply with legal and accounting obligations.

  • Fulfilment Data: to calculate and improve estimated delivery timeframes displayed to consumers on the Platform.

  • Session Data: to maintain your authenticated session within the Shopify admin; to make API calls on your behalf.

6. Legal Basis for Processing

Under the UK GDPR, we process your data based on the following legal grounds:

  • Performance of Contract: Processing Product Data, Merchant Account Data, and Order Data is necessary to provide the services described in our Merchant Terms of Service.

  • Legitimate Interests: We may process certain data for our legitimate business interests, such as improving our services, preventing fraud, and ensuring platform security. We balance these interests against your rights and freedoms.

  • Legal Obligation: We may process Order Data to comply with legal requirements, such as tax reporting and accounting obligations.

7. Third-Party Services

We use the following third-party services to provide the App:

7.1 Supabase

  • Purpose: Cloud storage for store logos and favicons; database for checkout tracking

  • Data Shared: Logo/favicon images; checkout completion data

  • Location: Data may be processed in the EU/US

  • Privacy Policy: https://supabase.com/privacy

7.2 Railway (Backend Infrastructure)

  • Purpose: Hosts our backend API that stores Product Data

  • Data Shared: Product Data, store configuration

  • Location: Data processed in the US/EU

  • Privacy Policy: https://railway.app/legal/privacy

7.3 Shopify APIs

  • Admin API: Used to access your product catalog and process webhooks

  • Storefront API: Used by our backend to fetch live product prices

  • Billing API: Used to charge commission through your Shopify bill

  • Partner API: Used to issue refund credits

  • Privacy Policy: https://www.shopify.com/legal/privacy

8. Data Sharing

We do not sell your data. We share your data only as described below:

  • Recipient: Subline Platform Users; Data Shared: Product Data, store branding; Purpose: To display your products to consumers

  • Recipient: Supabase; Data Shared: Logos, checkout data; Purpose: Cloud storage and database services

  • Recipient: Railway; Data Shared: Product Data; Purpose: Backend infrastructure

  • Recipient: Shopify; Data Shared: Billing data, API requests; Purpose: Payment processing and platform integration

We may also disclose your data if required by law, to protect our rights, or in connection with a business transfer (e.g., merger or acquisition).

9. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the UK Information Commissioner's Office

  • Data processing agreements with our service providers

  • Compliance with applicable data protection frameworks

10. Data Retention

We retain your data as follows:

10.1 Product Data

  • During Use: Stored while your App is installed and sync is enabled

  • On Uninstall: Soft-deleted (marked as unavailable) to preserve consumer wishlist references

  • On GDPR Request: Hard-deleted upon receiving a shop/redact webhook from Shopify

10.2 Merchant Account Data

  • During Use: Stored while your App is installed

  • On Uninstall: Deleted, except for data required for legal or accounting purposes

10.3 Order Data

  • Retention Period: Retained for a minimum of 7 years for legal and accounting purposes

  • On GDPR Request: Anonymised where possible; retained where legally required

  • On Uninstall: Fulfilment tracking data is deleted; order financial data is retained where legally required

10.4 Session Data

  • Retention Period: Automatically expires based on Shopify's session duration

  • On Uninstall: Deleted

11. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the data we hold about you

  • Right to Rectification: Request correction of inaccurate data

  • Right to Erasure: Request deletion of your data (subject to legal retention requirements)

  • Right to Restriction: Request that we limit how we use your data

  • Right to Data Portability: Request your data in a machine-readable format

  • Right to Object: Object to processing based on legitimate interests

  • Right to Withdraw Consent: Where processing is based on consent, withdraw at any time

To exercise any of these rights, please contact us at partners@sublineapp.com. We will respond to your request within one month.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk.

12. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (HTTPS/TLS)

  • Secure storage with access controls

  • Regular security assessments

  • Limited access to personal data on a need-to-know basis

  • Secure handling of API tokens and credentials

While we take reasonable precautions, no method of transmission or storage is 100% secure. If you become aware of any security issues, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy with a new "Last Updated" date

  • Sending an email notification for significant changes

  • Displaying a notice in the App

Your continued use of the App after changes take effect constitutes acceptance of the updated Privacy Policy.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Subline Ltd

Email: partners@sublineapp.com

This Privacy Policy was last updated on 26 February 2026