
Privacy Policy

Effective Date: March 24, 2026

Introduction

This Privacy Policy explains how Espresso Apps ("we," "us," or "our") collects, uses, stores, shares, and protects information in connection with our Shopify app Kairos (the "Service" or "app").

We are committed to protecting privacy in compliance with applicable laws, including the General Data Protection Regulation (GDPR), the ePrivacy Directive (2002/58/EC) as implemented in EU/EEA member states, the California Consumer Privacy Act (CCPA/CPRA), and other relevant privacy regulations.

This policy applies to two main groups:

Merchants (Shopify store owners) who install the app and use the Service.

End-customers/visitors to merchants' Shopify storefronts where the Service is active.

For merchants: By installing the Service and accepting this policy, you agree to the collection and use of data as described. As a Shopify merchant, your store's data privacy obligations toward visitors — including consent management — are governed through Shopify's Data Privacy platform. You — as the data controller/business — are responsible for ensuring your store's privacy policy discloses the use of third-party apps including ours, and for handling visitor rights requests as the first point of contact.

For visitors: This policy describes our role in processing your data on merchants' sites. The merchant remains primarily responsible for overall processing on their storefront; contact them directly for questions about their specific practices.

Controller Relationship

Merchants who install the Service act as data controllers in respect of their customers' personal data. Espresso Apps acts as a joint controller in respect of visitor data collected under this Service (including browser and network signals and IP addresses), given that we independently determine the purposes and means of retaining and processing that data for our own rule fine-tuning and service security purposes.

Where we act as joint controllers with merchants, we have entered into a joint controllership arrangement pursuant to Article 26 GDPR. The essence of that arrangement is as follows: merchants are primarily responsible for providing transparency to visitors on their storefronts and for handling data subject rights requests as the first point of contact; Espresso Apps is responsible for the security, retention, and deletion of visitor payload data on our own systems.

The full terms of the joint controllership arrangement are available upon request.

Our lead supervisory authority under GDPR is the Datatilsynet (Danish Data Protection Agency), Carl Jacobsens Vej 35, 2500 Valby, Denmark — dt@datatilsynet.dk, www.datatilsynet.dk.

1. Information We Collect

1.1 Merchant Data

The Service automatically collects merchant account information necessary to provide the Service, including store identifiers, configuration settings, and order/customer data shared via the Shopify API (e.g., names, email addresses, billing/shipping details). Payment card details are never collected or stored by us. This data is collected solely for app functionality and stored securely.

1.2 Automated Bot Detection (All Visitors — No Consent Required)

When any session initiates on a merchant's storefront where the Service is active, we perform server-side automated bot detection before any visitor data collection takes place. This processing does not involve any client-side access to terminal device information and does not require ePrivacy consent.

What this involves:

  • Server-side analysis of the incoming request, including the IP address (automatically transmitted as part of any web request), request headers, behavioral patterns, and request signatures.
  • Checking the session against known bot signatures, datacenter IP ranges, known malicious IP blocklists, and automated traffic indicators.
  • Integration with Cloudflare Turnstile for network-level bot verification.

Purpose: To identify and block automated scripts (bots) that are not natural persons and therefore have no data privacy rights under GDPR or applicable law. Bots do not have legal standing as data subjects; this processing does not engage data subject rights.

Legal basis: This processing does not engage the ePrivacy Directive (which protects natural persons only) in respect of confirmed bot traffic. For sessions that cannot yet be confirmed as bots — and where the session may therefore involve a natural person — we rely on legitimate interests (Article 6(1)(f) GDPR) for the server-side IP and request-header analysis, given that no terminal device access occurs at this stage and that bot prevention is a recognized legitimate interest under Recital 47 GDPR and Datatilsynet's guidance.

Storage: Where a session is confirmed as bot traffic, minimal session data (IP address, request signature, timestamp, and detection outcome) may be retained for up to 90 days for blocklist maintenance, dispute handling, and rule fine-tuning. No data subject rights apply to confirmed bot session records.

Ambiguous sessions: Where a session cannot be definitively identified as bot or human at the server-side stage, it is treated as potentially involving a natural person, and the full human-visitor protections described below apply.

1.3 Human Visitor Data (Consent Required for EU/EEA Visitors)

Where a session has passed our bot detection checks — meaning we treat the visitor as a legitimate human visitor — and where the visitor has given consent, we collect a limited set of browser and network signals. These signals are collected in the visitor's browser and transmitted to our servers via a network request, where they are stored. Nothing is stored on or in the visitor's device or browser.

What we collect:

  • IP address
  • Autonomous System Number (ASN)
  • Country (derived from IP address)
  • Browser type and version
  • User agent string

How these details are used:

The stored details are used solely to apply merchant-defined access rules. For example, a merchant may configure the Service to restrict access from a specific IP address, ASN, or country. Where a visitor's stored details match a merchant-configured rule, access to the storefront or checkout may be restricted. No fraud scoring, behavioral profiling, or inference generation takes place.

ePrivacy and Consent:

The collection of browser and network signals via JavaScript executing in the visitor's browser and their transmission to our servers engages Article 5(3) of the ePrivacy Directive (2002/58/EC), as implemented in Denmark and across EU/EEA member states, which requires prior informed consent before such collection takes place. Consent is managed through Shopify's Data Privacy platform on the merchant's storefront. You may decline consent, in which case no collection under this Section will take place; server-side bot detection will continue to operate independently.

If you have given consent and later wish to withdraw it, you may do so via the consent mechanism on the merchant's storefront. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Note on Cloudflare Turnstile: Where our integrated Cloudflare Turnstile challenge is triggered as part of bot detection, Cloudflare may independently set cookies or use local storage as part of its verification process. This is governed by Cloudflare's own Privacy Policy.

Retention: We store the collected details for up to 90 days from the date of the visitor's consent. Data is deleted promptly once it is no longer needed, and in any event no later than 90 days after collection.

No data collected under this section is used for advertising, cross-site tracking, marketing, or any purpose unrelated to access control on the installing merchant's store.

2. How We Use Information

We use collected information for the following purposes:

  • Server-side bot detection and blocking — identifying and blocking automated scripts that are not natural persons, without terminal device access or consent requirements.
  • Storing browser and network signals for consenting human visitors — retaining IP address, ASN, country, browser type/version, and user agent string on our servers, transmitted via network request from the visitor's browser following consent.
  • Applying merchant-defined access rules — comparing stored visitor details against merchant-configured rules (e.g., blocked IP addresses, ASNs, or countries) to determine whether access to the storefront or checkout should be restricted. See Section 6 for your rights in relation to automated access restriction decisions.
  • Post-event dispute handling, including chargeback investigations and order reviews.
  • Internal fine-tuning of detection rules to improve the security effectiveness of the Service.

We do not use any visitor data for marketing, behavioral profiling, fraud scoring, sale of data, or any purpose unrelated to access control and security on the installing merchant's store.

3. Legal Basis for Processing

3.1 GDPR

Server-side bot detection (Section 1.2): Server-side request analysis (IP address, headers, request signatures) does not constitute terminal device access under the ePrivacy Directive and does not require ePrivacy consent. For sessions not yet confirmed as bots — and therefore potentially involving a natural person — we rely on legitimate interests (Article 6(1)(f) GDPR). Bot and automated traffic prevention are recognized legitimate interests under Recital 47 GDPR, EDPB Guidelines 1/2024, and Datatilsynet's guidance. We have conducted and documented a Legitimate Interests Assessment (LIA) in respect of this processing.

ePrivacy — Client-side browser and network signal collection (Section 1.3): For EU/EEA visitors, we rely on consent (Article 6(1)(a) GDPR and the applicable national ePrivacy implementation) for client-side collection and transmission of browser and network signals. Consent is managed through Shopify's Data Privacy platform.

Substance of human visitor data processing (storage, application of access rules, rule fine-tuning): We and the merchant rely on legitimate interests (Article 6(1)(f) GDPR) for the processing of human visitor data once collection has been lawfully obtained via consent. A documented LIA supports this basis.

Automated access restriction decisions (Article 22 GDPR): Where the application of merchant-defined rules results in a human visitor's access being restricted solely by automated means, we rely on Article 22(2)(a) GDPR (processing necessary for entering into or performing a contract). Appropriate safeguards are in place. See Section 6.

3.2 CCPA/CPRA

Under the CCPA/CPRA, the collection and use of visitor data for access control and transaction security constitutes processing for our business purposes (specifically, security, fraud prevention, and debugging). We do not sell or share personal information as defined under the CCPA/CPRA.

Categories of personal information collected (mapped to CCPA statutory categories):

CCPA Category | Examples Collected
Identifiers | IP address, ASN
Internet or other electronic network activity | Browser type, browser version, user agent string
Geolocation data (derived) | Country derived from IP address

Categories of sources: Server-side from incoming requests (all sessions); transmitted from visitors' browsers to our servers via network request (human visitors who have consented).

Categories of third parties with whom data is shared: Infrastructure providers (Shopify, Supabase, Fly.io, Cloudflare), all bound by security and confidentiality obligations.

Sensitive personal information: To the extent that any data collected constitutes sensitive personal information under the CPRA, we limit our use of such information to purposes permitted under the CPRA and do not use it to infer characteristics about consumers beyond what is necessary for access control purposes.

4. Sharing and Service Providers

We do not sell any personal data. We do not share personal data for cross-context behavioral advertising.

Visitor data may be processed by our infrastructure providers — Shopify, Supabase, Fly.io, and Cloudflare — all bound by security and confidentiality obligations. No other sharing occurs except as required by applicable law.

International Data Transfers

Where personal data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) as adopted by the European Commission and/or transfers to countries benefiting from an EU adequacy decision. A list of key service providers and applicable transfer mechanisms is available upon request at hello@espressoapps.com.

5. Data Retention and Security

  • Merchant data is retained while the app is installed and deleted within 48 hours of uninstall or scope revocation.
  • Bot session records (confirmed automated traffic): IP address, request signature, timestamp, and detection outcome retained for up to 90 days for blocklist maintenance and rule fine-tuning. No data subject rights apply to confirmed bot records.
  • Human visitor data (IP address, ASN, country, browser type/version, user agent string): retained for a maximum of 90 days from the date of the visitor's consent. Deleted earlier if no longer needed.

We apply industry-standard security measures, including encryption in transit and at rest, strict access controls, and multi-factor authentication, via our trusted infrastructure providers.

6. Automated Access Restriction Decisions

The Service applies merchant-defined rules to stored visitor details to determine whether access to a storefront or checkout should be restricted. These rules are categorical in nature — for example, blocking a specific IP address, ASN, or country — and do not involve behavioral profiling or inference generation.

Where the application of such rules results in access being restricted for a human visitor, and where that decision is made solely by automated means, this may constitute a decision with a similarly significant effect for the purposes of Article 22 GDPR, as it denies the visitor access to a commercial service.

Where Article 22 GDPR applies to an access restriction decision affecting a human visitor, you have the right to:

  • Request human review of the decision by contacting the relevant merchant. The merchant is the first point of contact for such requests. Espresso Apps will assist merchants in responding where access to stored data on our systems is required.
  • Express your point of view regarding the decision.
  • Contest the decision.

Merchants are required to make these rights practically available to visitors on their storefronts.

Note on bot block decisions: Automated blocking of confirmed bot sessions does not engage Article 22 GDPR. Bots are not natural persons and have no data subject rights.

7. Your Rights and Choices

Merchants

As a merchant, you have the right to access, correct, and delete your shop and customer data via the app settings or by contacting us at hello@espressoapps.com.

Visitors (Human)

As a human visitor, you have the following rights in respect of your data, to the extent applicable under your jurisdiction:

  • Withdraw consent for client-side collection and transmission of browser and network signals at any time via the consent mechanism on the merchant's storefront. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data, subject to our legitimate interests in retaining data for active dispute or chargeback investigations.
  • Restriction: Request that we restrict processing of your data.
  • Objection: Object to processing based on legitimate interests. We and the merchant will cease processing unless compelling legitimate grounds exist (e.g., an ongoing dispute or chargeback investigation).
  • Rights related to automated access restriction decisions: See Section 6 above.
  • Data portability: Where applicable, request that your data be provided in a structured, commonly used, machine-readable format.

How to exercise your rights: Please contact the merchant in the first instance. You may also contact us directly at hello@espressoapps.com.

For GDPR: If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority or with our lead supervisory authority: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark — dt@datatilsynet.dk.

For CCPA/CPRA: We do not sell or share personal information. You may submit a request for deletion or to know what data we hold via the merchant or by contacting us directly.

8. Important Notes for Merchants

As a data controller/business operating on Shopify, your store's visitor-facing data privacy and consent obligations are managed through Shopify's Data Privacy platform. You should ensure that your store's privacy policy — maintained through Shopify — discloses the use of third-party apps including Kairos, and specifically the collection and server-side storage of visitor browser and network signals for access control purposes.

You must also:

  • Handle visitor rights requests — including requests for human review of automated access restriction decisions — in compliance with applicable law, as the first point of contact for such requests.
  • Enter into the required joint controllership arrangement with us and comply with Shopify's requirements for third-party apps.

Example disclosure wording for your store's privacy policy

To help secure our storefront and manage access, we use Kairos (operated by Espresso Apps). Kairos performs server-side bot detection on all sessions using IP address and request signals — this does not require your consent as it targets automated scripts rather than individual users. Where you have given your consent, Kairos also collects a limited set of browser and network signals — specifically your IP address, ASN, country, browser type and version, and user agent string — which are transmitted to Espresso Apps' servers and stored for up to 90 days. These details may be used to restrict access to our storefront or checkout in accordance with our configured access rules (for example, blocking specific IP addresses, networks, or countries). If your access is restricted by an automated rule, you have the right to request human review of that decision via our customer support team. You may withdraw your consent at any time via the consent mechanism on our storefront. For more information, see the Kairos Privacy Policy.

We are not responsible for your failure to comply with your own legal obligations as a data controller. Contractual disclaimers of liability do not override applicable statutory obligations under GDPR or other privacy laws.

9. Children's Data

The Service is not directed at children under the age of 16 (or the applicable minimum age in the relevant jurisdiction). We do not knowingly collect personal data from children. Merchants whose storefronts are directed at or accessible to children are responsible for ensuring appropriate safeguards are in place and for complying with applicable laws, including COPPA (US) and Article 8 GDPR (EU/EEA).

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated to merchants with reasonable advance notice before taking effect. The updated policy will be posted here with a new effective date. For visitors, the current version will always be accessible at this page.

Continued use of the Service by merchants after the effective date of a material change, having received reasonable notice, constitutes acceptance of the updated policy.

11. Contact Information

For any questions about this Privacy Policy, to exercise your rights, or to request information about international transfer mechanisms or our joint controllership arrangement, please contact:

Espresso Apps
hello@espressoapps.com