Privacy Policy

Effective date: March 1, 2026  ·  Last updated: March 12, 2026

MYNTY Inc. ("MYNTY," "we," "us," or "our") operates the Code Lock Shopify application and the www.mynty.io website (collectively, the "Services"). This Privacy Policy describes what information we collect, how we use it, and the choices you have. By using our Services you agree to the practices described here.

1. Information We Collect

Merchant account data. When you install Code Lock from the Shopify App Store, we receive your Shopify store URL, shop name, contact email, and the OAuth access token that allows our app to act on your behalf. We store this in our database to operate the service.

Influencer and referral configuration. You provide us with referral codes, discount codes, influencer identifiers, and tracking parameters that you configure inside the Code Lock dashboard. This information is stored in our database and used solely to power attribution for your store.

Attribution session data. When a shopper visits your storefront via a tracked referral link, our storefront script captures the referral parameter and creates an attribution session. We store a pseudonymous session identifier, the referral code, the associated discount code, a timestamp, and an expiry date. We do not store shoppers' names, email addresses, or payment details.

Order data. When a Shopify orders/create webhook fires, we receive the order payload from Shopify (which includes order ID, line items, discount codes applied, cart token, checkout token, and note attributes). We use this data to resolve attribution and record which influencer drove the order. We do not store full payment card data.

Dashboard usage data. We collect standard server logs (IP address, browser user-agent, pages visited, timestamps) when you use the MYNTY dashboard. We may also collect analytics via Google Analytics 4 on marketing pages.

Communications. If you contact us by email, we retain that correspondence to respond to you and improve our services.

2. How We Use Your Information

• To install, operate, and maintain Code Lock on your Shopify store.
• To resolve attribution and credit the correct influencer for each order.
• To display analytics and KPIs inside your dashboard.
• To send you transactional emails (e.g., installation confirmations, service alerts).
• To diagnose bugs, investigate security incidents, and improve the Service.
• To comply with legal obligations.

We do not sell, rent, or share your personal information with third parties for their own marketing purposes.

3. Data Shared with Third Parties

We use a limited set of subprocessors to deliver the Service:

• Shopify Inc. — our platform partner; order and store data flows through their APIs.
• Supabase / PostgreSQL — our hosted database provider where merchant configuration and attribution records are stored.
• Render — our cloud hosting provider where the API server and dashboard run.
• Google Analytics — used on marketing pages to understand aggregate traffic patterns (no personally identifiable information is sent).

All subprocessors are contractually required to handle your data in accordance with applicable privacy law.

4. Shopify Customer Data

Code Lock and Smart Suppress handle Shopify customer data on behalf of merchants (as a data processor). The specific customer data we process includes:

• Customer order count — used by Smart Suppress to segment returning customers (new, warm, hot) and determine appropriate discount actions. This data is received in real time from Shopify's checkout and order webhooks and is not stored long-term beyond the attributed order record.
• Customer email (hashed) — when an order is attributed, we may receive the customer's email as part of the Shopify order payload. We use it solely to link repeat purchases for attribution accuracy. We log all access to customer personal data for compliance auditing.

We comply with Shopify's Partner Program requirements for GDPR/CCPA data handling, including mandatory webhooks:

• customers/redact — we delete all stored data associated with a customer upon receiving this request.
• customers/data_request — we log the request and can provide a data export upon merchant instruction.
• shop/redact — when a store uninstalls and the 48-hour redact period elapses, we delete all data associated with that shop.

5. Cookies and Tracking Technologies

The MYNTY dashboard uses a session cookie (mynt_session) to keep you logged in. This cookie is strictly necessary for authentication and is not used for advertising. Our marketing pages may set Google Analytics cookies to measure aggregate traffic. You can opt out of Google Analytics at tools.google.com/dlpage/gaoptout.

The Code Lock storefront script sets a sessionStorage and localStorage entry on the merchant's storefront to persist attribution lock state across page navigations. This data stays in the shopper's browser and is not transmitted to any third-party advertising network.

6. Data Retention

• Attribution session records are retained for the configured lock TTL (default 30 days) and can be purged upon merchant request.
• Order attribution records are retained for up to 24 months to support reporting and auditing.
• Merchant account data is retained for the duration of the subscription plus 90 days after deletion, after which it is permanently removed.
• Server logs are retained for 30 days.

7. Security

We use industry-standard security practices including encrypted connections (TLS), hashed passwords (scrypt), HMAC-verified webhook payloads, environment-variable secret management, and structured access logging for all protected customer data. We maintain a documented security incident response policy that covers investigation, merchant notification within 72 hours, Shopify notification, and remediation. No security measure is 100% guaranteed; if you believe your account has been compromised, contact us immediately at hello@mynty.io.

8. Your Rights

Depending on your location, you may have the right to:

• Access the personal data we hold about you.
• Request correction or deletion of your data.
• Restrict or object to certain processing.
• Data portability.
• Lodge a complaint with a supervisory authority (EU/EEA residents).

To exercise any of these rights, email us at hello@mynty.io. We will respond within 30 days.

9. Children's Privacy

Our Services are not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

10. International Transfers

MYNTY is based in the United States. If you are accessing our Services from outside the US, your information may be transferred to and processed in the US. We rely on standard contractual clauses and other appropriate safeguards for cross-border transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page with a revised "Last updated" date. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

12. Contact Us

MYNTY Inc.
hello@mynty.io