Privacy Policy

Last updated: February 7, 2026

At AddToQuote ("we," "us," or "our"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify application and related services.

1. Information We Collect

1.1 Information You Provide

We collect information you voluntarily provide when you:

  • Install and configure our Shopify application
  • Create quote requests through our platform
  • Contact our customer support team
  • Subscribe to our services or newsletters
  • Communicate with us via email, phone, or other channels

This information may include: name, email address, company name, phone number, billing information, and any other details you choose to provide.

1.2 Information from Shopify

When you install AddToQuote on your Shopify store, we access and process the following data through the Shopify API:

  • Store Information: Store name, domain, email, currency, timezone, and plan details
  • Product Data: Product titles, descriptions, prices, images, variants, and inventory
  • Collection Data: Collection names, handles, and associated products
  • Customer Information: Names, email addresses, and contact details for customers who submit quote requests
  • Order Information: Order details when quotes are converted to orders

1.3 Information from Google and Microsoft (Optional Email Integration)

If you choose to connect your Gmail or Microsoft Outlook account to send quote notifications from your own email address, we access the following data through OAuth 2.0 authorization:

  • Google Gmail: Your Gmail email address and permission to send emails on your behalf (via the gmail.send scope). We do not read, scan, or access the content of your inbox or existing emails.
  • Microsoft Outlook: Your Outlook email address and permission to send emails on your behalf (via the Mail.Send scope). We do not read, scan, or access the content of your inbox or existing emails.
  • OAuth Tokens: Access and refresh tokens are stored encrypted (AES-256-GCM) in our database and are used solely to send quote-related emails on your behalf.

You can disconnect your Gmail or Outlook account at any time from the app settings. Upon disconnection, all stored OAuth tokens are immediately deleted.

1.4 Automatically Collected Information

We automatically collect certain information when you use our service:

  • Device information (browser type, operating system)
  • IP address and approximate location
  • Usage data (pages visited, features used, time spent)
  • Referral source and navigation patterns

2. How We Use Your Information

We use the collected information for the following purposes:

  • Service Delivery: To provide, operate, and maintain our quote management services
  • Communication: To send quote notifications, updates, and customer communications
  • Improvements: To analyze usage patterns and improve our application
  • Support: To respond to inquiries and provide customer assistance
  • Billing: To process subscription payments through Shopify
  • Compliance: To comply with legal obligations and enforce our terms

3. Data Sharing and Disclosure

We do not sell your personal information. We may share your data with:

3.1 Service Providers

  • Supabase: Database hosting and management (PostgreSQL)
  • Amazon Web Services (AWS): Email delivery (SES)
  • Cloudflare: CDN, DDoS protection, and file storage (R2)
  • Shopify: E-commerce platform integration and billing
  • Google (Gmail API): Email delivery when a merchant connects their Gmail account (optional, OAuth 2.0)
  • Microsoft (Graph API): Email delivery when a merchant connects their Outlook account (optional, OAuth 2.0)

3.2 Legal Requirements

We may disclose information when required by law, legal process, or government request, or to protect our rights, privacy, safety, or property.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.

4. Data Security

We implement robust security measures to protect your data:

  • Encryption in Transit: All data transmitted using TLS 1.2+ encryption
  • Encryption at Rest: Sensitive data encrypted using AES-256-GCM
  • Access Controls: Role-based access with strong authentication
  • Secure Infrastructure: Hosted on enterprise-grade cloud platforms (Supabase, Cloudflare)
  • Regular Audits: Periodic security assessments and monitoring

5. Data Retention

We retain your information as follows:

  • Active Accounts: Data retained while your account is active
  • After Uninstall: Core data deleted within 48 hours of app uninstallation (per Shopify GDPR requirements)
  • Backup Data: May persist in backups for up to 30 days
  • Legal Requirements: Some data may be retained longer for legal compliance

6. Your Privacy Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data
  • Portability: Request your data in a portable format
  • Opt-Out: Unsubscribe from marketing communications
  • Restrict Processing: Request limitation of data processing

To exercise these rights, contact us at privacy@addtoquote.com.

7. GDPR Compliance (European Users)

For users in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR):

  • Legal Basis: We process data based on contract performance, legitimate interests, and consent
  • Data Controller: AddToQuote Inc. is the data controller
  • Data Transfers: Data may be transferred to the US under Standard Contractual Clauses
  • DPA: We maintain Data Processing Agreements with sub-processors

We respond to GDPR data requests (customers/data_request, customers/redact, shop/redact) within the required timeframes.

8. CCPA Compliance (California Users)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt out of the sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising privacy rights

9. Cookies and Tracking

Our application uses essential cookies for authentication and functionality. We do not use third-party tracking cookies. Our embedded Shopify app uses session tokens for secure authentication.

10. Children's Privacy

Our services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

11. Third-Party Links

Our service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or through the Shopify app. Continued use after changes constitutes acceptance of the updated policy.

13. Contact Us

For questions about this Privacy Policy or our data practices, contact us at:

14. Google API Services — Limited Use Disclosure

AddToQuote's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only use Google user data (your Gmail email address and send permission) to provide the email-sending feature you explicitly enabled — sending quote notifications, confirmations, and updates from your Gmail address.
  • We do not use Google user data for advertising, retargeting, or serving ads.
  • We do not sell, lease, or transfer Google user data to third parties, data brokers, or information resellers.
  • We do not use Google user data to determine creditworthiness or for lending purposes.
  • We do not allow humans to read your Google user data unless: (a) you give explicit consent for a specific message, (b) it is necessary for security purposes (investigating abuse or security incidents), or (c) it is required to comply with applicable law.
  • OAuth tokens are encrypted at rest (AES-256-GCM) and are only used to authenticate email-sending requests.
  • You may revoke access at any time by disconnecting Gmail in the app settings or by removing AddToQuote from your Google Account permissions.

15. Microsoft API Services Disclosure

When you connect your Microsoft Outlook account, AddToQuote accesses the Microsoft Graph API solely to send emails on your behalf. We adhere to Microsoft's API Terms of Use.

  • We only use Microsoft user data (your Outlook email address and send permission) to send quote-related emails from your Outlook address.
  • We do not read, scan, or access your inbox, calendar, contacts, or any data beyond what is required to send emails.
  • We do not sell, share, or transfer Microsoft user data to third parties.
  • OAuth tokens are encrypted at rest and are only used to authenticate email-sending requests.
  • You may revoke access at any time by disconnecting Outlook in the app settings or by removing AddToQuote from your Microsoft Account app permissions.

16. Shopify App Store

AddToQuote is available on the Shopify App Store. Our data practices comply with Shopify's API Terms of Use and Partner Program Agreement. For information about Shopify's privacy practices, please visit Shopify's Privacy Policy.