Privacy Policy — Poper Quiz App for Shopify
Effective date: 2026-04-28 Last updated: 2026-04-28
This Privacy Policy describes how Latracal Solutions Pvt. Ltd. (Poper) ("we", "us", "our") — the developer of the Poper Quiz App for Shopify (the "App") — collects, uses, and shares information when a Shopify merchant installs the App or when a customer of that merchant interacts with a quiz the merchant has built using the App.
1. Who is the data controller?
For data the App processes on behalf of a merchant (e.g. quiz response data, customer emails captured by a quiz), the merchant is the data controller and we act as a processor. For data we collect about the merchant directly (e.g. account login data, app usage telemetry), we are the controller.
2. What data we collect
From merchants (the Shopify store owner / staff)
| Data | Source | Purpose |
|---|---|---|
Shop domain (e.g. your-shop.myshopify.com) |
Shopify on app install | Identify which shop is using the App |
| Shop access tokens (online + offline) | Shopify OAuth | Authenticate API calls back to Shopify on the merchant's behalf |
| Quiz definitions you create | You enter via the App's admin UI | Render the quiz on your storefront |
| Integration credentials you enter (e.g. Mailchimp API key, webhook URL) | You enter via the Integrations tab | Forward quiz responses to the third-party services you have connected |
From storefront visitors (customers of the merchant)
| Data | When | Purpose |
|---|---|---|
| Quiz answers (text, choices, scale ratings) | When the visitor completes a quiz | Score the quiz, choose product recommendations, optionally fire integrations |
| Email address (if the quiz includes an email-input question) | When the visitor enters it | Display product recommendations, deliver to integrations like Klaviyo / Mailchimp / HubSpot if the merchant has connected them |
| Shop the quiz was taken on | Automatic from the storefront URL | Tenant-scope the response in our database |
| Submission timestamp | Automatic | Audit trail and analytics |
| IP address | Automatic, kept transiently for rate limiting | Prevent abusive submission patterns. Not persisted to the database. |
We do not collect:
- Names, addresses, or phone numbers, unless the merchant explicitly adds a question that asks for them
- Browser fingerprints or behavioral tracking
- Third-party advertising identifiers
- Payment information (the App does not process payments)
3. How we use the data
- To operate the App. Render quizzes, save responses, return product recommendations, sync data to merchant-connected integrations.
- To support merchants. Diagnose issues you report and improve the App's reliability.
- To comply with the law. Respond to lawful requests from authorities, prevent fraud, enforce our Terms of Service.
We do not sell or rent data, and we do not use the data to train AI models or for any purpose other than the ones above.
4. Where the data is stored
- App database (Postgres): hosted at Hetzner, Falkenstein, Germany (EU).
- Session storage (Postgres): hosted at Hetzner, Falkenstein, Germany (EU) for the embedded admin app.
- Shopify: Shopify retains its own copy of customer/order data per its own privacy commitments.
5. Sub-processors
We share data only with the following sub-processors, each listed by purpose:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Shopify | Hosts the storefront and merchant admin where the App runs | Shop domain, OAuth tokens |
| Hetzner (Falkenstein, Germany) | Hosts the App admin UI, webhook endpoints, and database | All inbound request data, quiz responses, definitions, tokens |
| Cloudflare | DNS for findr.poper.ai |
Domain resolution metadata only (TLS terminates on our Hetzner server, not at Cloudflare) |
Integrations (Klaviyo, Mailchimp, HubSpot, Slack, Zapier, Google Sheets, Custom Webhook) are not sub-processors — they are independent third-party services that the merchant connects directly. When the merchant enables one, the data forwarded to it is governed by that service's own privacy policy and the merchant's contract with them. We act as a conduit only.
6. How long we keep the data
| Data | Retention |
|---|---|
| Quiz definitions | While the merchant has the App installed |
| Quiz responses | While the merchant has the App installed (merchant can also delete via their admin Responses tab) |
| Shopify session + access tokens | Deleted on app uninstall |
| Server logs (no PII, IPs scrubbed) | 30 days |
| Backups | 30 days, then permanently deleted |
7. GDPR / customer rights
If you are an end customer who took a quiz on a merchant's storefront and want to exercise your data-protection rights (access, deletion, portability, correction), contact the merchant directly — they are the controller and have the authority to act. Shopify offers them tools to do this; we honor those requests automatically:
- Access request: the merchant fires Shopify's
customers/data_requestwebhook → we return every quiz response we have for the email within 30 days. - Deletion request: the merchant fires Shopify's
customers/redactwebhook → we hard-delete every response row matching the email immediately.
If you cannot reach the merchant, contact us at privacy@poper.ai.
If you are a merchant, on uninstall we wipe your access tokens immediately and (48 hours later, per Shopify's shop/redact webhook) wipe your quiz definitions and responses.
8. Cookies
The App's storefront embed does not set any first-party cookies. Shopify's own session cookies are subject to Shopify's privacy policy. The embedded admin app uses session cookies that Shopify's App Bridge manages on our behalf — these are essential for the admin UI to authenticate.
9. International transfers
Quiz response data is stored in Falkenstein, Germany (EU). If you are accessing the App from outside this region, your data will cross borders to reach us. We rely on Shopify's existing transfer mechanisms (typically Standard Contractual Clauses) for EU/UK personal data.
10. Children's privacy
The App is not directed at children under 13 (or the equivalent minimum age in the merchant's jurisdiction). Merchants must not configure quizzes that knowingly collect data from children.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced on this page with a new "Last updated" date. For changes that affect existing data processing, we will email installed merchants 30 days before the change takes effect.
12. Contact
Latracal Solutions Pvt. Ltd. (Poper) Postal address: provided on request via privacy@poper.ai Email: privacy@poper.ai