Privacy Policy

1. Who We Are

Honestly ("we," "us," "our") is a Shopify application operated by Dromai. We embed verified social media content from TikTok, YouTube, Reddit, and Instagram on Shopify product pages to provide authentic social proof.

If you are located in the European Economic Area (EEA) and have questions about your data, please contact us at lets@usehonestly.com.

2. Scope

This Privacy Policy applies to:

• Merchants who install and use the Honestly app through the Shopify App Store
• Storefront visitors who interact with the Honestly widget on merchant product pages
• Social media content creators whose publicly available content may be displayed through the widget

This policy does not apply to data collected by Shopify itself. For Shopify's data practices, please refer to Shopify's Privacy Policy.

3. Data We Collect

3.1 Merchant Data

When you install Honestly, we collect:

API Scope: We request only the write_products scope. We do not access customer data, order data, financial data, or any other merchant data beyond product information.

3.2 Storefront Visitor Data

When a visitor views a product page with the Honestly widget, we collect anonymous interaction events only:

All widget analytics are aggregated and anonymous. There is no way to trace any event back to an individual visitor.

3.3 Analytics Data

We collect anonymous usage analytics via PostHog to improve the product. A generated anonymous ID (not linked to your real identity) tracks interactions like button clicks, feature usage, and search events within the extension. Analytics data is routed through our proxy (k.usehonestly.com) to PostHog.

We do not sell analytics data or use it for advertising.

3.4 Payment Data

Payments are processed by Stripe. We never store your credit card information. Stripe receives your email address and payment details to process transactions. We store your subscription status, plan type, and billing period in our database.

Stripe's handling of payment data is governed by Stripe's Privacy Policy.

3.5 Transactional Emails

We use Resend to send transactional emails including subscription confirmations and usage limit notifications. Your email address is shared with Resend solely for delivering these emails. We do not send marketing emails.

3.6 Usage Tracking

We track the number of product searches per billing period to enforce free plan limits. This count is stored in our database and tied to your account.

3.7 Public Social Media Content

We collect and store publicly available social media content, including:

• Post/video titles and text content
• Video transcripts
• Author usernames (public handles, not private identities)
• Public engagement metrics (views, likes, comments)
• Thumbnails and media URLs
• Public comments and replies

All content is sourced from public posts on TikTok, YouTube, Reddit, and Instagram. We do not access private accounts, direct messages, or non-public content.

3.8 AI-Generated Data

We generate and store:

• Sentiment and attribute scores for social content (generated by AI analysis)
• Content relevance rankings
• Vector embeddings of public social content (for semantic search)
• AI conversation history from the "Ask Honestly" feature

4. How We Use Your Data

5. Third-Party Services (Sub-Processors)

We use the following third-party services to operate Honestly:

No customer or visitor personal data is sent to any third-party service. AI services receive only public social media content and merchant-initiated queries.

AI Model Training: Neither Anthropic, OpenAI, nor Google use data sent via their APIs to train their models.

Service Limitation: None of our third-party service providers are authorized to use your data beyond providing their respective service to us.

6. Data Retention

Upon app uninstall, we mark your store as inactive and delete all associated data within 30 days. If you require immediate deletion, contact us at lets@usehonestly.com.

7. Data Subject Rights

For Merchants (and EEA/UK Individuals)

Under the GDPR and UK GDPR, you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase your data — "right to be forgotten" (Art. 17)
• Restrict processing of your data (Art. 18)
• Data portability — receive your data in a structured, machine-readable format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Withdraw consent at any time where processing is based on consent
• Lodge a complaint with your local data protection authority

For California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

• Know what personal information we collect and how it is used
• Delete your personal information
• Opt out of the sale or sharing of personal information
• Non-discrimination for exercising your privacy rights

We do not sell or share personal information as defined under the CCPA/CPRA.

For All Individuals

To exercise any of these rights, email us at lets@usehonestly.com. We will respond within:

• 30 days for GDPR requests
• 45 days for CCPA/CPRA requests

For Storefront Visitors

Because we do not collect any personal information from storefront visitors (no IP addresses, no identifiers, no cookies), there is no personal data to access, correct, or delete. All widget analytics are fully anonymous and cannot be linked to any individual.

8. International Data Transfers

Our services are hosted in the United States. If you are located in the EEA, UK, or Switzerland, data transferred to the US is protected by:

• Standard Contractual Clauses (SCCs) incorporated into our sub-processors' data processing agreements
• Anthropic's DPA with SCCs
• OpenAI's DPA with SCCs
• Supabase's DPA (AWS infrastructure, SOC 2 Type II certified)

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit: All data transmitted over HTTPS/TLS
• Authentication: Shopify OAuth with session tokens; HMAC signature verification on all App Proxy requests
• Access control: Row-Level Security (RLS) policies on all database tables; service-role keys never exposed to client-side code
• Infrastructure: Managed hosting on Render and Supabase with automated security updates
• Monitoring: Application logging and error tracking

In the event of a data breach, we will:

• Notify Shopify within 24 hours (per Shopify API Terms)
• Notify the relevant supervisory authority within 72 hours (per GDPR Art. 33)
• Notify affected merchants without undue delay

10. Children's Privacy

Honestly is a business-to-business service for Shopify merchants. We do not knowingly collect personal information from children under the age of 16 (or 13 where applicable). If you believe a child has provided us with personal information, please contact us at lets@usehonestly.com and we will delete it promptly.

11. Cookies and Tracking Technologies

We do not use cookies.

The Honestly widget uses browser localStorage solely to cache product content for performance (30-minute expiry). This cache contains only public social media content — never personal information. No tracking cookies, pixels, or fingerprinting technologies are used.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify merchants via the Honestly admin dashboard or email

Your continued use of Honestly after changes are posted constitutes acceptance of the updated policy.

13. Shopify's Role

Shopify provides the platform on which Honestly operates. Shopify is not responsible for the Honestly application, its data practices, or any issues arising from its use. For Shopify's own privacy practices, see Shopify's Privacy Policy.