Privacy Policy
Last Updated: March 7, 2026 · Effective Date: March 7, 2026
1. Who We Are
Honestly ("we," "us," "our") is a Shopify application operated by Dromai. We embed verified social media content from TikTok, YouTube, Reddit, and Instagram on Shopify product pages to provide authentic social proof.
If you are located in the European Economic Area (EEA) and have questions about your data, please contact us at lets@usehonestly.com.
2. Scope
This Privacy Policy applies to:
- Merchants who install and use the Honestly app through the Shopify App Store
- Storefront visitors who interact with the Honestly widget on merchant product pages
- Social media content creators whose publicly available content may be displayed through the widget
This policy does not apply to data collected by Shopify itself. For Shopify's data practices, please refer to Shopify's Privacy Policy.
3. Data We Collect
3.1 Merchant Data
When you install Honestly, we collect:
| Data | Source | Purpose |
|---|---|---|
| Store domain | Shopify OAuth | Account identification |
| Store name | Shopify OAuth | Display in admin dashboard |
| OAuth access token | Shopify OAuth | Authenticated API access |
| Staff user name and email | Shopify session | Session management |
| Product data | Shopify Admin API | Product matching and widget display |
| Billing subscription status | Shopify Billing API | Subscription management |
| Support messages | In-app support form | Customer support |
API Scope: We request only the write_products scope. We do not access customer data, order data, financial data, or any other merchant data beyond product information.
3.2 Storefront Visitor Data
When a visitor views a product page with the Honestly widget, we collect anonymous interaction events only:
| Event | Metadata | Contains PII? |
|---|---|---|
| Widget impression | None | No |
| Widget opened | None | No |
| Card clicked | Source type | No |
| Source link clicked | Platform name, URL | No |
| Card visible | Card ID | No |
| Filter used | Filter type and value | No |
| Card dwell time | Duration in ms | No |
| Reply expanded | None | No |
| Quote viewed | Platform | No |
| Recommendation clicked | Attribute name | No |
| Widget scrolled | Scroll depth % | No |
| Panel closed | None | No |
We do NOT collect:
- IP addresses
- Names, emails, or any personal identifiers
- Device fingerprints or browser user agents
- Cookies for tracking
- Geolocation data
- Purchase or browsing history
- Any data that could identify an individual visitor
All widget analytics are aggregated and anonymous. There is no way to trace any event back to an individual visitor.
3.3 Public Social Media Content
We collect and store publicly available social media content, including:
- Post/video titles and text content
- Video transcripts
- Author usernames (public handles, not private identities)
- Public engagement metrics (views, likes, comments)
- Thumbnails and media URLs
- Public comments and replies
All content is sourced from public posts on TikTok, YouTube, Reddit, and Instagram. We do not access private accounts, direct messages, or non-public content.
3.4 AI-Generated Data
We generate and store:
- Sentiment and attribute scores for social content (generated by AI analysis)
- Content relevance rankings
- Vector embeddings of public social content (for semantic search)
- AI conversation history from the "Ask Honestly" feature
4. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing the Honestly service | Merchant account data, product data | Contract performance |
| Displaying social proof | Public social content, product data | Legitimate interest |
| Widget analytics | Anonymous interaction events | Legitimate interest |
| AI-powered insights | Aggregated analytics, social content | Contract performance |
| Billing management | Shopify billing data | Contract performance |
| Customer support | Support messages, store domain | Contract performance |
| Responding to legal requests | Store domain, webhook payloads | Legal obligation |
We do NOT use your data to:
- Train, fine-tune, or improve any AI or machine learning model
- Sell or rent to any third party
- Build advertising profiles
- Target advertisements
- Contact your customers
5. Third-Party Services (Sub-Processors)
We use the following third-party services to operate Honestly:
| Service | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database hosting | Oregon, USA |
| Render | Application and API hosting | Oregon, USA |
| Shopify | Platform, OAuth, Billing | Shopify infrastructure |
| Anthropic (Claude) | AI content analysis | USA |
| OpenAI | Text embeddings | USA |
| Google (Gemini) | Content relevance scoring | USA |
| Apify | Social media content scraping | Czech Republic / EU |
| Jina | Search engine result discovery | USA |
| Resend | Transactional email | USA |
No customer or visitor personal data is sent to any third-party service. AI services receive only public social media content and merchant-initiated queries.
AI Model Training: Anthropic, OpenAI, and Google do not use data sent via their APIs to train their models.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Merchant account data | Subscription + 30 days after uninstall |
| OAuth session tokens | Deleted immediately upon uninstall |
| Product data | Subscription + 30 days after uninstall |
| Widget interaction events | Subscription + 30 days after uninstall |
| Public social media content | While product is active; 30 days after deletion request |
| AI conversation history | Subscription + 30 days after uninstall |
| Content embeddings | Subscription + 30 days after uninstall |
| Support messages | 1 year from submission |
| Application server logs | 30 days |
Upon app uninstall, we mark your store as inactive and delete all associated data within 30 days. If you require immediate deletion, contact us at lets@usehonestly.com.
7. Data Subject Rights
For Merchants (and EEA/UK Individuals)
Under the GDPR and UK GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data — "right to be forgotten" (Art. 17)
- Restrict processing of your data (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with your local data protection authority
For California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Opt out of the sale or sharing of personal information
- Non-discrimination for exercising your privacy rights
We do not sell or share personal information as defined under the CCPA/CPRA.
For All Individuals
To exercise any of these rights, email us at lets@usehonestly.com. We will respond within:
- 30 days for GDPR requests
- 45 days for CCPA/CPRA requests
For Storefront Visitors
Because we do not collect any personal information from storefront visitors (no IP addresses, no identifiers, no cookies), there is no personal data to access, correct, or delete. All widget analytics are fully anonymous and cannot be linked to any individual.
8. International Data Transfers
Our services are hosted in the United States. If you are located in the EEA, UK, or Switzerland, data transferred to the US is protected by:
- Standard Contractual Clauses (SCCs) incorporated into our sub-processors' data processing agreements
- Anthropic's DPA with SCCs
- OpenAI's DPA with SCCs
- Supabase's DPA (AWS infrastructure, SOC 2 Type II certified)
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted over HTTPS/TLS
- Authentication: Shopify OAuth with session tokens; HMAC signature verification on all App Proxy requests
- Access control: Row-Level Security (RLS) policies on all database tables; service-role keys never exposed to client-side code
- Infrastructure: Managed hosting on Render and Supabase with automated security updates
- Monitoring: Application logging and error tracking
In the event of a data breach, we will:
- Notify Shopify within 24 hours (per Shopify API Terms)
- Notify the relevant supervisory authority within 72 hours (per GDPR Art. 33)
- Notify affected merchants without undue delay
10. Children's Privacy
Honestly is a business-to-business service for Shopify merchants. We do not knowingly collect personal information from children under the age of 16 (or 13 where applicable). If you believe a child has provided us with personal information, please contact us at lets@usehonestly.com and we will delete it promptly.
11. Cookies and Tracking Technologies
We do not use cookies.
The Honestly widget uses browser localStorage solely to cache product content for performance (30-minute expiry). This cache contains only public social media content — never personal information. No tracking cookies, pixels, or fingerprinting technologies are used.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify merchants via the Honestly admin dashboard or email
Your continued use of Honestly after changes are posted constitutes acceptance of the updated policy.
13. Shopify's Role
Shopify provides the platform on which Honestly operates. Shopify is not responsible for the Honestly application, its data practices, or any issues arising from its use. For Shopify's own privacy practices, see Shopify's Privacy Policy.
Contact Us
For any privacy-related questions or requests:
Email: lets@usehonestly.com
We aim to respond to all inquiries within 2 business days.