Privacy Policy
Last updated: 4/27/2026
1. Introduction
Fidras ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share information about you when you use our Shopify application.
2. Information We Collect
When you install and use our app, we collect:
- Store Information: Shop name, domain, email, and settings
- Customer Data: Names, email addresses, order history, and shopping behavior (from your Shopify store)
- Order Data: Order details, products purchased, and transaction information
- Analytics Data: Usage patterns, engagement metrics, and performance data
3. How We Use Your Information
We use the collected information to:
- Provide customer segmentation and analytics
- Generate AI-powered business insights
- Send automated marketing emails (abandoned cart, welcome emails, etc.)
- Calculate customer lifetime value and RFM scores
- Improve our services and user experience
4. Data Sharing
We do not sell your data. We may share data with:
- Service Providers: Email services (SendGrid), AI services (DeepSeek), WhatsApp messaging (Meta Cloud API) for functionality
- Legal Requirements: When required by law or to protect our rights
5. Data Retention
We retain your data as long as your app is installed. When you uninstall the app, we delete all associated data within 48 hours as required by Shopify's GDPR requirements.
6. Your Rights (GDPR)
You have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request deletion of your data
- Object to data processing
- Data portability
To exercise these rights, contact us at the email below.
7. Security
We implement industry-standard security measures including encryption, secure connections (HTTPS), and access controls to protect your data.
8. Contact Us
For privacy-related questions or requests, contact us at:
Email: catalystiq.ae@gmail.com
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page.
10. WhatsApp Business Messaging
Our app integrates with Meta's WhatsApp Cloud API to enable store owners to send transactional and marketing messages to their customers via WhatsApp. Store owners connect their own WhatsApp Business Account through a secure Facebook OAuth flow. Messages are sent from the store owner's WhatsApp Business phone number to their customers on their behalf.
We act as a technology provider facilitating messaging between store owners and their customers. We do not independently contact end users; all messages are initiated by or on behalf of the store owner.
11. WhatsApp Data We Collect
When a store owner connects their WhatsApp Business Account, we collect and store:
- WhatsApp Business Account ID: To identify the connected business account
- Phone Number ID: To send messages via the WhatsApp Cloud API
- Display Phone Number: For display purposes in the app dashboard
- OAuth Access Token: To authenticate API requests (stored securely, never shared)
- Customer Phone Numbers: Provided by the store owner for message delivery
- Message Logs: Message content, delivery status, read receipts, and timestamps
We do not access or store Facebook profile data, friend lists, or any personal Facebook account information beyond the WhatsApp Business Account details required for messaging.
12. WhatsApp Data Usage and Retention
WhatsApp data is used exclusively for:
- Sending transactional messages (order confirmations, shipping updates)
- Sending marketing messages (abandoned cart reminders, welcome messages) with customer consent
- Providing message delivery analytics to the store owner
Retention: WhatsApp message logs are retained for 180 days and then automatically deleted. OAuth access tokens are deleted immediately when a store owner disconnects their WhatsApp account or uninstalls the app. All WhatsApp data is deleted within 48 hours of app uninstallation.
13. Meta/Facebook OAuth
To connect WhatsApp Business, store owners authorize our app via Facebook Login. We request the following permissions:
- whatsapp_business_management: To read WhatsApp Business Account details and phone numbers
- whatsapp_business_messaging: To send WhatsApp messages on behalf of the store
- business_management: To discover the business associated with the WhatsApp Business Account
We do not request access to personal Facebook data. Store owners can revoke access at any time by disconnecting WhatsApp from within our app or by removing the app from their Facebook Business settings. Upon disconnection, all stored credentials and tokens are immediately deleted.
14. Data Deletion Requests
In compliance with Meta Platform Terms and GDPR, we provide multiple ways to request data deletion:
- In-app: Store owners can disconnect their WhatsApp account at any time from the Integration settings page. This immediately deletes all stored tokens and credentials.
- App uninstall: When a store owner uninstalls the Fidras app from Shopify, all associated data (including WhatsApp credentials, message logs, and customer data) is deleted within 48 hours.
- Data Deletion Callback: We provide a data deletion callback endpoint at https://fidras.onrender.com/api/gdpr/delete for automated deletion requests from the Meta platform.
- Email request: You can email us at catalystiq.ae@gmail.com to request deletion of all your data. We will process the request within 30 days.
Upon receiving a data deletion request, we delete the following: OAuth access tokens, WhatsApp Business Account credentials, phone number IDs, message logs, and any other data associated with the requesting user or business.
15. Customer Consent for WhatsApp Messages
WhatsApp messages are only sent to customers who have explicitly opted in to receive notifications. Consent is collected through:
- Shopify checkout SMS/marketing opt-in checkbox
- Account registration marketing consent
- Store-specific opt-in forms
Customers can opt out at any time by replying "STOP" to any WhatsApp message. Our system immediately processes the opt-out, marks the customer as unsubscribed, and stops all future messages. We also honor unsubscribe requests made through the store's customer account page or via email to our support address.
16. Meta Platform Data Policy Compliance
We comply with the Meta Platform Terms and Developer Policies. Specifically:
- We do not sell, license, or purchase any data obtained from Meta
- We do not transfer Meta data to any data broker or advertising network
- We do not use Meta data for purposes unrelated to our app's functionality
- We do not store Meta data longer than necessary for our app's functionality
- We implement reasonable security measures to protect all stored data
- We delete all Meta-related data when a user disconnects or requests deletion
17. Meta Ads Manager Integration
Our app integrates with Meta's Marketing API to allow merchants to manage their Facebook and Instagram ad campaigns directly from our dashboard. Merchants connect their Meta ad account through a secure Facebook OAuth flow. All campaigns, ad sets, and ads are created on behalf of the merchant under their own Meta ad account.
18. Meta Ads Data We Collect
When a merchant connects their Meta Ads account, we collect and store:
- Meta Ads OAuth Access Token: To authenticate API requests on the merchant's behalf (stored securely, never shared)
- Ad Account ID: To identify which Meta ad account to manage
- Connected Email Address: For display purposes in the merchant dashboard
- Granted Scopes: To track which permissions the merchant has authorized
- Connected Facebook Page IDs: To associate ads with the merchant's Pages
- Token Expiration Date: To refresh tokens before expiry
We also temporarily process (without long-term storage) ad performance metrics returned by Meta's API such as impressions, clicks, spend, and conversion data.
19. Meta Ads Data Usage and Retention
Meta Ads data is used exclusively for:
- Reading ad campaign performance for the merchant's analytics dashboard
- Creating, editing, and pausing ad campaigns at the merchant's request
- Looking up ad account currency and Facebook Pages owned by the merchant
- Maintaining an audit log of campaign management actions for accountability
Retention: OAuth access tokens are deleted immediately when a merchant disconnects their Meta Ads account or uninstalls the app. Audit logs are retained for 90 days. All Meta-related data is deleted within 48 hours of app uninstallation.
20. Meta Ads OAuth Scopes Requested
We request the following permissions during the Meta Ads connection flow:
- ads_read: To read ad performance, campaigns, and account information for analytics
- ads_management: To create, edit, pause, resume, and delete campaigns, ad sets, and ads on behalf of the merchant
- business_management: To discover the merchant's connected ad accounts
- pages_show_list: To display the merchant's Facebook Pages so they can pick which Page to associate with their ads
- pages_read_engagement: To verify Page ownership before associating it with ads
- pages_manage_ads: To create ad creatives associated with the merchant's Facebook Page
We do not request access to personal Facebook data, friends lists, or any private profile information.
21. Meta Ads Compliance
We comply with the Meta Platform Terms, Meta Marketing API policies, and the Facebook Advertising Policies. Specifically:
- All ads are created in PAUSED status by default; merchants explicitly choose when to activate them
- We do not auto-publish ads without merchant action
- We do not bypass Meta's ad review process
- We maintain an audit log of every create, edit, and delete action for accountability and abuse prevention
- We rate-limit API calls and implement exponential backoff to respect Meta's rate limits
- We do not sell, license, or transfer Meta Ads data to any third party