PartnerMetricsSHOPIFY · INTELLIGENCE
Sign Up

Privacy Policy

What data we collect, where it lives, and your rights

Last updated: 2026-05-18

This page explains what personal data PartnerMetrics collects, how we use it, who we share it with, where it lives, and how you control it. We sell nothing to third parties and we never touch merchant data. Read on for the long version.

Table of Contents

  1. Who We Are
  2. Data We Collect
  3. Legal Basis for Processing
  4. How We Use Your Data
  5. Data Sharing & Third Parties
  6. International Transfers
  7. Data Retention
  8. Your Rights
  9. Automated Decision-Making
  10. Cookies
  11. Security
  12. Data Breach Notification
  13. Children
  14. Changes to This Policy
  15. Contact

1. Who We Are

PartnerMetrics (“we”, “our”, “us”) is a service operated by Sevenhills Software LLP. PartnerMetrics provides competitive intelligence and analytics for Shopify app developers — including App Store rank tracking, competitor monitoring, AI-powered review analysis, and integration with each user’s own Shopify Partner API token for install and revenue metrics.

For the purposes of the EU General Data Protection Regulation (GDPR) and the Indian Digital Personal Data Protection Act, 2023 (DPDPA), Sevenhills Software LLP is the data controller of your personal data.

Registered Address
Sevenhills Software LLP
TCE-TBI, Madurai - 625016
Tamil Nadu, India

Data Protection Contact: privacy@partnermetrics.io
Grievance Officer: harish@binarychakra.com

2. Data We Collect

Account data

When you sign up, we collect your email address and, optionally, your name. This is necessary to create and manage your account.

Workspace and tracking configuration

When you add a Shopify app to track or a competitor to watch, we store the public app slug (e.g. apps.shopify.com/your-app), your alert preferences, and your selected categories. This is necessary to deliver the tracking and alerting features you signed up for.

Shopify Partner API tokens (optional)

If you choose to connect your Shopify Partner account, we store your Partner API access token and Partner Organization ID. These credentials are encrypted at rest using AES-256-GCM at the application layer, with the encryption key held outside the database, before storage and are used exclusively to fetch your own install, uninstall, revenue, MRR, churn, and subscription data from Shopify on your behalf.

Public App Store data

PartnerMetrics ingests publicly available data from apps.shopify.com— listing pages, category rankings, reviews — for every app in the Shopify App Store. This includes apps you do not own and have not connected. This data is public, does not identify individual merchants, and is governed by Shopify’s App Store terms and our crawl-budget policy. We do not scrape Shopify Partner Dashboard data and we do not access merchant accounts.

Usage and operational data

We collect aggregated usage metrics for your account: feature use, API call counts, and infrastructure health signals. This data is used to generate your dashboards and to investigate performance issues.

Billing data

Payment information is collected and processed by Lemon Squeezy (our payment processor and merchant of record). We store only a Lemon Squeezy customer ID and subscription status — we never store full card numbers.

Technical and log data

We collect standard web server logs including IP addresses, browser type, and pages visited. This data is used for security monitoring and is retained for 30 days.

3. Legal Basis for Processing

Under the GDPR, we process your personal data on the following grounds:

  • Contract performance (Art. 6(1)(b)) — processing your account data, tracking configurations, and Partner API tokens is necessary to deliver the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — security monitoring, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c)) — retaining billing records as required by Indian Companies Act, 2013 and GST law.
  • Consent (Art. 6(1)(a)) — for non-essential analytics cookies (you can withdraw consent at any time via our cookie banner) and for our optional outbound product update communications.

Legitimate Interests Assessment Summary

We rely on legitimate interests for: (a) security monitoring — detecting and preventing fraud, abuse, and unauthorised access to your account; (b) service improvement — analysing aggregated, anonymised usage patterns to improve performance and reliability; (c) public-data ingestion from the Shopify App Store, which is necessary for the core product function and processes only publicly-available business data. We have assessed that these interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 8).

4. How We Use Your Data

  • To provision, operate, and maintain your PartnerMetrics account
  • To fetch your install, revenue, and subscription data from your connected Shopify Partner organization
  • To generate your dashboards, alerts, and AI-summarized review insights
  • To process payments and manage subscriptions
  • To send transactional emails (account creation, password reset, alerts, billing notifications)
  • To investigate security incidents and prevent abuse
  • To improve our services (using aggregated, anonymised data)

5. Data Sharing & Third Parties

We do not sell your personal data. Ever.

We share data only with the following sub-processors, each bound by a Data Processing Agreement (DPA):

Sub-ProcessorPurposeLocation
SupabasePrimary database, authentication, and encrypted credential storage (AES-256-GCM at the application layer)EU (Frankfurt)
VercelApplication hosting and edge functionsUS (with EU SCCs)
Lemon SqueezyPayment processing and merchant of recordUS (with EU SCCs)
ResendTransactional email deliveryUS (with EU SCCs)
Amazon Web Services (SES)Outbound product update email deliveryUS (with EU SCCs)
AnthropicAI inference for review analysis and insight generationUS (with EU SCCs)

We may also share data with law enforcement or regulators where required by law or a valid legal process.

6. International Transfers

Our primary infrastructure (Supabase database) is located within the EU/EEA. Some sub-processors are based in the United States:

  • Vercel (US) — application data is transferred under EU Standard Contractual Clauses (SCCs).
  • Lemon Squeezy (US) — payment data is transferred under EU SCCs.
  • Resend / AWS SES (US) — transactional and outbound email data is transferred under EU SCCs.
  • Anthropic (US) — anonymized review text and prompt context is transferred under EU SCCs for AI inference; no personal identifiers are sent.

No personal data is transferred to countries without adequate protection unless appropriate safeguards (SCCs, adequacy decisions, or your explicit consent) are in place.

7. Data Retention

Data TypeRetention Period
Account dataRetained while active; deleted promptly upon account deletion
Tracking configurations & Partner API tokensDeleted when the integration is disconnected or the account is deleted
Historical Partner API data (installs, revenue)Retained while account is active; deleted on account deletion (historical data persists across disconnect/reconnect so dashboards survive)
Public App Store data (apps, reviews, rankings)Retained indefinitely as part of our public-data dataset (does not contain personal data about you)
Usage metrics90 days, then automatically purged
Billing records8 years (required under Indian Companies Act, 2013 and GST regulations)
Web server logs30 days

8. Your Rights

Under the GDPR and applicable Indian data protection laws, you have the following rights. To exercise any of them, email privacy@partnermetrics.io. We will respond within 30 days.

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — ask us to correct inaccurate data
  • Right to erasure — request deletion of your personal data. You can also delete your account directly from Settings → Danger Zone, which immediately purges all your data
  • Right to restriction — ask us to pause processing in certain circumstances
  • Right to data portability — download a structured, machine-readable JSON export of your personal-account data at any time from /api/account/export while signed in (analytics CSV/JSON exports are additionally available from your dashboard on paid plans)
  • Right to object — object to processing based on legitimate interests (Section 3)
  • Right to withdraw consent — for cookie-based analytics or outbound product update emails, withdraw consent at any time via the cookie banner or the unsubscribe link in any email

Complaints

If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant data protection authority:

  • India — You may contact us at privacy@partnermetrics.io or write to our Grievance Officer at our registered address. Once the Data Protection Board of India is constituted under the Digital Personal Data Protection Act, 2023, you may lodge complaints with them.
  • EU — Find your national Data Protection Authority at edpb.europa.eu/members

9. Automated Decision-Making

PartnerMetrics uses automated processing for the following purposes:

  • AI review analysis — automatically clustering, tagging, and summarizing Shopify App Store reviews using Claude (Anthropic). The output is informational and does not produce legal or similarly significant effects on you or any third party.
  • Cross-source insight generation — automatically correlating ranking, review, and Partner API data to surface insights. The output is informational; you decide whether to act on it.
  • Alert generation — automatically generating alerts when configured thresholds (rank change, competitor change, new review) are crossed.

We do not make any decisions based solely on automated processing that produce legal effects or similarly significantly affect you (Art. 22 GDPR). If you have concerns about any automated processing, contact privacy@partnermetrics.io.

10. Cookies

We use cookies and similar technologies. Below is a summary — see our full Cookie Policy for complete details.

TypeExamplesCan You Disable?
Strictly necessaryAuthentication session, cookie consent, Lemon Squeezy fraud preventionNo (required for the site to function)
FunctionalFirst-touch marketing attribution (appscope_attribution)Yes — via browser settings

We do not use advertising or tracking cookies. We do not share cookie data with advertisers.

11. Security

We implement industry-standard security measures including:

  • TLS encryption for all data in transit
  • AES-256-GCM encryption at rest for Shopify Partner API tokens and any other third-party credentials
  • Row Level Security (RLS) enforced at the database layer
  • Multi-factor authentication (MFA) required for super-admin access
  • Regular security scanning and dependency auditing

No system is 100% secure. If you discover a vulnerability, please report it responsibly to security@partnermetrics.io.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.
  • If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay via email and an in-app notice (GDPR Art. 34).
  • Our notification will include the nature of the breach, the data affected, likely consequences, and the measures taken to address it.

13. Children

PartnerMetrics is not directed at children under 18. We do not knowingly collect data from children. If we become aware that a child under 18 has provided us with personal data, we will:

  • Promptly delete the account and all associated data within 48 hours
  • Notify the parent or guardian if contact information is available

If you believe a child has created an account, please contact us immediately at privacy@partnermetrics.io.

14. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you by email or via an in-app notice at least 14 days before the changes take effect. The “Last updated” date at the top of this page will always reflect the most recent revision.

15. Contact

For any privacy-related questions or to exercise your data rights:

Email: privacy@partnermetrics.io
Post: Sevenhills Software LLP, TCE-TBI, Madurai - 625016, Tamil Nadu, India

End of Privacy Policy