echomate
Codes that echo back
Privacy Policy
Last updated: April 28, 2026
1. Who We Are
echomate is a Shopify app developed by Valerian Huber, operating under the brand Alpin-Code (alpin-code.de). echomate provides store health monitoring, QR code generation, short link tracking, and analytics for Shopify merchants.
2. What Data We Collect
Merchant Data (Shopify Store Owners)
- Shop domain — Your myshopify.com domain, used to identify your store
- Session tokens — Encrypted Shopify session data for authentication
- Settings — Your app configuration (scan frequency, QR branding, etc.)
- QR codes & links — The QR codes and short links you create
End-User Data (People Scanning QR Codes / Clicking Links)
- IP address — Hashed (SHA-256) and truncated daily for privacy. We never store raw IP addresses.
- Country — Derived from Cloudflare headers (cf-ipcountry), not from IP geolocation
- Device type, browser, OS — Extracted from the User-Agent header
- Referrer — Sanitized (query params and fragments stripped)
- Timestamp — When the scan or click occurred
3. What Data We Do NOT Collect
- We do not use cookies on redirect pages
- We do not collect names, email addresses, or personal identifiers of end-users
- We do not sell data to third parties
- We do not use the data for advertising
- We do not store raw IP addresses (only daily-rotated hashes)
4. How We Use Data
- Analytics — Aggregate scan/click counts, device breakdowns, country distribution
- A/B Testing — Random variant selection (no user profiling)
- Rate Limiting — Prevent abuse (IP-based, in-memory only)
- Store Health — Google PageSpeed API calls on merchant's behalf
5. Data Storage & Security
- Data is stored in Supabase (PostgreSQL) with Row-Level Security (RLS) enabled
- All connections use HTTPS/TLS
- API keys are stored as SHA-256 hashes (never in plain text)
- Shopify session tokens are encrypted
- Our server runs on a dedicated VPS with Docker containerization
6. Data Retention
- Free plan: Analytics data retained for 7 days
- Growth plan: Analytics data retained for 180 days
- Pro plan: Analytics data retained indefinitely (until uninstall)
- A daily cron job automatically deletes expired analytics data
- When you uninstall the app, your data is retained for 30 days (in case of reinstall), then permanently deleted
7. Third-Party Services
- Shopify — Authentication, billing, webhooks
- Supabase — Database hosting (EU region)
- Resend — Transactional email delivery to merchants (e.g. weekly scan summaries, alerts). Only the merchant's email address and message body are transmitted.
- Google PageSpeed Insights API — Store health scanning (merchant-initiated only)
- Google Analytics 4 — Optional, merchant-configured for their own GA4 property
- Facebook Pixel / Google Ads — Optional retargeting, merchant-configured
8. GDPR Compliance
We comply with the General Data Protection Regulation (GDPR):
- We process data based on legitimate interest (analytics for merchants) and consent (merchants install the app voluntarily)
- We support Shopify's mandatory GDPR webhooks:
customers/data_request— We respond with any data we holdcustomers/redact— We delete customer-related datashop/redact— We delete all shop data
- End-users can request data deletion by contacting the merchant or us directly
9. Your Rights
As a merchant or end-user, you have the right to:
- Access the data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Object to data processing
- Export your data (available via CSV export and REST API)
10. Contact
For privacy inquiries, data requests, or questions:
Email: help@alpin-code.de
Developer: Valerian Huber
Brand: Alpin-Code (alpin-code.de)