ShopShift .

§ 02 · Legal

Privacy Policy.

Last updated · 2026-05-07

1. Who we are.

ShopShift is operated by SVEA IT (CVR-no. 36606061), Denmark. This Privacy Policy describes how we handle personal data in two distinct situations: (a) when you use the ShopShift dashboard as a Customer (a webshop merchant), and (b) when our snippet runs on a webshop you visit, as a Visitor.

2. Important: which privacy policy applies?

When you visit a webshop that has the ShopShift snippet installed, the operator of that webshop is the data controller for the data the snippet captures about your visit. Their privacy policy applies to that data — not this one.

ShopShift acts as their data processor (in GDPR terms): we process visitor data only to provide the service the merchant has contracted with us. We cannot directly respond to data-subject requests from end-users of customer webshops; please contact the operator of the website you visited. We will support their requests as data processor.

This Privacy Policy applies to (a) Customer accounts on shopshift.io and (b) limited operational telemetry we collect on our own behalf (security logs, error tracking).

3. Customer data (you, the merchant).

When you sign up for a ShopShift account we collect your email address, the URL of the webshop you connect, payment-method details collected by our billing processor (Stripe — we never see or store your full card number), and any optional profile information you provide. We process this data on the legal basis of contract — it is necessary to provide the service. We retain Customer data for as long as your account is active and for up to ninety days after termination.

4. Visitor data captured by the snippet.

For transparency, here is what the snippet captures when it runs on a merchant's webshop, irrespective of which privacy policy applies:

  • The page URL viewed and the time of the view.
  • The visitor's clicks, including the text and CSS selector of the clicked element (so we can attribute conversions to a specific element).
  • Time spent on the page and scroll-depth events.
  • Viewport dimensions and a coarse device bucket (mobile / tablet / desktop).
  • An opaque random identifier ("visitor_uid"), stored in localStorage and a first-party cookie on the merchant's domain, used to recognize repeat visits to the same shop.
  • Country, derived from the IP address at the request boundary. The IP itself is never persisted.
  • Referring URL and standard click-ID parameters (gclid, fbclid, msclkid, ttclid) for attribution analytics.

The snippet does NOT capture: form-field values, payment-card data, account credentials, cross-site tracking identifiers, biometric data, or any data the visitor types into form inputs. Payment fields are excluded by design (forms with autocomplete `cc-*` or `name`/`id` matching common card patterns emit no events at all).

The snippet honors standard consent signals before tracking: Global Privacy Control (`navigator.globalPrivacyControl`), the IAB TCF v2 API, and any consent-banner platform the merchant has installed. If consent is not present, the snippet runs no tracking and no experiments.

5. Data retention.

Raw visit and event records are retained for ninety (90) days, then permanently purged. Aggregated, de-identified rollups (daily statistics, per-page behavior, experiment results, declared winners) are retained indefinitely. Customer profile data is retained for the life of the account plus ninety days. AI call logs (which capture model usage and cost, not visitor PII) are retained for the life of the account.

6. Subprocessors.

We use a small set of subprocessors to deliver the service (hosting, AI inference, snippet CDN, billing, error tracking, geolocation lookup). The current list is published on a separate page and is updated whenever a vendor changes: shopshift.io/subprocessors . We will give existing Customers at least thirty days' notice of any new subprocessor we engage that processes Customer or Visitor data.

7. Your rights under GDPR (EU/EEA/UK residents).

You have the right to access, rectify, port, or erase your personal data, to restrict or object to processing, and to lodge a complaint with a supervisory authority. For Customer data, you can exercise most of these rights from the dashboard; for anything that requires manual handling, write to privacy@shopshift.io . For Visitor data, your primary contact is the merchant operating the webshop you visited (the data controller, see Section 2).

8. Your rights under CCPA/CPRA (California residents).

California residents have the right to know what personal information we collect, to delete it, to correct it, and to opt out of "sale" or "sharing" of personal information (we do not sell or share visitor data). Requests can be made to privacy@shopshift.io . We honor Global Privacy Control as an opt-out signal automatically.

9. International transfers.

Our infrastructure is hosted in the EU. Some subprocessors (notably OpenAI for AI inference and Stripe for billing) may process data in the United States. Such transfers rely on the EU Standard Contractual Clauses or other lawful transfer mechanisms.

10. Security.

We use industry-standard encryption in transit (TLS 1.2+), encryption at rest, principle-of-least-privilege access controls, and audit logging. No system is perfectly secure; if we become aware of a breach affecting your data we will notify you and the relevant authorities as required by law.

11. Changes to this Policy.

We will announce material changes by email and via a dashboard banner at least thirty days before they take effect. Minor edits (clarifications, typos) will be reflected in the "Last updated" date at the top of this page.

12. Contact.

Privacy questions, data-subject requests, or DPA requests: privacy@shopshift.io . ShopShift is operated by SVEA IT (CVR 36606061), Denmark.