Privacy Policy
Effective date: April 8, 2024 Last updated: April 7, 2026
1. About this app
Section titled “1. About this app”tt-blocks (“we”, “us”, “the App”) is a Shopify app that lets merchants compose visual blocks (badges, buttons, coupons, payment icons, brand icons, text, label chips) and render them on the storefront via a theme app extension. The App is operated by Tantou AI.
This Privacy Policy describes what data we receive when the App is installed, how we use it, where it is stored, and your rights regarding that data.
2. Information we receive
Section titled “2. Information we receive”2.1 From Shopify (merchant store)
Section titled “2.1 From Shopify (merchant store)”When the App is installed on a Shopify store, we receive the following data through authenticated Shopify APIs:
- Store-enabled languages — to support multi-language widget content
- Read-only theme files — to derive style data and identify where widgets render in the theme
- Product, collection, and variant metadata — read for visibility rules; we also write widget configuration back to product metafields
- Product inventory levels — for inventory-based visibility rules
- Public product and inventory data — for widget rendering on collection pages
We do not request access to customer personal data, orders, or payment information.
2.2 From storefront visitors
Section titled “2.2 From storefront visitors”When a block renders on a storefront page, the App’s storefront script evaluates visibility rules in the visitor’s browser. Depending on what the merchant configures, this may involve reading from page context:
- Page URL and UTM parameters
- Customer login state (logged in / logged out)
- Customer tags, total spent, order count (only if the merchant configures customer-targeted visibility rules)
- Country, device type, browser language
This information is read from the visitor’s browser context only and is not transmitted to our servers, except in aggregated, non-identifiable form for analytics (see Section 4).
3. How we use information
Section titled “3. How we use information”We process personal data on the following legal bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)) — to provide and operate the App as agreed in the Terms of Service
- Legitimate interests (Art. 6(1)(f)) — to maintain service quality, debug errors, and aggregate non-identifiable performance metrics
- Compliance with legal obligations (Art. 6(1)(c)) — to respond to Shopify’s mandatory privacy webhooks (see Section 7)
We use the data we receive to:
- Operate the editor and renderer — store and serve widget configuration, evaluate visibility rules
- Service operations — aggregate, non-identifiable performance metrics (impression count, click count, error counts)
- Compliance — respond to Shopify’s mandatory privacy webhooks (see Section 7)
We do not:
- Sell, rent, or share merchant or visitor data with advertisers or data brokers
- Build cross-shop visitor profiles
- Use the data for any purpose outside the App’s stated function
4. Where data is stored
Section titled “4. Where data is stored”Widget configuration, authentication sessions, and aggregated non-identifiable analytics events are stored on Cloudflare’s secure cloud infrastructure. A copy of the widget configuration is mirrored to Shopify metafields, which are owned by the merchant store.
Security measures — Data in transit is protected by TLS. Data at rest is encrypted by the underlying provider. Access to production infrastructure follows the principle of least privilege, and we conduct periodic security reviews.
International transfers — Data may be transferred and processed outside the European Economic Area (EEA) where Shopify and Cloudflare operate. Such transfers rely on the safeguards each provider maintains, including Standard Contractual Clauses (SCCs) and the EU–U.S. Data Privacy Framework where applicable.
5. Third parties
Section titled “5. Third parties”- Shopify — required for App operation; subject to Shopify’s Privacy Policy
- Cloudflare — infrastructure provider (compute, storage, CDN)
We do not share data with any other third parties.
6. Data retention
Section titled “6. Data retention”| Event | Behavior |
|---|---|
| Active installation | Widget configuration retained for the lifetime of the App installation |
| Merchant uninstalls App | When Shopify notifies us of the uninstall, merchant data is deleted within 30 days (in line with Shopify’s shop/redact requirement) |
| Customer data request | See Section 7 |
7. Your privacy rights
Section titled “7. Your privacy rights”7.1 GDPR data subject rights
Section titled “7.1 GDPR data subject rights”If you are a resident of the European Economic Area (EEA), you have the following rights under GDPR Articles 15–22:
- Right of access — confirm whether we hold your personal data and obtain a copy
- Right to rectification — correct inaccurate data
- Right to erasure (“right to be forgotten”) — request deletion
- Right to restriction — limit how we process your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right not to be subject to automated decision-making — see Section 7.3
- Right to lodge a complaint — file a complaint with your local supervisory authority
In compliance with Shopify’s mandatory privacy webhooks, the App responds to:
| Shopify webhook | Our response |
|---|---|
customers/data_request | Provide an export of any data we hold about the customer. Typically none — we do not store customer PII. |
customers/redact | Delete any data we hold about the customer. Typically none. |
shop/redact | Delete all data associated with the merchant’s shop. |
Storefront visitors should contact the merchant first; the merchant routes the request to Shopify, which triggers the webhook to us. Merchants can also reach us directly at support@tantou.ai.
7.2 California residents (CCPA / CPRA)
Section titled “7.2 California residents (CCPA / CPRA)”If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by CPRA, including:
- The right to know what personal information we collect, use, and disclose
- The right to delete personal information we have collected
- The right to correct inaccurate personal information
- The right to opt out of the “sale” or “sharing” of personal information — we do not sell or share personal information
- The right to non-discrimination for exercising your rights
To exercise these rights, contact support@tantou.ai.
7.3 Automated decision-making
Section titled “7.3 Automated decision-making”We do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.
8. Cookies and tracking
Section titled “8. Cookies and tracking”- Admin UI (embedded in Shopify Admin) — relies on Shopify’s own session cookies for authentication; these are set by Shopify, not by us. We do not set our own cookies in the admin and do not use third-party tracking cookies.
- Storefront script — does not set cookies and does not use fingerprinting techniques.
9. Children’s privacy
Section titled “9. Children’s privacy”The App is not directed to children under 13 (or under 16 in the European Union, depending on member state law). We do not knowingly collect data from children.
10. Changes to this policy
Section titled “10. Changes to this policy”We may update this Privacy Policy from time to time. The “Last updated” date above reflects the latest revision. Material changes will be communicated to merchants at least 30 days in advance via the App interface or email; non-material updates take effect upon posting.
11. Contact
Section titled “11. Contact”For privacy questions, data subject requests, or complaints, contact:
- Email: support@tantou.ai