Saga StackBuilder
Saga StackBuilder (“the App,” “we,” “us,” or “our”) is a Shopify application that lets merchants group existing products into goal-based bundles (“stacks”) and add a storefront widget that offers those stacks to shoppers in one click.
This policy explains what personal and store data the App accesses, why we process it, how it is stored and protected, how long we keep it, and the choices and rights available to you. It applies to the App and its associated services only. It does not cover Shopify itself, the merchant store the App is installed on, or any third-party website, which are governed by their own privacy notices.
This policy concerns three groups of people and data:
We collect only the data needed to operate the App. We request the minimum Shopify access scopes required: read access to products and read access to orders. We do not request write access to products or orders, and we do not request theme scopes.
| Data | Purpose |
|---|---|
| Store domain and Shopify store ID | Identify your store and scope all of your data to your account. |
| Store name, contact email, primary currency, time zone | Display the App correctly, format figures, and contact you about the service. |
| Shopify access token and granted scopes | Authenticate API calls to Shopify on your behalf. Stored encrypted at rest (see Section 11). |
| Subscription & billing status | Manage your plan, trial period, and access to features. Charges are processed by Shopify Billing, not by us. |
| App settings you configure | Store your stack definitions, widget appearance, and placement preferences. |
To render product pickers and the storefront widget quickly, the App keeps a mirror cache of your catalog: product titles, handles, images, prices, inventory availability, variants (including selling-plan/subscription indicators), and tags. Shopify remains the source of truth; the cache is kept current through product webhooks and can be rebuilt at any time.
When order attribution is enabled, the App receives order webhooks from Shopify and reads the fields needed to attribute revenue to stacks: the order identifier, order total and currency, and line items (including the stack identifier the widget attaches to items it adds). We do not build a full mirror of your orders and we do not store customer names, email addresses, shipping addresses, or payment details. We store only order identifiers, monetary totals, currency, and the internal product references involved.
On a merchant’s storefront, the widget records aggregate interaction events — impressions, clicks, and add-to-cart actions — each tied to a first-party, anonymous session identifier. This identifier is a random value used solely to connect a single visitor’s actions for attribution. It contains no name, email, address, or other directly identifying information. Its use is described further in Section 6.
We use the information above to:
We do not sell personal information, and we do not use it for advertising or cross-context behavioral advertising.
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
For storefront shopper data, the merchant is the controller and determines the applicable legal basis; we process this data on the merchant’s documented instructions.
The anonymous session identifier described in Section 3.4 is a behavioral attribution identifier. Although it stores no directly identifying details, we treat it as subject to privacy and consent rules rather than claiming it is exempt.
The widget respects the merchant’s existing consent signal where one is exposed (for example, through Shopify’s Customer Privacy API or a consent banner). If analytics consent has not been given, the widget still renders and can still add items to the cart, but it suppresses the tracking beacon rather than firing it. In that case, attribution simply undercounts — metrics are treated as a meaningful lower bound.
We do not claim to store no personal data of any kind. We claim that we store no customer PII and use only an anonymous, consent-respecting attribution identifier. Merchants are responsible for displaying any consent mechanism their jurisdiction requires and for disclosing the App’s analytics in their own storefront privacy notice.
Order data accessed through Shopify may fall under Shopify’s Protected Customer Data requirements. We access order data only after the required Shopify approval is in place, limit our use of it to the attribution features described in this policy, retain only the minimal fields listed in Section 3.3, and apply the security and retention controls in Sections 11 and 12. We do not use order data to identify individual shoppers or for any purpose unrelated to the merchant’s analytics.
| Provider | Function | Data involved |
|---|---|---|
| Shopify Inc. | Platform, authentication, webhooks, App Proxy, billing | Store, catalog, order, and subscription data |
| Railway (application hosting & PostgreSQL database) | Runs the App and stores its database | All App data described in Section 3 |
We require each provider to safeguard data consistent with this policy and applicable law.
Our service providers may process data in countries where they operate, including the United States and other countries. Where personal data is transferred outside jurisdictions with applicable data transfer restrictions (such as the EEA or the UK), we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses or equivalent legal mechanisms provided by our service providers.
We apply technical and organizational measures appropriate to the data we hold, including:
No method of transmission or storage is completely secure. While we work to protect your data, we cannot guarantee absolute security.
We keep data only as long as needed for the purposes in this policy:
We may retain limited records longer where required for legal, accounting, or security purposes, kept to the minimum necessary.
Depending on where you live, you may have rights over your personal information, including to access, correct, delete, port, or restrict its processing, to object to processing, and to withdraw consent. Where the CCPA/CPRA applies, you have rights to know, delete, and correct, and a right not to be discriminated against for exercising them; note that we do not sell or share personal information for cross-context behavioral advertising.
Merchants can exercise many of these rights directly by managing their data in the App or by uninstalling it. For storefront shoppers, the merchant is the controller and is the primary point of contact; we will assist merchants in responding to such requests. To make a request to us directly, contact us using Section 16. We may need to verify your identity, and we will respond within the timeframe required by applicable law.
The App is a business tool intended for merchants and is not directed to children. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us so we can delete it.
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify merchants through the App or by email. Your continued use of the App after an update takes effect constitutes acceptance of the revised policy.
For privacy questions or to exercise your rights, contact:
SK Labs
Kalyanpur Kanpur, Uttar Pradesh, India - 208016
Email: sa39in12th@gmail.com
If you are in the EEA or UK and believe we have not addressed your concern, you may lodge a complaint with your local data protection authority.