Purvell

Legal

Privacy Policy

Last updated: July 12, 2025

1. Who we are

Purvell (“Purvell”, “we”, “us”, or “our”) operates the website at purvell.com and the ReviewPilot Shopify application available at app.purvell.com.

If you have questions about this policy, contact us at [email protected].

2. Information we collect

2.1 Shopify merchants (ReviewPilot users)

When you install ReviewPilot on your Shopify store, we receive and store:

  • Store domain — your .myshopify.com address, used to identify your account.
  • Shopify access token — a scoped OAuth token that lets ReviewPilot read your fulfilled orders. Stored encrypted at rest.
  • Store settings — your email delay preference, whether review requests are enabled, and the plan you are on.

2.2 Your customers (end-user data processed on your behalf)

When Shopify sends ReviewPilot an orders/fulfilled webhook for your store, we temporarily process:

  • Customer email address — used to send the review request email. Stored until the email is sent or deleted.
  • Customer first name — used to personalise the email greeting.
  • Order number and product titles — used to personalise the email body via AI. Not retained after the email is sent.

You, the merchant, are the data controller for your customers' data. Purvell acts as a data processor on your behalf.

2.3 Website visitors (purvell.com)

We do not use analytics tracking, advertising pixels, or third-party cookies on purvell.com. We collect no personally identifiable information from visitors beyond what your browser sends in a standard HTTP request.

3. How we use your information

  • To deliver the ReviewPilot service — scheduling and sending review request emails on behalf of your store.
  • To generate AI-personalised emails — customer name and product titles are sent to Google Gemini (see §5) to generate the email body. No data is retained by the AI provider beyond the request.
  • To send transactional emails — review request emails are delivered via Resend (see §5).
  • To maintain your account — storing your plan, settings, and installation status.
  • To respond to support requests — if you email us, we use your email to reply.

We do not sell, rent, or trade personal data. We do not use customer data for advertising.

4. Legal basis for processing (GDPR)

If you are in the European Economic Area (EEA), we process personal data on the following legal bases:

  • Contract performance — processing required to provide the ReviewPilot service you have installed.
  • Legitimate interests — maintaining service security, preventing abuse, and improving reliability. We balance these interests against your rights.
  • Legal obligation — processing required to comply with applicable law.

For personal data belonging to your customers, you are the controller. By installing ReviewPilot you confirm you have a lawful basis (such as legitimate interest or consent) to send post-purchase review request emails to your customers under applicable law.

5. Third-party service providers

We share data with the following processors only to the extent necessary to deliver our service:

ProviderPurposeData shared
ShopifyApp platform — OAuth, webhooks, store dataStore domain, access token
Google GeminiAI email body generationCustomer first name, product titles (no PII retained)
ResendTransactional email deliveryCustomer email address, email content

All providers are contracted to process data solely for the purposes described above and are prohibited from using it for their own commercial purposes.

6. Data retention

  • Shop records — retained while your store has ReviewPilot installed. Upon uninstall, your shop record is marked inactive. You may request permanent deletion at [email protected].
  • Review request records — retained for 90 days after the email is sent, then purged automatically.
  • Customer data — email addresses and names are removed from our database once the review request email is delivered or the 90-day window elapses, whichever comes first.

7. Shopify GDPR webhooks

ReviewPilot supports all three Shopify GDPR mandatory webhooks. When Shopify sends a data request or erasure signal on behalf of your customer or your store, we process it automatically:

  • customers/data_request — we log the request and email you within 30 days with any data we hold for that customer.
  • customers/redact — we permanently delete all stored data linked to that customer email across your shop's records.
  • shop/redact — we permanently delete all stored data associated with your shop, including review request records.

8. Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Request deletion of your personal data.
  • Object to or restrict processing of your personal data.
  • Data portability — receive your data in a structured, machine-readable format.
  • Lodge a complaint with a supervisory authority (EU/UK residents).

To exercise any of these rights, email [email protected]. We will respond within 30 days.

9. Data security

We take reasonable technical and organisational measures to protect your data, including encryption at rest and in transit (TLS), restricted access controls, and automated data purging. No system is completely secure — if you believe your data has been compromised, contact us immediately at [email protected].

10. Cookies

The ReviewPilot application uses a single session cookie (shopify_oauth_state) during the Shopify OAuth installation flow. This cookie is short-lived (5 minutes), HTTP-only, and is deleted immediately after installation completes. We do not use tracking cookies, advertising cookies, or persistent analytics cookies anywhere in our services.

11. Children's privacy

Our services are not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us at [email protected] and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the “Last updated” date at the top of this page. Continued use of ReviewPilot after a policy update constitutes acceptance of the revised policy.

13. Contact

For any privacy-related questions, data requests, or concerns:

Purvell
Email: [email protected]