ShopMetrics Privacy Policy
Effective Date: May 31, 2026
Last Updated: May 31, 2026
This Privacy Policy explains how Stackrift ("ShopMetrics," "we," "us," or "our") collects, uses, discloses, and protects personal data in connection with the ShopMetrics mobile application (the "App") and our website at https://shopmetrics.stackrift.dev (together, the "Service").
ShopMetrics is an independent analytics companion for businesses that use Square. We are not affiliated with, endorsed by, or operated by Square or Block, Inc. Please read this Policy together with our Terms of Service.
1. Introduction & Scope
This Policy applies to two groups of people:
- Account holders — the business owners and authorized users who create a ShopMetrics account and connect their Square account.
- Merchant end-customers — the individual customers of those businesses, whose information (such as names, emails, and purchase history) appears in the business's Square data. We process this information on behalf of the business, not for our own purposes (see Section 2 and Section 14).
This Policy covers personal data we process through the App, our website, and our backend systems. It does not cover Square's own processing of your data, which is governed by Square's privacy policy.
2. Our Dual Role: Controller and Processor
ShopMetrics operates in two distinct legal capacities:
As a Data Controller. When you create a ShopMetrics account, we determine the purposes and means of processing your personal data (your name, email address, business name, and usage information). We are the controller for that data and are responsible for its lawful processing.
As a Data Processor. When you connect your Square account, ShopMetrics accesses your Square business data on your instruction. That data includes information about your customers — such as their names, email addresses, telephone numbers, purchase history, and bookings — which you collected in your role as a Square seller. With respect to that end-customer data, you (the business) remain the data controller and ShopMetrics acts solely as your data processor. We process it only to provide the analytics you have requested, on your documented instructions, and never for our own independent purposes.
Reference: GDPR Art. 4(7) (controller), Art. 4(8) and Art. 28 (processor).
3. Data We Collect
We collect or receive the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account & Identity Data | Name, email address, business name | You, at registration |
| Square Authorization Credentials | OAuth access/refresh tokens, Square merchant ID | Issued by Square when you connect your account; stored server-side only, never on your device |
| Business & Location Data | Location name, address, business type, currency, timezone | Square Locations API |
| Team Member Data | Names, roles, employment status of your Square team members | Square Team Members API |
| Catalog / Item Data | Product and service names, descriptions, prices, categories | Square Catalog API |
| Customer Records | Your customers' names, email addresses, phone numbers, customer IDs | Square Customers API |
| Order & Payment Data | Transaction amounts, item quantities, order dates, tips, fulfillment type (no raw card numbers) | Square Orders / Payments APIs |
| Booking Data | Appointment status, service, staff, start time, customer ID | Square Bookings API |
| Usage & Log Data | Features and reports viewed, timestamps, error logs | Generated by your use of the App |
| Technical / Device Data | Device type, OS version, app version, IP address | Automatically collected |
We do NOT collect: payment card numbers, CVV/security codes, bank account numbers, Social Security numbers, government-issued ID numbers, biometric data, precise geolocation, or health data.
We do NOT use third-party advertising networks or third-party product-analytics SDKs in the App.
4. Sources of Personal Data
Where we do not collect data directly from you, we receive it from:
- The Square API (via your OAuth authorization) — the source of all business, catalog, customer, order, payment, and booking data listed above.
- You — at account registration and when you contact us.
- Automatically — usage instrumentation and technical/device data generated as you use the App, and server logs from our infrastructure provider.
Reference: GDPR Art. 14 (information to be provided where data is not obtained from the data subject).
5. Purposes & Legal Bases (GDPR)
For users in the EEA, UK, and Switzerland, we process personal data on the following legal bases under GDPR Article 6:
| Purpose | Data Involved | Legal Basis |
|---|---|---|
| Provide and operate the analytics service (sync Square data, generate reports) | Account data; Square-sourced data | Art. 6(1)(b) — performance of a contract |
| Authentication and security | Account data, authorization credentials, device data | Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests (security) |
| Improve the Service via aggregated, de-identified usage analysis | Usage/log data (de-identified) | Art. 6(1)(f) — legitimate interests in product improvement |
| Legal compliance and responding to lawful requests | As required | Art. 6(1)(c) — legal obligation |
| Service communications (security alerts, service notices) | Account email | Art. 6(1)(b) — contract |
| Marketing communications (if any) | Account email | Art. 6(1)(a) — consent (you may withdraw at any time) |
| Process your customers' data to show you analytics | Customer, order, booking data | Art. 6(1)(b) — our contract with you; we act as your processor for this data |
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects (GDPR Art. 22). You may request our legitimate-interests balancing assessment at privacy@stackrift.dev.
6. How We Use Data (Plain-Language Summary)
We use personal data to: authenticate you and keep your account secure; retrieve and sync your Square data; calculate and display analytics, reports, and trends; provide customer support; maintain, debug, and improve the Service (using de-identified data where possible); send you service-related messages; and comply with our legal obligations. We never use your customers' personal data for advertising or for any purpose other than providing analytics to you.
7. Data Sharing & Subprocessors
We do not sell, rent, or trade personal data. We share personal data only with the service providers ("subprocessors") that help us run the Service, and only as needed:
| Subprocessor | Role | Data Involved | Location | Safeguard |
|---|---|---|---|---|
| Square, Inc. / Block, Inc. | Source of your business data via OAuth (we read from Square on your instruction) | Authorization tokens exchanged during sync | United States | Square Developer Terms; EU-US DPF / SCCs |
| Supabase, Inc. | Database, authentication, and backend infrastructure | All personal data we store | United States (EU region available on request) | Supabase DPA incorporating EU SCCs |
| Vercel, Inc. / Cloudflare, Inc. | Hosting/CDN for our website and edge functions | Technical/log data, IP addresses | United States / global edge | Vendor DPAs incorporating EU SCCs |
| Apple, Inc. | App distribution and (if enabled) crash diagnostics | Crash/diagnostic data | United States | App Store platform terms |
Other disclosures. We may disclose data: (a) to comply with law, legal process, or lawful requests from authorities; (b) to a successor entity in a merger, acquisition, or asset sale (subject to this Policy); and (c) with your consent.
We maintain a current subprocessor list and will give at least 30 days' notice of material additions, allowing you to object.
8. "Do Not Sell or Share" (California)
We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under California Civil Code § 1798.140. Because we do not sell or share, we are not required to provide a "Do Not Sell or Share My Personal Information" link; if this ever changes, we will update this Policy and provide the required opt-out before any such activity begins.
Sensitive Personal Information. To the extent we process any information classified as "sensitive" under the CPRA, we use it only as necessary to provide the Service. We do not use sensitive personal information for purposes that would trigger a right to limit under Cal. Civ. Code § 1798.121. We do not offer financial incentives for personal information and do not discriminate against you for exercising your rights.
9. Data Retention
We keep personal data only as long as necessary for the purposes in this Policy, unless a longer period is required by law:
| Data | Retention |
|---|---|
| Account data | Duration of your account + 30 days after closure |
| Square authorization tokens | Until you revoke access or close your account — then deleted promptly |
| Customer / order / booking data (processed on your behalf) | Duration of your account + 30 days after closure |
| Usage logs | Up to 12 months |
| Records subject to legal hold | Until the matter is resolved |
When you close your account, or revoke ShopMetrics' access from your Square account, we delete or de-identify the associated personal data within 30 days, except where law requires retention. You can request deletion at any time via the in-app account-deletion option or our account-deletion request form.
10. International Data Transfers
ShopMetrics is operated from New Jersey, United States. If you are in the EEA, UK, or Switzerland, your data is transferred to and processed in the United States, where our infrastructure providers operate. We rely on appropriate safeguards under GDPR Chapter V, including the EU-U.S. Data Privacy Framework (where a subprocessor is certified) and the European Commission's 2021 Standard Contractual Clauses, supported by transfer impact assessments where required. If you require your data to remain in the EEA, contact us at privacy@stackrift.dev to discuss an EU-hosted configuration.
11. Security
We implement technical and organizational measures appropriate to the risk, including: encryption in transit (TLS) and at rest; storage of Square authorization tokens on the server side only, never on your device; row-level security and least-privilege access controls on our database; and restricted administrative access. We do not store payment card data; Square handles all card tokenization and is PCI DSS compliant. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
12. Your GDPR Rights (EEA / UK / Switzerland)
You have the right to: access your data (Art. 15); rectify inaccurate data (Art. 16); request erasure (Art. 17); restrict processing (Art. 18); data portability (Art. 20); object to processing based on legitimate interests (Art. 21); and not be subject to solely automated decisions with significant effects (Art. 22 — which we do not perform).
To exercise these rights, email privacy@stackrift.dev. We respond within 30 days and may need to verify your identity first.
Complaints. You may lodge a complaint with your local supervisory authority — e.g., the UK ICO (ico.org.uk), the Irish DPC (dataprotection.ie), or your national EU authority.
If your request concerns data about your business's own customers (records sourced from Square), we will refer you to the relevant business, since we process that data only as their processor.
13. Your California Rights (CCPA / CPRA)
California residents have the right to: know what personal information we collect and how we use it; delete personal information (with exceptions); correct inaccurate information; opt out of sale/sharing (we do not sell or share); limit use of sensitive personal information (not applicable as described above); and non-discrimination for exercising rights.
To submit a request, email privacy@stackrift.dev or use our privacy request form. We acknowledge within 10 business days and respond within 45 days (extendable by 45 days with notice). We verify identity via your registered email. You may use an authorized agent with proof of authorization.
14. Notice to Merchant End-Customers
If you are a customer of a business that uses ShopMetrics (e.g., a shop, restaurant, or salon that uses Square):
ShopMetrics does not collect your data directly. The business you transacted with collected it, and authorized ShopMetrics to access it via Square solely to provide that business with analytics. That business is the data controller for your information; ShopMetrics is only its processor. To exercise privacy rights over your data, please contact the business directly. If you cannot reach them, email privacy@stackrift.dev and we will make reasonable efforts to direct your inquiry. We never use end-customer data for advertising or profiling.
15. Children's Privacy
The Service is a business tool intended for users 18 and older. It is not directed to children, and we do not knowingly collect personal data from anyone under 16 (or under 13 in the US under COPPA). If we learn we have collected such data, we will delete it. Contact us at privacy@stackrift.dev if you believe a child has provided us data.
16. Data Breach Notification
If a personal data breach affects data we process on your behalf, we will notify you without undue delay and, where feasible, within 48 hours of becoming aware, with enough detail for you to meet your own obligations. As a controller for account-holder data, where a breach is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals where there is high risk (Art. 34). We comply with applicable US state breach-notification laws, including Cal. Civ. Code § 1798.82.
17. Third-Party Services & Links
The Service relies on and may link to third parties (Square, Supabase, Apple, Cloudflare/Vercel). Their handling of your data is governed by their own privacy policies, and we are not responsible for their practices. We encourage you to review them, particularly Square's privacy policy.
18. Cookies & Tracking Technologies
The mobile App uses local device storage only for essential functions (e.g., session/state) and does not use advertising cookies or third-party trackers. Our website may use strictly necessary cookies and, where required, will request consent for any non-essential cookies. We honor recognized browser opt-out signals (e.g., Global Privacy Control) where applicable.
19. Changes to This Policy
We may update this Policy from time to time. For material changes, we will provide notice in the App or by email at least 30 days before they take effect, and update the "Last Updated" date above. Continued use of the Service after the effective date constitutes acceptance.
20. Contact Us
Stackrift
Privacy inquiries: privacy@stackrift.dev
Support: support@stackrift.dev
For EEA/UK residents, you also have the right to contact your local data protection authority.
This Privacy Policy is provided as a draft and does not constitute legal advice. Have it reviewed by qualified privacy counsel before publication.