PopBoost Privacy Policy
Last updated: May 20, 2026
This Privacy Policy applies solely to the PopBoost Shopify app, published by Extensions Market. It discloses what data PopBoost collects from merchants, how that data is used, with whom it is shared, and how it is stored and deleted. By installing or using PopBoost, you (the merchant) agree to this policy.
Summary: PopBoost collects only what it needs to function — your shop domain, OAuth token, and widget settings. It does not store customer personal data. The Social Proof Popup reads first names and cities from recent orders but never writes them to a database. All merchant data is deleted within 48 hours of uninstallation.
1. Data PopBoost Collects
Merchant data (collected on install)
- Shop domain — your
myshopify.com domain. Used to identify your account, associate widget settings, and authenticate Shopify Admin API calls.
- OAuth access token — a Shopify-issued token provided during installation. Used to authenticate requests to the Shopify Admin API. Stored securely in our database and never exposed to the storefront.
Widget settings (stored per shop)
- Widget enable/disable state — which of the 7 widgets are active for your store.
- Widget configuration — the settings you enter for each widget: message text, colors (hex codes), thresholds (free shipping amount, stock level), timing (countdown end date, popup delay/duration), position preferences, and discount codes. This data is entered by you and stored so your widgets display correctly on your storefront.
Shopify API data accessed at runtime
PopBoost holds the following Shopify API scopes to power specific widgets. This data is accessed in real time and not persisted to our database beyond the transient cache described below:
- read_products — accessed by Product Badges (to evaluate sale status, inventory level, creation date, and product tags) and Stock Countdown (to read current inventory quantities). Read at page load from the storefront via Liquid and the Shopify API. Not stored.
- read_orders — accessed by the Social Proof Popup only. PopBoost reads the 5 most recent orders (customer first name and city only) via the Shopify Admin API and caches the result per shop for up to 5 minutes. This cache is stored in server memory only — it is never written to a database, log file, or persistent storage. No order IDs, amounts, product names, email addresses, or other order fields are read or stored.
- read_customers — used to access the city field on customer records linked to orders, for the Social Proof Popup. Only city is read. Not stored.
2. Data PopBoost Does NOT Collect
- Customer email addresses, full names, phone numbers, or mailing addresses
- Customer payment data or order amounts
- Browsing behaviour of shoppers on your storefront
- Any data beyond first name and city for the Social Proof Popup
- Analytics on how shoppers interact with widgets (clicks, dismissals, conversions)
3. How Data Is Used
- Shop domain + OAuth token — to authenticate your session in the PopBoost admin and to make authorised Shopify Admin API calls on your behalf.
- Widget settings — to render your configured widgets correctly on your storefront via the Shopify App Block system.
- Recent order data (first name + city) — to populate the Social Proof Popup toast notifications shown to visitors. Displayed for a few seconds per notification, then discarded. Never stored.
- Billing — managed entirely by Shopify's billing system. PopBoost does not process or store payment details.
4. Third-Party Services
| Service | Data shared | Purpose |
|---|
| Shopify |
Shop domain, session token, widget API requests |
Platform authentication, storefront rendering via App Blocks, billing |
| Railway |
App request payloads (widget settings, API responses) |
Cloud hosting for the PopBoost server and PostgreSQL database |
| Google Analytics |
Anonymised page view data |
Traffic analytics on extensionsmarket.com only — not inside the Shopify admin or storefront |
We do not share any merchant or customer data with advertising networks, data brokers, or any party not listed above.
5. Data Retention
- Active subscription — your shop domain, OAuth token, and widget settings are retained for as long as PopBoost is installed on your store.
- After uninstallation — all merchant data (shop domain, session token, widget settings) is deleted from our database within 48 hours of receiving the
app/uninstalled webhook from Shopify.
- Social Proof Popup cache — held in server memory for up to 5 minutes, then automatically evicted. Never written to disk or database.
- Backups — Railway database backups are retained for up to 7 days and then permanently deleted.
6. Security
All data is transmitted over HTTPS. OAuth tokens are stored in a private PostgreSQL database hosted on Railway with no public access. We do not log API responses that contain personal data. Our server infrastructure is not shared with other tenants.
7. Your Rights
As a merchant, you have the right to:
- Access — request a copy of the data we hold about your store.
- Deletion — request immediate deletion of all your store's data. You can also trigger deletion by uninstalling PopBoost from your Shopify admin, which initiates automatic deletion within 48 hours.
- Correction — update your widget settings at any time from the PopBoost admin dashboard.
To exercise these rights, contact us at [email protected]. We will respond within 5 business days.
8. GDPR & CCPA
PopBoost is designed to minimise data collection. For GDPR purposes, Extensions Market acts as a data processor on behalf of the merchant (data controller) for any personal data accessed via the Shopify API. For CCPA purposes, we do not sell personal information. We support Shopify's standard GDPR webhook topics (customers/data_request, customers/redact, shop/redact) to handle customer data requests forwarded from Shopify.
9. Changes to This Policy
We may update this policy when PopBoost's data practices change. If we make material changes, we will update the "Last updated" date above. Continued use of PopBoost after changes constitutes acceptance of the updated policy.
10. Contact
For questions about this Privacy Policy or to submit a data request: