Privacy Policy
Product Quiz — last updated 2026-05-26
1. Introduction
Product Quiz (“the App,” “we,” “us,” or “our”) is a Shopify app that lets merchants build product-recommendation quizzes shown on their storefront. Shoppers answer a short series of questions and receive personalized product recommendations drawn from the merchant’s catalog.
This Privacy Policy explains what information the App accesses from your Shopify store, what we store in our database, how we use it, who we share it with, how long we keep it, and what rights you have over it. Please read it carefully. By installing the App you agree to the practices described here.
This policy covers merchants (Shopify store owners and their staff) who install or use the App. It also describes how we handle data generated by shoppers who take quizzes on merchant storefronts — such data is anonymous unless the merchant enables the optional lead-capture feature, in which case a shopper may voluntarily submit their email address (see Sections 3.3 and 3.5). It does not cover the practices of Shopify, Inc. itself — see Shopify’s Privacy Policy for that.
2. What the App Does and Why It Reads Store Data
To power product recommendations, the App reads product catalog data from your Shopify store via the Admin API. The App is designed with strict data minimization in mind: it reads only the catalog information required to match quiz answers to relevant products, and it deliberately does not request access to customer personal data, order data, financial data, or any other information beyond the catalog and app-proxy scopes listed below.
Specifically, the App is granted the following Admin API access scopes:
- read_products — used to fetch product titles, descriptions, tags, variants, images, and collection membership in order to build quiz recommendation logic and display product cards to shoppers.
- write_app_proxy — used to serve the storefront quiz widget via Shopify’s App Proxy. The proxy routes shopper quiz requests through Shopify to our server; Shopify signs each request and we verify the signature before processing.
The App does not request and does not read: customer personal data (names, email addresses, phone numbers, physical addresses), order data, draft orders, financial reports, staff account details, payout information, theme source code, metafields (beyond standard product fields), or any other store data outside the scopes listed above.
3. What We Store
3.1 Store identifier and Shopify session tokens
We store your store’s .myshopify.com domain as the primary key that associates all your data with your store. We also store Shopify OAuth session tokens for the duration of your installation, used solely to authenticate Admin API requests from your store to our server. Session tokens are purged on uninstall.
3.2 Quiz definitions (merchant content)
The App stores the quizzes you create: quiz titles, question text, answer option text, the mapping of answers to product tags or collection IDs, and your quiz configuration settings (e.g. result display options). This content belongs to you and is used solely to serve the quiz on your storefront and display it in the App’s admin interface.
3.3 Anonymous shopper quiz responses
When a shopper takes a quiz on your storefront, the App records their responses. These responses are keyed by a randomly generated session identifier (a UUID created at quiz-start time). Except for the optional lead-capture email described in Section 3.5, we do not collect, request, or store:
- The shopper’s name, email address, or phone number (email is collected ONLY when the merchant has enabled lead capture and the shopper voluntarily submits it — see Section 3.5).
- The shopper’s IP address (it is not persisted; it may appear transiently in server access logs which are rotated and not stored in our database).
- The shopper’s Shopify customer ID or account information.
- Any payment or order information.
- Any information that, by itself or in combination with other data we hold, would identify a specific individual.
The session identifier is generated fresh for each quiz session and is not linked to a Shopify customer account, browser cookie, or any persistent device identifier. It is used solely to associate the answers within a single quiz-taking session with the recommendations served at the end of that session, and to power the per-session analytics described in Section 3.4 below.
3.4 Aggregate event counts and analytics
The App records aggregate event counts to give merchants honest analytics about how their quizzes are performing. These events are:
- Quiz view — a shopper loaded the quiz widget.
- Quiz completion — a shopper reached the results screen.
- Recommendation shown — a specific product was shown to a shopper as a recommendation (recorded as a count per product ID, not per individual shopper).
- Add to cart — a shopper clicked “Add to cart” on a recommended product from within the quiz results (recorded as a count per product ID).
All event counts are aggregated at the quiz and product level. They do not include individual shopper identities, device fingerprints, or any information that could be used to track a specific individual across sessions.
3.5 Shopper emails (optional lead capture)
Merchants on the Pro plan can enable lead capture per quiz. When enabled, the quiz asks the shopper for their email address right before showing their results (the merchant chooses whether the step can be skipped). If the shopper submits an email address, we store: the email address, the quiz that captured it, the anonymous session identifier, and a timestamp. This IS personal data, and we treat it accordingly:
- It is collected directly from the shopper, voluntarily — never read from Shopify customer records (the App has no customer data scopes).
- It is visible only to the merchant whose store captured it (on the App’s Leads page, with CSV export) and is used by us solely to provide that page. We never use it for advertising, profiling, AI/ML training, or resale, and we never contact shoppers ourselves.
- It is deleted when: the merchant’s customer requests deletion (Shopify’s
customers/redactwebhook — we delete all lead rows matching that customer’s email for that store), the store is redacted (shop/redact), the retention purge described in Section 5 runs after uninstall, or the merchant deletes the quiz that captured it. - The merchant is the data controller for captured leads; we process them on the merchant’s behalf. Merchants are responsible for using captured emails in accordance with their own privacy policy and applicable marketing-consent laws.
4. How We Use the Data
We use the data described above solely to:
- Serve the quiz widget to shoppers on your storefront and compute personalized product recommendations based on their answers.
- Display quiz management, configuration, and performance analytics to you (the merchant) within the App’s Shopify Admin interface.
- Respond to Shopify’s mandatory GDPR compliance webhooks (see Section 7).
- Diagnose errors in our application. Error monitoring captures stack traces and request context; it does not include shopper quiz responses or merchant catalog content beyond what appears in a stack trace.
We do not use your store data or shopper quiz data for advertising, for training any AI or machine-learning model, for any form of individual profiling, or for sale or transfer to third parties.
We do not use any third-party AI or large-language-model (LLM) processors in the generation of quiz recommendations. Recommendations are computed by deterministic logic running on our servers based on the mapping rules you define in the App.
5. Data Retention
Your store’s data — quiz definitions, anonymous shopper responses, aggregate event counts, and session tokens — is retained for as long as the App is installed on your store.
When you uninstall the App, we receive a Shopify app/uninstalled webhook. We mark your store as inactive and stop processing new requests. Your data is then permanently deleted at whichever of these comes first: (a) receipt of Shopify’s shop/redact GDPR webhook, which Shopify typically sends about 48 hours after uninstall — all data for your store is deleted immediately upon receipt; or (b) an automated retention purge that permanently deletes all data belonging to stores uninstalled more than 30 days ago.
If you reinstall the App before deletion has occurred, your quiz definitions and analytics history are preserved. Because Shopify usually sends shop/redact about 48 hours after uninstall, in practice data from an uninstalled store is deleted within a few days, and never later than 31 days after uninstall (the 30-day retention window plus, at most, the purge job’s six-hour sweep interval).
Anonymous shopper session records (answer sets keyed by a random UUID) are deleted together with all other store data on uninstall or shop/redact. Shopper emails captured by the optional lead-capture feature (Section 3.5) follow the same store-level deletion schedule, and are additionally deleted per-customer upon a customers/redact request at any time.
6. Sub-Processors and Hosting
We rely on the following third-party sub-processors to operate the App:
- Shopify, Inc. — Platform operator and provider of the Admin API through which we read your catalog, and the App Proxy through which shopper quiz requests are routed. Shopify processes data under its own DPA and privacy policy. See Shopify Privacy Policy.
- Railway, Inc. — Cloud hosting provider for our application server and PostgreSQL database. Your store’s quiz data and shopper response data reside in a PostgreSQL database on Railway infrastructure. Railway’s data centers are located in the United States. See Railway Privacy Policy.
We do not use any other sub-processors. We do not send your store data or shopper quiz data to any analytics service, advertising network, data broker, or AI/LLM provider.
7. GDPR, CCPA, and Mandatory Compliance Webhooks
7.1 GDPR compliance webhooks
Shopify requires all apps to honor three mandatory compliance webhooks. We implement all three:
- customers/data_request — A merchant’s customer may request a copy of their personal data held by apps installed on that store. The only customer personal data Product Quiz can hold is a lead-capture email (Section 3.5). On receipt we identify how many lead records match the named customer’s email for that store; the merchant can view and export those records at any time from the App’s Leads page to fulfill the request. Anonymous quiz session IDs cannot be linked back to a specific individual and are not personal data under GDPR.
- customers/redact — A merchant’s customer may request deletion of their personal data held by apps. Our handler permanently deletes every lead-capture record matching the customer’s email address for that store, immediately upon receipt. There is no other customer personal data to delete.
- shop/redact — Sent by Shopify after a store uninstalls and requests data deletion. Upon receipt, we permanently and immediately delete all data associated with the
.myshopify.comdomain identified in the webhook payload: the store record, all quiz definitions, all anonymous shopper response records, all captured lead emails, all aggregate event counts, and all session tokens.
7.2 Your rights as a merchant (GDPR / CCPA)
If you are located in the European Economic Area, the United Kingdom, or California, you may have additional rights regarding your data, including:
- Right of access — You may request a copy of the data we hold about your store (quiz definitions, aggregate event counts).
- Right to erasure — You may request deletion of your store’s data. The most direct way is to uninstall the App (Shopify will subsequently send us the
shop/redactwebhook, which triggers immediate deletion). You may also contact us directly. - Right to rectification — If any quiz definition data we hold is inaccurate, you may update it directly within the App or contact us.
- Right to portability — You may request a machine-readable export of your quiz definitions and aggregate analytics data.
- Right to object — You may object to our processing of your data. The primary mechanism is uninstalling the App, which terminates processing.
To exercise any of these rights, contact us at info+support@legitimateapps.com. We will respond within 30 days.
8. International Data Transfers
Our application servers and database are hosted on Railway’s infrastructure, which is located in the United States. If you are based outside the United States, your store’s quiz data, anonymous shopper response data, and any captured lead emails are transferred to and processed in the United States when you use the App. We rely on Shopify’s standard data-processing agreements and Railway’s data-processing terms to provide appropriate safeguards for such transfers where applicable under GDPR.
9. Security
We implement the following security measures to protect the data we store:
- All communication between your Shopify store, shoppers’ browsers (via Shopify’s App Proxy), and our servers takes place over HTTPS/TLS.
- All webhook payloads from Shopify are verified using HMAC-SHA256 before processing.
- App Proxy requests from shoppers are verified using Shopify’s signed-proxy signature before any shopper data is processed.
- App Bridge session tokens are verified cryptographically on every authenticated Admin request.
- Access to our production database is restricted to our application server; it is not publicly accessible.
- We do not log the content of webhook payloads that contain merchant or customer information beyond the store domain identifier.
No method of electronic storage or transmission is 100% secure. While we strive to protect your information using commercially reasonable means, we cannot guarantee absolute security.
10. Children’s Privacy
The App’s merchant-facing interface is a business-to-business service intended for Shopify merchants (businesses and business operators). The storefront quiz widget may be viewed by shoppers of any age depending on the nature of the merchant’s store. Quiz answers are anonymous session records only. If a merchant enables lead capture, the email step accepts whatever address the shopper voluntarily submits; we do not knowingly collect emails from children, and merchants are responsible for ensuring their storefront, quiz content, and lead-capture usage are appropriate for their audience and jurisdiction.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “last updated” date at the top of this page. For material changes, we will notify merchants via the App’s in-app interface or by email to the store contact address. Continued use of the App after a policy change constitutes acceptance of the updated policy.
12. Contact Us
For any questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, please contact us at:
info+support@legitimateapps.com
We aim to respond to all privacy-related inquiries within 30 calendar days.
© 2026 Product Quiz. All rights reserved.