Privacy Policy

1. Introduction

RolloutFactory Inc., operating as Growzilla (“we,” “our,” or “us”), is a company incorporated in the State of Delaware, United States. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you install and use the Growzilla application on Shopify (“the App”), visit our website at growzilla.xyz, or interact with our services.

By installing the App or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms described here, please do not install the App or use our services.

2. Our Role as Data Processor and Controller

When we process data on behalf of Shopify merchants through the App, we act as a data processor. The merchant remains the data controller and is responsible for ensuring that their use of the App complies with applicable data protection laws, including obtaining any necessary consent from their customers.

When we collect information directly from merchants for account management, billing, and communications, we act as the data controller for that information.

3. Information We Collect

3.1 Information Collected Through Shopify

When a merchant installs the App, we access certain store data through Shopify's APIs. This includes:

• Store information: Store name, domain, contact email, currency, and timezone
• Order data: Order details including order amounts, products purchased, dates, discount codes used, and landing page URLs (used for UTM attribution)
• Product data: Product names, prices, inventory levels, and variants
• Customer data: Customer names, email addresses, and order history as associated with attributed orders

3.2 Information Provided by Merchants

Merchants may directly provide us with:

• Account credentials (email, password) for dashboard access
• Organization and team member details
• Creator and influencer roster information
• Meta (Facebook) Ads system user access tokens for ad campaign data retrieval
• Billing and payment information

3.3 Information Collected from Third-Party Integrations

When a merchant connects their Meta Ads account, we collect campaign performance data including ad spend, impressions, clicks, and conversion metrics. We do not access or store Meta pixel data or personal data of ad viewers. Access tokens provided by merchants are encrypted at rest.

3.4 Automatically Collected Information

When you access our website or dashboard, we may automatically collect:

• IP address, browser type, and operating system
• Pages visited and time spent on pages
• Referring website addresses
• Device identifiers and usage patterns

4. How We Use Your Information

We use the information we collect for the following purposes:

• Attribution and analytics: Matching orders to UTM links to determine which creators, posts, and campaigns generated revenue
• Dashboard and reporting: Displaying sales performance, creator metrics, funnel visualizations, and advertising analytics
• Service operation: Authenticating users, syncing store data, processing Meta ad campaign data, and generating insights
• Service improvement: Analyzing usage patterns to improve functionality and user experience
• Communication: Sending service updates, security alerts, and support messages
• Legal compliance: Fulfilling legal obligations and responding to lawful requests

5. How We Share Your Information

We do not sell, rent, or trade personal information. We may share information in the following circumstances:

• Service providers: With third-party vendors who perform services on our behalf, including cloud hosting (Render, Vercel), payment processing, and analytics. These providers are contractually bound to use data only for the services they provide to us.
• Shopify: As required by the Shopify platform for app functionality, compliance, and mandatory data subject request webhooks
• Business transfers: In connection with any merger, acquisition, or sale of company assets, with prior notice to affected users
• Legal requirements: When required by law, regulation, legal process, or governmental request

6. Data Storage and Security

Your data is stored on servers located in the United States, provided by Render (backend infrastructure) and Vercel (frontend hosting). We implement industry-standard security measures to protect your information, including:

• Encryption of sensitive credentials at rest using Fernet symmetric encryption
• HTTPS/TLS encryption for all data in transit
• JWT-based authentication with bcrypt password hashing
• Role-based access controls separating merchant and creator data
• Regular security reviews of our infrastructure

No method of electronic storage or transmission is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Data Retention

We retain merchant and store data for as long as the App remains installed and the merchant account is active. Upon uninstallation of the App or account deletion:

• Store data, order data, and attribution records are deleted within 30 days
• Meta Ads access tokens are immediately revoked and deleted
• Account credentials are permanently removed
• Aggregated, anonymized analytics data may be retained for service improvement

We may retain certain data for longer periods where required by law or for legitimate business purposes such as resolving disputes or enforcing our agreements.

8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent legislation, including:

• Right to access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete personal data
• Right to erasure: Request deletion of your personal data, subject to legal retention obligations
• Right to restrict processing: Request that we limit how we process your data in certain circumstances
• Right to data portability: Request your data in a structured, machine-readable format for transfer to another service
• Right to object: Object to processing of your data where we rely on legitimate interests as the legal basis
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

We process personal data under the following lawful bases: performance of a contract (providing our services), legitimate interests (improving our services and fraud prevention), and consent (where explicitly given).

To exercise any of these rights, please contact us at privacy@growzilla.xyz. We will respond within 30 days.

9. Your Rights Under CCPA

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to delete: Request deletion of personal information we have collected from you
• Right to opt out: Opt out of the sale of personal information. We do not sell personal information.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

10. International Data Transfers

Our servers are located in the United States. If you access our services from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction.

For transfers of personal data from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission, or other legally recognized transfer mechanisms, to ensure your data receives adequate protection.

11. Cookies and Tracking Technologies

We use cookies and similar technologies on our website and dashboard to maintain sessions, remember preferences, and understand usage patterns.

• Essential cookies: Required for authentication, session management, and core functionality. These cannot be disabled.
• Analytics cookies: Help us understand how users interact with our services. We use Microsoft Clarity for session analytics.

You may control cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our services.

12. Shopify Data Subject Requests

We comply with Shopify's mandatory privacy compliance webhooks. When a merchant or their customer submits a data subject request through Shopify, we process the following request types:

• Customer data request: We provide all personal data we hold for the specified customer
• Customer data erasure: We delete all personal data associated with the specified customer
• Shop data erasure: Upon app uninstallation, we delete all data associated with the merchant's store

These requests are processed within the timeframes required by Shopify and applicable law.

13. Children's Privacy

Our services are designed for business use and are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will take prompt steps to delete that information.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify merchants of material changes by email or through the App at least 30 days before the changes take effect. The “Last updated” date at the top of this page indicates when this policy was last revised.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: