Data Controller
CoroBlock is operated by Ahmet Akkuş (sole proprietorship). For any privacy-related questions or to exercise your rights under GDPR, please contact us at aa.ahmetakkus@gmail.com.
What we store
- Merchant account details (email, name, password hash) needed to authenticate and access the CoroBlock workspace.
- Campaign configuration data such as popup content, layout, visual design, triggers, targeting rules, and publishing state.
- Storefront event data such as popup views, clicks, form submissions, and campaign performance metrics for analytics.
- Shopify installation and connection metadata (shop domain, access tokens) required to maintain the published campaigns on your storefront.
- Billing and subscription information processed through the Shopify Billing API (we do not store payment card details).
Shopify OAuth Scopes and Justification
- read_themes — To open the current Shopify theme context and guide merchants to enable the CoroBlock app embed.
- read_customers — To support customer-aware form workflows and map submissions to the connected Shopify store when needed.
- write_customers — To create or update Shopify customer records when a merchant uses CoroBlock forms for lead capture and sync.
How the data is used
- To let merchants create, edit, preview, publish, and manage marketing campaigns.
- To render the correct active campaign on the connected Shopify storefront for each visitor session.
- To calculate plan usage limits, campaign analytics, and operational audit trails.
- To process Shopify GDPR/compliance privacy webhooks (data request, data deletion, store redaction).
- To maintain billing status and reconcile Shopify subscription charges.
Third-Party Service Providers
We use trusted third-party services to operate the CoroBlock platform. These providers only process data on our behalf:
- Supabase — Database hosting, authentication, and serverless function infrastructure. Data is stored in Supabase's secure cloud environment.
- OpenRouter — AI generation service used to process user prompts into campaign designs. Prompts are transient and not permanently stored.
- Sentry — Error monitoring and crash reporting. No personally identifiable information is sent to Sentry.
- Resend — Email delivery service for password resets and GDPR data request exports.
- Vercel — Application hosting and CDN. All application code and static assets are served through Vercel's edge network.
- Shopify — E-commerce platform integration. Customer and merchant data flows through Shopify APIs under OAuth.
Data Retention
Campaign and merchant data is retained for as long as your CoroBlock account is active and for a reasonable period thereafter for analytics and support purposes.
When you uninstall CoroBlock from your Shopify store, we receive a webhook that triggers deletion of store-specific campaign data. Residual backup data may persist for up to 48 hours before being permanently purged.
Form submission data (email, phone, survey responses) submitted through campaigns is retained until you or the visitor request deletion.
GDPR Rights — EU Residents
If you are a resident of the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access: You may request a copy of the personal data we hold about you.
- Right of Rectification: You may request correction of inaccurate personal data.
- Right of Erasure: You may request deletion of your personal data ('right to be forgotten').
- Right to Restrict Processing: You may ask us to limit how we use your personal data.
- Right to Data Portability: You may request a machine-readable copy of your data.
- Right to Object: You may object to processing of your personal data in certain circumstances.
To exercise any of these rights, please contact us at aa.ahmetakkus@gmail.com. We will respond to your request within 30 days.
Storefront Data Collection
CoroBlock campaigns embedded on Shopify storefronts may collect limited visitor data (such as IP address, user agent, and page URL) for analytics and targeting purposes. This data is processed transiently to determine which campaign to show and is not associated with individual identities unless a visitor voluntarily submits information through a form.
Cookies may be used for frequency capping (preventing the same popup from appearing too frequently) and trigger settings (e.g., exit intent, scroll percentage). Cookie duration and behavior can be configured per campaign.
Security
We implement industry-standard security measures including HTTPS/TLS encryption, Content Security Policy (CSP) headers, row-level database security (RLS), and input sanitization to protect your data from unauthorized access.
Contact & Data Protection Officer
For all privacy-related matters, please contact:
- Name: Ahmet Akkuş
- Email: aa.ahmetakkus@gmail.com
- Role: Data Protection Officer / Controller