For Shopify Merchants and Their Customers
Effective Date: February 19, 2026 | Last Updated: February 19, 2026
This is a standalone Privacy Policy for the Gimmie AI Shopify App. It applies to Shopify merchants ("Merchants") who install the Gimmie App and to the end consumers ("Shoppers") who interact with the Gimmie recommendation widget on Merchant storefronts.
This Shopify App Privacy Policy ("Shopify Policy") governs the collection, use, sharing, and protection of data in connection with the Gimmie AI Shopify App ("App"). It applies to:
Merchants: Shopify store owners and operators who install the App via the Shopify App Store. By installing the App, Merchants accept this Policy as part of their agreement with Gimmie.
Shoppers: End consumers who interact with the Gimmie gift recommendation widget embedded on a Merchant's Shopify storefront.
Gimmie AI, LLC acts as a Data Controller for its own purposes and as a Data Processor on behalf of Merchants with respect to Shopper data collected through the App, consistent with Shopify's Partner Program requirements and applicable data protection law.
This Policy is incorporated by reference into Gimmie's Master Privacy Policy (available at www.gimmie.ai/privacy) and Gimmie's Terms of Service. In the event of a conflict between this Shopify Policy and the Master Privacy Policy on matters specific to the Shopify App, this Shopify Policy controls.
When a Merchant installs the Gimmie App, we access the following data from the Merchant's Shopify store via Shopify's Admin API:
Store Information: Store name, URL, industry/category, plan type, and primary contact email.
Product Catalog: Product titles, descriptions, categories, images, prices, inventory counts, and metadata — used to power the AI recommendation catalog.
App Configuration Settings: Settings configured by the Merchant within the App dashboard (e.g., recommendation widget placement, curated collections).
Anonymized Performance Data: Aggregate widget impression counts, recommendation click-through rates, and conversion attribution data (via Shopify order webhooks where a Gimmie referral is present).
Gimmie does not access Merchant checkout data, payment information, or Shopper payment details at any point.
We do not access:
Merchant payment or banking information
Full Shopper order histories (we receive only anonymized conversion attribution for affiliate commission purposes)
Merchant customer lists, email lists, or CRM data
Any data not required for the App's core recommendation functionality
To provide and operate the App's AI gift recommendation functionality within the Merchant's storefront.
To tag and index Merchant products with psychological attributes for archetype-matching.
To generate performance analytics and reports for the Merchant's App dashboard.
To calculate and verify affiliate commission attribution.
To provide Merchant support and communicate App updates.
Merchant data is retained for the duration of the App installation. Upon App uninstallation, we will delete or anonymize Merchant-specific data within 30 days, except where retention is required by law or for legitimate dispute resolution purposes.
When a Shopper interacts with the Gimmie recommendation widget on a Merchant's storefront, we may collect:
Color Preference Responses: Responses to our color-based diagnostic questions (used to infer psychological attributes — color data is discarded after profiling, as described in Section 5).
Gift Recipient Information: Any details the Shopper voluntarily provides about a gift recipient (e.g., recipient age range, relationship, occasion).
Interaction Data: Product views, recommendation clicks, and widget engagement data.
Device and Session Data: IP address (anonymized or truncated), browser type, referring URL, and session identifiers.
We do not collect:
Full names or email addresses of Shoppers (unless voluntarily provided through a Merchant-configured form).
Payment or checkout information.
Shopper account credentials from the Merchant's store.
Precise geolocation data.
We process Shopper data on the following bases:
Consent: Psychological profiling (color diagnostic and archetype classification). Consent is obtained through the widget's consent notice before the diagnostic flow begins.
Legitimate Interests: Anonymized analytics, widget performance optimization, and affiliate attribution — where our interests are not overridden by Shopper rights.
Contractual Necessity: Delivering the recommendation results requested by the Shopper.
Shopper Data Retention
Psychological archetype data derived from a Shopper session is retained for up to 90 days to enable session continuity and repeat recommendations.
Anonymized interaction data is retained for up to 12 months for performance analytics.
No personally identifiable Shopper data is retained beyond 90 days without express consent.
The App's core functionality involves AI profiling: we transform Shopper color responses into psychological archetypes, which are then matched with products from the Merchant's catalog. This process constitutes automated decision-making with significant effects on product recommendations presented to Shoppers.
Shoppers are informed of AI profiling through a clear consent notice within the widget before the diagnostic flow begins.
The consent notice explains that color responses are used to infer personality characteristics and that this influences recommended products.
Shoppers may decline profiling and will still be shown non-personalized product suggestions.
Shoppers may decline or withdraw consent to AI profiling at any time by:
Dismissing the consent notice in the widget.
Contacting Gimmie at privacy@gimmie.ai (for requests related to Gimmie's processing).
Contacting the Merchant (for any Merchant-specific processing).
Merchants who install the App take on independent responsibilities with respect to the privacy of their Shoppers:
Privacy Policy Disclosure: Merchants must maintain a current and compliant privacy policy on their Shopify storefront that discloses the use of third-party AI recommendation tools, including Gimmie, and their data practices.
Consent Mechanism: Merchants must not disable or circumvent the Gimmie widget's built-in consent notice without Gimmie's prior written approval and a substitute compliant consent mechanism.
Age Verification: Merchants who sell age-restricted products or serve audiences that may include minors must ensure appropriate age verification controls are in place.
Cross-Border Transfers: Merchants operating outside the US who process Shopper data from the EEA, UK, or Canada must ensure they have a valid legal basis for transferring data to Gimmie's US-based infrastructure.
Data Subject Requests: If a Shopper contacts a Merchant with a data access, correction, or deletion request related to Gimmie-processed data, Merchants must forward such requests to privacy@gimmie.ai within 5 business days.
Gimmie shares Merchant and Shopper data only with trusted service providers under data processing agreements:
Supabase: Database infrastructure for storing product catalog data and pseudonymized Shopper archetype profiles.
OpenAI: AI inference for product attribute tagging. Shopper data is pseudonymized before transmission. Data is not used for OpenAI model training under our enterprise data processing terms.
Analytics Providers: Aggregate, anonymized performance data only.
We share aggregate and anonymized performance reports with the Merchant (e.g., widget impressions, recommendation clicks, conversion attribution). We do not share individual Shopper profiles with Merchants.
Gimmie does not sell, rent, or broker Merchant data or Shopper data to any third party for their own marketing or commercial purposes.
We will disclose data to law enforcement only pursuant to a valid legal order and after internal legal review. In such cases we disclose only the minimum necessary and notify affected parties unless legally prohibited.
Gimmie's infrastructure is based in the United States. Merchants operating in the EEA, UK, Canada, or other jurisdictions with data transfer restrictions should be aware that data processed through the App may be transferred to the US.
Gimmie relies on Standard Contractual Clauses (SCCs) for EEA/UK transfers and on PIPEDA-compliant transfer agreements for Canada. Merchants who require specific data processing agreements (DPAs) to comply with GDPR Article 28 may request one from privacy@gimmie.ai.
TLS 1.2+ encryption in transit for all API communications between Shopify and Gimmie.
AES-256 encryption at rest for all stored data.
Role-based access controls limiting internal access to data.
Regular security reviews and penetration testing.
Data breach notification to affected Merchants within 72 hours of confirmed breach (consistent with GDPR Article 33 timelines).
The Gimmie App complies with Shopify's Partner Program security requirements, including HTTPS-only API communication and OAuth 2.0 for App authentication.
This App is built and operates in compliance with:
Shopify Partner Program Agreement
Shopify API Terms of Service
Shopify App Store Review Guidelines
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
Children's Online Privacy Protection Act (COPPA) — the App is not directed at children under 13
Gimmie uses only Shopify API scopes necessary for the App's core functionality. We request only the minimum permissions required. Merchants can review the requested scopes at the time of App installation.
Shoppers interacting with the Gimmie widget have the following rights with respect to data Gimmie processes:
Access: Request a summary of what data Gimmie holds about you (typically session-scoped pseudonymous data).
Deletion: Request deletion of any session data associated with your device/browser.
Opt-Out: Withdraw consent to AI profiling at any time.
Portability: Receive a copy of your data in a machine-readable format.
Complaint: Lodge a complaint with your applicable data protection authority.
To exercise these rights, contact privacy@gimmie.ai. Please include the Merchant storefront URL where you interacted with the widget and an approximate date so we can locate your session data. We will respond within 30 days.
The Gimmie App is not directed at children under the age of 13. Merchants may not use the App in contexts where the primary audience is children under 13 without implementing appropriate parental consent mechanisms and notifying Gimmie.
Merchants whose storefronts serve audiences that may include minors bear primary responsibility for age-gating App functionality where required by applicable law.
We may update this Shopify Policy to reflect changes in our App's functionality, legal requirements, or Shopify's platform policies. We will notify Merchants of material changes via:
Email to the Merchant's primary Shopify store contact address.
In-App notification within the Gimmie App dashboard.
Continued use of the App after the effective date of any changes constitutes Merchant acceptance. Merchants who do not agree may uninstall the App. We will provide at least 30 days' notice before material changes take effect.
For privacy questions, data processing agreements (GDPR Article 28 DPAs), or to exercise your rights:
Email (Privacy): privacy@gimmie.ai
Email (Support): support@gimmie.ai
Website: www.gimmie.ai
Mailing Address: Gimmie AI, LLC, Austin, Texas, United States
Merchants requiring a formal Data Processing Agreement (DPA) for GDPR compliance may request one at privacy@gimmie.ai. We target a 5-business-day turnaround for DPA requests.
Gimmie AI, LLC is committed to being a trustworthy technology partner for Shopify merchants. We build privacy protections into our App by design, not as an afterthought — because your customers' trust is your most valuable asset, and ours too.