Privacy Policy
Overview
Sternify GmbH (“Sternify”, “we”, “us”) takes the protection of your personal data seriously. This Privacy Policy explains what personal data we process, for what purposes, on what legal basis, and what rights you have. It applies to:
• our website sternify.com (the “Website”),
• the Sternify app distributed through the Shopify App Store and embedded in the Shopify admin (the “App”), and
• the storefront widgets the App renders in the online stores of merchants who install the App (bundles, upsells, gifts, reviews, cart drawer, and related features).
1. Controller
Sternify GmbH Dresdener Ring 40 65239 Hochheim am Main, Germany Email: support@sternify.com
We have not appointed a data protection officer, as we are not legally required to do so. For all data protection matters, please contact us at support@sternify.com.
2. Our two roles: controller and processor
Depending on whose data is involved, we act in different roles under the GDPR:
• For merchants (Shopify store owners and their staff who install and use the App) and for Website visitors, we are the controller.
• For end customers (visitors and buyers of a merchant’s online store), we are a processor acting on behalf of the merchant, who is the controller. Our processing of end-customer data is governed by the Data Processing Annex in our Terms of Service (https://sternify.com/terms). End customers who have questions about how their data is handled should contact the store they purchased from; we support merchants in fulfilling such requests.
3. Data we process as controller
3.1 Website visitors
When you visit sternify.com, our hosting provider (Framer B.V., Netherlands) processes technical connection data (IP address, browser type, requested pages, timestamps) in server logs to deliver the site and ensure its security. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a secure website).
If you use our free product-page analysis tool on the Website, we process the URL you submit together with your IP address, approximate country, browser user agent, and referrer, in order to provide the analysis and to enforce fair-use rate limits. Legal basis: Art. 6(1)(b) GDPR (performing the service you request) and Art. 6(1)(f) GDPR (abuse prevention). This data is deleted after 30 days.
3.2 Merchant account data
When you install the App, we receive and store via the Shopify API:
• your store’s .myshopify.com domain,
• the store owner’s email address,
• the name and email address of the staff member using the App,
• API access tokens and granted permission scopes,
• installation date, trial status, and subscription plan.
We use this data to provide the App, manage your subscription and trial, authenticate API requests, and contact you about your account. Legal basis: Art. 6(1)(b) GDPR (performance of contract).
3.3 Product analytics
We measure how merchants use the App (features used, onboarding progress, pages viewed within the App) with PostHog, hosted in the EU, to improve the product. Events are keyed to your store domain and account email. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving our product).
3.4 Support and communication
• In-app support chat is provided by Intercom (EU hosting). When you use it, your name, email address, store domain, and plan are shared with Intercom so we can help you.
• Product and lifecycle emails (onboarding tips, feature announcements, trial reminders) are sent via Brevo (Sendinblue SAS, France). You can unsubscribe from marketing emails at any time via the link in each email.
Legal basis: Art. 6(1)(b) GDPR for support and service messages; Art. 6(1)(f) GDPR for product communication to existing customers.
3.5 Error monitoring
We use Sentry (EU data residency, Germany) to detect and fix errors in the App and in our storefront scripts. Error reports may contain your store domain and technical context. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a stable, secure product).
3.6 AI product-page analysis (“AI Coach”)
When you run an AI analysis of one of your product pages, we send the page URL (and, for password-protected development stores, the storefront password you provide) to our own analysis service hosted with Hetzner Online GmbH (Germany). The service captures screenshots of the publicly rendered page and submits them to Google Gemini (Google LLC, USA) for automated evaluation. Screenshots reflect whatever is visible on the page. Results are stored with your store domain so you can revisit them. Legal basis: Art. 6(1)(b) GDPR (you request the analysis). Transfers to Google are safeguarded by the EU–US Data Privacy Framework and Standard Contractual Clauses.
4. Data we process on behalf of merchants (end customers)
When a merchant uses the App, we process limited data about that store’s visitors and customers as processor, strictly to provide the App’s features:
• Widget analytics: when a visitor sees or interacts with a Sternify widget, we record the event type, widget ID, store domain, and a random, pseudonymous session ID generated in the visitor’s browser. We do not collect names, email addresses, IP addresses, or cart contents through this pixel, and we only store aggregated counts.
• Review request emails (Pro plan): after an order is fulfilled, we receive the customer’s name, email address, and basic order data (order number, purchased items) via Shopify webhooks in order to send a review request on the merchant’s behalf via Resend, Inc. (USA). Customers can unsubscribe via the link in each email; unsubscribe requests are stored and honored across all future emails from that store.
• Review submissions: reviews a customer submits (name, email, rating, text, optional images) are stored in the merchant’s own Shopify store, not on our servers.
The merchant remains the controller for this data. Deletion and access requests by end customers are fulfilled through the merchant, including via Shopify’s GDPR webhooks (customers/data_request, customers/redact, shop/redact), which we implement.
5. Cookies and local storage in merchant storefronts
Our storefront widgets store the following in the visitor’s browser. All values are pseudonymous (random identifiers or flags); none contain names, emails, or other directly identifying data:
Key · Type · Purpose
sternify_session_id · localStorage · Random session ID for deduplicating analytics events
sternify_visited_* (bundles, upsells, gifts, product sets) · localStorage · Remembering which widgets a visitor has already seen
sternifyBannerCloseTime · localStorage · Remembering that a banner was dismissed
sternify_cart_reopen · sessionStorage · Restoring the cart drawer state
announcementIsInit, announcementDeadline · localStorage · Cart countdown/announcement state
cart / cart_id · cookie / localStorage · Shopify cart reference for cart features
These are functional/measurement identifiers set in the context of the merchant’s store; the merchant’s own cookie/consent solution governs their storefront.
6. Recipients and sub-processors
We share personal data only with the service providers listed below, under data processing agreements, and never sell it. Current sub-processors:
Provider · Purpose · Location / Region
Supabase · Database and application data · EU
DigitalOcean · Application hosting · EU
Hetzner Online GmbH · AI analysis service hosting · Germany (EU)
Framer B.V. · Website hosting · Netherlands (EU)
Sentry · Error monitoring · Germany (EU data residency)
PostHog · Product analytics · EU
Intercom · Support chat · EU
Brevo (Sendinblue SAS) · Merchant emails · France (EU)
Resend, Inc. · Transactional review-request emails · USA
Google LLC (Gemini API) · AI page analysis · USA
Mantle (Heymantle Inc.) · App analytics and billing insights · USA
Shopify International Ltd. · Platform, billing, APIs · Ireland / Canada / USA
Where providers are located outside the EU/EEA, transfers are safeguarded by adequacy decisions (including the EU–US Data Privacy Framework where the provider is certified) or the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
7. Retention
• Merchant account data is stored for the duration of the contract. After uninstallation we retain limited records (store domain, trial history, billing records) as needed for fraud and trial-abuse prevention and to meet statutory retention duties (§ 147 AO, § 257 HGB — up to 10 years for billing records).
• End-customer review-email data is deleted no later than 90 days after the review request is sent, or earlier upon a redaction request received via Shopify’s GDPR webhooks. Unsubscribe entries are retained so that the opt-out can be permanently honored.
• Website analysis-tool data (Section 3.1) is deleted after 30 days.
• Error logs are retained for 90 days. Product analytics data is retained for up to 24 months.
8. Your rights
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object to processing based on legitimate interests (Art. 21 GDPR). Where processing is based on consent, you may withdraw it at any time with future effect. To exercise your rights, contact us at support@sternify.com.
You also have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is the Hessian Commissioner for Data Protection and Freedom of Information (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit), Wiesbaden, Germany.
9. Changes to this policy
We may update this Privacy Policy to reflect changes in our services or legal requirements. The current version is always available at https://sternify.com/privacy. Material changes affecting merchants will be announced in the App or by email.




