Legal

Privacy Policy

Effective date: May 1, 2026

Overview

Glancito ("Glancito", "we", "us", or "our") operates a loyalty and marketing platform for Shopify merchants (glancito.com and related services). This Privacy Policy explains how we collect, use, disclose, and protect personal information when:

  • Merchants install and use the Glancito Shopify app or access the Glancito dashboard.
  • Loyalty members (shoppers at a merchant's Shopify store) interact with Glancito's storefront widget, receive loyalty emails, or participate in a merchant's loyalty or marketing program powered by Glancito.
  • Visitors browse glancito.com.

By using any Glancito service you agree to this policy. If you do not agree, please do not use the service.

Data We Collect

From Merchants (account holders)

  • Account data: name, email address, business name, Shopify store URL, and account credentials.
  • Billing data: subscription plan, billing cycle. Payment card details are handled by Shopify Billing and are never stored by Glancito.
  • Store data via Shopify API: products, orders, customer records, discount codes, and webhooks — used to run the loyalty program.
  • Dashboard usage: pages visited, features used, settings changed, and support interactions, used to improve the product and provide support.

From Loyalty Members (shoppers)

When a merchant installs Glancito, we process their customers' data on the merchant's behalf. This includes:

  • Identity data: first name, last name, email address, Shopify customer ID.
  • Transaction data: order history, order values, product purchases — used to award and calculate loyalty points.
  • Loyalty data: points balance, points transaction history, tier status, tier history, referral links and completions, reward redemptions.
  • Marketing engagement data (Marketing Hub merchants only): email open events, link click events, campaign attribution, journey step completions.
  • Churn and RFM data: recency, frequency, and monetary scoring derived from transaction data. Used to calculate churn risk and loyalty health scores.
  • Birthday: if the merchant collects this and enables birthday rewards, we store the birth month/day (not year) to trigger rewards.

From Website Visitors

  • Usage data: IP address, browser type, pages visited, referrer URL, time on page — collected via analytics tools (see Cookie Policy).
  • Contact form submissions: name, email, and message when you contact us.

Automatically Collected Technical Data

  • Log data: server access logs including IP address, request path, response codes, and timestamps.
  • Cookies and similar technologies: see our Cookie Policy for details.

How We Use Data

Purpose | Data used | Legal basis (GDPR)
Providing the loyalty program (points, tiers, rewards, widget) | Member identity, transaction, loyalty data | Contract performance
Sending transactional loyalty emails (points earned, tier upgrades, reward codes, expiry notices) | Member email, loyalty data | Contract performance / Legitimate interests
Marketing Hub campaigns and journeys (Growth & Pro plans) | Member identity, loyalty, engagement data | Contract performance
Calculating RFM scores and churn risk | Transaction, loyalty data | Contract performance
Billing and subscription management | Merchant account, billing data | Contract performance
Product analytics and improvement | Dashboard usage, anonymised member metrics | Legitimate interests
Security, fraud prevention, and abuse detection | Log data, account data | Legitimate interests / Legal obligation
Responding to support and legal requests | Account, identity data | Legal obligation / Legitimate interests
Marketing to prospective merchants | Website visitor data, contact form submissions | Consent / Legitimate interests

We do not use loyalty member data to build advertising profiles, sell to third parties, or target members on behalf of any merchant other than the one they enrolled with.

Merchants & Data Processing

Under data protection law (GDPR and similar frameworks), the merchant is the data controller for their customers' personal data, and Glancito is a data processor acting on the merchant's instructions.

This means:

  • The merchant is responsible for having a lawful basis to share their customers' data with Glancito (typically covered in their own store privacy policy).
  • Merchants must have appropriate privacy notices in place for their shoppers before enrolling them in a loyalty program.
  • Glancito processes loyalty member data only to provide the contracted service to that specific merchant.
  • Merchants may request deletion of their customers' data at any time via the dashboard or by contacting us at privacy@glancito.com.

If you are a loyalty member and want to exercise your privacy rights (access, deletion, correction), you should contact the merchant whose store you enrolled in. We will support merchants in responding to such requests. Alternatively, contact us directly at privacy@glancito.com and we will route your request appropriately.

Data Sharing

We share data only in the following circumstances:

Service providers (sub-processors)

We use a limited set of trusted infrastructure and tooling providers who process data on our behalf:

Provider | Purpose | Location
Shopify Inc. | App platform, billing, storefront integration | Canada / Global
Amazon Web Services | Cloud hosting and storage | US / EU
Stripe | Payment processing (merchant billing only) | US
Postmark / SendGrid | Transactional email delivery (loyalty emails) | US
Sentry | Error monitoring | US
Google Analytics 4 | Website analytics (glancito.com only) | US

At merchant direction — integrations

When a merchant connects a third-party integration (e.g. Klaviyo, Mailchimp, Judge.me), we share only the data necessary to enable that integration, as configured by the merchant. You can disconnect integrations at any time from your dashboard.

Legal requirements

We may disclose data if required by applicable law, valid legal process (subpoena, court order), or to protect the rights, property, or safety of Glancito, our merchants, or others.

Business transfers

If Glancito is acquired by or merges with another company, data may be transferred as part of that transaction. We will notify affected users via email or a prominent notice on glancito.com prior to the transfer, and the acquiring entity will be bound by this policy or provide equivalent protection.

We do not sell, rent, or share personal data with advertisers or data brokers.

Retention & Deletion

  • Merchant account data: retained for the duration of the subscription, then deleted or anonymised within 90 days of account closure, unless we are required to retain it longer for legal or financial compliance purposes.
  • Loyalty member data: retained for as long as the merchant's account is active. Merchants can delete individual member records from the dashboard at any time. Upon merchant account closure, member data is deleted or anonymised within 90 days.
  • Marketing Hub data (campaign logs, journey events): retained for 24 months to support revenue attribution and analytics, then deleted.
  • Backups: encrypted backups may persist for up to 30 days beyond deletion requests.
  • Website logs: retained for 90 days for security and debugging purposes.

Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls — Glancito staff access production data only when necessary for support or incident response.
  • Regular security reviews and dependency auditing.
  • Shopify's authenticated API with scoped access tokens — we never store your Shopify admin password.

No method of transmission or storage is 100% secure. If you discover a security issue, please disclose it responsibly to security@glancito.com.

GDPR — Your Rights (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR (or equivalent legislation):

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations.
  • Restriction: ask us to limit how we process your data in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@glancito.com. We will respond within 30 days. Loyalty members should also be able to raise requests directly with the merchant whose store they enrolled in.

You have the right to lodge a complaint with your local data protection authority (e.g. ICO in the UK, DPC in Ireland).

International transfers: Glancito's primary infrastructure is in the United States. When we transfer EEA personal data to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA), as applicable.

CCPA — California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you additional rights:

  • Know: request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Delete: request deletion of personal information, subject to certain exceptions.
  • Correct: request correction of inaccurate personal information.
  • Opt out of sale/sharing: we do not sell or share personal information for cross-context behavioural advertising, so no opt-out is needed.
  • Non-discrimination: we will not discriminate against you for exercising CCPA rights.

To submit a verifiable consumer request, email privacy@glancito.com with "CCPA Request" in the subject line. We may need to verify your identity before processing the request.

Children

Glancito's services are directed at businesses and adults. We do not knowingly collect personal information from children under 13 years of age (or the applicable age of digital consent in your jurisdiction). If you believe a child has provided us with personal information, please contact us immediately at privacy@glancito.com and we will delete it promptly.

Policy Changes

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Effective date" at the top of this page.
  • Notify merchants via email at least 14 days before the changes take effect.
  • Post a notice in the Glancito dashboard.

Continued use of the service after the effective date constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

Glancito
Email: privacy@glancito.com
Subject line: "Privacy Request"