
Privacy Policy

Effective Date: March 6, 2026  |  Last Updated: March 6, 2026

Guidecom Inc ("Guidecom," "we," "us," or "our") operates the Guidecom platform, which includes our marketing website at guidecom.io, our standalone merchant dashboard at app.guidecom.io, and the Guidecom Shopify application that enables merchants to embed guided product configuration widgets on their online stores. This Privacy Policy describes how we collect, use, store, and protect information when you use any of our services.

This policy applies to three categories of users:

  • Website Visitors: Anyone browsing guidecom.io, submitting the contact form, or booking a demo.
  • Merchants: Retailers who use the Guidecom dashboard — either through our Shopify app or through the standalone dashboard at app.guidecom.io.
  • Shoppers: End customers who interact with the Guidecom widget on a merchant's storefront.

1. Information We Collect

1.1 Information from Website Visitors

When you visit guidecom.io, we collect only what is needed to operate the site and respond to you:

  • Contact form submissions: If you submit the form on our contact page, we receive the information you provide (name, work email, company, topic, and message) and use it to respond to your inquiry. We do not use this information for unsolicited marketing.
  • Demo bookings: Our "Book a Demo" section embeds Calendly. When you schedule a meeting, Calendly collects your name, email, and any details you provide directly, and shares the resulting booking with us. Calendly's handling of that data is governed by its own privacy policy.
  • Server and request logs: Our hosting provider (Vercel) records standard HTTP request logs — including IP address, request path, timestamp, and user agent — for the purposes of operating the site, debugging, and security. These logs are retained on a short, rolling basis.
  • Fonts and assets: Some static assets on the marketing site are loaded from Google Fonts. Google may receive standard request information (such as IP address) as a result of your browser loading these resources.

The guidecom.io marketing site does not set any tracking cookies and does not use third-party analytics or advertising pixels.

1.2 Information from Merchants

When you create an account and use the Guidecom dashboard — either through our Shopify app or through the standalone dashboard at app.guidecom.io — we collect:

  • Account information: Store or company name, contact email address, and, if applicable, your Shopify domain (e.g., yourstore.myshopify.com).
  • User credentials: Email address and password (passwords are hashed using bcrypt and never stored in plain text).
  • Shopify access tokens (Shopify merchants only): OAuth access tokens required to communicate with the Shopify Admin API on your behalf. These are not collected from merchants who use the standalone dashboard without a Shopify integration.
  • Product catalog data: Product titles, descriptions, prices, images, inventory levels, tags, variants, and metafields synced from your Shopify store.
  • Collection data: Shopify collection titles, types, and associated products.
  • Order financial data: Order totals, subtotals, tax amounts, currency, financial status, and fulfillment status. We do not collect customer names, email addresses, shipping addresses, or payment information from orders.
  • App configuration: Widget settings, product categories, compatibility rules, and categorization rules you create within the platform.
  • Billing information: Subscription plan and billing status, processed exclusively through the Shopify Billing API. We do not collect or store your payment method details.

1.3 Information from Shoppers

When shoppers interact with the Guidecom widget on a merchant's storefront, we collect limited, non-personally-identifiable information:

  • Configuration session data: Product selections, step progress, and cart totals within the widget. Sessions are identified by a randomly generated token (e.g., gcp_[timestamp]_[random]) and are not linked to any personal identity.
  • Widget interaction events: Actions such as opening the widget, viewing steps, selecting or deselecting products, applying filters, completing a configuration, and adding items to cart. These events include timestamps and product identifiers but no personal information.
  • Shopify cart token: When a shopper adds products to their Shopify cart through the widget, Shopify returns a cart token. We store this token to attribute subsequent orders to widget sessions for the merchant's analytics.
  • IP address (transient only): We process IP addresses solely for rate limiting to protect against abuse. IP addresses are stored in memory (Redis) with a maximum lifetime of one minute and are never written to our database.

1.4 Information We Do Not Collect

We want to be explicit about data we do not collect from shoppers:

  • Names, email addresses, phone numbers, or mailing addresses
  • Payment or credit card information
  • Precise geolocation data
  • Device fingerprints or cross-site tracking identifiers
  • Browsing history outside of widget interactions
  • Social media profiles or identifiers

2. How We Use Information

2.1 Website Visitor Data

  • Responding to inquiries: Using contact form submissions and demo bookings to reply to your questions and schedule demos.
  • Operating the site: Using server logs to run, debug, and secure guidecom.io.

We do not use website visitor information for profiling, automated decision-making, or advertising.

2.2 Merchant Data

  • Providing the service: Syncing your product catalog, evaluating compatibility rules, displaying the widget on your storefront, and processing billing.
  • Analytics: Generating usage reports including configuration completions, conversion rates, and revenue attribution.
  • Account management: Authenticating your access, managing team members, and communicating service updates.

2.3 Shopper Data

  • Widget functionality: Persisting configuration sessions so shoppers can resume their product selection if they navigate away.
  • Merchant analytics: Providing merchants with aggregated, non-identifying analytics about widget usage and conversion rates.
  • Revenue attribution: Linking Shopify cart tokens to widget sessions so merchants can measure the revenue impact of their guided commerce experience.
  • Rate limiting: Preventing abuse of our API endpoints.

3. Cookies and Local Storage

3.1 Marketing Website (guidecom.io)

The guidecom.io marketing site does not set any first-party cookies and does not use third-party analytics or advertising pixels. The embedded Calendly scheduling widget may set its own cookies when you interact with it; those cookies are governed by Calendly's privacy policy.

3.2 Merchant Dashboard (app.guidecom.io and embedded Shopify app)

When merchants sign in to the Guidecom dashboard — whether at app.guidecom.io or within the embedded Shopify admin — we set the following cookies:

  • Session cookie (__Secure-next-auth.session-token): An encrypted JWT containing your user ID, email, name, retailer ID, and role. Expires after 30 days. HttpOnly, Secure, SameSite=None.
  • CSRF token (__Host-next-auth.csrf-token): Protects against cross-site request forgery. HttpOnly, Secure.

3.3 Shopper Widget

The widget does not set any cookies on shoppers' browsers. It uses a single localStorage entry:

  • Session token (gcp_session_[retailerId]): Stores an opaque session identifier so shoppers can resume their configuration if they navigate away. This is automatically cleared when the shopper adds items to their cart, and can be cleared by the shopper at any time by clearing their browser storage.

The widget also sets a Shopify cart attribute (_gcp_bundle) on the shopper's Shopify cart when items are added. This attribute is stored by Shopify (not by Guidecom) and is used by the discount function to validate bundle eligibility.

4. Data Sharing and Third-Party Services

We do not sell, rent, or trade your information to third parties. We share data only with the following service providers who process data on our behalf:

  • Vercel — Application and website hosting and CDN for guidecom.io and app.guidecom.io. Processes HTTP request logs (IP addresses, request paths, user agents).
  • Supabase — PostgreSQL database hosting. Processes all persistent application data (encrypted at rest).
  • Upstash — Redis for rate limiting. Processes IP addresses and request counters (transient, 1-minute lifetime).
  • Shopify — E-commerce platform integration for merchants using the Shopify app. Processes product data, order data, billing, and OAuth authentication.
  • Calendly — Demo scheduling widget embedded on guidecom.io. Processes name, email, and scheduling details you provide when booking a meeting.
  • Google Fonts — Serves web fonts used on guidecom.io and app.guidecom.io. May receive standard request metadata (such as IP address) when your browser loads fonts.

We do not use any third-party analytics services, advertising networks, or tracking pixels. All analytics are first-party and stored in our own database.

5. Data Retention

5.1 Website Visitor Data

Contact form submissions and demo booking records are retained for up to 24 months so we can follow up on inquiries, unless you ask us to delete them sooner. Server request logs are retained on a short, rolling basis by our hosting provider.

5.2 Analytics Data

Widget analytics events are retained based on the merchant's subscription plan:

  • Standard plan: 30 days
  • Pro plan: 90 days
  • Enterprise plan: 365 days

5.3 Configuration Sessions

Widget configuration sessions are available for restoration for 7 days. Session records are retained for analytics purposes within the plan's retention period.

5.4 Account Data

Merchant account data is retained for the duration of the subscription. For Shopify merchants, uninstalling the app immediately revokes access tokens, and all merchant data is permanently deleted within 48 hours in accordance with Shopify's data protection requirements. For standalone dashboard accounts, you can request account closure at any time by emailing support@guidecom.io, and your data will be permanently deleted within 30 days.

5.5 Rate Limiting Data

IP addresses used for rate limiting are stored in Redis with a maximum lifetime of one minute and are automatically purged.

6. Data Security

We implement the following security measures to protect your data:

  • Encryption in transit: All data is transmitted over HTTPS/TLS.
  • Encryption at rest: Our database provider (Supabase) encrypts all data at rest.
  • Password hashing: Merchant passwords are hashed using bcrypt with a cost factor of 12.
  • API key hashing: Widget API keys are hashed using SHA-256.
  • Webhook verification: All Shopify webhooks are verified using HMAC-SHA256 with timing-safe comparison to prevent tampering.
  • Content Security Policy: The embedded app restricts framing to Shopify admin domains only.
  • Rate limiting: API endpoints are protected against abuse with per-visitor and global rate limits.

7. Your Rights (GDPR and Global Privacy)

We provide the same privacy rights to all users regardless of location. You have the right to:

  • Access: Request a copy of the data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data.
  • Data portability: Request your data in a structured, machine-readable format.
  • Objection: Object to certain types of data processing.
  • Restriction: Request restricted processing of your data.

7.1 For Website Visitors

If you have submitted our contact form or booked a demo, you can request access to or deletion of your information at any time by emailing support@guidecom.io. We will respond within 30 days.

7.2 For Merchants

You can access and update your account information at any time through the Guidecom dashboard (app.guidecom.io or within the Shopify admin). To request data export or account deletion, contact us at support@guidecom.io. We will respond within 30 days.

7.3 For Shoppers

Because we do not collect personally identifiable information from shoppers, we generally cannot identify individual shopper records. If you are a shopper and wish to exercise your rights, please contact the merchant whose store you visited. Merchants can request data deletion on your behalf through Shopify's privacy tools, which triggers our automated data redaction process.

7.4 GDPR Compliance

We comply with Shopify's mandatory GDPR webhooks:

  • Customer data request: When a customer requests their data through a Shopify merchant, we compile and provide all associated session and order data within 30 days.
  • Customer data erasure: When a customer requests data deletion, we anonymize all associated configuration sessions and delete linked analytics events.
  • Shop data erasure: When a merchant uninstalls the app, we permanently delete all associated data within 48 hours.

8. International Data Transfers

Our services are hosted in the United States. If you are accessing our services from outside the United States, your data may be transferred to, stored, and processed in the United States. By using our services, you consent to this transfer. We ensure that our service providers maintain appropriate safeguards for data protection.

9. Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify merchants through the Guidecom dashboard and update the published version on guidecom.io at least 30 days before the changes take effect. The "Last Updated" date at the top of this page indicates when this policy was last revised.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Email: support@guidecom.io
  • Company: Guidecom Inc

© 2026 Guidecom Inc.