Privacy Policy

Your privacy matters to us

Last updated: March 18, 2026

Data Controller

Heartly Apps UG (haftungsbeschränkt)

Tschaikowskistraße 5

04105 Leipzig

Germany

Email: support@heartly.io

VAT ID: DE459972977

Heartly ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify and WooCommerce application for creating flash sales and marketing campaigns.

1. Information We Collect

a) Information You Provide

  • Account Information: Email address, shop URL, business name
  • Shop Data: Product information, pricing, inventory levels
  • Campaign Data: Flash sale configurations, promotional settings
  • Communications: Support requests, feedback, survey responses

b) Information We Collect Automatically

  • Usage Data: Pages viewed, features used, time spent in the app
  • Device Information: Browser type, operating system, IP address
  • Analytics Data: Campaign performance metrics, conversion rates, visitor behavior (anonymized)
  • Log Data: Access times, error logs, performance data

c) Information from Third Parties

  • Shopify/WooCommerce: Shop information, order data, customer data (processed on your behalf)
  • Order Analytics Data: Anonymized transaction data including order timestamps, product IDs, quantities, and prices. We do NOT collect or store customer personal information (names, emails, addresses, phone numbers) from orders.
  • Payment Processors: Transaction status, payment information (we do not store full payment details)

2. How We Use Your Information

We use the collected information for the following purposes:

  • Service Delivery: To provide and maintain our flash sale and marketing campaign services
  • Campaign Management: To create, manage, and optimize your promotional campaigns
  • Analytics: To provide you with performance insights and recommendations
  • Communication: To send service updates, security alerts, and support messages
  • Improvement: To enhance our features, develop new functionality, and improve user experience
  • Security: To detect, prevent, and address fraud, abuse, and security issues
  • Market Intelligence: To analyze anonymized sales data (products, prices, order timing) and provide merchants with insights on sales velocity, product performance, and revenue patterns. This analysis uses only aggregate transaction data - no customer personal information is processed.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes

4. Data Sharing and Disclosure

We Do Not Sell Customer Data

Heartly does not sell, rent, or trade any personal data - including merchant data or their customers' data - to third parties. We do not share data for advertising or marketing purposes with external parties.

We may share your information in the following limited circumstances:

  • Service Providers: With trusted third-party vendors who help us operate our service (hosting, analytics, customer support)
  • Platform Partners: With Shopify/WooCommerce as necessary to integrate with your store
  • Legal Requirements: When required by law, court order, or government request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (you will be notified)
  • With Your Consent: When you explicitly authorize us to share specific information

5. Data Storage and Security

We implement industry-standard security measures to protect your data:

  • Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Access Controls: Strict role-based access controls and authentication requirements
  • Infrastructure: Data is hosted on secure, compliant cloud infrastructure (Supabase, Vercel)
  • Monitoring: Continuous security monitoring and regular security audits
  • Backups: Regular automated backups with secure storage
  • Incident Response: We maintain a security incident response policy with defined procedures for detecting, responding to, and notifying affected parties of any data breaches within 72 hours as required by GDPR.

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but continuously work to improve our security practices.

6. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

  • Active Account Data: Retained while your account is active
  • Campaign Data: Retained for 24 months after the campaign ends (for analytics and reporting)
  • Order Analytics Data: Anonymized transaction data is retained for up to 24 months for Market Intelligence analytics, then automatically deleted or further anonymized.
  • Legal Requirements: Some data may be retained longer to comply with legal obligations
  • Account Deletion: Upon request, we will delete or anonymize your personal data within 30 days (except where legal retention is required)

7. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

Right to Access

Request a copy of all personal data we hold about you

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data ("right to be forgotten")

Right to Restrict Processing

Request limitation of how we process your data

Right to Data Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to processing based on legitimate interests or direct marketing

Right to Withdraw Consent

Withdraw consent for data processing at any time

Right to Lodge a Complaint

File a complaint with a supervisory authority

Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. For Heartly, the competent authority is:

Sächsischer Datenschutz- und Transparenzbeauftragter

Devrientstraße 5

01067 Dresden, Germany

Email: post@sdtb.sachsen.de

Website: www.datenschutz.sachsen.de

To exercise any of these rights, please contact us at support@heartly.io. We will respond to your request within 30 days.

8. Cookies and Tracking

We use cookies and similar tracking technologies to enhance your experience:

  • Essential Cookies: Required for authentication and security (cannot be disabled)
  • Analytics Cookies: Help us understand how you use our service (can be disabled). This includes Google Analytics, which collects anonymized usage data such as pages visited, session duration, and general location.
  • Marketing Cookies: Used for advertising and retargeting purposes (can be disabled). This includes the Meta Pixel (Facebook), which helps us measure the effectiveness of our advertising and deliver relevant ads.
  • Performance Cookies: Improve service speed and reliability

You can control cookie preferences through our cookie consent banner or your browser settings. Analytics and marketing cookies, including Google Analytics and Meta Pixel, are only activated after you give explicit consent. Note that disabling certain cookies may limit functionality.

9. Third-Party Services

We use the following third-party services that may collect your data:

  • Supabase: Database and authentication services (GDPR-compliant, EU hosting available)
  • Vercel: Application hosting and CDN (GDPR-compliant)
  • Shopify/WooCommerce: E-commerce platform integration (subject to their privacy policies)
  • Google Analytics: Website analytics and usage statistics. Google Analytics uses cookies to collect anonymized data about how visitors interact with our website, including pages visited, time spent, and general geographic location. This data helps us improve our service. Google Analytics is only activated after you consent to analytics cookies. For more information, see Google's Privacy Policy.
  • Meta Pixel (Facebook): Advertising and conversion tracking. The Meta Pixel helps us measure the effectiveness of our advertising campaigns and enables us to show relevant ads to visitors who have interacted with our website. It collects data such as pages visited and actions taken. The Meta Pixel is only activated after you consent to marketing cookies. For more information, see Meta's Privacy Policy.
  • Microsoft Clarity: We use Microsoft Clarity to understand how you use and interact with our website through behavioral metrics, heatmaps, and session replays. Usage data is captured to improve our products/services and for marketing purposes. Microsoft Clarity uses cookies and other tracking technologies to collect this data. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
  • Sentry: Error tracking and monitoring (data anonymization enabled)

Each third-party service has its own privacy policy. We recommend reviewing their policies to understand how they handle your data.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all third-party processors
  • Compliance with the EU-U.S. Data Privacy Framework (where applicable)

11. Automated Decision-Making

We do not use automated decision-making, including profiling, that produces legal effects or similarly significantly affects you (as defined in Art. 22 GDPR).

Our AI-powered features (such as carousel suggestions and market intelligence) are used as recommendations only and do not make binding decisions without your explicit action. You always retain full control over whether to act on any suggestions.

12. Children's Privacy

Heartly is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we discover that we have collected data from a child, we will delete it immediately. If you believe a child has provided us with personal data, please contact us at support@heartly.io.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new policy on this page
  • Updating the "Last Updated" date
  • Sending you an email notification (for significant changes)

Your continued use of our service after any changes indicates your acceptance of the updated policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Heartly Apps UG (haftungsbeschränkt)

Tschaikowskistraße 5

04105 Leipzig, Germany

Email: support@heartly.io

Contact Form: www.heartly.io/contact

We will respond to all requests within 30 days as required by GDPR.