Spectrum Privacy Policy

This policy covers personal data we process about:

• Site visitors (getspectrum.ai).

• Prospects and customers engaging with sales, support, or demos.

• Users of Spectrum products (e.g., merchant admins).

• End-customers of our merchants whose data we process to deliver our services (under our customers’ instructions).

A. Data You Provide

• Account and contact info: name, business email, phone, role, company.

• Merchant account setup: store URL, Shopify org ID, billing info (handled by our payment processor), usage preferences.

• Support and content: tickets, call recordings (where permitted), feedback, attachments.

B. Data We Collect Automatically

• Device/usage data: IP address, user-agent, time zone, pages visited, product features used, events (clicks, conversions), session diagnostics, performance logs.

• Cookies and similar technologies for session authentication, preferences, and analytics (see Section 11).

• Storefront interaction data: When our app is active on a merchant’s store, we collect browsing behavior (pages viewed, clicks), cart and purchase activity, session identifiers, and IP-derived approximate geolocation (city/region level) from the merchant’s shoppers. This data powers features the merchant has enabled (personalization, A/B testing, analytics). We do not place third-party advertising cookies on merchant storefronts.

C. Data from Integrations and Partners

Shopify and other platforms (per access scopes granted by the merchant): store metadata, products/collections, orders, carts, customers, discounts, webhooks, app events.

We request only the Shopify API access scopes necessary for our app to function. The specific data fields we receive depend on the scopes your admin approves during installation and can be reviewed or adjusted in Shopify’s app settings at any time. We comply with Shopify’s protected customer data requirements and do not attempt to circumvent PII access restrictions.

A. For Site Visitors, Prospects, and Product Users (Controller)

• Provide and secure the service; create/administer accounts; authenticate sessions.

• Billing and account communications; respond to inquiries; provide support.

• Improve product performance and features; debug and prevent abuse.

• Marketing with consent or where permitted by law (opt-out anytime).

B. For Merchant Shoppers (Service Provider / Processor)

We process shopper personal data strictly under the merchant’s instructions to power storefront speed, personalization, experimentation, analytics, pricing, and growth features.

We do not use shoppers’ personal data for our own marketing or for cross-context behavioral advertising.

C. Aggregated and De-Identified Data

We may use data that has been aggregated and de-identified so that it can no longer reasonably identify any individual or merchant to improve our products, conduct research, and build benchmarks. This data is not "personal information" under applicable privacy laws. We maintain and use de-identified information only in a de-identified fashion and take reasonable measures to prevent re-identification.

D. Automated Decision-Making

We may use automated systems to personalize storefronts or recommend products on behalf of merchants. You can request human review of significant automated decisions by contacting support@tectonic.so.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined by the California Privacy Rights Act (CPRA). If this changes, we will update this policy and provide a "Do Not Sell or Share My Personal Information" link.

The following disclosures supplement the rest of this policy for California residents, as required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA").

Categories of Personal Information Collected

The table below describes the categories of personal information we have collected in the preceding 12 months, the sources, the purposes for collection, and the categories of third parties with whom we disclose each category for a business purpose.

Sensitive personal information: We may collect IP-derived geolocation (city/region level). We do not use precise geolocation or any other sensitive personal information (as defined by the CCPA) to infer characteristics about consumers. We do not collect or process Social Security numbers, financial account credentials, racial or ethnic origin, genetic or biometric data, health information, sexual orientation, or contents of private communications.

Sale and sharing: We have not sold or shared (as those terms are defined by the CCPA) personal information in the preceding 12 months.

Retention: We retain each category of personal information for as long as described in Section 7 (Data Retention) below.

We retain personal data for as long as needed to provide the services, comply with legal obligations, resolve disputes, and enforce agreements. Merchant shoppers’ data retention is governed by the merchant’s settings and instructions (see DPA). When retention is no longer required, data is deleted or anonymized.

Upon app uninstallation by a merchant, we cease processing their store data and initiate deletion of store and associated shopper data within 30 days, unless a longer retention period is required by law, requested by the merchant under a valid agreement, or necessary to complete an in-progress transaction. Merchants may request earlier deletion by contacting support@tectonic.so.

We may disclose personal data to:

Service providers/sub-processors (cloud hosting, databases, email/SMS, analytics, support tools, payments) under contracts that require confidentiality and appropriate security. A list of our current sub-processors is available upon request.

We will provide merchants with reasonable advance notice of changes to our sub-processor list and an opportunity to object (see DPA for details).

Integrations at the merchant’s direction (e.g., Shopify, marketing and analytics platforms connected by the merchant).

Corporate transactions (merger, financing, acquisition); legal compliance (lawful requests); and to protect rights, safety, and security.

Our primary infrastructure is in the United States. If we transfer personal data outside the US (for example, to provide support or use sub-processors in other jurisdictions), we use appropriate safeguards as required by applicable law.

We implement technical and organizational measures designed to protect personal data, including encryption in transit and at rest, access controls, audit logging, and vulnerability management. If we become aware of a personal data breach impacting you, we will notify you and regulators as required by applicable law.

California Residents (CCPA)

If you are a California resident, you have the following rights under the CCPA:

Right to know / access: You may request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we disclosed it.

Right to delete: You may request deletion of personal information we collected from you, subject to certain exceptions.

Right to correct: You may request correction of inaccurate personal information.

Right to opt-out of sale/sharing: We do not sell or share your personal information. If this changes, we will provide an opt-out mechanism.

Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond what is needed to provide the services.

Right to non-discrimination: We will not discriminate against you for exercising your rights.

Other US State Privacy Laws

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others) have similar rights under their respective laws, including access, deletion, correction, opt-out, and the right to appeal a denial. To exercise these rights, contact support@tectonic.so.

For Merchant Shoppers

Where we process shopper data as a service provider on behalf of a merchant, the merchant is responsible for responding to consumer rights requests. We will assist the merchant in fulfilling those requests. If you contact us directly and we determine that the merchant is the appropriate party, we will direct you to them.

Request process and verification: To submit a rights request, email support@tectonic.so. We will acknowledge receipt and respond within the timeframes required by applicable law (generally 45 days, with a possible 45-day extension where necessary). We may need to verify your identity before processing your request.

Authorized agents: You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide proof of authorization and may still verify your identity directly.

We use cookies and similar technologies to keep you signed in, remember preferences, measure site and product usage, and improve performance.

Where required, we obtain consent via our banner and honor your choices. See our cookie policy for details and controls.

We use analytics and advertising tools such as Google Ads conversion tracking, Google Analytics, and (if enabled) Meta Pixel to measure campaign performance. These tools may set cookies or use device signals to understand how users interact with our site. You can opt out via your browser settings or applicable opt-out mechanisms (including the NAI opt-out at networkadvertising.org or the DAA opt-out at aboutads.info).

Our services are designed for businesses, not children. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal information from a child, we will delete it promptly.

When you install our app, you grant specific access scopes in Shopify. We only receive the data necessary for the app to function, and scopes can be reviewed or adjusted by your admin in Shopify. We follow Shopify's privacy requirements for apps, including the Shopify API License and Terms of Use.

Mandatory compliance webhooks: Our app subscribes to and responds to Shopify's mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact), enabling us to process data access, deletion, and erasure requests initiated through the Shopify platform.

App uninstallation: When a merchant uninstalls Spectrum, we cease processing their store data and initiate deletion as described in Section 7. Merchants may request a copy of their data before uninstallation.

Protected customer data: We comply with Shopify's protected customer data access policies and only access PII for which we have approved scopes and a demonstrated need.

Our sites and dashboards may include links or integrations to third-party services. Their privacy practices are governed by their own policies, and we are not responsible for their content or practices.

We may update this policy to reflect changes in our practices or legal requirements. We will post updates here and revise the "Last updated" date. Material changes will be communicated through the service or by email where appropriate.

Tectonic Technologies Inc

26 Cathy Lane, Oakland, CA 94619

Email: support@tectonic.so

If you are not satisfied with our response to a privacy concern, you may contact the California Attorney General's office or the relevant regulator in your jurisdiction.