Privacy Policy
Code Magic: ProfitIQ — Last updated June 25, 2026
Code Magic: ProfitIQ ("we", "us", "our") is a Shopify application that provides net profit analytics for Shopify merchants. This Privacy Policy explains what data we collect, how we use it, and how you can control it.
1. Data We Collect
When you install Code Magic: ProfitIQ, we collect and store the following data from your Shopify store:
- Store information: Shop domain, plan name, currency, and installation timestamp.
- Order data: Order numbers, financial totals, discount amounts, financial status, and order creation dates. We also store customer email addresses and first/last names to support customer lifetime value calculations.
- Product and variant data: Product titles, handles, variant SKUs, prices, and weights.
- Attribution data: UTM parameters (source, medium, campaign, content) and landing site URLs parsed from order data, used to calculate marketing attribution.
- Configuration data: Your COGS rules, shipping rules, payment fee settings, custom cost definitions, ad spend entries, team member roles, and automation rules.
2. How We Use Your Data
- To calculate and display accurate net profit per order, product, and customer.
- To generate P&L reports, customer LTV rankings, and marketing attribution summaries.
- To power automation rules that alert you when profit thresholds are breached.
- To provide MCP Server access so AI tools can query your profit data.
- We do not sell your data to third parties.
- We do not use your data for advertising or profiling.
3. Data Retention
We retain your store data for as long as your Code Magic: ProfitIQ subscription is active. When you uninstall the app:
- Your Shopify session tokens are deleted immediately (within seconds of uninstall).
- All remaining store data (orders, products, configuration, team members, audit logs) is permanently deleted within 48 hours, in compliance with Shopify's GDPR requirements.
4. Customer Data & GDPR
Code Magic: ProfitIQ stores limited personal data about your customers (email address and name) for the purpose of calculating Customer Lifetime Value. We support the following GDPR rights:
- Right to Access: When Shopify forwards a customer data request, we log it for your action. We hold: order history (email, name, financial totals, UTM attribution).
- Right to Erasure: When Shopify forwards a customer erasure request, we automatically anonymise all personal identifiers (email, name, UTM fields) in that customer's order records within 24 hours.
- Shop Data Erasure: All data is deleted within 48 hours of app uninstall via Shopify's
shop/redact webhook.
5. Data Security
- Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS). No plaintext HTTP connections are used.
- Encryption at rest: Data is stored on Railway's managed PostgreSQL infrastructure, which encrypts all data at rest using AES-256.
- Backup encryption: Railway performs automated daily encrypted database backups with point-in-time recovery. Backups are encrypted using the same AES-256 standard as live data.
- Test / production separation: Development and production environments use entirely separate databases, Shopify stores, and credentials. No test data is ever mixed with live merchant data.
- Data loss prevention: In addition to automated backups, all order and product data can be fully re-synced from Shopify's API at any time, providing a second recovery path.
- Access tokens: Shopify access tokens are stored server-side only and are never exposed in client-side code or logs.
- Role-based access control: Team member roles (owner / admin / analyst) limit who can view or modify sensitive data within your store's account.
- API authentication: All API endpoints require either a Shopify session token or a Bearer API key generated by the merchant. Webhook authenticity is verified via HMAC before any business logic runs.
6. Security Incident Response
We maintain a security incident response policy covering detection, containment, recovery, and notification. In the event of a confirmed data breach affecting your store:
- We will notify you without undue delay once we confirm your data was affected.
- Where personal data is involved, we will notify the relevant supervisory authority within 72 hours of becoming aware, in line with GDPR requirements.
- To report a suspected vulnerability or security concern, contact us at info@mycodemagic.com. We respond to all security reports within 48 hours.
7. Third-party Services
We use the following third-party services to operate Code Magic: ProfitIQ:
- Railway (hosting): Runs our servers and PostgreSQL database. Data is stored in their AES-256 encrypted infrastructure under a data processing agreement. Railway Privacy Policy.
- Shopify API: Used to sync your orders and products — data originates from your own Shopify store.
- Resend (email delivery): Used only to deliver scheduled profit report emails you have configured. Only recipient addresses and profit summary figures are sent. Resend Privacy Policy.
- Slack / Google Sheets / Webhooks: Used only when you enable these integrations and provide your own webhook URL or Sheet URL. No data is sent to these services unless you configure them.
8. Your Rights
As a merchant, you have the right to request a copy of the data we hold about your store, request deletion of that data, or raise a complaint. Contact us at info@mycodemagic.com.
9. Changes to This Policy
We may update this policy from time to time. The updated date at the top of this page reflects when the latest revision was made. Material changes will be communicated via email to the store owner.
10. Contact
For privacy-related questions or GDPR requests, contact us at:
info@mycodemagic.com
© 2026 Code Magic: ProfitIQ. All rights reserved.