Privacy Policy
Sorae (“Sorae,” “we,” “our,” or “us”) provides referral marketing and affiliate attribution software for Shopify merchants. This Privacy Policy explains how we collect, use, share, and retain personal data when you install and use the Sorae Shopify application, access the merchant workspace at sorae.io, participate in the affiliate portal, or land on a merchant’s storefront through a Sorae-generated referral link.
Sorae acts as a data controller for information collected directly from merchants, affiliates, and visitors to sorae.io. For consumer data accessed through the Shopify API on a merchant’s behalf, Sorae acts as a data processor operating under the merchant’s instruction.
1. Data We Collect
1.1 Merchant Account Data (Controller)
- Business name, email address, and billing contact details
- Shopify shop domain and permanent shop identifier
- Encrypted Shopify OAuth access token
- Subscription plan, billing history, and payment method metadata — card details are handled exclusively by our payment processor and are never stored by Sorae
- Campaign configuration settings, reward thresholds, and payout rules
1.2 Affiliate and Partner Data (Controller)
- Affiliate name, email address, and contact details provided at onboarding
- Unique referral share codes and campaign associations
- Aggregated click, conversion, and earnings data attributed to the affiliate
1.3 Consumer Data (Processor on behalf of the Merchant)
When a consumer clicks a referral link and completes a purchase, Sorae processes the following data solely to provide attribution and reward services to the relevant merchant:
- Shopify customer ID and order ID
- Referral code embedded in the inbound link (arl query parameter)
- Referral metadata: timestamp, campaign identifier, referring affiliate
- Reward eligibility status and issued discount code identifier
Sorae does not collect consumer names, email addresses, payment information, or browsing history beyond what is strictly necessary to perform attribution. Consumers should consult the merchant’s own privacy policy for information about how the merchant handles their data.
1.4 Usage and Analytics Data (Controller)
- Merchant dashboard interactions — page views and feature usage
- API request logs including timestamps, endpoint paths, and response codes
- Error and diagnostic events
1.5 Technical Data
- IP addresses and approximate geolocation (country or region)
- Browser type, operating system, and device category collected via server logs
- Session identifiers and authentication tokens
2. Cookies and Tracking
Sorae uses strictly necessary session cookies on the merchant workspace to maintain authenticated sessions. We do not use advertising or cross-site tracking cookies.
The Sorae affiliate shopper widget embedded in merchant Shopify storefronts reads a URL query parameter (?arl=) to resolve referral attribution. No persistent cookies or device fingerprinting are used by the widget.
3. Legal Bases for Processing (GDPR)
For merchants, affiliates, and visitors in the European Economic Area, the United Kingdom, and Switzerland:
| Purpose | Legal Basis |
|---|---|
| Providing the App and core services | Performance of a contract (Art. 6(1)(b)) |
| Billing and payment processing | Performance of a contract (Art. 6(1)(b)) |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) |
| Service improvement and analytics | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Marketing communications to merchants | Legitimate interests / consent (Art. 6(1)(a)/(f)) |
Consumer data processed via the Shopify API is processed on behalf of the merchant and under the merchant’s applicable lawful basis as data controller.
4. How We Use Data
We use collected data to:
- Provide, operate, maintain, and improve the Sorae platform
- Attribute referral conversions and calculate reward eligibility
- Issue discount codes and manage reward fulfillment on behalf of merchants
- Generate analytics and reporting for merchants and affiliates
- Authenticate accounts and maintain the security of our systems
- Process subscription billing through Shopify’s billing API
- Detect, investigate, and prevent fraudulent or abusive activity
- Comply with applicable law and Shopify’s API terms
- Respond to support and privacy inquiries
We do not sell personal data. We do not use consumer data to build advertising profiles or retarget consumers on behalf of ourselves or third parties.
5. Data Sharing
Sorae shares personal data only in the following circumstances:
Service Providers
We engage trusted third-party processors — including hosting infrastructure, payment processors, and error monitoring services — who process data on our behalf under contractual data processing agreements that require them to protect your data.
Shopify
The App operates within the Shopify Partner ecosystem. Data accessed via the Shopify API is governed by Shopify’s Developer Terms of Service and our agreement with Shopify.
Merchants
Referral attribution data, consumer order identifiers, and reward status information are surfaced to the relevant merchant through the Sorae dashboard. Consumers should review the merchant’s own privacy policy for further information.
Legal Compliance
We may disclose data when required by law, court order, or a lawful request from a governmental authority, or to protect the rights, property, or safety of Sorae, our users, or the public.
Business Transfers
In the event of a merger, acquisition, or sale of substantially all of our assets, personal data may be transferred as part of the transaction. We will provide notice before data is transferred and becomes subject to a different privacy policy.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Merchant account data | Active subscription + 90 days after termination |
| Billing and payment records | 7 years (tax and accounting obligations) |
| Affiliate partner data | Active partnership + 90 days |
| Consumer referral records | Duration of merchant’s active subscription |
| API and server logs | 90 days rolling |
| Anonymised / aggregated analytics | Indefinitely |
Upon termination of a merchant’s subscription, all associated consumer referral data is deleted or anonymised within 90 days unless Sorae is required by law to retain it for a longer period.
7. Shopify GDPR Mandatory Webhooks
Sorae complies with Shopify’s mandatory privacy webhook requirements:
- customers/data_request — Upon receipt of a request for customer data, Sorae will respond within Shopify’s required timeframe by providing the relevant attribution and reward records associated with the customer’s Shopify ID.
- customers/redact — Upon receipt of a customer redaction request, Sorae will delete or anonymise all personal data associated with the specified customer within 30 days.
- shop/redact — Upon receipt of a shop redaction request (issued 48 days after app uninstallation), Sorae will permanently delete all data associated with the shop and its customers.
8. International Data Transfers
Sorae’s infrastructure is based in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States. Sorae relies on Standard Contractual Clauses (SCCs) approved by the European Commission to provide appropriate safeguards for such transfers.
9. Your Rights
Depending on your location and applicable law, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete personal data
- Delete your personal data, subject to legal retention obligations
- Restrict or object to certain processing activities
- Port your data to another service in a machine-readable format
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with your local supervisory authority
California Residents (CCPA / CPRA)
California residents have the right to know what personal information we collect and how it is used, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. Sorae does not sell or share personal information as defined by the CCPA. Sorae will not discriminate against you for exercising any of these rights.
To exercise any of your rights, contact us at [email protected]. We will respond within the timeframe required by applicable law (generally 30 days).
10. Children’s Privacy
Sorae’s services are not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to Sorae, please contact us at [email protected] and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify merchants of material changes via email or in-app notice at least 14 days before the change takes effect. Continued use of the Services after the effective date constitutes acceptance of the updated Policy. The current effective date is always shown at the top of this page.
12. Contact
For privacy questions, requests, or complaints, please contact our Privacy Team at [email protected].