Legal
Data Use Policy
Effective date: May 14, 2026
This Data Use Policy ("Policy") describes how Passo AI, Inc. ("Passo," "we," "us," or "our") processes data on behalf of the brand merchants ("Customers") who use our creator marketing platform. This Policy functions as our Data Processing Addendum and applies to all Customer data we access through our Shopify integration and the Passo platform. It supplements our Privacy Policy.
1. Roles and Relationship
Under applicable data protection laws (including the GDPR and CCPA), the Customer is the data controller (or "business" under CCPA). Passo acts as a data processor (or "service provider" under CCPA), processing data solely on the Customer's behalf and in accordance with the Customer's documented instructions.
Passo installs into each Customer's Shopify store as a per-merchant Custom Distribution app (not a public App Store listing). Shopify is the Customer's primary processor for their e-commerce operations; Passo operates as a downstream processor for the specific data flows described in this Policy.
2. Scope of Processing
OAuth scopes requested
We request only the minimum Shopify OAuth scopes needed to deliver the Passo platform:
- read_products — read product and variant catalog data (IDs, titles, prices, inventory state) for catalog browsing and selecting items for creator shipments.
- read_orders, write_orders — create zero-cost, auto-fulfilled orders on the Customer's behalf to ship product to creators; read those orders back for status and audit.
- write_draft_orders — create draft orders during the creator-shipment flow.
- read_discounts, write_discounts — create and read discount codes for creator partnerships and affiliate links.
- write_content — write to the Customer's Shopify content surfaces as part of campaign workflows.
Categories of data we process
- Merchant catalog data — products, variants, prices, and inventory state.
- Orders — orders we create on the Customer's behalf, including order ID, line items, fulfillment status, and tracking information.
- Discount codes — codes we create, including code name, value, scope, and usage state.
- Shop metadata — shop domain, owner email, and plan information returned during OAuth.
- Creator PII — name, email address, shipping address, social media handles, and payment information for partnership fees. This data is collected by Passo from the creator at the Customer's direction and transmitted to Shopify only to fulfill creator shipments.
Data we do NOT process
- The Customer's general customer list or end-consumer PII.
- Payment card data (handled exclusively by Shopify).
- Any Shopify data outside the scopes listed above.
3. Sub-Processors
We use the following sub-processors to deliver the Passo platform. We maintain contractual data-processing terms with each sub-processor that are no less protective than this Policy.
Embedded in product
The following sub-processors directly process Customer data as part of delivering the Passo platform:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Shopify Inc. | E-commerce platform (Customer's primary processor) | Canada / US |
| Supabase Inc. | Database and authentication (Postgres, AWS US region) | US |
| Vercel Inc. | Application hosting and edge functions | US |
| Nylas Inc. | Email integration (reads/sends email on behalf of brand users) | US |
| Resend Inc. | Transactional email delivery | US |
| DocuSeal Inc. | E-signature for creator contracts | US |
| OpenAI, L.L.C. | AI features (content generation, creator matching) | US |
| Google LLC (Gemini) | AI features (content generation, analysis) | US |
| Mux Inc. | Video hosting and streaming for creator content | US |
| Sentry (Functional Software Inc.) | Error tracking and performance monitoring | US |
Internal tools
The following tools are used for internal operations and do not directly process Customer data, though they may contain incidental references (e.g., a Customer name in a support ticket):
| Tool | Purpose |
|---|---|
| Slack | Internal communications |
| Notion | Internal documentation |
| Linear | Issue tracking |
| Loom | Internal video recording |
| Zoom | Video calls (including Customer calls) |
| Grain | Call recording and transcription |
Sub-processor change notification
We will notify Customers at least 30 days before engaging a new sub-processor or materially changing how an existing sub-processor is used. Customers may object to a new sub-processor by contacting us at privacy@passo.co within the notice period. If we cannot reasonably accommodate the objection, either party may terminate the affected services.
4. Security Measures
- Encryption in transit — all data transmitted between Passo, Shopify, and our infrastructure is encrypted via TLS 1.2 or higher.
- Encryption at rest — all data stored in Supabase (Postgres) is encrypted at rest. Shopify OAuth access tokens receive an additional layer of application-level encryption.
- Tenant isolation — multi-tenant isolation is enforced via Postgres Row-Level Security (RLS). Customer data is logically isolated per merchant; we do not commingle merchant datasets.
- Access controls — access to production systems is restricted to authorized personnel on a least-privilege basis.
- OAuth scope minimization — we request only the Shopify scopes required for the platform's functionality and do not request scopes beyond those listed in Section 2.
5. Data Location and Cross-Border Transfers
Customer data is stored and processed in the United States (Supabase on AWS US region; Vercel US region). Where Customer data originates from the European Economic Area (EEA), United Kingdom, or Switzerland, transfers to the US are governed by the European Commission's Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs, as applicable.
6. Data Subject Rights
Where a data subject (e.g., a creator) exercises rights under GDPR, CCPA, or other applicable law — including rights of access, rectification, erasure, restriction, portability, or objection — we will assist the Customer in fulfilling the request in accordance with applicable law.
Shopify GDPR webhooks
We subscribe to Shopify's mandatory compliance webhooks as required by the Shopify Partner Program:
- customers/data_request — we respond with any creator-side data tied to the corresponding Shopify customer record within 30 days.
- customers/redact — we delete the corresponding creator-facing records within 30 days.
- shop/redact — on merchant uninstall, we delete all data associated with that Customer's workspace within 48 hours of receiving the webhook, per Shopify's Partner Program requirements.
7. Breach Notification
In the event of a confirmed personal-data breach affecting Customer data, we will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include, to the extent available: the nature of the breach, the categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
8. Data Retention, Deletion, and Return
During the subscription
We retain Customer data for as long as the Customer's account is active and as needed to provide the Passo platform. Customers may request deletion of specific records at any time by contacting privacy@passo.co.
On termination or uninstall
- When a Customer uninstalls the Passo app from their Shopify store, we immediately revoke the stored OAuth access token and stop all data synchronization.
- Upon receiving the shop/redact webhook, we delete all Customer data within 48 hours.
- Before deletion, the Customer may request an export of their data in a machine-readable format. Export requests must be submitted within 30 days of termination.
Retention exceptions
We may retain limited data beyond the deletion timeline where required by applicable law, regulation, or legitimate legal obligation (e.g., tax or accounting requirements). Any such retained data will remain subject to the protections in this Policy.
9. Audit Rights
Customers may audit our compliance with this Policy by requesting our most recent security assessment, penetration test summary, or applicable compliance report (e.g., SOC 2 Type II). Where a document-based review is insufficient, Customers may conduct or commission a third-party audit at their own expense, with reasonable advance notice of at least 30 business days and subject to reasonable confidentiality obligations. Audits will be limited to once per 12 months unless a data breach or regulatory investigation necessitates an additional audit.
10. Changes to This Policy
We may update this Policy from time to time. We will notify Customers of material changes by posting the updated Policy on this page, updating the effective date, and, where required, providing direct notice. Continued use of the Passo platform after the effective date constitutes acceptance of the updated Policy.
11. Contact
For questions about this Policy or to exercise any rights described herein, contact us at:
Passo AI, Inc.
privacy@passo.co