Privacy Policy
Effective date: 16 April 2026
Last updated: 16 April 2026
This Privacy Policy describes how UpsellShark ("we", "us", or "our") — a product and website operated by the organization SafeSale — collects, uses, discloses, and protects information when you visit our website (upsellshark.com) or use our Shopify apps, including Background Color Editor for Products and Easy Tickets & Events (each an "App", together the "Apps"). It also applies to customers of Shopify stores that use the Easy Tickets & Events App to sell event tickets (ticket buyers, attendees and waitlist sign-ups).
Scope
This policy applies to:
- Merchants who install and use our Apps on their Shopify store.
- Customers and visitors of Shopify stores that use the Easy Tickets & Events App (ticket buyers, attendees, waitlist sign-ups).
- Visitors of the UpsellShark website.
Data processed under this policy is limited to what is necessary for each App and the website to function.
Information we collect
From merchants using our Apps
- Store information: Shopify store domain (e.g. example.myshopify.com), store name and store owner email address (from the Shopify session).
- App settings & preferences: branding (logo, colors, sender name), feature configuration and enabled page types.
- Product data (Background Color Editor): Product images and metadata necessary to apply background color filtering. Images are processed client-side in the browser; we do not permanently store product images on our servers.
- Third-party API credentials (Easy Tickets & Events): credentials the merchant voluntarily enters for integrations such as Zoom, Klaviyo or Mailchimp — stored encrypted at rest.
- Usage & installation data: features accessed, settings modified, date and time of App installation and uninstallation, and error logs generated by the Apps.
From ticket buyers and attendees (Easy Tickets & Events only)
When a customer purchases a ticket, or when a merchant's staff collects attendee information, we process:
- First name and last name.
- Email address.
- Phone number (optional, if enabled by the merchant).
- Shopify order ID and order number.
- Custom fields the merchant has configured (e.g. dietary restrictions, emergency contact) — the content depends on the merchant's setup.
- Selected event options or add-ons.
- Check-in timestamps and status.
- Waitlist sign-ups (name, email, phone) when an event is sold out.
- Refund-protection opt-in status.
We do not collect or store customer payment card data, shipping addresses, or billing addresses. Payment is handled entirely by Shopify.
From website visitors
- Technical information: IP address, browser type, device type and operating system.
- Usage information: pages viewed, time spent on pages and navigation patterns.
- Contact information: name and email address if you contact us via the website.
Automatically collected
- Standard server logs (IP address, request path, timestamp, user agent) retained for debugging and security for up to 30 days.
How we use your information
We use personal data only for the purposes listed below. We do not sell personal data, and we do not use personal data to train AI or machine-learning systems.
- Provide and maintain the Apps' functionality.
- Process product images to apply the merchant's chosen background colors (Background Color Editor).
- Create event tickets and attendee records (Easy Tickets & Events).
- Deliver ticket confirmation and reminder emails.
- Generate PDF and mobile wallet passes.
- Verify attendees at check-in (QR code, POS, web).
- Allow ticket transfers and bundle claims.
- Process waitlist sign-ups (based on customer consent).
- Sync attendees to the merchant's marketing list (Klaviyo, Mailchimp) when the merchant enables the integration.
- Create Zoom meetings for online events (event metadata only, not customer data).
- Respond to support requests and communications.
- Improve, optimize and secure our Apps and services.
- Detect and prevent fraud or abuse.
- Comply with legal obligations.
Our legal bases are contract performance (to deliver the Apps the merchant installed), legitimate interest (to operate, improve and secure the Apps), consent (for customer-facing opt-ins such as waitlist sign-ups and marketing sync), and legal obligation where applicable.
Data storage & security
- Hosting & database: Our Apps, website and PostgreSQL database are hosted on Railway with industry-standard security measures.
- Encryption: All data transmission is encrypted using SSL/TLS. Sensitive data (including third-party API credentials) is encrypted at rest.
- Backups: Encrypted and retained for up to 30 days for disaster recovery.
- Access control: Database access is restricted using role-based access controls and, where applicable, Row Level Security (RLS) policies. Access to production data is limited to authorized staff and requires two-factor authentication. Access to personal data is logged.
- Environments: Strict separation between development, staging and production.
- Image processing: Product images (Background Color Editor) are processed client-side in the browser; we do not permanently store them on our servers.
- Incident response: A security incident response policy is maintained. Affected merchants and customers will be notified within 72 hours of confirming a reportable breach.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
Data sharing & sub-processors
We do not sell, trade, or rent your personal information. We share personal data only with the sub-processors below, solely to deliver the Apps' functionality. Each sub-processor is bound by a data processing agreement.
- Shopify — App platform, merchant authentication and source of merchant and customer data.
- Railway — Application hosting, PostgreSQL database and backups.
- Resend — Transactional email delivery (ticket confirmations, reminders).
- Zoom (merchant-initiated) — Online meeting creation for virtual events.
- Klaviyo (merchant-initiated) — Marketing list sync, only if the merchant enables this integration.
- Mailchimp (merchant-initiated) — Marketing list sync, only if the merchant enables this integration.
- Apple Wallet / Google Wallet (optional) — Mobile wallet pass generation.
We do not share personal data with any other third party except:
- When required by law, court order, or regulator.
- To defend our legal rights or investigate fraud.
- In connection with a merger, acquisition or sale of assets, with notice to affected parties.
International transfers
Personal data may be transferred to and processed in countries outside the European Economic Area, the United Kingdom, and Switzerland, including the United States. Where required, we rely on Standard Contractual Clauses and equivalent safeguards to protect your personal data during these transfers.
Data retention
- Merchant data: retained for the duration of the App installation.
- Customer data (attendees, waitlist): retained while the merchant has an active App installation, or until the merchant deletes the event or customer record.
- On App uninstall: all shop data is removed within 48 hours via Shopify's shop/redact compliance webhook.
- On customer redaction request: personal fields (name, email, phone, custom field values) are redacted within 30 days via Shopify's customers/redact compliance webhook. Ticket records may be retained in anonymized form for the merchant's accounting and audit purposes.
- Backups: encrypted and retained for up to 30 days.
- Server logs: retained for up to 30 days.
- Legal requirements: some data may be retained longer if required by law.
Your data rights (GDPR & CCPA)
Depending on where you live, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your personal data ("right to be forgotten").
- Data portability: request your data in a machine-readable format.
- Objection and restriction: object to or limit certain processing.
- Withdraw consent: where processing is based on consent.
- Opt-out of the sale of personal data: we do not sell personal data; this right is inherently respected.
- Lodge a complaint with your local data protection authority.
How to exercise your rights
- Ticket buyers and attendees: contact the merchant whose store you purchased from. Shopify provides a built-in request flow at the store page, which forwards the request to us via Shopify's compliance webhooks. We act on these requests within 30 days.
- Merchants and anyone else: email support@upsellshark.com.
Shopify customer data
If a customer requests their data from a store using our Apps:
- We will provide any data we have about that customer within 30 days.
- We only process customer data as necessary to provide App functionality.
- For the Background Color Editor App, we do not collect end-customer personal information.
- For the Easy Tickets & Events App, we process the ticket and attendee data described in "Information we collect".
If a customer requests deletion, we will delete or redact customer-related data within 30 days. Merchants can also request customer data deletion by contacting us at support@upsellshark.com.
Cookies & tracking
Our website uses:
- Essential cookies: required for website functionality.
- Analytics cookies: to understand how visitors use our website (e.g. Google Analytics).
- Preference cookies: to remember your settings and preferences.
You can control cookies through your browser settings. Disabling cookies may limit website functionality.
Automated decision-making
We do not use personal data to make automated decisions that produce legal or similarly significant effects.
Children's privacy
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at support@upsellshark.com and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons. We will notify you of material changes by posting the updated policy on our website, updating the "Last updated" date above, and — for significant changes — notifying merchants through the App or via email.
Contact us
For questions, concerns, or to exercise your data rights, contact us at:
- Organization: SafeSale (operating as UpsellShark)
- Email: support@upsellshark.com
- Data protection contact: support@upsellshark.com
- Website: https://upsellshark.com
Compliance
This Privacy Policy is intended to comply with the following laws and requirements: GDPR, CCPA, Shopify App Store Requirements and PIPEDA (Canada).