Privacy Policy
Last updated: 10/02/2026
This Privacy Policy (the "Privacy Policy") explains how CLYRO SOLUTIONS LTD, a company incorporated in the Republic of Cyprus ("Clyro", "Company", "we", "us", or "our"), collects, uses, discloses, and otherwise processes personal data when you access or use our website: https://www.clyro.com/ (the "Website"), applications, browser extensions, Shopify app(s), dashboards, and all other services we may provide therein from time to time, including any updates (collectively, the "Services").
For the purposes of these Terms, the term "User", "you", or "your" refers solely to the entity or individual subscribing to or using the Service and does not include the User's own customers, clients, or end-users. To the extent the Company processes any personal data relating to the User's customers, clients, or end-users on the User's behalf in connection with the provision of the Service, such processing is carried out subject to these Terms and the Company's Privacy Policy. Individuals whose personal data is processed through the User's use of the Service should refer to the privacy policies, terms of service, or other notices of the User with whom they have a direct relationship for information regarding how that User engages service providers, including the Company, to process personal data on its behalf. To the fullest extent permitted by applicable law, such individuals shall not rely on any representations made by the Company or on these Terms or this Privacy Policy as creating any direct rights or obligations between such individuals and the Company.
For the purposes of this Privacy Policy, "personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, online identifier, location data, account credentials, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Personal data may include, without limitation, names, email addresses, phone numbers, usernames, account identifiers, billing information, IP addresses, device identifiers, cookie identifiers, Shopify store administrator details, information contained in store content or customer records, order-related data, communications submitted through support channels, prompts or instructions that contain personal information, images or files that include identifiable individuals, and any other information that can reasonably be linked to an individual either alone or when combined with other data. Personal data also includes information that may not directly identify a person on its own but that can reasonably be used, in combination with other information available to us or to third parties, to identify an individual. Aggregated or de-identified information will not be considered personal data where it has been irreversibly anonymized in such a way that individuals can no longer be identified.
If you do not agree with this Privacy Policy, you must not access or use the Service.
Disclaimer Clarification (Controller vs Processor)
This Privacy Policy primarily describes our privacy practices where the Company acts as a data controller of personal data. It does not govern or describe how Users of the Services may process personal data when using the Services, nor does it fully address situations where the Company processes personal data solely on behalf of Users in accordance with their instructions, in which case the Company acts as a data processor. Individuals whose personal data is processed through a User's use of the Services should refer to the privacy policies, notices, or terms of the relevant User with whom they have a direct relationship for information regarding how that User collects personal data and engages service providers, including the Company, to process personal data on its behalf. To the fullest extent permitted by applicable law, the Company may not be in a position to respond directly to requests relating to personal data processed solely on behalf of a User and such requests should be directed to the relevant User (the data controller).
1. Roles of the Company Regarding Your Personal Data
When a User uses the Services in connection with their Shopify store, the User may input or make available information that relates to the User's own customers, clients, or end-users (for example, information contained in a Shopify store, orders, or customer records). In those situations, the User is the controller for such end-user personal data and Clyro acts as a processor (or sub-processor) processing that data only on behalf of and under the instructions of the User, in order to provide the Services.
For the avoidance of doubt, the term "User" does not include the User's own customers, clients, or end-users. Individuals whose personal data may be processed through a User's use of the Services should refer to the privacy notices, terms, or policies of the relevant User with whom they have a direct relationship for information regarding how that User collects and uses personal data and engages service providers (including Clyro) to process personal data on its behalf. To the fullest extent permitted by applicable law, this Privacy Policy does not create any direct rights or obligations between Clyro and a User's customers, clients, or end-users.
2. Personal Data We Collect
We may collect personal data from (a) you, (b) your device/browser, (c) Shopify and other integrations you connect, and (d) third parties such as payment processors and analytics providers. The categories of personal data we may collect include:
2.1 Account and profile data. Name, email address, username, authentication data, business name, country/region, and account preferences.
2.2 Billing and transaction data. Subscription plan details, payment status, invoices/receipts, billing address, VAT information, and limited payment instrument information as provided by our payment processors (for example, last four digits and expiry date). We do not typically store full card numbers.
2.3 Shopify and store integration data. If you connect the Services to Shopify, we may collect and process identifiers and data necessary to connect and operate the integration, such as Shopify store information, theme identifiers, theme files and code, store configuration, product and page content, and other data that you choose to make available through Shopify APIs and the Shopify Admin.
2.4 Prompts, instructions, generated outputs, and content. We process the instructions, prompts, and requests you submit to the Services, as well as the outputs generated by the Services (including code, sections, blocks, templates, layouts, copy, and images). This may include content that you submit or that exists within your Shopify store.
2.5 Usage and device data. IP address, device identifiers, browser type, operating system, referral URLs, pages viewed, time stamps, clickstream data, and logs relating to your use of the Services.
2.6 Support and communications. Information you provide when you contact us (for example, via email, chat, or ticketing), including message content and attachments.
2.7 Cookies and similar technologies. Cookie identifiers and related information as described in Section 8.
2.8 Security and fraud prevention data. Information used to secure accounts and prevent abuse, including logs, audit trails, and signals indicating suspicious activity.
3. How We Use Personal Data
We process personal data for the following purposes:
3.1 Provide, operate, and maintain the Services. This includes enabling account creation, authentication, access control, plan management, integrations with Shopify, generating or modifying store assets, and delivering functionality.
3.2 Improve and develop the Services. This includes troubleshooting, analytics, product improvement, and developing new features.
3.3 Personalize the experience. For example, remembering preferences and presenting relevant information.
3.4 Customer support. Responding to inquiries and providing technical support.
3.5 Billing and payments. Processing transactions, managing subscriptions, accounting, tax compliance, and preventing payment fraud.
3.6 Security, safety, and abuse prevention. Protecting the Services, our users, and others from fraud, misuse, unauthorized access, and harmful activity.
3.7 Legal compliance and enforcement. Complying with legal obligations, responding to lawful requests, protecting our rights and property, and enforcing our Terms of Service.
3.8 Communications and marketing. Sending service-related communications (for example, transactional emails, security notices, product updates) and, where permitted by law, marketing communications. You can opt out of marketing at any time.
4. Legal Bases for Processing (GDPR)
Where GDPR applies and Clyro acts as controller, we rely on one or more of the following legal bases:
4.1 Performance of a contract. Processing necessary to provide the Services and perform our contract with you (for example, account management, integration enablement, and billing).
4.2 Legitimate interests. Processing necessary for our legitimate interests, such as improving the Services, ensuring security, preventing fraud, and running our business, provided those interests are not overridden by your rights.
4.3 Legal obligations. Processing necessary to comply with legal obligations (for example, tax and accounting, responding to lawful requests).
4.4 Consent. Where required, we process certain data based on your consent (for example, some marketing communications or certain cookies). You can withdraw consent at any time, without affecting processing performed before withdrawal.
Where Clyro acts as processor for a User, the User is responsible for identifying the lawful basis for processing end-user personal data and providing appropriate notices to its customers in accordance with all applicable data protection legislation.
5. Disclosure of Personal Data
We may disclose personal data to the following categories of recipients:
5.1 Service providers (processors/subprocessors). Cloud hosting providers, infrastructure providers, database providers, analytics providers, customer support tools, communication tools, payment processors, and security providers that help us operate the Services.
5.2 Shopify and integrations you choose. When you connect Shopify or other third-party services, we may exchange data with those providers as necessary to provide the Services.
5.3 Professional advisors. Lawyers, auditors, accountants, and insurers as necessary for professional services.
5.4 Corporate transactions. If we are involved in a merger, acquisition, financing, due diligence, reorganization, bankruptcy, or sale of assets, personal data may be disclosed as part of that process, subject to appropriate protections.
5.5 Legal and safety disclosures. We may disclose personal data if we believe in good faith that disclosure is necessary to comply with law, regulation, legal process, or governmental request, to protect the rights, property, and safety of the Company, Users, or the public, or to prevent fraud or security issues.
We do not sell personal data as that term is commonly understood.
6. International Transfers
Clyro is based in Cyprus, and we may process personal data in the European Economic Area (EEA) and other jurisdictions where our service providers operate. Where personal data is transferred outside the EEA/UK to a country not recognized as providing an adequate level of protection, we implement appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), and other lawful transfer mechanisms.
7. Data Retention
We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and protect our legal rights.
Retention periods vary depending on the type of data and purpose of processing. For example:
7.1 Account data is generally retained for the duration of the account and for a reasonable period thereafter.
7.2 Billing records may be retained for longer periods as required by tax, accounting, and legal obligations.
7.3 Logs and security records may be retained for shorter periods unless required for investigating incidents, security events, or compliance.
Where feasible, we may anonymize data so it can no longer be linked to an identifiable person.
8. Cookies and Similar Technologies
We use cookies and similar technologies (such as pixels and local storage) to operate our website and Services, to remember preferences, to provide security, and to analyze usage.
8.1 Essential cookies. Necessary for the Services to function and cannot be switched off in our systems.
8.2 Functional cookies. Enable enhanced functionality and personalization.
8.3 Analytics cookies. Help us understand usage and improve performance.
8.4 Marketing cookies. Used to deliver and measure advertising and marketing effectiveness, where permitted.
You can control cookies through browser settings and (where applicable) our cookie banner/management tools. Disabling certain cookies may affect functionality.
9. Security
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, destruction, and loss. Security measures include access controls, encryption where appropriate, logging and monitoring, and policies and procedures designed to safeguard data.
No method of transmission or storage is completely secure. You are responsible for maintaining the confidentiality of your login credentials and for securing your own systems and Shopify account.
10. Your Rights
Where GDPR applies and Clyro acts as controller, you may have the right to request:
- Access to your personal data
- Rectification
- Erasure
- Restriction
- Portability
- Objection to processing
- The right not to be subject to certain automated decision-making
You may also have the right to withdraw consent at any time where processing is based on consent.
If you wish to exercise your rights, contact us using the details in Section 14. We may need to verify your identity before responding. Where we process end-user personal data on behalf of a User, requests should usually be directed to that User (the controller). We may assist the User as required by applicable law.
11. Communications
11.1 Service communications. We may send you administrative or service-related communications, such as confirmations, invoices, security notices, and product updates. You cannot opt out of essential service communications.
11.2 Marketing communications. Where permitted by law, or upon your consent we may send marketing communications. You may opt out at any time by using the unsubscribe link or contacting us directly.
12. Children's Privacy
The Services are not intended for individuals under 18, and we do not knowingly collect personal data from children.
13. Third-Party Links and Services
The Services may include links to third-party websites or services. We are not responsible for the privacy practices of third parties. Please review their policies before providing personal data.
14. Contact Us
If you have questions about this Privacy Policy or our processing of personal data, or if you wish to exercise your rights, contact us using the contact details made available on our website. If required by law, we may provide additional contact information for a data protection representative or data protection officer.
15. Complaints
If you are located in the EEA/UK, you have the right to lodge a complaint with your local supervisory authority. In Cyprus, this is the Office of the Commissioner for Personal Data Protection.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated version on our website and update the "Last Updated" date above. Continued use of the Services after the effective date of an updated Privacy Policy constitutes acceptance of the updated policy to the extent permitted by applicable law.
17. Allocation of Data Protection Responsibilities and Third-Party Rights
This Privacy Policy is intended solely to describe the Company's data protection practices and does not create any contractual or other enforceable rights in favor of any third party, including the customers, clients, or end-users of Users. To the fullest extent permitted by applicable law, individuals whose personal data is processed on behalf of a User shall not rely on this Privacy Policy as creating any direct obligations between such individuals and the Company.
Where the Company processes personal data on behalf of a User acting as data controller, the User remains solely responsible for ensuring the lawful collection, use, and disclosure of personal data, including providing required privacy notices, obtaining necessary consents, responding to data subject requests, and complying with applicable data protection laws.
The Company is responsible for implementing appropriate technical and organizational measures to protect personal data within the Company's own systems and infrastructure. Users are responsible for securing their own systems, credentials, integrations, and environments (including Shopify accounts and third-party applications) and for protecting the personal data they upload, manage, or control through the Services.
The Company shall not be responsible for breaches, incidents, or unauthorized disclosures arising from the User's own systems, integrations, personnel, instructions, or failure to implement appropriate security practices.
Where required by applicable law, the Company will provide reasonable assistance to Users to support their compliance obligations, including assistance relating to security incidents or data subject requests, subject to reasonable administrative, technical, and cost limitations.
Annex A: Processing Details (GDPR Information)
A.1 Subject matter and duration. Processing of personal data to provide the Services for the duration of the User's subscription and any additional retention period described in Section 7.
A.2 Nature and purpose. Hosting, accessing, modifying, generating, and managing Shopify store assets (including code and content), providing AI-assisted workflows and automation, providing support, and ensuring security and compliance.
A.3 Types of personal data. Depending on the User's use: account identifiers, contact details, store administration data, customer records made available via Shopify, order-related data, and any personal data included in prompts or store content.
A.4 Categories of data subjects. Users, authorized account administrators, and (where relevant) the User's customers, clients, and end-users.
A.5 Subprocessors. The Company may use subprocessors as described in Section 5.1.
A.6 Technical and organizational measures. The Company maintains measures described in Section 9.
B. Where the Company processes personal data on behalf of Users in connection with the Services, such processing is carried out strictly in accordance with the User's documented instructions and applicable data protection laws. In these circumstances, the User acts as the data controller and is responsible for determining the purposes and legal bases of the processing of personal data, including providing any required notices to data subjects and obtaining all necessary consents.
C. The Company does not control the categories of personal data submitted by Users through the Services and does not independently determine the purposes for which such data is processed. Accordingly, the Company generally does not have a direct relationship with the individuals whose personal data is processed on behalf of Users and may not be in a position to respond directly to requests from such individuals regarding their personal data. Where the Company receives a request relating to personal data processed on behalf of a User, the Company may direct the requesting individual to the relevant User or may notify the User of the request so that the User can respond in accordance with applicable law.
D. The Company may engage third-party service providers and subprocessors to support the delivery of the Services, including hosting providers, infrastructure providers, analytics providers, payment processors, and support platforms. Such subprocessors are authorized to process personal data only to the extent necessary to perform services on behalf of the Company and are subject to contractual obligations requiring them to implement appropriate security measures and maintain the confidentiality of personal data.
E. The Company may create, use, and disclose aggregated, statistical, or de-identified information derived from the use of the Services for purposes such as analytics, product improvement, research, benchmarking, and operational reporting, provided that such information does not reasonably identify any individual and cannot be re-identified.
F. The Company does not sell personal data provided through the Services and does not retain, use, or disclose personal data processed on behalf of Users for any purpose other than providing, maintaining, improving, securing, and supporting the Services, or as otherwise permitted or required by applicable law.
G. To the extent required by applicable law, the Company may provide reasonable assistance to Users to enable them to comply with their data protection obligations, including obligations relating to responding to data subject requests, security incident notifications, data protection impact assessments, and international transfer assessments, subject to reasonable administrative or technical limitations and, where applicable, reimbursement of reasonable costs.