New

A/B Testing is live on Advanced & Enterprise plans.

SortLab

Legal

Privacy Policy

Effective Date: March 25, 2026 · Last Updated: March 25, 2026

This Privacy Policy describes how Hyperion Apps LLC ("Company", "we", "our", or "us") collects, uses, and protects information when you use SortLab (the "App"), a Shopify application available at sortlab.ai. Our registered address is 1309 Coffeen Avenue STE 19519, Sheridan, Wyoming 82801, United States.

By installing or using SortLab, you agree to the collection and use of information in accordance with this policy. This policy should be read alongside our Terms of Service.

1. Information We Collect

When you install SortLab from the Shopify App Store, we receive access to certain Shopify store data as authorized by you during the OAuth installation flow. This includes:

  • Shop information: Store URL, store name, currency, timezone, and plan type
  • Product and collection data: Product titles, types, tags, vendors, prices, inventory levels, and collection membership
  • Order data: Anonymized order line item data (product IDs, quantities, revenue) used to calculate sorting scores. We do not access or store customer names, emails, or other personally identifiable information from orders.
  • Storefront behavioral signals: Anonymized customer interactions on your storefront (product impressions, clicks, add-to-cart events, and pageviews) captured via Shopify's Web Pixel API. These events are associated with a Shopify-assigned browser identifier (ClientId) — a pseudonymous token that is not linked to any customer's name, email, or personal identity.
  • App usage data: Which features you use, sorting strategy configurations, and A/B test settings
  • Technical data: IP addresses and standard server log data generated when your browser or the Shopify Admin contacts our servers. IP addresses are used for security, rate limiting, and abuse prevention, and are not linked to merchant identity in our application database.

We do not intentionally collect, and do not store, customer names, customer email addresses, payment card data, shipping addresses, or other personally identifiable information (PII) about your customers.

Website visitors (sortlab.ai): When you visit the SortLab marketing website without installing the App, we may collect standard server log data (IP address, browser type, referring URL, and pages visited) and anonymized usage analytics via PostHog to understand how visitors interact with the site. We do not use cookies for advertising or cross-site tracking. IP addresses collected in this context are not linked to merchant identity in our application database.

2. How We Use Your Information

We collect only the data reasonably necessary to provide the SortLab service. We use the information we collect to:

  • Provide and operate the SortLab sorting service
  • Calculate optimized product rankings for your collections using sales data, inventory signals, and behavioral metrics
  • Power analytics and A/B testing features within the App
  • Send transactional emails (billing receipts, service notices, and subscription-related communications)
  • Diagnose technical issues and improve App performance
  • Send product update announcements and feature release notices (you may unsubscribe at any time via the unsubscribe link in any such email; transactional emails cannot be opted out of while your subscription is active)
  • Comply with applicable laws and regulations

We do not sell your data to third parties. We do not use your store or customer data for advertising, cross-merchant profiling, or to train any artificial intelligence or machine learning models (see Section 9).

3. Pixel Tracking and Behavioral Analytics

SortLab uses Shopify's native Web Pixel API to install a lightweight JavaScript pixel on your storefront. This pixel collects anonymized behavioral signals to power sorting algorithms. Specifically, it captures the following event types:

  • Impressions: When a product is rendered visible on a collection page
  • Clicks: When a shopper clicks a product listing from a collection page
  • Add-to-cart events: When a shopper adds a product to their cart
  • Product pageviews: When a shopper views a product detail page
  • Collection pageviews: When a shopper loads a collection page

Each event includes a unique event identifier, a timestamp, relevant Shopify entity IDs (product ID and/or collection ID), and a ClientId — a pseudonymous, Shopify-assigned browser identifier. ClientId is not linked to a customer's name, email address, Shopify account, or any other personally identifiable information. It exists solely for deduplication (counting unique interactions per product per day) and is retained in our systems for no more than 24 hours before being aggregated and discarded.

Events are batched client-side before being sent to our servers. No raw event data is shared with any third party for independent use; API traffic transits through Cloudflare's network as a conduit (see Section 5), but Cloudflare does not store or process event data beyond standard network transit. Raw event data is not used for any purpose other than computing sorting scores for your store.

The pixel operates within Shopify's Customer Privacy API and consent framework. Event collection is classified as analytics-only and does not constitute marketing or sale of data. Merchants remain responsible for ensuring their own storefront privacy notices and consent mechanisms accurately reflect SortLab's pixel data collection. If a visitor has indicated opt-out preferences — including via the Global Privacy Control (GPC) signal — Shopify's Customer Privacy API will suppress or restrict event collection accordingly; SortLab does not override these consent states.

Our service does not respond to browser Do Not Track (DNT) signals, as there is no industry-standard interpretation of the DNT header. We do, however, honor the Global Privacy Control (GPC) signal as described above.

4. Data Storage and Security

Your data is stored on Google Cloud Platform (GCP) servers located in the United States. We implement security measures including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls limiting data access to authorized personnel only
  • Encryption keys are managed via a dedicated key management service with access logging
  • Periodic internal security reviews
  • Shopify API tokens stored in encrypted form
  • Rate limiting and deduplication for behavioral event ingestion

No security system is infallible. In the event of a confirmed data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, except where prohibited by applicable law or a lawful court order. We will report to the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by applicable law. We will also notify Shopify of any confirmed breach involving Shopify store data within 24 hours of confirmation, as required by the Shopify Partner Program Agreement.

5. Third-Party Services

We use the following third-party services to operate SortLab. Each service operates under its own privacy policy.

  • Google Cloud Platform (GCP): Primary database and server infrastructure (United States). All application data, including store data, product data, and order data, is stored on GCP.
  • Cloudflare: CDN and reverse proxy for our backend API. All API traffic from the SortLab App is routed through Cloudflare's network as a network conduit. Cloudflare does not store your store or customer data beyond standard network transit logs.
  • Paddle.com Market Limited: Payment processing for subscription billing. Paddle acts as Merchant of Record and handles all payment card data and transaction records independently under their own privacy policy. We do not store payment card information.
  • PostHog: Product analytics for App interactions (anonymized usage events about feature usage only — no store, product, or customer data is sent to PostHog).
  • Sentry: Error monitoring and crash reporting. Only anonymized error context is sent; email addresses and personal data are configured to be scrubbed from all Sentry events before transmission.
  • Crisp: Customer support chat, available within the SortLab App dashboard and documentation site. When you visit the support section of the App, your store domain is shared with Crisp to identify your account in support conversations. Support messages are sent to Crisp only when you initiate a chat.
  • FeatureOS: Feature request and product feedback platform, accessible within the SortLab App and documentation site. If you submit a feature request, the content of your submission is sent to FeatureOS.

We do not share your store data, product data, order history, or customer behavioral data with any of these services except as described above.

6. Data Retention

We retain your store data for as long as your SortLab subscription is active. Specific retention periods:

  • App usage data (feature usage, configuration settings, A/B test records): retained for the duration of your active subscription and deleted as part of shop/redact processing described below.
  • Behavioral metrics (click-through rates, impression counts, and other aggregated signals): retained on a rolling basis while your subscription is active, then automatically purged on a regular schedule. These metrics are fully deleted as part of shop/redact processing described below.
  • Billing records: Records of your subscription status and billing correspondence may be retained for up to 7 years for legitimate business and accounting purposes. Payment card and transaction data is held exclusively by Paddle.com Market Limited and is not retained by us.

When you uninstall SortLab from your Shopify store, the following occurs:

  • Access revoked: Your Shopify access token is cleared and all active sorting strategies are deactivated upon receiving the app/uninstalled webhook.
  • All operational data deleted: Shopify sends a shop/redact webhook approximately 48 hours after uninstallation. Upon receiving this webhook, we permanently delete all operational data associated with your store — including products, order history, behavioral metrics, sorting configurations, and A/B test data — within 30 days.

We respond to all three mandatory Shopify GDPR compliance webhooks:

  • customers/data_request: Upon receiving this webhook, we compile and provide records of any data we hold relating to the specified customer within one calendar month.
  • customers/redact: Upon receiving this webhook, we delete order line item records associated with the specified customer's orders within 30 days.
  • shop/redact: Upon receiving this webhook (sent by Shopify approximately 48 hours after uninstallation), we permanently delete all operational data for the shop within 30 days.

7. GDPR Compliance (European Merchants)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have certain rights under the General Data Protection Regulation (GDPR) or UK GDPR, as applicable:

  • Right of access: Request a copy of the data we hold about your store
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your data ("right to be forgotten")
  • Right to data portability: Request your data in a structured, commonly used, and machine-readable format
  • Right to restriction: Request that we limit processing of your data in certain circumstances
  • Right to object: Object to processing based on legitimate interests

To exercise any of these rights, email privacy@hyperionlab.co. We will respond within one calendar month. You also have the right to lodge a complaint with your local supervisory authority — for EEA merchants, this is the data protection authority in your EU member state; for UK merchants, this is the Information Commissioner's Office (ICO).

Our lawful bases for processing under GDPR are as follows:

  • Performance of a contract (Article 6(1)(b)): Core service delivery — processing your shop information, product data, order data, and sorting configurations to provide the SortLab service; and sending transactional emails required to administer your subscription.
  • Legitimate interests (Article 6(1)(f)): App security and error monitoring (Sentry), internal product analytics (PostHog), processing of anonymized storefront behavioral signals (pixel data), customer support (Crisp), and product improvement feedback (FeatureOS). For behavioral signal processing, our legitimate interest is delivering an accurate sorting service; the data is pseudonymous, used solely for your store's benefit, and does not materially impact individual rights.
  • Legal obligation (Article 6(1)(c)): Retention of billing records required by applicable tax and accounting law.

For cross-border data transfers from the EEA to the United States, we rely on Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR, as executed with our infrastructure and service providers including Google Cloud Platform, Cloudflare, PostHog, and Sentry. For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs as required by the Information Commissioner's Office (ICO).

As a small and medium-sized enterprise with no establishment in the EEA or UK and whose processing activities are not large-scale or high-risk, we rely on the Article 27 GDPR SME exemption and have not designated an EU or UK representative at this time. If you are an EEA or UK supervisory authority and require a point of contact, please email privacy@hyperionlab.co.

In this relationship, you (the merchant) are the data controller of your store and customer data, and Hyperion Apps LLC acts as a data processor on your behalf.

EEA and UK merchants who require a Data Processing Agreement (Article 28 GDPR) may contact privacy@hyperionlab.co. Our Terms of Service and this Privacy Policy together form the basis for data processing under Article 28; a formal DPA addendum is available upon request.

As required by Article 28(3)(h) GDPR, we will make available to you all information necessary to demonstrate compliance with our obligations as data processor, and allow for and contribute to audits and inspections conducted by you or an auditor mandated by you, upon reasonable written notice and subject to appropriate confidentiality undertakings.

We will notify you of any proposed additions or replacements among our sub-processors at least 14 days in advance. If you object to a new sub-processor, please notify us at privacy@hyperionlab.co within that period and we will work with you to address your concern.

8. CCPA Compliance (California Merchants)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you, the sources, the purposes for which it is used, and the categories of third parties with whom it is shared.
  • Right to delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
  • Right to correct: You may request that we correct inaccurate personal information.
  • Right to opt out of sale or sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out action is required.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights, except as permitted by applicable law.

Personal information we may hold about California merchants includes: store URL and domain, store owner name and email address (as provided through Shopify), IP addresses recorded in server logs, and billing correspondence records. We do not sell any of this information.

To submit a CCPA request, contact us at privacy@hyperionlab.co. We will respond within 45 days. If we need additional time (up to 90 days total), we will notify you within the initial 45-day period and explain the reason for the extension.

9. Artificial Intelligence and Machine Learning

We do not use your store data, product data, order data, customer behavioral data, anonymized or aggregated derivatives of such data, or app usage patterns to train, fine-tune, evaluate, benchmark, or improve any artificial intelligence or machine learning models — whether proprietary to us or operated by a third party. Your data and any data derived from it is used exclusively to provide the SortLab service to your store and for no other purpose.

10. Shopify API Scopes

SortLab requests the following Shopify API permissions during installation. Each scope is used only for the purpose stated:

  • read_products: Read product titles, types, tags, vendors, prices, and variants to build sort inputs
  • write_products: Update product position within collections to apply sort results
  • read_orders: Read historical order line items (product IDs, quantities, revenue) to compute revenue-based sorting scores. Customer PII from orders is not accessed or stored.
  • read_inventory: Read current inventory levels to power inventory-based sorting rules (e.g., push out-of-stock items down)
  • read_analytics: Read Shopify store analytics as an additional sorting signal
  • write_pixels: Install and manage the SortLab Web Pixel on your storefront to collect anonymized behavioral signals (see Section 3)
  • read_customer_events: Read storefront customer interaction events (impressions, clicks, add-to-cart, pageviews) via the Web Pixel API to improve sorting accuracy

We comply with the Shopify API Terms of Service and the Shopify Partner Program Agreement.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email (to the store owner address on record) and by posting the updated policy at this URL with a new effective date. For material changes, we will provide at least 14 days' advance notice.

12. Governing Law

This Privacy Policy is governed by the laws of the State of Wyoming, United States, without regard to conflict of law principles, and subject to any mandatory requirements of applicable data protection law in your jurisdiction (including GDPR, UK GDPR, and CCPA).

13. Contact Us

For privacy-related questions, data requests, or to exercise your rights:

  • Email: privacy@hyperionlab.co
  • Mailing address: Hyperion Apps LLC, 1309 Coffeen Avenue STE 19519, Sheridan, Wyoming 82801, USA