Privacy Policy
The short version
- BigBox is a Shopify app for build-a-box offers. It's a tool for merchants, not a consumer service.
- From your store, we store your shop details, app settings, bundle configuration, and aggregate analytics.
- From your shoppers, we collect only anonymous, aggregated usage counts - no names, emails, IP-linked profiles, cookies, or cross-site tracking.
- We use only two sub-processors: Shopify and Cloudflare. We never sell your data.
- Uninstalling the app permanently deletes your data.
This Privacy Policy explains how EvoLabs ("BigBox," "we," "us") handles information in connection with the BigBox build-a-box application for Shopify (the "App"). It applies to merchants who install the App and, to the limited extent described below, to shoppers who interact with a BigBox offer on a merchant's storefront.
1. Our role
BigBox plays two different roles depending on the data involved:
- As a controller - for the account data we need to provide the App to you as a merchant (such as your store domain and the email tied to your store). We decide how this data is used to operate, secure, and bill the App.
- As a processor - for storefront and order-derived information we handle on your behalf to power your bundle offers and analytics. You, the merchant, are the controller of your store's data; we act on your instructions.
2. Information we collect
Merchant and store information
When you install the App, we collect and store:
- Your store domain and Shopify store ID;
- Your store name and the contact email associated with your store;
- Store settings relevant to the App, such as timezone and currency;
- Your BigBox plan, trial status, and billing cycle dates.
Authentication credentials
To connect to your store's Shopify APIs, we store the access and refresh tokens that Shopify issues when you approve the App. These are secrets that authorize the App to act within the permissions you granted; they do not give us access to anything outside those permissions.
App settings
Your drawer customization (colors, typography, button text) and any notification email addresses you enter are stored in your store's Shopify app metafields. Notification addresses are business contacts you choose for App-related alerts.
Storefront usage analytics (anonymous & aggregate)
When a shopper interacts with a BigBox offer on your storefront, the App records aggregate event counts - for example, how many times an offer was viewed, opened, had products added, or was added to cart - grouped by bundle, product or variant, and day. These metrics are stored as running totals. They are not linked to any individual shopper, and the App provides no way to identify or single out a shopper from them.
Order-derived analytics
After an order is paid, the App reads the order through the Shopify Admin API to calculate the performance of bundles it contains (such as units sold, gross and net sales, and realized discounts). We store only the resulting aggregate totals. We do not store order IDs, customer IDs, customer details, or line-item-level personal data.
Cart properties
When a shopper adds a box to their cart, the App attaches descriptive properties to the cart lines (such as the bundle name and a randomly generated bundle-instance reference). This reference is generated fresh for each cart addition so that an order can be attributed to a bundle. It is not a persistent or cross-site identifier and is not used to track shoppers.
Technical and operational logs
Like any web service, our infrastructure generates operational logs to keep the App secure and reliable. These may transiently include request metadata such as IP address and, where Shopify provides it, a logged-in customer identifier. This information is used only for security, debugging, and abuse prevention; it is short-lived and is not combined with, or stored alongside, the analytics described above.
3. What we do not collect
To be explicit, the App does not:
- collect shopper names, email addresses, phone numbers, or shipping/billing addresses;
- set or read cookies, localStorage, or sessionStorage on your storefront;
- build shopper profiles or track shoppers across sites or sessions;
- use advertising pixels or share data with ad networks;
- process payment card data (payments are handled entirely by Shopify);
- sell or rent personal information to anyone.
4. How we use information
- To provide and operate the App - displaying eligible bundles, applying tiered rewards through Shopify Functions when a cart qualifies, and adding selections as real cart lines;
- To calculate and display the analytics that help you understand which bundles perform;
- To provide support and respond to your requests;
- To secure the App, prevent abuse, and debug issues;
- To manage your plan and billing;
- To comply with legal obligations.
5. Legal bases for processing (EEA/UK)
Where the EU or UK GDPR applies, we rely on: performance of a contract (to provide the App you installed); our legitimate interests (to secure, maintain, and improve the App, and to produce aggregate analytics); legal obligation (to meet record-keeping and compliance duties); and consent where specifically required. For data we process on your behalf as a processor, your own lawful basis as the controller governs that processing.
6. Cookies and similar technologies
The BigBox storefront experience sets no cookies and uses no browser storage. The embedded admin interface runs inside Shopify's admin, which uses Shopify's own session cookies to keep you signed in; those are governed by Shopify's policies. We do not use analytics or advertising cookies anywhere.
7. How information is shared
We do not sell personal information and we do not share it except with the service providers ("sub-processors") that we rely on to run the App, and where required by law. Our sub-processors are:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| Shopify | Platform, APIs, billing & content delivery | Store, product, discount, and order data accessed via the Shopify Admin API; subscription status via the Partner API. |
| Cloudflare | Hosting, database & processing | Runs the app (Workers) and stores merchant settings, bundle configuration, and aggregate analytics (D1, KV, Queues). Processed on Cloudflare's global network. |
We may also disclose information if required to do so by law, or to protect the rights, safety, and security of BigBox, our merchants, or the public.
8. International data transfers
Our infrastructure provider, Cloudflare, operates a global network, and Shopify operates internationally, so your information may be processed in countries other than your own. Where required, transfers of personal data out of the EEA or UK are protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses.
9. Data retention
- Merchant account, settings, and bundle data are retained for as long as the App is installed.
- Aggregate analytics are retained for a limited reporting window and older records are automatically purged.
- Operational logs and caches are short-lived.
- When you uninstall the App (or your store is closed and Shopify sends a shop-redaction request), all of your shop's records - settings, bundles, analytics, sessions, and logs - are permanently deleted.
10. Deletion and Shopify compliance requests
BigBox honors Shopify's mandatory data-protection webhooks:
- App uninstalled / shop redaction - we permanently delete all data associated with your store.
- Customer data request / customer redaction - because the App stores no personal data about individual shoppers, there is no shopper personal data for us to return or erase in response to these requests.
Merchants can also delete specific analytics records from within the App.
11. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal data, to object to certain processing, and - under laws such as the California CCPA/CPRA - to opt out of the "sale" or "sharing" of personal information (note that we do not sell or share personal information). You also have the right not to be discriminated against for exercising these rights, and to lodge a complaint with your local data protection authority.
To exercise any right relating to data we control, contact us at privacy@usebigbox.com. If your request concerns a shopper's interaction with a specific store, the merchant operating that store is the controller of that data, and we will support them in responding to your request.
12. Security
We protect information with measures including encryption in transit (HTTPS/TLS), scoped API access limited to the permissions you grant, access controls on our systems, and reputable infrastructure providers. No method of transmission or storage is completely secure, but we work to protect your information and to address vulnerabilities promptly.
13. Children's privacy
BigBox is a business tool for Shopify merchants and is not directed to children. We do not knowingly collect personal information from children.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify merchants through the App or by email. Your continued use of the App after an update means you accept the revised policy.
15. Contact us
If you have questions about this Privacy Policy or our data practices, contact:
EvoLabs
privacy@usebigbox.com