Privacy Policy

Last updated: February 9, 2026

1. Introduction

Varr Labs ("we", "us", or "our") provides TermStack (the "App") for merchants using Shopify. This Privacy Policy explains how information is collected, used, and protected when you install or use the App.

2. Information We Collect and Use

We collect the minimum data required to operate TermStack and provide its features for Shopify Plus B2B stores.

  • Store and account details: store domain, Shopify shop ID, store owner contact information, app install state, and basic account information provided by Shopify during installation.
  • Billing and subscription data: subscription status, plan selection, billing period dates, and trial eligibility as managed through Shopify's App Billing API.
  • Configuration and operations data: rules, conditions, outcomes, priority order, draft and published versions, rollback history, and audit activity.
  • Support and diagnostics data: logs, webhook delivery records, and technical events used to keep the App reliable and resolve support issues.

We do not sell personal data. We do not use merchant data for behavioral advertising.

TermStack is designed to configure payment-term logic. We do not collect payment card numbers or process payments directly through this App. All payment processing is handled by Shopify.

3. How We Use Information

  • Operate and maintain App functionality.
  • Apply and manage B2B payment-terms configuration at checkout.
  • Enable publishing, rollback, and audit history features.
  • Manage subscription billing and plan entitlements.
  • Provide customer support and troubleshooting.
  • Improve reliability, performance, and security.
  • Meet legal obligations and enforce platform terms.

We don't use merchant data to build unrelated profiles or to train advertising models.

4. Shopify Data Access

The App accesses Shopify data through the permission scopes you approve at install time. These scopes are limited to:

  • Payment customization access: reading and writing payment customization configuration, including the metafields that store compiled rule data used at checkout.
  • Company data access: reading B2B company and company location information to support rule conditions such as company-based or location-based terms.

We do not request access to customer personal data, order history, product catalogs, or other Shopify data beyond what is required for the App's core functionality.

5. Data Sharing

We share data only when necessary:

  • With infrastructure and service providers who help us run the App, such as cloud hosting and monitoring services.
  • To comply with law, legal process, or lawful requests.
  • To protect our rights, security, and platform integrity.
  • In a business transfer (such as merger or acquisition), subject to appropriate confidentiality protections.

6. Cookies and Similar Technologies

TermStack runs as an embedded Shopify app. Session management and authentication within the Shopify Admin are handled by Shopify. We may use essential cookies or similar technologies for session continuity and basic performance monitoring. You can control cookies through your browser settings, but some features may not work correctly if essential cookies are disabled.

7. Data Retention and Deletion

We keep data only for as long as needed to provide the App and meet legal or contractual obligations.

  • After uninstall: your rules and configuration are retained for 30 days to support reinstallation. After 30 days, this data is permanently deleted unless retention is legally required.
  • Audit logs: retained based on your subscription plan (ranging from 30 to 365 days) and automatically removed after expiry.
  • Diagnostic and webhook logs: retained for up to 180 days for debugging and support, then automatically removed.

You may request earlier deletion of your data by contacting us.

8. Data Security

We use technical and organizational safeguards to protect information from unauthorized access, loss, misuse, or alteration. Access tokens are encrypted at rest, and all data in transit is encrypted. No online system is fully risk-free, but we continuously improve our controls and monitoring.

9. Your Privacy Rights

Depending on your location, you may have rights to request access, correction, deletion, portability, or restriction of processing. We support Shopify's mandatory privacy webhooks for data access requests, data erasure requests, and shop redaction. To exercise these rights, contact us using the details below.

10. International Transfers

Your data may be processed in countries outside your own, including the United States. Where required, we apply appropriate safeguards for cross-border transfers.

11. Changes to This Policy

We may update this policy periodically. Updates will be published on this page and the "Last updated" date will be revised.

12. Contact Us

If you have privacy questions or requests, contact termstack@varrlabs.com.

Varr Labs
Website: https://varrlabs.com