Privacy Policy

Last Update: Jun 3, 2025

Introduction

SecretHero (“we,” “us,” or “our”) respects your privacy and is committed to protecting any personal information you provide when using our Shopify App (“App”). This Privacy Policy explains what information we collect, why we collect it, how we use it, and what choices you have regarding your data. By installing or using our App, you agree to the collection and use of information as described here. We strive to comply with applicable global privacy laws, including GDPR, CCPA, and any other regional regulations that apply to our processing of personal data.


1. What Personal Information Does SecretHero Collect?

1.1. Merchant (Store Owner) Information

When you install the SecretHero App on your Shopify store, we collect:

  • Shopify Store Data: Your store’s domain, Shopify store ID, and installation timestamp.

  • Merchant Contact Information: Your name, email address, and billing information (if any) required to process payments for our subscription (note: we rely on Shopify’s billing API and do not store raw credit card data ourselves).

This information is necessary to configure our App for your store, handle billing, and send you important updates regarding your SecretHero account.

1.2. End-User (Shopper/Player) Information

When a shopper interacts with our embedded games on your storefront, we may collect:

  • Unique Identifiers: Shopify customer ID (if the user is logged in), a pseudonymous player ID generated by SecretHero to track game performance.

  • Gameplay Data: Game scores, levels reached, timestamps, and any coupon or discount codes issued based on game performance.

  • Device & Usage Data (from server logs):

    • IP address (anonymized when possible)

    • Browser type and version

    • Operating system

    • Device model (mobile/desktop)

    • Referrer URL (the page the shopper came from before interacting with a game)

We do not collect or store payment card details, full names (unless explicitly provided), or other sensitive personal data from end users. Any order or payment information remains within Shopify’s checkout flow and is not accessible to us.


2. How We Collect Data

  • Shopify APIs: When a merchant installs SecretHero, Shopify’s OAuth flow provides our servers with a store access token. We use that token to read and write your store settings (e.g., enabling/disabling game embeds, retrieving product or customer data if explicitly authorized).

  • Embedded Game Scripts: Our App injects a lightweight JavaScript bundle into your storefront (through a Theme App Extension). That script captures gameplay events (e.g., start, level complete, score) and sends them back to SecretHero’s backend over HTTPS. No personally identifiable information beyond a pseudonymous player ID (or Shopify customer ID if the shopper is logged in) is included unless the shopper explicitly opts in (e.g., by submitting an email to claim a reward).

  • Server Logs: Standard web-server logs (e.g., request timestamps, anonymized IPs, user agents) are stored temporarily for monitoring, debugging, and security audits. We aggregate this data and do not use it to identify individual players beyond combating fraud.


3. Why We Collect This Information & How We Use It

  • To Enable Game Functionality & Issuance of Discounts: We need gameplay data (scores, levels, completion times) to determine eligibility for coupon codes and discounts. When a player achieves a threshold score, we generate a one-time coupon code and associate it with their pseudonymous ID (or Shopify customer email if they are logged in) so that they can redeem it at checkout.

  • To Personalize Player Experience: Device and usage data help us optimize game performance (e.g., adjusting graphics settings for slow connections) and show relevant game suggestions.

  • To Support Merchant Dashboards & Reporting: Merchants can view aggregate metrics (e.g., total games played, total coupons issued, redemption rates). We use store and gameplay data to generate these analytics, but individual end-user details remain pseudonymized unless they voluntarily provide identifying information.

  • To Communicate Important Notifications: We’ll send you (the merchant) emails or in-App notifications about critical App updates, billing invoices, security alerts, or significant changes to our Privacy Policy or Terms of Service.

  • To Comply With Legal Obligations: If required by law (e.g., a valid court order or regulatory inquiry), we may be compelled to share certain data with authorities. We will comply with such obligations but will notify you unless legally prohibited.


4. Cookies & Similar Technologies

  • What We Use: We use cookies, local storage, and other browser-based tracking technologies on the merchant’s Admin Dashboard and within embedded gameplay.

    • Session Cookies: To keep you logged in during a configuration session in our merchant dashboard.

    • Persistent Cookies or Local Storage: To remember your preferences (e.g., default game placement settings, language preferences).

    • Analytics Cookies: To aggregate usage metrics (e.g., how many merchants enable a particular game) in a way that does not identify individual end users.

  • Why We Use Them

    • To ensure that your Admin session remains secure and uninterrupted.

    • To provide a smoother user experience by remembering your preferences.

    • To collect aggregate data on App usage to improve features and performance.

  • Opt-Out: Merchants can clear or block cookies through their browser settings, but certain features (like staying logged into our merchant dashboard) may not function properly. End users (shoppers/players) can clear cookies via their browser(s), which may reset their game progress or require them to replay a game to earn a discount.


5. Third-Party Disclosure & Data Sharing

  • Service Providers: We share data with third-party vendors who assist us in operating our App and delivering services, for example:

    • Firebase Analytics (if enabled) for anonymous event analytics.

    • AWS (or similar cloud provider) for hosting our backend and database.

    • Email Service Providers (e.g., SendGrid) for sending transactional emails (e.g., merchant notifications or coupon codes, if merchants choose to email coupons to players).

    All third-party vendors are contractually obligated to keep your data confidential and use it solely for the purpose of providing their service.

  • Shopify: Shopify may access store-level data as permitted by its own Privacy Policy and Terms of Service. We do not resell or share your store’s data outside of normal Shopify API usage.

  • Legal & Safety: We may disclose your information if required by law (e.g., compliance with a subpoena) or to protect our rights, property, or safety (e.g., investigating fraud, responding to security incidents).

  • No Sale of Personal Data: We do not sell, trade, or otherwise transfer your Personally Identifiable Information (PII) or your end users’ PII to outside parties for marketing or advertising purposes.


6. How Long We Retain Your Data

  • Merchant Data: We retain merchant account data (installation timestamp, store ID, billing history) as long as your SecretHero subscription is active plus 1 year after cancellation to comply with potential audit or billing disputes.

  • End-User Data: We retain aggregated gameplay data (pseudonymized player IDs, scores, timestamps) for up to 2 years to generate long-term analytics reports. If an end user voluntarily provides an email to claim a coupon, we store that email only as long as necessary to fulfill the coupon redemption (no more than 30 days) unless the merchant requests deletion sooner.

  • Log Files & Security Records: Web server logs (IP addresses, request timestamps) are anonymized and retained for up to 90 days for security monitoring and troubleshooting. Beyond that, they are purged or irreversibly anonymized.

  • If you uninstall the app, your configuration and store-related data will be retained in our system in case you decide to reinstall the app later. This allows for a seamless experience without needing to reconfigure settings. You may request permanent deletion of your data at any time by contacting us at [email protected].


7. Your Rights & Choices

7.1. Merchants (Data Controllers)

As the controller of your store’s data, you may at any time:

  • Access, Rectify, or Delete your merchant account details by contacting us at [email protected].

  • Request a Copy of all data we hold about your store in a machine-readable format.

  • Object to Processing for direct marketing purposes by clicking “unsubscribe” in our emails or contacting us directly.

7.2. End Users (Data Subjects)

If you’re an end user playing one of our games and would like to:

  • Access or Delete your personal gameplay record (i.e., score history) or request pseudonym removal, please contact the merchant of the store where you played, and we will assist under their instruction.

  • Opt-Out of Analytics Tracking by clearing cookies or blocking local storage for our domains. Note that doing so may reset your game progress.

If you reside in the EU/EEA (GDPR) or California (CCPA), you may also:

  • Request Portability of your personal data in a structured, machine-readable format.

  • Withdraw Consent at any time for non-essential processing (e.g., analytics).

  • Lodge a Complaint with a supervisory authority if you believe your data has been mishandled.


8. How We Protect Your Information

We implement a combination of organizational, technical, and administrative safeguards to keep your data secure:

  • Encryption in Transit and at Rest: All data exchanged between Shopify, the merchant dashboard, and SecretHero’s servers is encrypted using TLS/HTTPS. Sensitive data (e.g., email addresses for coupon redemption) is stored in encrypted form.

  • Access Controls: Only authorized SecretHero personnel may access production databases, and even then, only on a strict “need-to-know” basis. Access is authenticated via multi-factor authentication (MFA).

  • Regular Security Audits: We conduct periodic vulnerability scans and penetration tests to identify and remediate security holes. In the event of a breach, we will notify affected merchants and any end users whose personal data was compromised, in compliance with applicable breach notification laws.

  • Vendor Due Diligence: All third-party service providers (e.g., Firebase, AWS, email providers) are vetted for compliance with relevant data security standards (e.g., ISO 27001, SOC 2).


9. Cookies & Similar Tracking (End Users)

When end users play embedded games, our scripts may set cookies or use localStorage to:

  • Remember a temporary player session (e.g., current level, score) so that if they navigate away and return, they can resume without losing progress.

  • Prevent fraud by limiting how many games can be played per device/IP in a given timeframe.

  • Collect anonymous analytics (e.g., total plays, bounce rates) so we can improve game performance.

End users can disable or delete these cookies via their browser settings. Disabling cookies may require reloading the game or starting a new session, but it will not prevent you from playing.


10. Third-Party Links & Integrations

  • Our App may integrate with:

    • Shopify (for store data, billing, and coupon issuance).

    • Firebase Analytics (optional, for anonymous usage metrics).

    • Third-Party Game Providers (if you choose to enable additional game modules developed by partners; see your dashboard for a list of active providers).

We are not responsible for the privacy practices of any third parties you choose to enable. We encourage you to review their respective privacy notices before enabling integrations.


11. Children’s Privacy

Our App is not directed at children under 13 years of age. We do not knowingly collect personally identifiable information from anyone under 13. If we become aware that we have inadvertently collected such data without parental consent, we will promptly delete it. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].


12. International Data Transfers

SecretHero operates globally, but our primary servers are located in the European Union. If you reside outside the EU, please be aware that any information you provide to us will be transferred to and processed on servers within the EU. We take steps to ensure that appropriate safeguards (e.g., Standard Contractual Clauses) are in place to protect your data in compliance with applicable laws.


13. Updates to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in our business, legal requirements, or feedback from merchants and end users. When we post substantial changes, we will update the “Last updated” date at the top of this document. For material changes, we will also notify existing merchants via email or in-App notification at least 30 days before the changes take effect. Your continued use of the SecretHero App after any updates indicates your acceptance of the revised policy.


14. How to Contact Us

If you have any questions or concerns about this Privacy Policy or the handling of your data, please contact our Privacy Officer at:

Email: [email protected]
Address: Ortabayir Mah. Sair Celebi Sok. Gurtas Is Merkezi No: 1/3 Kagithane Istanbul Turkiye