Legal

Privacy Policy

How SplitLayer collects, uses, and protects your data.

Last updated: 16 May 2026

SplitLayer ("we", "us", or "our") is a Shopify application that provides automated revenue-splitting and partner payout services to Shopify merchants. This Privacy Policy explains what information we collect when you install and use SplitLayer, how we use it, and the rights you have over it.

By installing SplitLayer from the Shopify App Store, you agree to the collection and use of information as described in this policy.

1. Information We Collect

1.1 Shopify Store Data

When you install SplitLayer, Shopify grants us access to your store via OAuth. We collect and store:

  • Your Shopify store domain and store name
  • The OAuth access token required to receive webhooks and read order data
  • Your store's primary contact email address
  • Your active Shopify subscription plan (to determine feature access)

1.2 Order and Transaction Data

SplitLayer registers webhook listeners on your store to process orders automatically. For each order we receive, we collect:

  • Order ID, order number, and creation timestamp
  • Line items (product IDs, quantities, prices, discount applications)
  • Refund and adjustment events linked to processed orders
  • Financial amounts used to compute revenue splits

We do not collect or store customer names, addresses, payment card details, or any personally identifiable information about your buyers. Order data is processed at the line-item level for split calculations only.

1.3 Partner (Actor) Data

Within SplitLayer you can add partners (creators, agencies, collaborators). For each partner you create, we store:

  • The name or label you assign to that partner
  • Any payout account identifiers you attach (e.g. a Stripe Connect account ID)
  • Per-partner allocation rules as defined in your policies

This data is entered by you as the merchant. Partners are not required to create an account with SplitLayer.

1.4 Policy and Configuration Data

We store the revenue-sharing policies you create, their version history, and any campaign-level overrides. This data belongs to you and exists solely to operate the split engine correctly.

1.5 Usage and Log Data

We collect server-side logs for operational purposes, including:

  • API request timestamps, endpoint paths, and HTTP status codes
  • Error traces and job queue processing records
  • Webhook delivery attempts and retry counts

Logs do not contain order financial data and are retained for up to 30 days.

1.6 Billing Data

All subscription billing is handled directly by Shopify via their Billing API. We do not collect, store, or process your payment card information. We receive confirmation from Shopify when a subscription is created, upgraded, downgraded, or cancelled.

2. How We Use Your Information

  • To provide the service — processing orders through the policy engine, generating ledger entries, executing payout batches, and delivering reports.
  • To send transactional emails — operational notifications such as payout confirmations or error alerts. We use Resend (resend.com) as our email delivery provider. We do not send marketing emails without your explicit consent.
  • To improve the service — aggregated, anonymised usage patterns help us understand which features are most valuable. No individual store data is used for this purpose.
  • To comply with legal obligations — we may retain certain data as required by applicable law or to resolve disputes.

3. Data Sharing and Sub-processors

We do not sell your data. We share data only with the third-party sub-processors required to operate SplitLayer:

  • Shopify (shopify.com) — required platform. Data is exchanged via Shopify's Webhook and REST/GraphQL APIs under Shopify's own privacy terms.
  • Amazon Web Services (AWS) — cloud infrastructure for hosting, database (Amazon RDS), and container orchestration (Amazon ECS). Data is stored in the EU West (Ireland) region.
  • Resend (resend.com) — transactional email delivery for operational notifications.
  • Payout providers — if you use SplitLayer's payout rails, partner payout account identifiers are transmitted to the applicable payment processor to initiate disbursements. No more data than necessary is shared.

All sub-processors are contractually required to handle data in accordance with applicable privacy law.

4. Data Retention

We retain your data for as long as your SplitLayer account is active. If you uninstall SplitLayer:

  • Your store's OAuth access token is revoked immediately.
  • Operational data (orders, ledger entries, policies, partners) is retained for 90 days to allow for re-installation and data recovery, then permanently deleted.
  • Logs are deleted on their normal 30-day rolling schedule.

You can request immediate deletion at any time by emailing [email protected].

5. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about your store.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your data (subject to legal retention obligations).
  • Portability — receive your data in a machine-readable format.
  • Restriction — ask us to limit how we process your data.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected and the right to opt out of its sale. We do not sell personal information. To submit a CCPA request, contact [email protected].

6. Cookies

The SplitLayer marketing website (splitlayer.app) does not use tracking cookies, advertising pixels, or third-party analytics. Any session state is stored in memory only and is not persisted across visits.

7. Data Security

We implement industry-standard security measures including:

  • All data in transit encrypted via TLS 1.2+
  • Database encryption at rest (AWS RDS)
  • Shopify webhook HMAC signature verification on every inbound webhook
  • Principle of least privilege applied to all internal service credentials
  • Regular dependency and security audits

8. Children's Privacy

SplitLayer is a business application intended for Shopify merchants aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has provided data, contact us at [email protected] and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you via the email address associated with your Shopify store. Continued use of SplitLayer after changes are posted constitutes acceptance of the revised policy.

10. Contact

If you have questions or concerns about this Privacy Policy or how we handle your data, please contact us:

This policy applies to the SplitLayer Shopify application and the splitlayer.app marketing website. It does not apply to Shopify's own data practices — please review Shopify's Privacy Policy separately.