Privacy Policy
Last updated: March 25, 2026
Company: Hyperion Apps LLC • Address: 1309 Coffeen Avenue STE 19519, Sheridan, Wyoming 82801, United States • Contact: privacy@hyperionlab.co
1. Overview
Hyperion Apps LLC ("Hyperion Lab," "we," "us," or "our") operates SortLab and other applications available on the Shopify App Store (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and safeguard information from merchants who install our applications ("Merchants") and their customers.
By installing or using any Hyperion Lab application, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of our Services.
2. Information We Collect
2.1 Information from Shopify
When you install our apps, Shopify grants us access to the following store data (depending on the permissions your app installation authorizes):
- Store information (shop domain, name, email, timezone, currency)
- Product and collection data (IDs, titles, handles, tags, vendor, product type)
- Order data (order IDs, line items, revenue, timestamps; no customer PII)
- Inventory level data (quantity on hand per location)
- Billing information (handled entirely by Shopify; we do not receive payment card data)
2.2 Usage Data
We collect information about how you use our Services, including:
- Feature interactions (which sorting strategies are selected, how often re-sorts run)
- Error logs and performance metrics
- Session data (browser type, IP address, timestamps)
2.3 Communications
If you contact us via email or our support channels, we retain that correspondence to provide support and improve our Services.
2.4 What We Do Not Collect
We do not collect:
- Personal information of your customers (names, email addresses, payment data)
- Browsing behavior of your store visitors beyond aggregate analytics
- Payment card numbers or bank account information
3. How We Use Your Information
We use the information collected to:
- Provide and operate the Services (collection sorting, A/B testing, analytics)
- Process and display your store's product and sales data within the app
- Communicate with you about your account, the Services, and support requests
- Improve, develop, and debug our Services
- Comply with legal obligations
- Detect and prevent fraudulent or unauthorized use of the Services
We do not sell, rent, or share your store data with third parties for their marketing purposes.
4. Data Storage and Security
4.1 Storage
Merchant data is stored on Google Cloud Platform (GCP) infrastructure located in the United States. We use PostgreSQL databases for operational data and Redis for ephemeral session data.
4.2 Security
We implement the following security measures:
- Encryption at rest for all stored Shopify access tokens (using GCP Cloud KMS)
- Encryption in transit for all data (TLS 1.2+)
- Role-based access controls limiting employee access to production data
- Regular security reviews and vulnerability assessments
No security system is impenetrable. We cannot guarantee absolute security, but we maintain industry-standard practices and will notify affected Merchants of any confirmed data breach as required by applicable law.
4.3 Retention
We retain your store data for as long as your app subscription is active. Upon uninstallation of our apps, we delete your store's data within 30 days, except where we are required by law to retain it longer.
5. Third-Party Services
We use the following third-party services in operating our platform:
- Shopify: App distribution, billing, and API access. Subject to Shopify's privacy policy.
- Google Cloud Platform (GCP): Infrastructure hosting. Subject to Google's data processing terms.
- PostHog: Product analytics (aggregated usage data only). Subject to PostHog's privacy policy.
- Sentry: Error tracking and monitoring. Subject to Sentry's privacy policy.
- Paddle: Payment processing for any direct billing. Paddle is the Merchant of Record where applicable.
Each of these services has its own privacy policy governing its handling of data. We recommend reviewing their policies independently.
6. GDPR Compliance (EU/EEA Merchants)
If you are a Merchant located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to your use of our Services.
6.1 Legal Basis for Processing
We process your data on the following legal bases:
- Contract performance: Processing necessary to provide the Services you have purchased
- Legitimate interests: Security, fraud prevention, and service improvement
- Legal obligation: Compliance with applicable laws
6.2 Your Rights
Under GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data ("right to be forgotten")
- Restrict or object to processing
- Request data portability
- Lodge a complaint with your local data protection authority
To exercise any of these rights, contact us at privacy@hyperionlab.co. We will respond within 30 days.
6.3 International Data Transfers
Your data may be transferred to and stored in the United States. We ensure adequate protection through Standard Contractual Clauses (SCCs) as approved by the European Commission where applicable.
7. CCPA Compliance (California Merchants)
If you are a Merchant located in California, the California Consumer Privacy Act (CCPA) grants you additional rights regarding your personal information.
- Right to Know: Request disclosure of what personal information we collect and how it is used
- Right to Delete: Request deletion of your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Right to Opt-Out of Sale: We do not sell personal information. No opt-out is needed.
To exercise your CCPA rights, contact us at privacy@hyperionlab.co.
8. Shopify App Store Requirements
As a Shopify app developer, we comply with Shopify's Partner Program Agreement and API Terms of Service. Specifically:
- We access only the Shopify API scopes necessary to provide the Services
- We do not use Merchant or customer data for purposes other than providing the Services
- We honor all GDPR data subject requests in connection with Shopify customer data
- We provide this privacy policy at a publicly accessible URL as required by Shopify
9. Children's Privacy
Our Services are not directed to children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will delete such information promptly.
10. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will notify Merchants of material changes by posting the updated policy on this page with a new "Last Updated" date. We recommend reviewing this page periodically. Continued use of the Services after changes constitutes acceptance of the updated policy.
11. Contact Us
For privacy-related questions, data requests, or concerns, contact us at:
- Email: privacy@hyperionlab.co
- Mailing Address: Hyperion Apps LLC, 1309 Coffeen Avenue STE 19519, Sheridan, Wyoming 82801, United States