Privacy Policy

Who we are

Stitchmap is a product discovery platform that connects shoppers with independent boutiques in London. This privacy policy explains how we collect, use, and protect information when you use our website and services.

For any privacy-related questions, contact us at [email protected].

Information we collect

From merchants

• Email address and account credentials (via email/password or Google sign-in)
• Organisation name and shop preferences (active locations, collections, product visibility settings)
• Shopify store data synced via the Shopify API: products, variants, pricing, inventory levels, locations, collections, and order data for attribution
• Shopify OAuth access token (used to sync your store data)
• Billing is handled entirely by Shopify (we never collect or store any payment or card details)

From shoppers

• Anonymous click events: product views, checkout redirects, directions requests, and search impressions. These do not contain any personally identifiable information.
• Gender preference (stored as a cookie on your device)
• Itinerary data (saved products and starting point, stored locally on your device only)
• Geolocation data, only when you explicitly grant permission via your browser. This is used to show nearby shops and is not stored on our servers.

How we use your information

• To provide and operate the Stitchmap platform, including syncing your Shopify store and displaying products to shoppers
• To attribute orders and calculate billing charges for merchants
• To display analytics and conversion data in the merchant dashboard
• To bill commission on attributed orders through Shopify Billing
• To send transactional emails (email verification, password resets)
• To classify and categorise products for search and filtering
• To monitor platform health and debug issues via logging
• To identify merchants who use Stitchmap by name and logo in our marketing, for example on our website, unless the merchant opts out

Lawful basis for processing

We process personal data on the following bases under the UK GDPR:

• Contract: to provide our services to merchants who register an account
• Legitimate interest: to operate the platform, track anonymous usage for billing and analytics, improve the service, and identify our merchants in our marketing (a merchant can object to this at any time)
• Consent: for geolocation access and optional cookies

Third-party services

We share data with the following third parties to operate the platform:

• Google: provides Maps (directions, location search) and authentication (Google sign-in). See Google's privacy policy.
• Shopify: provides store data via their API when merchants connect their shop. See Shopify's privacy policy.

We also use additional service providers to operate the platform (hosting, email delivery, logging, product classification). These providers act as data processors on our behalf and do not use your data for their own purposes.

Cookies and local storage

• Authentication cookies: used to maintain your login session (essential, no consent required)
• Gender preference cookie: remembers your browsing preference for one year
• Local storage: stores your shopping itinerary and starting point on your device. This data is never sent to our servers.

We do not use advertising cookies, tracking pixels, or third-party analytics tools.

Data storage and security

Your data is stored on servers located in the United Kingdom and European Union. We use encrypted connections (TLS) for all data in transit and industry-standard security practices to protect data at rest. Payment information is handled entirely by Shopify and never touches our servers.

Data retention

We retain merchant account data for as long as your account is active. If you uninstall the Stitchmap app from your Shopify store, we keep different categories of data for different reasons:

• Deleted shortly after uninstall: your Shopify access tokens, product catalogue, inventory, collections, and store locations. None of these have ongoing business value once you've left, so we drop them within 48 hours of Shopify's compliance notification.
• Anonymised: references to individual Shopify orders are stripped so they no longer link to your customers. The order amounts and click identifiers stay so our accounting records stay accurate.
• Retained: your contact email, organisation record, commission earnings, and billing history. We keep these so we can support you if you reinstall and meet our tax-record obligations (HMRC requires 6 years for financial records).

If you'd like us to delete all of your data, including the retained categories above, email [email protected] and we'll comply within 30 days as required by UK GDPR.

Anonymous click events and order attribution data are retained indefinitely for billing and analytics purposes.

Your rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Request deletion of your personal data
• Object to or restrict processing of your personal data
• Request portability of your data in a machine-readable format
• Withdraw consent at any time where consent is the basis for processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Changes to this policy

We may update this privacy policy from time to time. We will notify registered merchants of material changes via email. The "last updated" date at the top of this page indicates when the policy was last revised.