Privacy Policy
Last updated: March 28, 2026
This Privacy Policy explains how OverlayIQ ("OverlayIQ," "we," "us," or "our") collects, uses, discloses, and protects Personal Information (defined below) in connection with our website at overlayiq.com, our Shopify application, and related services (collectively, the "Services"). By using the Services, you agree to this Privacy Policy. If you do not agree, do not use the Services.
Scope
This policy applies to Personal Information we process in our business, including when you visit our Site, install or use the OverlayIQ app, communicate with us, or interact with us as a merchant or prospective merchant. Individuals who process Personal Information on our behalf are expected to comply with this Privacy Policy and our instructions. Where applicable, we aim to describe our practices in a way that aligns with major frameworks including the EU GDPR, UK GDPR, and the Australian Privacy Act 1988 (and its Australian Privacy Principles).
What personal information we collect
We collect Personal Information in the following ways:
- Account and contact. When you register, request a demo or promo leakage audit, or contact us, we may collect name, email address, company or store name, job title, Shopify store URL, and similar identifiers.
- Communications. We may collect email, phone, or mailing address when you request support, subscribe to updates, or otherwise communicate with us.
- Data you provide through the Services. We process information you or your store provides or that is made available through Shopify and checkout, including order-related data, discount codes, and data needed to evaluate repeat use (e.g., device or session signals, IP address, shipping or billing address fields, and related metadata). This may include Personal Information about your end customers.
- Technical and usage data. We may collect IP address, browser type, device identifiers, approximate location derived from IP, log data, timestamps, and information about how you use our Site and the app.
- Cookies and similar technologies. See our Cookies section below.
How we use personal information
We process Personal Information for purposes including:
- Providing the Services — including checkout validation, repeat-discount detection, reporting, audits, and customer support.
- Operating and improving the Services — including research and development, internal analytics, quality control, and troubleshooting.
- Security and fraud — including verifying identity, detecting abuse of the Services, and protecting our systems and users. Device-related signals (including techniques sometimes described as device fingerprinting, where used) are processed under this category because they are strictly necessary for the security and integrity of the merchant's checkout process and related fraud prevention—not for unrelated advertising or cross-site tracking.
- Communications — including service-related notices, responses to your requests, and updates to our terms or policies.
- Legal and compliance — including complying with law, responding to lawful requests, and enforcing our Terms of Service.
- De-identified and aggregated information — we may create de-identified or aggregated data that does not identify you, your store, or natural persons, and use it for analytics, benchmarking, product development, and other lawful purposes. Benchmarks, industry statistics, or similar outputs we derive from such data will not identify any merchant, store, or end customer; they reflect patterns at an aggregated level only.
We may process pseudonymized or "hashed" versions of Personal Information to perform identity verification while minimizing the exposure of raw data. We apply the same safeguards and standards to pseudonymized and hashed data as we do to raw Personal Information when we use it in connection with the Services.
We do not sell your personal information. We do not use Personal Information to build cross-context behavioral advertising profiles unrelated to the Services.
Sensitive personal information
You should not provide sensitive or special-category Personal Information (e.g., health, biometric data used to identify you, racial or ethnic origin, political opinions, religious beliefs) through the Services unless required by law and with appropriate consent. If you provide such information voluntarily, you consent to our processing only as needed to provide the Services or as described at collection.
With whom we share personal information
We may disclose Personal Information:
- Shopify — as necessary to provide the app and integrate with Shopify Checkout and your store admin.
- Service providers — we may use vendors for hosting, infrastructure, email, analytics, customer support, or payment processing. As of the "Last updated" date above, we do not use third-party subprocessors for marketing or advertising beyond what is described here; we may engage additional subprocessors as we scale the Services and will update this policy or provide notice as required by law or contract. Subprocessors are permitted to use Personal Information only to perform services for us and in line with this policy.
- Legal and safety — we may disclose information when we believe in good faith that disclosure is required by law, legal process, or government request; to enforce our agreements; to protect rights, property, or safety; or in connection with investigations of fraud or illegal activity.
- Business transfers — in connection with a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction.
Information we process on behalf of merchants
When you use a merchant's store, that merchant decides how and why certain Personal Information is collected. OverlayIQ processes some Personal Information about end customers on behalf of the merchant (as a processor or service provider) to provide the Services the merchant configured. The merchant is typically the data controller (or business) for your customers' data. If you are a shopper and have questions about how a store uses your data, contact that merchant. We will assist merchants in responding to requests as required by our contract and applicable law.
Third-party websites and Shopify
Our Site may link to third-party websites. We do not control those sites; review their privacy policies before providing information. Use of Shopify is also subject to Shopify's own terms and privacy policies.
International data transfers
We may process and store Personal Information in the United States or other countries where we or our service providers operate. If we transfer Personal Information from the EEA, UK, Switzerland, or Australia, we will use appropriate safeguards (such as Standard Contractual Clauses, the UK International Data Transfer Addendum or UK-approved mechanisms, or other lawful transfer tools) where required by applicable law.
For individuals in Australia, we handle Personal Information in line with the Australian Privacy Act 1988 (including the Australian Privacy Principles) where that law applies to our processing. For individuals in the UK or EEA, we aim to process Personal Information consistently with the UK GDPR and EU GDPR, as applicable. Contact us for more information about transfers and safeguards.
Your choices and rights
Depending on where you live, you may have rights to access, correct, delete, or restrict processing of your Personal Information, to object to certain processing, to data portability, or to withdraw consent. These rights may arise under laws such as the EU GDPR, UK GDPR, the Australian Privacy Act 1988, or other local privacy laws, subject to exceptions. To exercise rights, contact us as described below. We may need to verify your identity before fulfilling your request. You may also have the right to lodge a complaint with a supervisory authority (for example, in the EEA or UK) or with the Office of the Australian Information Commissioner (OAIC) where applicable.
California residents
If you are a California resident, you may have additional rights under the CCPA/CPRA, including the right to know what categories of Personal Information we collect, the right to delete certain Personal Information, and the right to opt out of "sale" or "sharing" (we do not sell Personal Information as defined in those laws). We will not discriminate against you for exercising rights. To submit a request, contact us as set forth below.
Data retention
We retain Personal Information for as long as necessary to provide the Services, fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods may vary by data type and context.
Upon termination of the Services or a written request from a Merchant, we will delete Customer Data or render it irreversibly de-identified within sixty (60) days, except where we must retain specific information to comply with law, respond to valid legal process, or resolve disputes (in which case we will retain only what is necessary and for no longer than required). We do not retain Customer Data after such deletion or de-identification for unrelated purposes such as training unrelated global models; de-identified or aggregated outputs that cannot reasonably identify a merchant or natural person may be retained as described elsewhere in this policy.
Security
We implement reasonable technical and organizational measures designed to protect Personal Information. No method of transmission or storage is 100% secure. If we become aware of a breach that materially affects your Personal Information, we will notify you as required by applicable law.
Children
The Services are not directed at children under 13 (or the age required by local law). We do not knowingly collect Personal Information from children. If you believe we have collected such information, contact us and we will take steps to delete it.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. Where required by law, we will provide additional notice. Continued use of the Services after the effective date constitutes acceptance of the revised policy, except where your consent is required.
Definitions
"Personal Information" means information that identifies, relates to, or could reasonably be linked with an identifiable individual, as described in this policy, consistent with applicable law.
"Process" or "Processing" means any operation performed on Personal Information, such as collection, storage, use, disclosure, or deletion.
Contact us
For questions about this Privacy Policy or to exercise your rights, contact us via the intake or contact options on our website at overlayiq.com.
This Privacy Policy is provided for informational purposes and does not constitute legal advice. You should have counsel review it for your jurisdiction and business practices.