Privacy Policy — Sonar by CXPEQ

Last updated: April 5, 2026

Introduction

Sonar ("we," "our," or "the App") is a Shopify application developed and operated by CXPEQ. This Privacy Policy explains how we collect, use, and protect information when merchants install Sonar on their Shopify store and when customers interact with the Sonar review widget.

Information We Collect

From Merchants (Shopify Store Owners)

When a merchant installs Sonar, we access the following through Shopify's API:

• Store information: Shop name and domain, used to identify the merchant's account within our system.
• Order IDs: Used solely to link reviews to specific transactions and prevent duplicate submissions. We do not access order contents, amounts, or product details.

We also store merchant preferences including review prompt text and widget settings.

From Customers (Shoppers)

When a customer submits a Sonar review on the post-purchase thank-you page, we collect:

• Review scores: Ratings from 1 to 10 across five dimensions (Connection, Ease, Trust, Value, Delight).
• Optional comment: Free-text feedback provided voluntarily by the customer.
• Order ID: Used to associate the review with a transaction and prevent duplicates.

What We Do NOT Collect from Customers

• No names
• No email addresses
• No phone numbers
• No physical addresses
• No payment or financial information
• No browsing or tracking data
• No cookies or device identifiers

Customer reviews are anonymous. We do not collect, store, or process any personally identifiable information from shoppers.

How We Use Information

We use the information collected to:

• Display aggregated review scores and individual feedback on the merchant's Sonar dashboard within Shopify Admin.
• Compute the overall Sonar Score and dimension-level averages for the merchant's store.
• Enable merchants to understand and improve the emotional quality of their customer experience.

We do not use collected data for advertising, profiling, or any purpose unrelated to providing the Sonar review service.

Data Sharing

We do not sell, rent, or share data with third parties, except:

• Shopify: As required for the App to function within the Shopify platform, in accordance with Shopify's API Terms of Service.
• Infrastructure providers: Our application is hosted on Gadget.dev, which processes data on our behalf to provide the service. Gadget.dev acts as a data processor and does not use merchant or customer data for its own purposes.
• Legal requirements: We may disclose information if required by law, regulation, or legal process.

Data Retention

• Merchant data: Stored for as long as the App is installed. When a merchant uninstalls Sonar, all associated data (reviews, settings, and store information) is deleted within 30 days.
• Customer reviews: Stored for as long as the merchant's App installation is active. Reviews are deleted when the merchant uninstalls the App.

Data Security

We implement industry-standard security measures to protect stored data, including encrypted connections (HTTPS/TLS), secure authentication via Shopify's OAuth protocol, and access controls limiting data access to authorized systems.

GDPR Compliance

For merchants and customers in the European Economic Area (EEA) and United Kingdom:

• Legal basis: We process data based on the merchant's legitimate interest in understanding customer experience quality, and on the customer's voluntary act of submitting a review.
• Data subject rights: Merchants can access, export, or delete their data at any time by contacting us. Customers who wish to have a review removed can contact the merchant, who can request deletion through us.
• Data processing location: Data is processed and stored on infrastructure provided by Gadget.dev (hosted on Google Cloud). Data may be transferred to and processed in countries outside the EEA, with appropriate safeguards in place.

We comply with Shopify's mandatory GDPR webhooks for customer data requests, customer data erasure, and shop data erasure.

Shopify API Usage

Our use of Shopify merchant and customer data complies with Shopify's API License and Terms of Use, including the requirements for protected customer data access. We request only the minimum API scopes necessary for the App to function (read_orders and read_checkouts).

Children's Privacy

Sonar is not directed at individuals under the age of 16. We do not knowingly collect information from children.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the App after changes constitutes acceptance of the revised policy.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

CXPEQ
Email: hello@cxpeq.com
Website: cxpeq.com