Legal
Privacy Policy
1. Introduction
This Privacy Policy explains how Byteex Ltd, a company registered in Cyprus, trading as Redspot ("Redspot", "we", "us"), collects, uses and protects personal data in connection with:
- this website, getredspot.com (the "Site");
- the Redspot application for Shopify, which provides session recordings, heatmaps and revenue attribution to merchants (the "Service").
Two roles matter throughout this policy. For data about merchants who use the Service and visitors to this Site, we act as the data controller. For data about a merchant's own store visitors ("End Users") that the Service records on the merchant's behalf, the merchant is the controller and we act as their processor.
2. Information We Collect
2.1 From merchants
- Account information provided by Shopify when you install the Service: store name and domain, your name and email address, and store configuration needed to operate the app.
- Billing status and plan information (billing itself is handled by Shopify).
- Support communications you send us.
2.2 From Site visitors
- Usage data collected through cookies and similar technologies (see Section 5).
- Information you submit, such as an email when requesting access.
2.3 From End Users, on behalf of merchants
When a merchant enables the Service on their store, we record:
- Session interactions: page structure, clicks, scroll depth, mouse movement, viewport size, and page navigation.
- Commerce events provided by Shopify's pixel platform: products viewed, cart activity, checkout steps and order totals.
- Technical context: browser type, device class, country (derived from the network request), acquisition source, and pseudonymous identifiers (a random session identifier and Shopify's first-party visitor identifier).
What we deliberately do not collect: text typed by End Users is masked in their browser before anything is transmitted (typed values are replaced with bullets and sensitive fields are redacted); clipboard contents are never recorded; payment card details are never recorded. Recording is gated on the consent state exposed by Shopify's Customer Privacy API, so where consent is required and not given, the Service does not record.
3. Data From Your Shopify Store
The Service accesses your store through Shopify's APIs using the scopes approved at install time (for example, web pixel activation and order data used for revenue attribution). We use this data only to provide the Service to you. We do not sell it, and we do not use it to train third-party AI models.
When you uninstall the Service, Shopify notifies us and your store's data is deleted as described in Section 10. A Data Processing Agreement reflecting GDPR Article 28 terms is available on request at help@getredspot.com.
4. How We Use Information
- To provide the Service: session replay, heatmaps, funnels, revenue attribution and AI-generated session summaries.
- To operate, secure and debug the Service, including fraud and abuse prevention.
- To provide support and communicate service updates.
- To improve the Service using aggregated, de-identified usage patterns.
- To comply with legal obligations.
5. Cookies and Tracking
5.1 On this Site
We use, or may introduce, analytics and advertising technologies such as Google Analytics and Meta Pixel to understand Site traffic and measure campaigns. Where required by law, these load only after you consent.
5.2 In the Service
The app inside the Shopify admin uses strictly necessary cookies for authentication and session management only.
5.3 On merchants' storefronts
The Service stores a pseudonymous session identifier in the End User's browser storage to stitch a browsing session together. It is first-party to the storefront, is not used for cross-site advertising, and recording remains consent-gated as described in Section 2.3.
6. Legal Basis for Processing (GDPR)
- Contract: providing the Service a merchant installed.
- Legitimate interests: securing and improving the Service, preventing abuse, and marketing our own services.
- Consent: non-essential cookies on the Site, and End User recording where consent is the applicable basis.
- Legal obligation: record-keeping and lawful requests.
For End User data processed on behalf of merchants, the merchant determines the legal basis; we process on their documented instructions.
7. How We Share Information
We never sell personal data. We share it only with the sub-processors needed to run the Service:
- Shopify — platform, billing, and the pixel/event infrastructure.
- Vercel — application hosting.
- Cloudflare — event ingestion and recording storage.
- Supabase — application database.
- Tinybird — analytics processing.
- Anthropic — AI session summaries (behavioral summaries only, never raw recordings; API data is not used to train their models).
- Google, Meta — Site analytics and advertising measurement (Site only).
We may also disclose information where required by law, or as part of a merger, acquisition or asset sale with equivalent protections.
8. International Transfers
Our sub-processors operate in the EU and the United States. Where personal data leaves the EEA/UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
9. Data Security
- Sensitive input is masked in the End User's browser before transmission.
- Data is encrypted in transit; writes to our ingestion service are authenticated per store.
- Recordings are retrievable only through short-lived signed URLs.
- Access to production systems is restricted and credential-controlled.
10. Data Retention
- End User recordings and analytics are retained for the duration of the merchant's subscription. When a merchant uninstalls the Service or uses the in-app deletion control, the store's recordings, analytics and derived data are deleted promptly across our systems.
- Merchant account data is kept while the account is active and for a short period afterwards for reactivation and dispute resolution, unless law requires longer (for example, tax records).
- We honor Shopify's mandatory privacy webhooks: End User data requests, End User erasure, and full store erasure.
11. Your Rights
If you are in the EU/EEA or UK, you may request access, rectification, erasure, restriction, portability, or object to processing, and you may lodge a complaint with your supervisory authority (for us, the Office of the Commissioner for Personal Data Protection in Cyprus).
If you are a California resident, you have the right to know, delete and correct personal information, and to opt out of "sharing" for cross-context behavioral advertising.
End Users: if you were recorded while visiting a store that uses Redspot, the store is the data controller — please contact the merchant directly. We support merchants in fulfilling such requests through Shopify's privacy tooling.
To exercise any right against us, email help@getredspot.com.
12. Children's Privacy
The Site and Service are not directed at children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us personal data, contact us and we will delete it.
13. Changes to This Policy
We may update this policy from time to time. The effective date above reflects the latest revision; material changes will be communicated to merchants through the app or by email.
14. Contact Us
Byteex Ltd (trading as Redspot), Cyprus
help@getredspot.com