Privacy Policy

Effective date: April 25, 2026

Last updated: April 25, 2026

0. Scope and availability

LazyInsight is available to Shopify merchants globally. Our primary support focus and product localisation are for merchants operating in Hong Kong, Taiwan, and other Asia-Pacific regions; support for merchants in other regions is provided on a best-effort basis.

LazyInsight is not intentionally marketed to, or designed for, merchants whose Shopify stores primarily serve customers in the European Economic Area, United Kingdom, or Switzerland. We have not appointed a representative under Article 27 of the EU GDPR or the UK GDPR. Merchants whose customer base is primarily located in those regions should evaluate whether our Service meets their specific regulatory needs before installation.

Where personal data originating in the European Economic Area, United Kingdom, or Switzerland is nevertheless transferred to LazyInsight (for example, an EEA resident purchasing from an APAC-based merchant’s store), such transfers are safeguarded by the Standard Contractual Clauses, the UK International Data Transfer Addendum, and Swiss adaptations as incorporated into our Data Processing Agreement (see DPA §12).


1. Who we are

LazyInsight (“LazyInsight”, “we”, “us”, or “our”) operates a Shopify-embedded application that helps merchants recover abandoned carts and send email marketing campaigns.

For the purposes of the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), we are a “data user” and comply with the six Data Protection Principles in Schedule 1 to the PDPO.

Contact: privacy@lazyinsight.com

2. Our two roles: controller and processor

LazyInsight processes personal information in two capacities:

As a data controller — when we process information about our own merchant accounts (registration, billing, support, product usage, visitors to lazyinsight.com).

As a data processor — when we process information about the merchant’s end customers (shoppers, subscribers, email recipients) on the merchant’s behalf. In this role, the merchant is the data controller and determines purposes and means of processing; we act only on the merchant’s documented instructions.

Shopify Inc. is a separate processor engaged by the merchant directly; LazyInsight is not a sub-processor of Shopify.

3. Information we collect

3.1 From Shopify merchants (controller role)

  • Shop domain, shop ID, shop owner name and email, country, currency, timezone, plan
  • OAuth access tokens issued by Shopify for granted scopes
  • App configuration, email templates, workflow settings, billing status
  • Usage data about how you interact with the LazyInsight dashboard (pages viewed, actions taken, errors)

3.2 From the merchant’s Shopify store (processor role, read-only)

  • Abandoned checkout data: customer email, cart line items, cart total, checkout URL, timestamps
  • Customer records: name, email, phone, marketing consent status, order history metadata
  • Orders, discounts, products, inventory, analytics, and marketing event data permitted by the access scopes granted during install

We receive end-customer data indirectly from the merchant’s Shopify store via the Shopify Admin API, Storefront API, and webhooks. We do not collect from the customer directly.

3.3 From end customers (processor role)

  • Email opens, clicks, and delivery events generated by recovery emails sent through the Service
  • UTM parameters and referrer data when a recovery link is followed back to the merchant’s store
  • Unsubscribe preferences

3.4 What we do NOT collect

LazyInsight does not collect:

  • Payment card numbers, bank details, or payment credentials (Shopify and its payment providers handle these directly)
  • Passwords or login credentials
  • Government identifiers (national ID, passport, tax ID)
  • Special categories of data under GDPR Art. 9 (race, religion, health, biometric, etc.)
  • Data from children under 16

4. How we use information (purposes and legal bases)

Purpose | Legal basis (EEA/UK)
Operate and provide the Service to merchants | Contract (GDPR Art. 6(1)(b))
Generate and deliver abandoned cart recovery emails on behalf of merchants | Contract + processor role
Personalize email content with cart details and discount codes | Processor, on merchant’s documented instructions
Billing, invoicing, and payment processing | Contract + legal obligation
Product security, fraud prevention, abuse detection | Legitimate interests (GDPR Art. 6(1)(f))
Product analytics and improvement | Legitimate interests
Customer support and communications with merchants | Contract + legitimate interests
Marketing LazyInsight to existing merchants | Legitimate interests (opt-out available)
Comply with legal obligations, respond to valid legal requests | Legal obligation (Art. 6(1)(c))

For Hong Kong merchants, we process personal data in accordance with PDPO Data Protection Principle 3 (use for the purpose of collection or a directly related purpose).

5. Artificial intelligence

LazyInsight uses generative AI to help merchants draft and personalize marketing emails (subject lines, body copy, product recommendations). AI-assisted features are clearly labeled in the app.

AI service provider. Our AI features are powered by Google’s Gemini API (provided by Google LLC). See Annex 3 of our Data Processing Agreement for processing location and transfer safeguards. If we engage additional AI providers in the future, we will update this notice and our DPA subprocessor list with 30 days’ advance notice in accordance with DPA §8.3.

What data is sent. To generate or personalize an email, we may transmit to our AI service provider(s):

  • Prompts and instructions entered by the merchant
  • Merchant store metadata (store name, product catalogue, brand voice settings)
  • A limited set of end-customer fields needed for personalization (first name, recent purchase, segment label)

We do not send payment information, passwords, Shopify access tokens, or special categories of data to any AI service provider.

No training on your data. We contractually require our AI service provider(s) not to use data submitted through LazyInsight to train, fine-tune, or otherwise improve their AI or machine-learning models. Consistent with the Shopify Partner Program Agreement, we do not use Merchant Data or Customer Data to develop or train any AI or machine-learning system.

Retention by AI service provider. Our AI service provider(s) may retain API inputs and outputs for a limited period (typically up to 30 days) for abuse and security monitoring, after which the data is deleted, subject to longer retention only where legally required.

Human oversight. All AI-generated content is presented as a draft for merchant review; no email is sent to an end customer without merchant approval. LazyInsight does not use AI to make solely automated decisions that produce legal or similarly significant effects on any individual.

Merchant controls. Merchants can disable AI features in Settings → AI.

6. How we share information

We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act (CCPA) as amended by CPRA, and we do not engage in cross-context behavioral advertising.

We share personal information only with the following categories of recipients:

  • Shopify — to authenticate merchants, read store data you have authorized, and honor Shopify privacy webhooks
  • Infrastructure providers — cloud hosting, database, logging, and error-monitoring vendors that process data on our behalf under confidentiality and data-processing agreements
  • Email delivery providers — to transmit recovery emails to end customers
  • AI service providers — to generate email content (see Section 5)
  • Professional advisors — lawyers, accountants, and auditors, under confidentiality
  • Authorities — if required by law, subpoena, or to protect rights, property, and safety
  • Successors — in connection with a merger, acquisition, financing, or sale of assets, with notice to affected merchants

A detailed list of our sub-processors, together with their processing location and data transfer safeguards, is set out in Annex 3 of our Data Processing Agreement.

7. Data retention

Data category | Retention period
Active merchant account & shop configuration | Duration of subscription + 30 days
Shopify customer records, orders, abandoned checkouts | Duration of subscription; deleted within 30 days of shop/redact or customers/redact webhook
Email delivery logs, opens, clicks, bounces | 24 months, then deleted or anonymized
Suppression list entries (unsubscribed, bounced, complained) | Retained indefinitely to prevent re-sending (GDPR Art. 17(3)(b) exception)
AI prompts and outputs (our side) | 90 days
Billing and tax records | 7 years (Hong Kong tax law requirement)
Encrypted backups | Rolling 30 days
Security and access logs | 12 months
Aggregated, anonymized analytics | Indefinite

8. Shopify GDPR compliance webhooks

We subscribe to and honor Shopify’s three mandatory privacy webhooks:

  • customers/data_request — We compile all personal data we hold about the identified customer and return it to the merchant within 30 days.
  • customers/redact — We delete the identified customer’s personal data from production systems within 30 days. Residual copies in encrypted backups are overwritten within our rolling 30-day backup cycle.
  • shop/redact — Sent by Shopify 48 hours after uninstall. We delete all personal data relating to the shop within 30 days.

End customers should direct data-rights requests to the Shopify merchant whose store they interacted with; the merchant acts as the data controller and will trigger the applicable webhook.

9. International data transfers

LazyInsight is established in Hong Kong. Personal information may be processed in countries other than the one in which it was collected, including the United States (where most of our sub-processors operate).

For transfers from Hong Kong: We follow the Hong Kong Privacy Commissioner’s 2014 Guidance on Cross-border Data Transfer. Although section 33 of the PDPO (restricting cross-border transfers) is not yet in force as of April 2026, we voluntarily apply contractual safeguards consistent with the PCPD’s Recommended Model Contractual Clauses (May 2022) when engaging overseas processors. Under section 65 of the PDPO, we remain responsible for the acts of our overseas data processors.

For transfers of personal data originating in the EEA, UK, or Switzerland: We rely on the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as incorporated by reference into our Data Processing Agreement (see DPA §12). Where a US-based sub-processor is self-certified under the EU-US Data Privacy Framework, we additionally rely on that framework as a supplementary safeguard.

10. Security

No online service can be guaranteed 100% secure, but we implement administrative, technical, and organizational measures to protect personal data:

  • Encryption in transit: TLS 1.2 or higher for all traffic
  • Encryption at rest: AES-256 or equivalent in our database (Supabase) and hosting provider (Vercel), managed by those providers
  • Access control: Shopify OAuth access tokens stored encrypted; least-privilege access to production; strong authentication (including MFA) for staff
  • No sensitive data: We do not store payment card data, bank details, or passwords
  • Secure development: Code review, dependency scanning, timely patching
  • Vendor security: Reliance on reputable sub-processors that maintain recognized certifications (SOC 2 Type II, ISO 27001) and publish their own security documentation
  • Monitoring: Application activity logged and monitored for anomalies; documented incident response procedure

LazyInsight does not currently hold an independent SOC 2 Type II or ISO 27001 certification. We will update this notice if that changes.

11. Your rights

Depending on your jurisdiction, you may have rights to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion, subject to legal retention obligations
  • Restriction — limit certain processing
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests, or to direct marketing
  • Withdraw consent — where processing is based on consent
  • Lodge a complaint with a supervisory authority

Where to send requests:

  • Merchants: email privacy@lazyinsight.com. We respond within 30 days (or 40 days for PDPO requests).
  • End customers: contact the Shopify merchant you interacted with; the merchant is the controller and will relay applicable requests.
  • Hong Kong residents (PDPO): you may lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) at https://www.pcpd.org.hk
  • California residents (CCPA/CPRA): we do not sell or share personal information. See Section 6. You may designate an authorized agent.

12. Age restriction

The Service is intended for users aged 18 and over only. We do not knowingly collect or process personal data relating to individuals under 18, and the Service is not directed to anyone under 18. Merchants warrant that they will not use LazyInsight to collect, import, or process personal data relating to any individual under 18.

If you become aware that personal data of an individual under 18 has been provided through the Service, contact privacy@lazyinsight.com and we will take steps to delete it.

13. Cookies and similar technologies

The LazyInsight merchant dashboard operates within the Shopify admin and uses only strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies, analytics cookies with cross-site tracking, or fingerprinting.

Recovery emails sent through LazyInsight may contain tracking pixels and UTM-tagged links used to measure delivery, opens, clicks, and conversions. Merchants are responsible for disclosing email tracking to their end customers in the merchant’s own privacy policy and for obtaining any consent required under applicable law (such as EU ePrivacy / PECR where applicable).

Note on Apple Mail Privacy Protection: Email opens reported from Apple Mail users may be inflated, because Apple preloads email content on proxy servers. This data should not be treated as a reliable indicator of a human open.

14. Email marketing compliance

Every marketing email sent through LazyInsight includes:

  • A functioning unsubscribe link
  • The sender’s physical mailing address (merchant’s, as required by CAN-SPAM)
  • Truthful sender identification
  • RFC 8058-compliant List-Unsubscribe headers for one-click unsubscribe in Gmail, Yahoo, and Apple Mail

Unsubscribe requests are processed within 2 business days and in all cases within 10 business days.

When a recipient unsubscribes, hard-bounces, is marked invalid, or reports a message as spam, we add the address to the merchant’s suppression list. Suppressed entries are retained indefinitely for the sole purpose of ensuring we do not send further commercial email to that address.

Merchant responsibility: Merchants warrant they have a valid lawful basis for each marketing email (consent, soft opt-in under PECR Reg. 22, or legitimate interest as applicable) and maintain consent records where required (e.g. 3 years under Canadian CASL).

15. Data breach notifications

If we become aware of a confirmed or reasonably suspected breach of security leading to unauthorized access to, or disclosure, loss, or alteration of, personal data processed through LazyInsight, we will:

  • Notify affected merchants without undue delay and in time for the merchant to meet its own 72-hour supervisory authority notification timeline under GDPR Article 33
  • Provide available information about the nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures taken
  • Voluntarily consider notifying the Hong Kong PCPD in accordance with its June 2023 Guidance on Data Breach Handling and Data Breach Notifications

Direct notification of affected end customers is generally the merchant’s responsibility as controller; we will assist where appropriate.

16. Changes to this policy

We may update this policy from time to time. Material changes will be notified through the LazyInsight dashboard or by email to the merchant’s contact address at least 14 days before they take effect. The “Last updated” date at the top reflects the latest version.

17. Contact

Email: privacy@lazyinsight.com