Privacy Policy

Last updated: 12 June 2026

Commish (“we”, “us”), provided by Ophir Technologies, is a Shopify app that helps merchants run an affiliate, influencer, and referral program and pay their partners through licensed payment providers. This policy explains what personal data we process and why. Commish is non-custodial: we instruct a licensed provider to move money from the merchant to their partner; we never hold or take custody of funds.

Who is responsible for your data

The Shopify merchant who installs Commish is the data controller for their store’s and partners’ data. We act as a data processor on the merchant’s behalf, and as a controller for the limited account data needed to operate the app.

What we process

• Merchant / store data: your myshopify domain, Shopify access token (stored encrypted), program and payout settings.
• Partner (affiliate) data: name, email, a hashed login password, payout details (e.g. bank account or a Stripe connected-account id) stored encrypted at rest, and any tax identifier the partner provides.
• Order data from the store: order id, order name, order total, currency, and the buyer’s email address. The buyer email is used only to detect self-referrals and fraud. We do not store shoppers’ names, addresses, or phone numbers.
• Referral activity: referral-link clicks with a one-way hashed IP address (never the raw IP), user agent, referral code, and timestamp.

How we use it

• Attribute orders to the referring partner and calculate commissions.
• Process and reconcile payouts to partners through payment providers.
• Detect self-referrals and suspicious activity before paying.
• Send transactional emails (partner approval, invitations, payout notices).
• Provide reporting and operate the app.

Customer consent

Our storefront pixel and referral cookie respect the store’s customer-privacy (consent) signals: where analytics consent is required and not given, we do not capture or report referral data.

Who we share data with (sub-processors)

We never sell personal data. We share only as needed to run the service:

• Shopify — the platform the app runs on.
• Payment providers (e.g. Stripe, Paystack) — to execute payouts to partners.
• Email delivery (e.g. Resend) — to send transactional emails.
• Hosting & database (Railway, PostgreSQL) — to run and store app data.

Security

Sensitive data — payment-provider credentials and partner payout details — is encrypted at rest (AES-256-GCM); data is transmitted over TLS. Access is restricted, and payout actions are recorded in an audit log.

Retention & deletion

We keep data while the app is installed. On uninstall, Shopify’s shop/redact request triggers deletion of the shop’s data, and we honour customers/redact and customers/data_request for individual shoppers. Merchants and partners may request access or deletion at any time.

Your rights

Depending on your location (e.g. GDPR, CCPA), you may have rights to access, correct, delete, or restrict processing of your personal data, and to data portability. To exercise these, contact us at the address below.

International transfers

Data may be processed in countries other than yours. Where required, we rely on appropriate safeguards for international transfers.

Children

Commish is not directed to children and we do not knowingly collect their data.

Changes

We may update this policy; we’ll revise the “Last updated” date above when we do.

Contact

Questions or requests: privacy@ophirtechnologies.com.