Privacy Policy

Last updated: May 5, 2026

Lolipop ("Lolipop", "we", "us") is an ecommerce ops audit product operated by Yummy, MB (yummygrow.com). It helps online merchants understand store performance by pulling data from Shopify and third-party analytics platforms, then generating insight reports. This policy explains what we collect, why, and what we do with it.

What we collect

When you connect a data source to Lolipop, we access:

• Shopify shop data — orders, products, customers, inventory, discounts, price rules, fulfillments, locations, and returns. Accessed via read-only scopes you approve at install.
• Google Analytics 4 — sessions, users, conversions, on-site search terms, funnels. Read-only via theanalytics.readonly scope you grant via OAuth.
• Google Search Console — clicks, impressions, CTR, average position, top queries and pages. Read-only via thewebmasters.readonly scope you grant via OAuth.
• Meta Ads — spend, ROAS, CPM, CTR, frequency, ad and creative metadata. Read-only via the ads_read andbusiness_management scopes you grant via OAuth.
• Shop profile — your shop domain, name, and the timestamp at which the shop first appeared in Lolipop.

What we do not collect

We do not collect or store individual customer PII (names, emails, addresses, payment details) as a product feature. Any customer-level data surfaced by Shopify's APIs is used transiently to compute aggregated reports and is not persisted in a customer-identifiable form.

How we use it

• Generate reports and audits you view inside Lolipop.
• Send aggregated data to Anthropic's Claude API for analysis. Anthropic does not retain customer data submitted via the API for model training (reference).
• Operate the service — authentication, billing, error monitoring.

How we store it

Data is stored in a managed PostgreSQL database hosted on Railway (US region). Third-party OAuth tokens are encrypted at rest. Traffic between your browser, our app, and third-party APIs is encrypted in transit (TLS).

Who we share with

We do not sell your data. We share data only with subprocessors strictly necessary to operate the service:

• Railway — hosting and database.
• Anthropic — report generation (Claude API).
• Shopify / Google / Meta — read-only API access to data you authorize.

Retention & deletion

• Disconnect: when you disconnect a data source in Lolipop, we revoke the relevant token and stop accessing that source.
• Shopify uninstall: when you uninstall the Shopify app, we stop accessing your Shopify data. Shopify sends us a shop/redact webhook ~48 hours later; at that point we hard-delete all your shop's data from our database.
• On request: email juras@yummygrow.com to request earlier deletion.
• Customer data requests: Shopify's customers/data_request and customers/redact webhooks are received and logged; we process them per GDPR/CCPA requirements.

Your rights

If you are a resident of the EU, UK, or California, you have the right to access, correct, delete, and port your data, and to object to or restrict processing. Contact juras@yummygrow.com.

Changes to this policy

If we materially change this policy, we will notify users in-app and via email before the change takes effect.

Contact

Privacy questions: juras@yummygrow.com
Data controller: Yummy, MB (operator of Lolipop)

Terms of Service