Privacy Policy
Last updated: May 27, 2026
1. What We Collect
We collect the following categories of information:
- Account information: Name, email address, phone number, and organization name (for brands). Collected during registration via Clerk.
- Profile information (athletes): Social media handles (Instagram, TikTok, YouTube, Twitter), bio, profile photo, and niche categories. Provided during onboarding.
- Brand information: Company name, Shopify store URL, program details (commission rates, terms and conditions), and billing information managed via Stripe.
- Financial data: Commission amounts, payout history, and ledger entries. Stored as integer cents. We do not store credit card numbers, bank account numbers, or SSNs -- Stripe handles all sensitive financial data.
- Tracking data: Click events (timestamp, hashed IP address, user agent, referrer URL, tracking link ID). IP addresses are hashed with a daily-rotating salt before storage and cannot be reversed to identify individuals.
- Order data: Order ID, total amount, line items, refund status, and timestamps. Received from Shopify via webhooks for attribution purposes only.
2. How We Collect It
- Directly from you: Account registration, profile setup, program creation forms.
- From authentication provider (Clerk): Email verification, phone verification, session management.
- From Shopify webhooks: Order and refund data sent automatically when events occur on connected stores.
- From our tracking service: When a consumer clicks a tracking link on shrr.app, we record a click event with hashed IP, user agent, and timestamp.
- From automated analysis: Public social profile URLs you provide may be analyzed by our quality scoring system (powered by Anthropic) to generate a relevance score visible to brands.
3. Third-Party Processors
We share data with the following service providers to operate the Platform. We do not sell your data to any third party.
| Provider | Data Shared | Purpose |
|---|---|---|
| Clerk | Email, phone number, name | Authentication and account management |
| Stripe | Legal name, tax ID (via Connect KYC), bank account details | Payouts, identity verification, tax reporting (1099-NEC) |
| Shopify | Order data (order ID, total, line items, timestamps) | Sale attribution and commission calculation |
| Anthropic | Public social profile URLs | Athlete quality scoring |
| Resend | Email address | Transactional emails (invites, payout notifications) |
| Cloudflare | IP address (hashed, not stored in raw form), user agent | Click tracking and redirect service |
| Sentry | Error context (stack traces, request metadata) | Error monitoring and debugging |
| Vercel | Server request logs | Application hosting and performance monitoring |
4. Cookies
We use one first-party cookie:
| Name | Domain | Duration | Purpose |
|---|---|---|---|
| shrr_ref | shrr.app | 30 days | Click attribution. Links a product purchase back to the athlete whose tracking link was clicked. Contains only a random click ID -- no personal information. |
We do not use third-party tracking cookies, advertising pixels, or cross-site tracking of any kind. Clerk and Stripe set their own cookies for authentication and payment processing on their hosted pages.
5. How We Use Your Data
- Attribution: Connecting clicks on tracking links to purchases on brand stores.
- Commission calculation: Computing earned commissions, refund reversals, and platform fees.
- Payouts: Processing athlete payments via Stripe Connect.
- Quality scoring: Generating relevance scores from public social profiles to help brands evaluate athlete applications.
- Platform operation: Account management, email notifications, error monitoring, and security.
6. Data Sharing
We never sell your personal information. We share data only with the third-party processors listed above, and only to the extent necessary to provide the Platform's services. We may disclose information if required by law, subpoena, or court order.
7. Your Rights (CCPA) [LAWYER REVIEW NEEDED]
This section requires review by a qualified attorney to ensure compliance with the California Consumer Privacy Act and other state privacy laws. It should address: right to know what data is collected, right to delete personal information, right to opt out of sale (we do not sell data, but the disclosure is still required), right to non-discrimination for exercising privacy rights, specific request procedures and response timelines (45 days under CCPA), and verification procedures for requests.
8. Data Retention [LAWYER REVIEW NEEDED]
This section requires review by a qualified attorney. Currently, ledger entries, click events, and audit logs are append-only (retained indefinitely for financial integrity and dispute resolution). A lawyer should confirm appropriate retention periods for each data category, and whether indefinite retention of hashed click data is defensible under state privacy laws.
9. Security
We protect your data through multiple layers:
- All data is encrypted in transit (TLS) and at rest (database encryption provided by Neon Postgres).
- Row-Level Security (RLS) policies enforce tenant isolation at the database level -- brands cannot access other brands' data, and athletes cannot access other athletes' data, even if application code has a bug.
- Sensitive financial data (card numbers, bank accounts, SSN) is handled entirely by Stripe. We never store, process, or have access to this information.
- Shopify access tokens are encrypted with a 256-bit key before storage.
- IP addresses are hashed with a daily-rotating salt before storage.
- Webhook endpoints verify cryptographic signatures from each provider (Stripe, Clerk, Shopify) before processing any data.
10. Children
The Platform is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or platform notification at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Questions about this Privacy Policy should be directed to privacy@harmonia.llc.