Privacy Policy — Top Fans
Last updated: May 20, 2026
Top Fans (the “App”) is operated by Komercia360 (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, and protect personal information when a merchant installs and uses Top Fans on their Shopify store.
1. Data we collect
When a merchant installs Top Fans, we collect and process the following personal information about the merchant's customers, on behalf of the merchant:
- Customer email address
- Customer first and last name
- Aggregated order history metrics (total spent, order count, order dates)
- Shopify customer ID
We do not collect: addresses, phone numbers, payment information, date of birth, marketing consent details, or any other personal data beyond what is listed above.
2. How we use the data
We use the personal information described above solely for the following purposes:
- RFM scoring: calculating which customers belong to the merchant's top 20% based on Recency, Frequency, and Monetary value.
- Reward delivery: generating personalized discount coupons in Shopify and sending a thank-you email to top customers.
- Analytics: showing the merchant aggregate metrics about their customer base in the admin dashboard.
We do not use the data for advertising, profiling beyond RFM, automated decision-making with legal effects, or any purpose unrelated to the App's core functionality.
3. Third parties
To operate the App, we share data with the following sub-processors:
- Shopify (shopify.com): source of all customer and order data via the Admin API; recipient of discount code creation requests.
- Supabase (supabase.com): hosting for the PostgreSQL database that stores App data.
- Vercel (vercel.com): hosting for the App's backend functions.
- Resend (resend.com): email delivery service for transactional emails sent to customers.
We do not sell personal data to advertisers or any other party.
4. Data retention
Personal data is retained for as long as the App is installed on the merchant's store. When the merchant uninstalls Top Fans, we delete all related personal data within 48 hours via Shopify's mandatory shop/redact webhook.
If a customer asks the merchant directly to delete their personal data, the merchant can forward the request to us using Shopify's customers/redact webhook. Upon receipt, we permanently delete the customer's record from our database.
5. Customer rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your data.
- Opt-out: withdraw consent to receive marketing emails (each email includes opt-out instructions).
- Portability: request transfer of your data in a machine-readable format.
To exercise any of these rights, contact the merchant who owns the store, or write to us at info@komercia360.com.
6. Security
We use industry-standard security measures to protect personal data:
- All data in transit is encrypted via TLS 1.2+.
- All data at rest is encrypted by our database provider.
- Access tokens are stored encrypted and rotated periodically.
- Access to production databases is restricted to authorized personnel only.
7. International data transfers
Personal data may be transferred to and processed in countries other than the one in which the customer resides, including the United States. We rely on Standard Contractual Clauses (SCCs) and equivalent legal mechanisms to safeguard cross-border transfers.
8. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we update the “Last updated” date at the top of this page. Material changes will be communicated to merchants via email.
9. Contact
For any questions about this Privacy Policy or our data practices, contact us at:
Email: info@komercia360.com
Operator: Komercia360