Privacy Policy
Effective date: 15 July 2026 · Last updated: 15 July 2026
1. Introduction
This Privacy Policy describes how the operator of the SplitMere application and the website at https://splitmere.com (“SplitMere”, “splitmere.com”, “www.splitmere.com”, “we”, “us”, “our”) collects, uses, stores, shares, and protects information when you install or use the SplitMere application (the “App”) or visit our website (together, the “Service”).
This Policy applies to merchants who install the App on their Shopify store (“Merchants”, “you”, “your”) and describes our handling of personal data contained in Merchant store data, including limited personal data relating to a Merchant's customers (“Customers”) that appears in order records.
By installing or using the Service, you acknowledge that you have read and understood this Privacy Policy. This Policy forms part of our Terms of Service, available at https://splitmere.com/terms.
2. Who We Are and How to Contact Us
SplitMere is a consignment and vendor payout management application for Shopify stores, operated from New Zealand. For all privacy enquiries, requests, or complaints, contact us at:
Email: support@splitmere.com
3. Information We Collect
3.1 Information collected through Shopify's APIs
When you install the App, you authorise us to access certain data from your Shopify store through Shopify's APIs, limited to the scopes approved at installation. Depending on your use of the App, this includes:
- Store information: store name, myshopify domain, store email address, store owner name, currency, timezone, plan type, and store contact details
- Product data: products, variants, SKUs, vendor assignments, and cost fields
- Order data: orders, line items, quantities, prices, discounts, taxes, and order status, which may include limited Customer personal data contained in order records (such as Customer name and email address) where required for the App's payout attribution and record-keeping functions
- Refund and return data: refunds, restocks, and adjustments affecting payout calculations
- Billing data: subscription and charge status through the Shopify Billing API (we do not receive or store your payment card details; billing is processed entirely by Shopify)
We request only the API scopes necessary to provide the App's functionality, consistent with Shopify's protected customer data requirements and the principle of data minimisation.
3.2 Information you provide directly to us
- Configuration data: vendor and consignor records you create in the App (which may include vendor names, email addresses, commission rates, and payment terms), payout settings, commission rules, and statement preferences
- Account and contact information: your name, email address, and any information you provide when you contact support
- Support communications: the contents of emails and messages you send to us, including any attachments
3.3 Information collected automatically
- Usage and log data: we generate automated logs relating to your use of the App, including access times, pages and features used, actions performed (such as payout creation, voids, and statement generation), IP address, browser type, and device information
- Diagnostic data: error reports, sync health events, and performance metrics used to operate, secure, and improve the Service
- Website data: if you visit splitmere.com, standard server logs (IP address, browser type, pages visited, referring page)
3.4 Cookies and similar technologies
The App operates as an embedded application within the Shopify admin and uses strictly necessary cookies and session tokens required for authentication and security. The website at splitmere.com uses only strictly necessary cookies. We do not use advertising or cross-site tracking cookies, and we do not sell or share personal data for behavioural advertising.
4. How We Use Information
We use the information described above solely for the following purposes:
- To provide the Service: calculating, recording, and reporting consignment and vendor payout amounts; generating statements, reconciliation outputs, balances, and reports
- To operate and secure the Service: authentication, session management, fraud and abuse prevention, security monitoring, audit logging, and enforcement of cross-store data isolation
- To maintain data accuracy: synchronising data from your Shopify store and monitoring sync health
- To provide support: responding to your enquiries and resolving issues
- To bill for the Service: managing subscriptions through the Shopify Billing API
- To improve the Service: analysing aggregated, de-identified usage patterns to fix defects and improve features
- To comply with law: meeting our legal, regulatory, and tax obligations, and responding to lawful requests
We do not use personal data for advertising. We do not sell personal data. We do not use Customer personal data for any purpose other than providing the App's functionality to the Merchant.
5. Legal Bases for Processing
Where the General Data Protection Regulation (GDPR), UK GDPR, or similar laws apply, we process personal data on the following bases:
- Performance of a contract: processing necessary to provide the Service under our Terms of Service
- Legitimate interests: securing and improving the Service, preventing abuse, and maintaining business records, balanced against the rights of the individuals concerned
- Legal obligation: retention and disclosure required by applicable law
- Consent: where we rely on consent, you may withdraw it at any time by contacting support@splitmere.com
With respect to Customer personal data contained in a Merchant's order records, the Merchant is the controller and we act as a processor/service provider, processing that data only on the Merchant's behalf and instructions as described in this Policy and the Terms of Service.
6. How We Share Information
We do not sell, rent, or trade personal data. We share information only with:
- Infrastructure and service providers: cloud hosting, database, and email service providers that process data on our behalf under contractual confidentiality and data protection obligations, solely to operate the Service. These providers may be located outside New Zealand, including in the United States.
- Shopify: data is exchanged with the Shopify platform as an inherent part of the App's operation, governed by Shopify's own privacy policy
- Legal and safety: where required by law, regulation, court order, or lawful request, or where reasonably necessary to protect the rights, safety, or property of SplitMere, Merchants, or others
- Business transfers: in connection with a sale or restructuring of the business, in which case this Policy will continue to apply to the transferred data and affected Merchants will be notified
7. International Data Transfers
We operate from New Zealand, which has been recognised by the European Commission as providing an adequate level of data protection. Where data is transferred to service providers in other jurisdictions (including the United States), we take reasonable steps to ensure the data receives comparable protection, including contractual safeguards with those providers.
8. Data Retention
- Active subscriptions: Merchant Data is retained for as long as the App is installed and your subscription is active, so that payout records, statements, and reconciliation history remain available to you
- After uninstall: upon receipt of Shopify's shop/redact webhook (issued 48 hours after uninstall), store data is deleted from our production systems in accordance with the timelines below, except where retention is required by law
- Deletion timeline: personal data is deleted or irreversibly anonymised within 30 days of the applicable redaction event, with residual copies in encrypted backups purged within 90 days
- Logs: automated logs containing personal data (such as IP addresses) are retained for no more than 12 months for security and audit purposes
- Legal retention: records we are required to keep for tax, accounting, or legal compliance are retained for the period required by applicable law and then deleted
9. GDPR and Privacy Webhooks
We subscribe to and honour all of Shopify's mandatory privacy webhooks:
- customers/data_request: when a Customer requests their data through a Merchant, we provide the Merchant with the Customer personal data held in the App relating to that Customer
- customers/redact: when a Customer requests erasure, we delete or anonymise that Customer's personal data held in the App, subject to any legal retention obligations
- shop/redact: following uninstall, we delete the store's data as described in Section 8
10. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete personal data
- Delete your personal data
- Restrict or object to certain processing
- Data portability: receive your data in a structured, commonly used, machine-readable format (the App also provides built-in export features for your payout records)
- Withdraw consent where processing is based on consent
- Complain to a supervisory authority — in New Zealand, the Office of the Privacy Commissioner ( privacy.org.nz); in the EU/UK, your local data protection authority
To exercise any of these rights, contact support@splitmere.com. We will respond within the timeframe required by applicable law (and in any case within 30 days). We may need to verify your identity before acting on a request.
If you are a Customer of a Merchant using the App, please direct your request to that Merchant in the first instance, as they control your data; we will assist the Merchant in fulfilling it.
11. Security
We apply technical and organisational measures appropriate to the nature of the data we process, including:
- Encryption of data in transit (TLS) and at rest
- Authentication and session controls aligned with Shopify's embedded app security requirements
- Strict per-store data isolation, so that one Merchant's data is never accessible to another
- Access controls, audit logging, and monitoring of production systems
- Verification of webhook authenticity (HMAC validation) for all inbound Shopify webhooks
- Principle of least privilege for all system and API access
No method of transmission or storage is completely secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law, including the Privacy Act 2020 (NZ) notifiable privacy breach regime and GDPR breach notification requirements where applicable.
12. Children
The Service is a business tool offered to merchants and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact support@splitmere.com and we will delete it.
13. Third-Party Links and Services
The Service depends on the Shopify platform, and our website may contain links to third-party sites. This Policy does not apply to Shopify or any third party, whose own privacy policies govern their handling of your data.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The current version will always be available at https://splitmere.com/privacy. For material changes, we will give notice by email or in-app notice before the change takes effect. The “Last updated” date at the top of this Policy indicates when it was last revised.
15. Contact
https://splitmere.com
support@splitmere.com
https://splitmere.com · support@splitmere.com