NciteIQ
Start Free Trial
← Home

Privacy Policy

Privacy Policy


NciteIQ CRM – Privacy Policy


Effective Date: March 31, 2026



1. Introduction


NciteIQ CRM ("NciteIQ," "we," "our," or "us") is operated by Emertech, LLC.


This Privacy Policy explains how we collect, use, store, disclose, and protect information when you use NciteIQ. That includes:


- Our Shopify application (installed through Shopify Admin), and

- Our web portal and related online surfaces you use with the same login (such as signup, onboarding, CRM, billing, reporting, team and support tools, and other merchant-facing features).


Together, these are the Services. By installing the Shopify application or otherwise using the Services, you agree to this Privacy Policy. If you disagree, discontinue use.



2. Who this policy applies to


Merchants. If you operate a Shopify storefront (or staff an account authorized by that merchant), we collect and use merchant account information and merchant-created content as described below.


End customers (consumers). When we receive personal information about shoppers from Shopify on behalf of merchants, merchants are generally responsible for privacy notices and consents relating to storefront collection. Our role is ordinarily that of service provider / processor, subject to Shopify's program rules and scopes.


Nothing in this policy overrides Shopify's terms or a merchant's separate obligations toward Shopify.



3. Information we collect


3.1 Information from Shopify


When merchants install NciteIQ or connect a store via Shopify APIs and webhooks, we may collect data made available through those integrations, subject to Shopify permissions, Shopify Protected Customer Data requirements, scope changes, API versions, feature configuration, and your plan. Examples:


- Store information (such as domain, store name or label, timezone, merchant preferences needed for syncing)

- Products (titles, variants, SKU/handles, descriptions or marketing copy as exposed, structured fields relevant to syncing, pricing, inventory references where enabled)

- Orders (identifiers, statuses, totals, fulfillment cues, timestamps, line items—or similar—as permitted by Shopify)

- Customers (names, emails, mailing or phone attributes as exposed, transactional history surfaced by Shopify integrations, subject to protected-data rules where applicable)

- Inventory quantities and identifiers where sync is enabled


The exact fields synced may evolve with product features.


3.2 Account, billing, workspace, app and portal usage data


Depending on Services you use:


- Merchant account and workspace details (identifiers, memberships, invitations, workspace metadata)

- Authentication data operated through third-party authentication and database infrastructure commonly provided by vendors such as Supabase, including signup/login events, MFA state where enabled, and session tokens aligned with HTTPS cookies

- Usage and diagnostics reflecting actions inside the workspace (audit-style activity, configurations you save, dashboards, segmentation rules where applicable), plus technical telemetry tied to uptime and troubleshooting (IPs, browser or device fingerprints as commonly logged via HTTP stacks, timestamps, correlating error payloads)


3.3 Billing payments (Stripe)


Subscription checkout, invoices, refunds, Stripe Customer Portal behavior, webhook-driven subscription state—all route through Stripe. Stripe processes payment card credentials in line with Stripe's documentation. We ordinarily retain Stripe object identifiers, subscription linkage, transactional payment status, invoices or checkout session references—not PAN track data retained on Emertech systems.


Where Emertech later swaps payment vendors, analogous statements apply unless contractually narrowed.


3.4 Bi-directional operations when enabled


Some features authorized by merchants propagate changes both Shopify to NciteIQ and NciteIQ to Shopify (inventory adjustments, edits to Shopify catalog fields authorized by scopes, outbound discount codes if enabled within product permissions, etc.). We use Shopify data strictly to fulfill merchant-visible automation—not resale of Shopify merchant content unrelated to powering NciteIQ.


3.5 Exports (when feature-enabled)


Export jobs may package mirrored records for download. Once you download a file, that copy is under your control—not ours.


3.6 Communications


We send transactional messages (email security checks, invites, billing notices, support-related mail) through providers such as Resend or equivalent infrastructure. Message metadata and message bodies needed to deliver these communications are processed accordingly.



4. How we use information


We process information to:


- Provide, secure, and improve the Services (authentication, multi-tenant isolation, row-level security patterns, synchronization jobs)

- Render CRM, segments, tasks, reporting, operations modules, discount-code consoles, wallboard or analytics where your plan enables them

- Bill via Stripe, enforce entitlements, manage trials, apply feature flags

- Detect abuse, debug failures, monitor security, preserve audit logs where appropriate

- Comply with law, enforce terms, and satisfy Shopify Mandatory Privacy Webhooks (see Section 8)


We do not sell personal information.



5. Storage, security, tenant isolation


We host application data in PostgreSQL cloud infrastructure (for example via Supabase), using account-based scoping and row-level safeguards engineered to separate merchant workspaces. Encryption in transit (HTTPS/TLS) applies to merchant interactions; production credential handling follows least-privilege patterns.


Absolute security guarantees are impossible—you must protect passwords, SSO tokens, MFA devices, invitations, exported downloads, backup exports you create.



6. Data sharing / subprocessors


We do not sell or rent Shopify merchant storefront data.


We disclose information only:


- To subprocessors, strictly supporting the Services (hosting/database/auth/email/payment gateways such as Stripe, Shopify API surfaces, transactional email infra). Contracts subject vendors to confidentiality, security diligence, onward-transfer limits when legally mandated. Current categories are available on request via support@nciteiq.com and may evolve.

- For legal reasons (subpoenas, regulatory demands) where obligated after internal review—we seek to minimize scope wherever lawful.

- In business transactions involving sale of assets—successor inherits duties consistent materially with Shopify partnership obligations absent contrary regulatory instructions.


Transfers outside originating regions rely on safeguards (for example SCCs or vendor DPAs) where GDPR-style laws apply materially—confirm exact instruments counsel-side.



7. Customer personal information & controller / processor framing


Merchant shoppers' personal details pulled from Shopify are processed chiefly on merchants' documented instructions, within Shopify programmatic constraints merchants accept. Merchant remains ordinarily business controller, NciteIQ processor, for storefront-origin personal datasets—consistent with Shopify App Store disclosures.


Merchant account admin identities you supply directly to Emertech (names, passwords, MFA phone numbers solely if you supply MFA, billing emails routed through Stripe) are processed jointly under contractual Terms of Service—you should inspect those concurrently.



8. Data retention & deletion pathways


Retention tracks:


- Merchant account lifetime (while subscription/trial active uninstall grace windows align with Shopify mandates) versus Shopify mandates triggering redaction timelines.

- Merchant-initiated delete-all flows inside workspace admin—subject to cryptographic backup rollover constraints (some anonymized residuals may linger temporarily purely for intrusion forensics—not consumer marketing).

- Immutable security logs, possibly shorter than indefinite business records—but never repurposed arbitrarily for contradictory processing.


Shopify's Mandatory Privacy Webhooks—including customers/data_request, customers/redact, and shop/redact—must be honored per Shopify published timing once installed.


Residual aggregate metrics stripped of identifiable rows may persist indefinitely for SLA analytics.


Permanent erasure confirmations or enterprise DPA artifacts: support@nciteiq.com.



9. Your privacy rights & requests


Regional laws (EU/UK GDPR-style rights, CCPA/CPRA categories, Quebec Law 25, etc.) confer varying access, rectify, erase, portability, objection, nondiscrimination, appeal rights—you must verify merchant vs consumer capacities.


Merchant workspace administrators may inquire at support@nciteiq.com verifying domain control.


End consumers ordinarily contact merchant storefront, then escalate via Shopify storefront privacy tooling—we cannot override merchant storefront decisions absent court order narrowing exceptions.


EU/UK individuals may escalate to supervisory authorities if unsatisfied materially after documented dialogue timelines.



10. International processing


Hosting may utilize United States—and possibly additional—regions pursuant to subcontractor footprints (Supabase region choices, Stripe data residency election). Appropriate transfer mechanisms execute when mandated.



11. Children


NciteIQ is not knowingly directed at children under 13 (U.S.) or analogous ages elsewhere. Children should not operate merchant accounts. Merchant storefront compliance with minors' regimes remains merchant-duty.


Parents believing accidental processing occurred should initiate via merchant storefront's published privacy escalation.



12. Security incidents


Suspected compromises undergo investigation triage materially. Notifications match legal duties and contractual Shopify escalation expectations when thresholds trigger.



13. Browser storage & UX continuity


Limited session/local storage snippets may stash purely non-secret UX flags (temporary onboarding breadcrumbs). They never replace secure secret storage—they're disposable per-browser.



14. Cookies & similar identifiers


Merchant portal sessions ordinarily rely HTTP cookies necessary for authenticated navigation (Supabase or equivalent session cookies). Blocking necessary cookies disables login practicality.


Separate marketing-site cookies/analytics disclosures govern marketing origins—merchant workspace cookies differ.



15. Automated decision-making


NciteIQ segmentation features surface rules merchants author—they do not create solely automated unlawful discrimination outcomes absent merchant orchestration—we provide tooling only.


Legal effect automated decisions devoid of merchant configuration do not materially exist today—should features evolve materially, revisiting disclosures becomes necessary.



16. Policy changes & notice


Updates revise Effective Date. Material alterations may utilize merchant email, critical in-app banners, Shopify Partners policy URLs, changelog posts—not every grammatical tweak triggers broadcasts.


Continuing to use the Services after the Effective Date may constitute acceptance unless applicable law requires a different consent mechanism.


Historical copies may be honored per enterprise SLA—request via support@nciteiq.com.



17. Contact


Company: NciteIQ · An Emertech, LLC company


Privacy: support@nciteiq.com