Effective date: [EFFECTIVE DATE] Last updated: [EFFECTIVE DATE]
Nevin Puri Ventures, LLC ("Linen", "we", "us") respects your privacy. This Privacy Policy explains what personal data we collect, how we use it, and the rights you have over it, in connection with our website (linen.so) and our email marketing platform for Shopify merchants (the "Service").
If you are an End Consumer — someone whose email address was collected by a Shopify merchant using the Service — please also see Section 8 below and refer to the privacy policy of the merchant whose store you interacted with. They are the data controller for that data; we process it on their behalf.
1. Data We Collect
1.1 Merchant account data
When you sign up and use the Service, we collect:
- Email address, name, and authentication identifiers (e.g. Google account ID if you sign in with Google)
- Business name, Shopify store domain, and store metadata you connect via Shopify OAuth
- Payment information (processed and stored by our payment processor Stripe; we do not store full card numbers)
- Communications you send us (support tickets, feedback)
- Product usage (features used, emails generated, campaigns sent)
- Technical data (IP address, user-agent, device type, log timestamps)
1.2 Store data (processed on your behalf)
When you connect a Shopify store, we access and store:
- Product catalog, collections, inventory
- Brand assets (logo, colors, images)
- Order history (aggregated, to improve generation)
- End Consumer email addresses and profile fields (opted-in contacts)
- Send and engagement history (opens, clicks, unsubscribes)
1.3 Cookies and similar technologies
We use first-party cookies and local storage to:
- Keep you signed in
- Remember preferences
- Measure product usage (via [ANALYTICS PROVIDER])
We do not sell personal data or use third-party advertising cookies.
2. How We Use Your Data
We process personal data to:
- Provide, maintain, and improve the Service
- Authenticate users and secure accounts
- Process payments and send billing-related communications
- Respond to support requests
- Send product announcements and critical security notices
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Aggregate and anonymize for analytics and model improvement
We do not sell personal data, and we do not use End Consumer data for our own marketing purposes.
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area, United Kingdom, or Switzerland, we process personal data on the following bases:
| Processing | Legal basis |
|---|---|
| Providing the Service to you | Performance of a contract (Art. 6(1)(b)) |
| Billing | Performance of a contract / legal obligation |
| Security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Product improvement | Legitimate interest |
| Marketing emails from us | Consent (where required) / legitimate interest |
| Compliance with law | Legal obligation (Art. 6(1)(c)) |
You may withdraw consent or object to legitimate-interest processing at any time — see Section 7.
4. Third-Party Subprocessors
We use the following third-party services to operate the platform. Each of these receives only the data necessary for its function and is bound by contract to protect it:
| Subprocessor | Purpose | Data region |
|---|---|---|
| Supabase | Database + authentication | US |
| Vercel | Hosting | US / global edge |
| Stripe | Payment processing | US |
| Resend | Transactional + marketing email delivery | US |
| Mux | Video hosting and playback | US |
| Trigger.dev | Background job runner | US |
| OpenAI / Anthropic | AI email generation | US |
| Google OAuth | Authentication | US / global |
| Shopify | Store integration | Varies |
| Cloudflare | CDN, DDoS protection | Global edge |
| [ANALYTICS PROVIDER] | Product analytics | [REGION] |
An up-to-date list is available at [SUBPROCESSOR PAGE URL]. We will provide at least 30 days' notice before adding or replacing a subprocessor that processes personal data.
5. International Transfers
If you are located outside the United States, your data will be transferred to and processed in the US. For transfers from the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses (and UK Addendum or Swiss equivalents where applicable).
6. Data Retention
- Account data: for the life of your account, then up to 30 days after termination unless required by law
- Payment records: 7 years (tax/accounting compliance)
- Store data and End Consumer data: for the life of your account; deleted within 30 days of account termination (with backups purged within 90 days)
- Logs and security records: up to 12 months
- Marketing opt-outs: retained indefinitely to honor unsubscribes
You can request earlier deletion at any time (see Section 7).
7. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Data portability — receive your data in a machine-readable format
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email [CONTACT EMAIL] from the address associated with your account. We will respond within 30 days (extendable to 90 days for complex requests).
8. End Consumer Data
When a Shopify merchant uses the Service to send email to its customers:
- The merchant is the data controller for that customer data
- Linen is a data processor, acting only on the merchant's documented instructions
- Our processing is governed by a Data Processing Agreement with the merchant, available at [DPA URL]
If you are an End Consumer (you received an email through the Service) and want to exercise any privacy right, please contact the merchant whose store you interacted with. They control the data. We will forward requests to them on a best-effort basis if you contact us at [CONTACT EMAIL].
All marketing email sent through Linen includes a working unsubscribe link, honored immediately and retained indefinitely to prevent re-emailing.
9. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell
- Request deletion of personal information
- Opt out of the "sale" or "sharing" of personal information (we do not sell personal information)
- Correct inaccurate personal information
- Limit use of sensitive personal information
- Non-discrimination for exercising these rights
To exercise CCPA rights, email [CONTACT EMAIL] with "CCPA Request" in the subject line. We may verify your identity before fulfilling.
10. Marketing Email Compliance (CAN-SPAM & CASL)
All marketing email we send — or that our merchant customers send through the Service — complies with the CAN-SPAM Act and, where applicable, the Canadian Anti-Spam Legislation (CASL). Every such message includes:
- Accurate sender identification
- A valid physical postal address
- A clear, one-click unsubscribe link that works for at least 30 days
Merchants using the Service agree to honor opt-outs within 10 business days and to obtain proper consent before adding contacts to their lists.
11. Children
The Service is not directed to children under 13 (or the equivalent minimum age in the relevant jurisdiction). We do not knowingly collect personal data from children. If we learn we have, we will delete it.
12. Security
We implement industry-standard technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 via Supabase)
- Access controls and least-privilege principles for our team
- Secure password hashing (bcrypt/argon2 via Supabase Auth)
- Regular backups with encryption
- Logging and monitoring for anomalous activity
No system is 100% secure. If a breach occurs that affects your data, we will notify you without undue delay as required by law.
13. Changes
We may update this Privacy Policy. Material changes will be notified via email or prominent notice in the Service at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent change.
14. Contact
Questions about this Privacy Policy, or to exercise your privacy rights:
Nevin Puri Ventures, LLC Data Protection Contact: [CONTACT EMAIL] [STREET ADDRESS] [CITY, STATE ZIP]