Privacy Policy
Last updated 9 June 2026
This Privacy Policy explains how Harvest Sterling LLC (“Buy on Repeat”, “we”, “us”) collects, uses, shares, and protects personal data in connection with the Buy on Repeat Shopify application (the “App”) and the website at buyonrepeat.com (the “Site”). We are an EU-focused subscription-management tool and treat data protection as a first-class part of the product.
1. Who this applies to
This policy covers two groups: merchants who install the App on their Shopify store, and the customers (subscribers) of those merchants whose data we process on the merchant’s behalf. For subscriber data, the merchant is the data controller and Buy on Repeat acts as a data processor.
2. Information we collect
- Merchant account data — store name, domain, contact email, and billing tier, provided by Shopify when you install the App.
- Store and subscription data — products, selling plans, subscription contracts, orders, billing attempts, and related records, accessed through Shopify’s APIs to operate the App.
- Subscriber data — name, email, shipping/billing address, order history, and payment-method references (tokens held by Shopify; we do not store full card numbers), to manage subscriptions and send lifecycle emails.
- Usage and log data — technical logs, error reports, and aggregate analytics used to operate, secure, and improve the service.
- Website data — session and usage analytics (via our analytics provider) when you visit buyonrepeat.com.
3. How we use data
We use data to provide and operate the App — creating and managing subscriptions, running the customer portal, processing dunning and retries, sending lifecycle emails in the buyer’s language, generating merchant analytics, importing migrations, and providing support. We also use it to bill merchants, secure the service, comply with legal obligations, and improve the product.
4. Legal bases (GDPR)
Where the EU/UK GDPR applies, we rely on: contract (to provide the App to merchants), legitimate interests (to secure and improve the service), legal obligation (to meet record-keeping and compliance duties), and consent where required. For subscriber data, the merchant determines the legal basis as controller; we process it under our data-processing terms.
5. Sub-processors & sharing
We do not sell personal data. We share data only with service providers that help us run the App, under appropriate data-processing agreements:
- Shopify — the platform that hosts your store and the source of store/subscriber data and payment tokens.
- Cloud hosting & database providers — to host the application and store operational data securely.
- Email delivery provider — to send transactional and lifecycle emails on the merchant’s behalf.
- Marketing platforms you connect — if a merchant connects an ESP (such as Klaviyo), subscription events are shared with that platform at the merchant’s direction.
We may also disclose data where required by law or to protect our rights, users, or the security of the service.
6. Data retention & deletion
We keep personal data only as long as needed to provide the App or as required by law. When a merchant uninstalls the App, we honor Shopify’s mandatory data-erasure webhooks (customers/redact, shop/redact, customers/data_request) and delete or anonymize associated data within the required timeframe. Merchants and subscribers may also request deletion directly (see Contact).
7. International transfers
We aim to process data within the EU/EEA where practical. Where data is transferred outside the EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses.
8. Your rights
Subject to applicable law, you may request access to, correction of, deletion of, or portability of your personal data, and may object to or restrict certain processing. Subscribers should contact the merchant they purchased from in the first instance; we will assist the merchant in fulfilling such requests. You may also contact us directly using the details below, and you have the right to lodge a complaint with your local data-protection authority.
9. Security
We use industry-standard measures including encryption in transit, access controls, and least-privilege practices. Payment card data is handled by Shopify and its payment processors; we reference payment methods by token and never store full card numbers.
10. Cookies & analytics
The Site uses third-party analytics providers — Eyepup (site-session and visitor-activity analytics) and Google Analytics 4 — to help us understand how buyonrepeat.com is used. This may involve cookies and similar technologies. For Google Analytics we use Google Consent Mode v2: analytics and advertising storage default to “denied,” so no analytics/ads cookies or identifiers are set until you opt in, and Eyepup does not load at all until you opt in. The App itself runs inside the Shopify admin and customer account and uses only the cookies/tokens necessary for authentication and core functionality. We ask for your consent before enabling the non-essential analytics described above, and you can change or withdraw your choice anytime via the “Cookie settings” link in our footer.
11. Changes
We may update this policy from time to time. Material changes will be reflected by the “Last updated” date above and, where appropriate, communicated to merchants.
12. Contact
Questions or data requests? Email caraulani@gmail.com. Data controller: Harvest Sterling LLC.