Privacy Policy

2.1 Information from Merchants (Shopify Store Owners)

When you install a CrushSuite app, we receive information from Shopify necessary to operate the app. This includes:

• Your Shopify store name, domain, and store ID
• Your account email address and contact information
• Your billing information (processed by Shopify — we do not store payment card data)
• Store configuration data, including product catalogs, inventory, and shipping settings
• Order data, including order IDs, line items, quantities, shipping destinations, and order status
• Customer records from your store (names, shipping addresses, email addresses, purchase history)
• App configuration settings you configure within CrushSuite

2.2 Information from Your Customers (End Users)

When your customers interact with CrushSuite features within your Shopify storefront or checkout, we may process:

• Name, shipping address, and email address (from Shopify checkout)
• Date of birth or age verification responses submitted through our age gate
• State of residence for shipping eligibility determination
• Order details sufficient to apply compliance rules and calculate fees

We process this data on behalf of you, the merchant, as a data processor. Your customers' relationship is with your store. We do not use your customers' data for our own marketing purposes.

2.3 CrushSuite Compliance — Additional Data

For merchants using CrushSuite Compliance, we additionally process:

• VinoShipper account credentials and license data (when VinoShipper integration is enabled)
• State-by-state DTC shipping license status and volume limits
• Compliance fee calculations applied per order
• Age verification records, including method of verification and outcome
• Cumulative shipping volumes per customer per state for volume limit enforcement

2.4 CrushSuite Clubs — Additional Data

For merchants using CrushSuite Clubs, we additionally process:

• Wine club membership records, including tier, join date, and status
• Release schedule data and member allocation preferences
• Recurring billing records, including billing cycle, amounts, and payment status
• Member customization preferences (e.g., build-a-box selections)
• Club cancellation and pause records

2.5 CrushSuite Seats — Additional Data

For merchants using CrushSuite Seats, we additionally process:

• Reservation records, including date, time, party size, and guest name
• Event and ticketing data, including event details, ticket types, and attendee information
• Guest contact information provided at booking
• Walk-in and waitlist records

2.6 Information Collected Automatically

When you use our website or apps, we automatically collect certain technical data:

• IP address and approximate geographic location
• Browser type, device type, and operating system
• Pages visited, time spent, and navigation patterns
• Referring URLs and exit pages
• App performance data and error logs

This technical data is used solely to operate, secure, and improve the Apps and the website. Application logs and error traces are retained for no longer than ninety (90) days. Aggregate analytics data may be retained indefinitely in anonymized or aggregated form. We do not use technical data to build advertising profiles or to identify visitors across sites.

3.1 Operating and Delivering the Apps

• Enforcing state-by-state shipping rules and compliance restrictions at checkout
• Calculating and applying alcohol compliance fees
• Running age verification and address validation
• Syncing data with VinoShipper and other integrated compliance partners
• Managing wine club memberships, billing cycles, and release fulfillment
• Processing tasting room reservations and event ticket sales
• Generating compliance reports required by state regulators

3.2 Account and Billing Management

• Creating and managing your CrushSuite merchant account
• Processing subscription payments via Shopify's billing API
• Sending billing confirmations, renewal notices, and payment failure alerts

3.3 Support and Communications

• Responding to support requests and technical inquiries
• Sending product updates, new feature announcements, and operational notices
• Providing onboarding guidance and setup assistance

3.4 Improvement and Analytics

• Analyzing usage patterns to improve app performance and features
• Identifying and fixing bugs and errors
• Developing new features based on merchant needs and feedback

3.5 Legal Compliance

• Complying with applicable laws, regulations, and legal process
• Enforcing our Terms of Service and other agreements
• Protecting against fraud, abuse, and security threats

3.6 Legal Bases for Processing (GDPR / UK GDPR)

Where applicable data protection law requires, we rely on the following legal bases to process personal data:

• Performance of a contract — to deliver the Apps to merchants under the Terms of Service, including billing, account management, and core feature operation.
• Compliance with legal obligations — to retain compliance records required by state alcohol regulations, tax law, and applicable consumer protection laws.
• Legitimate interests — to secure our systems against fraud and abuse, to detect and fix bugs, to develop new features based on aggregate usage patterns, and to communicate with merchants about operational matters. Where we rely on legitimate interest, we balance our interest against the rights and freedoms of data subjects.
• Consent — where consent is the appropriate basis (for example, certain optional analytics or marketing communications), we will request it and you may withdraw it at any time.

End customers' personal data is processed on behalf of the merchant under the merchant's own legal basis. We do not establish a direct relationship or processing purpose with end customers.

4.0 Our Role

For the purposes of EU and UK data protection law and the California Consumer Privacy Act, you (the merchant) are the data controller with respect to your customers' personal data, and CrushSuite acts as a data processor processing such data on your behalf and pursuant to your documented instructions, as further described in our Terms of Service.

4.1 Shopify

Our apps operate within the Shopify platform. Shopify processes data in connection with your store in accordance with Shopify's Privacy Policy.

4.2 VinoShipper and Compliance Partners

If you have enabled VinoShipper integration within CrushSuite Compliance, we share order data, customer shipping information, and compliance-relevant details with VinoShipper solely for the purpose of fulfilling compliance obligations. This data sharing is governed by your agreement with VinoShipper.

4.3 Subprocessors

We engage the following categories of third-party service providers ("subprocessors") who assist us in operating CrushSuite. Each is contractually required to handle data only as directed by us and in accordance with this policy and applicable law.

• Cloud hosting and database — Railway (United States), providing primary application hosting, PostgreSQL database, and Redis cache.
• Webhook and messaging infrastructure — Google Cloud Platform (United States/global), providing Pub/Sub delivery for Shopify order webhooks.
• Transactional email — Mailgun, an operating brand of Sinch (United States), providing email delivery for billing notices, support replies, and operational alerts.
• Marketing website hosting and analytics — Vercel (United States), providing crushsuite.com hosting and anonymous, aggregate Vercel Analytics.
• Public asset storage — Amazon Web Services S3 (us-west-2 region, United States), used only for non-personal marketing and product imagery.
• Customer support — Freshdesk, an operating brand of Freshworks (United States/global), providing the support ticketing system at crushsuite.freshdesk.com.
• Compliance partners — VinoShipper (United States) and other compliance partners you have explicitly enabled, processing order and customer data necessary for alcohol shipping compliance.
• Shopify — your platform of record. Shopify processes data in connection with your store under its own terms.

We will provide at least thirty (30) days' advance notice via email or in-app notice before adding a new subprocessor or changing the role of an existing one in a way that materially affects the processing of your data. A current subprocessor list is available at any time on request to admin@crushsuite.com.

4.4 International Data Transfers

CrushSuite is operated from the United States. Data we process — including merchant data and end-customer data — is stored and processed in the United States and other jurisdictions where our subprocessors operate. We protect transferred data with technical safeguards including encryption in transit (TLS), encryption at rest, and column-level encryption of particularly sensitive fields.

4.5 Legal Requirements

We may disclose information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of CrushSuite, our merchants, or the public.

4.6 Business Transfers

If CrushSuite is acquired by or merged with another company, your information may be transferred as part of that transaction. We will notify affected merchants before any such transfer occurs.

7.1 Merchants (GDPR / EEA)

If you are located in the European Economic Area, you have the right to access, correct, delete, or restrict processing of your personal data. You also have the right to data portability and the right to object to processing based on legitimate interests. To exercise these rights, contact us at admin@crushsuite.com.

7.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the right under the California Consumer Privacy Act and California Privacy Rights Act to know what personal information we collect about you, the sources from which we collect it, the business purposes for which we use it, and the categories of third parties with whom we share it. Section 2 of this policy describes the categories of personal information we process; Section 3 describes the purposes; and Section 4 describes the sharing arrangements.

You also have the right to delete personal information we hold about you, to correct inaccurate personal information, to limit the use of sensitive personal information, and to opt out of any sale or sharing of personal information. CrushSuite does not sell personal information and does not share personal information for cross-context behavioral advertising.

To submit a CCPA request, contact us at admin@crushsuite.com. We will verify your request and respond within forty-five (45) days, with a possible 45-day extension where reasonably necessary.

7.3 All Users

Regardless of location, you may contact us at any time to request access to, correction of, or deletion of personal data we hold about you, subject to applicable legal requirements.

CrushSuite Privacy Team

Email: admin@crushsuite.com

Subject line: "Privacy Request" for data subject requests.

Website: https://crushsuite.com