Privacy Policy
This Privacy Policy explains how CPG Labs (the operating entity behind Omnify) collects, uses, stores, and protects personal data when merchants use the Omnify Shopify application and related services.
1. Scope of This Policy
This policy applies to:
- The Omnify Shopify embedded app
- Omnify-hosted services at https://omnify.cpg-labs.io
- All features including Local Delivery, Retail Sales goals, Footprint Expansion, Affiliates, Carrier Service integrations, and Analytics
Omnify acts primarily as a data processor on behalf of merchants. The merchant remains the data controller for their customer data.
2. Personal Data We Process
Merchant and app data
- Shopify shop identifier
- App installation metadata
- Session and authentication tokens
Order and customer data (via Shopify API)
- Order identifiers
- Order totals and line items
- Fulfillment method and delivery tags
- Customer city, postal code, and country
- Delivery address coordinates (derived via geocoding)
Location and mapping data
- Fulfillment location coordinates
- Retail candidate locations entered by merchants
- Influence radius and geographic analytics
Technical and usage data
- IP address
- Browser and device metadata
- Application logs and error reports
Omnify does not collect payment card numbers or sensitive personal data such as health information, biometric data, or government identifiers.
3. Google API Services User Data Policy Compliance
Omnify's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, Omnify will not:
- Sell Google user data to third parties under any circumstances.
- Use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- Use Google user data to determine creditworthiness or for lending purposes.
- Use Google user data for artificial intelligence or machine learning training purposes that are unrelated to providing or improving the user-facing features of the application.
- Use Google user data for any purpose other than providing or improving user-facing features that are prominent in the application's user interface.
- Transfer Google user data to third parties unless (a) necessary to provide or improve user-facing features, (b) required to comply with applicable law, (c) needed for security purposes (e.g., investigating abuse), or (d) as part of a merger, acquisition, or asset sale with prior user notice and consent.
Google data accessed by Omnify (such as geocoding results and mapping data from Google Maps APIs) is used exclusively to power the mapping, route planning, and location analytics features visible within the application.
4. How We Use Data
Personal data is processed strictly to:
- Enable local delivery route planning and visualization
- Analyze customer geography for retail expansion decisions
- Compute sales, revenue, and performance analytics
- Provide carrier rate quotations and delivery tracking
- Operate, secure, and improve the Services
- Comply with legal obligations
Data is never used for advertising or profiling, and is never resold to third parties.
5. Data Storage and Persistence
Data is stored using:
- AWS RDS PostgreSQL (encrypted at rest with AES-256) for app configuration and analytics
- Shopify order tags for route assignment persistence
- AWS CloudWatch for application logs
All data is hosted in the AWS us-east-1 region. Data at rest is encrypted using AES-256, and all data in transit is encrypted using TLS 1.2 or later.
6. Legal Bases for Processing
We process personal data under the following legal bases:
- Performance of a contract with merchants who install and use the app
- Legitimate interest in operating, maintaining, and improving the Services
- Compliance with legal obligations, including tax and commerce regulations
- Consent, where specifically required by applicable law
7. Third-Party Services
Omnify integrates with the following third-party services to provide its features:
- Shopify — for store data, orders, products, and authentication
- Google Maps Platform — for geocoding, route visualization, and location analytics
- Carrier services (e.g. Lalamove) — for delivery quotation and dispatch, when configured by the merchant
- Amazon Web Services — for infrastructure hosting, database, and logging
Data shared with these services is limited to what is necessary for the specific feature being used. We do not share data with analytics or advertising platforms.
8. International Transfers
Personal data may be transferred and processed outside the user's jurisdiction, including in the United States (AWS us-east-1 region). CPG Labs applies appropriate safeguards including contractual data protection clauses, encryption in transit and at rest, and access controls consistent with industry best practices.
9. Data Retention
- Order and customer analytics are retained while the merchant account is active
- Cached analytics data is periodically refreshed and overwritten
- Application logs are retained for up to 90 days for operational purposes
- Upon app uninstallation, merchant data is deleted within 30 days, subject to legal retention requirements
10. Security Measures
Omnify applies:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption at rest for databases
- Role-based access controls with least-privilege principles
- Secure secret management via AWS SSM Parameter Store
- VPC network isolation for production infrastructure
- Continuous monitoring, logging, and alerting
11. User Rights
Depending on your jurisdiction (LGPD, GDPR, CCPA/CPRA, and other applicable privacy laws), you may have the right to:
- Access the personal data we process about you
- Request correction of inaccurate data
- Request deletion of your personal data
- Receive a copy of your data in a portable format
- Object to or restrict certain types of processing
- Withdraw consent at any time
To exercise any of these rights, contact us using the details in Section 14 below. We will respond within 30 days of receiving your request.
12. Children's Privacy
Omnify does not knowingly process personal data of children under 13 (or under 16 where applicable under local law). If we become aware that we have collected personal data from a child, we will delete it promptly.
13. Changes to This Policy
This Privacy Policy may be updated periodically to reflect changes in our practices or applicable law. We will update the last-updated date at the top of this page. Continued use of the Services after changes are posted constitutes acceptance of the updated policy.
14. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: contact@cpg-labs.io
CPG Labs
São Paulo, Brazil