Privacy Policy
How Influencer Gift Form processes merchant and influencer data — our role, the Shopify permissions we request and why, who we share data with, and how we keep it secure.
1Introduction
Influencer Gift Form is a Shopify application built and operated by Magnuson Ventures LLC, a California LLC. The app helps merchants manage influencer gifting programs by collecting shipping and product information from influencers and automatically creating orders within the merchant's Shopify store.
2Our Role
Merchants using Influencer Gift Form are the data controllers. Influencer Gift Form (Magnuson Ventures LLC) acts solely as a data processor and, where applicable under the CCPA/CPRA, as a service provider — processing personal data only on behalf of and at the direction of the merchant, solely for the purpose of providing the service.
We do not combine personal data received from one merchant with data from another merchant, and we do not process merchant customer data outside of the direct business relationship between the merchant and Influencer Gift Form.
3Why We Request Specific Shopify Permissions
We request only the permissions necessary to deliver core app functionality. Below is a plain-English explanation of every scope requested at install:
| Shopify scope | Why we need it |
|---|---|
| read_products | We read your product catalog and variants so influencers can select items through the gifting form. |
| unauthenticated_read_product_listings | Allows the public-facing gifting form (which influencers access without logging in) to display your published product listings. |
| write_customers | Before creating an order we check whether a Shopify customer record already exists for the influencer (matched by email). If none exists, we create one so the order can be properly associated in your store. |
| write_draft_orders | We create a draft order in your store when an influencer submits a gifting form, staging it for review before fulfillment. |
| write_orders | We convert draft orders into live orders on your behalf once the gifting request is confirmed per your workflow. |
| write_order_edits | We may update order details (such as line items or shipping information) after creation if corrections are needed during the gifting workflow. |
| read_all_orders | Merchants run long-term influencer programs that span many months. Shopify's default order access is limited to 60 days, so we request extended history to check for existing orders and avoid duplicates regardless of when past orders were placed. |
| read_fulfillments | We read fulfillment status so merchants can track whether gifted orders have been shipped and surface that status inside the app. |
| write_discounts | We create and apply discount codes to gifting orders on behalf of the merchant, for example to enable $0 or reduced-price orders for influencers. |
We do not access payment card information, full customer purchase history (outside of influencer sample orders), or any other store data beyond what is listed above.
4Information We Process
On behalf of the merchant, we may process the following categories of personal data:
- Influencer name, email address, shipping address, and phone number (if provided)
- Product selections and form responses submitted by influencers
- Shopify customer ID and IGF user ID
- Draft orders and orders created through the app, including products, quantities, order dates, tags, notes, and discount codes
- Fulfillment status of gifting orders
- IP address, if collected during the order submission process
We do not process: payment card information, full customer purchase history (except influencer sample orders), or sensitive personal data of any kind.
5How We Use This Data
We process data solely to:
- Provide core app functionality (form collection, order creation, customer deduplication)
- Store influencer shipping addresses for re-gifting workflows
- Track fulfillment status of influencer orders
- Maintain app performance and reliability
- Provide merchant support
We do not use personal data for advertising, profiling, or any purpose outside of delivering the service. We do not combine data received from one merchant with data from any other merchant.
6Data Sharing and Sub-processors
We share data only with the following sub-processors, each bound by appropriate confidentiality and data protection obligations:
| Sub-processor | Role |
|---|---|
| Shopify | Core platform — all data processed through the app flows through Shopify's infrastructure. |
| Bubble.io | Application hosting platform (US-based, AWS infrastructure). |
| Cloudflare | Backend processing, serverless Workers, and data transport. |
We do not sell personal data. If we add a new sub-processor that will handle personal data, we will notify merchants by email before that sub-processor begins processing.
7Data Security
We maintain reasonable administrative, technical, and organizational security measures to protect personal data, including:
- Encryption in transit using TLS/SSL for all web access to the platform
- Encryption at rest using AES-256 or equivalent for archives and backups
- Access controls limiting data access to authorized personnel only
- Confidentiality obligations for all personnel with access to personal data
The app operates within Shopify's security infrastructure and complies with Shopify's Partner Program Agreement and Data Processing Addendum.
8Data Breach Notification
In the event of a personal data breach, we will notify affected merchants within 48 hours of becoming aware of the breach. We will cooperate with merchants in any post-breach investigation, remediation, and required communications to data subjects or authorities.
9Data Retention and Deletion
We retain data only as long as necessary to provide app functionality. When a merchant uninstalls the app, our access to their Shopify data is immediately revoked per Shopify's platform rules. Upon request, we will delete or return personal data in accordance with applicable law.
10Consumer Rights and Data Subject Requests
Because we act as a data processor and service provider, requests related to personal data (access, deletion, correction, opt-out) should be directed to the merchant who controls the data. We will notify the relevant merchant of any data subject request we receive within 48 hours and will provide reasonable assistance to help the merchant fulfill it. We will not respond to data subject requests directly on behalf of a merchant unless required by law.
11Updates
We may update this policy to reflect changes in legal requirements or app functionality. Updates will be posted at www.influencergiftform.com/privacy-policy with a revised effective date.