Privacy Policy
Last updated: March 2026
01 Who we are
marra is a Shopify referral app operated by Useful for Humans, based in the North East of England, United Kingdom.
Email: hello@getmarra.com
Website: https://getmarra.com
02 What data we collect
Merchant data
- Store domain and shop name
- Merchant email address
- App settings and configuration
- Klaviyo API key (stored encrypted)
- Shopify access token (encrypted with AES-256-GCM)
Customer data (processed on behalf of merchants)
- Email address and name
- Shopify customer ID
- Referral activity (clicks, conversions, rewards)
- Device registration data for Apple Wallet passes
We do NOT collect: payment card information, passwords, or browsing history.
03 How we use data
We use the data we collect to:
- Operate the referral programme on behalf of merchants
- Send transactional emails (welcome, conversion notifications)
- Generate and update Apple Wallet passes
- Sync referral data to Klaviyo when enabled by the merchant
- Display referral statistics in the merchant dashboard
We do not sell data to third parties or use it for advertising purposes.
04 Data storage and security
- Data is stored on Railway (PostgreSQL, EU region)
- Shopify access tokens are encrypted using AES-256-GCM
- All API endpoints are protected by HMAC signature verification
- All connections use TLS encryption
05 Data retention
- Merchant data: deleted within 48 hours of app uninstall
- Customer referral data: retained for up to 2 years, or until deletion is requested
- Wallet registrations: deleted when the pass is removed from the device
- Webhook records: automatically deleted after 7 days
06 Third-party services
marra uses the following third-party services to operate:
- Shopify — e-commerce platform integration
- Resend — transactional email delivery
- Railway — application hosting and database
- Apple — Wallet pass push notifications (APNs)
- Klaviyo — marketing automation (optional, merchant-enabled only)
07 Your rights (GDPR — EEA and UK)
Under the General Data Protection Regulation, you have the right to:
- Access — request a copy of the personal data we hold about you
- Erasure — request deletion of your personal data
- Rectification — request correction of inaccurate data
- Portability — request your data in a machine-readable format
- Objection — object to the processing of your data
To exercise any of these rights, contact hello@getmarra.com. We respond to all requests within 30 days.
Customer deletion requests submitted through Shopify are handled automatically via GDPR webhooks within 48 hours.
08 Shopify data requirements
marra implements all mandatory Shopify GDPR webhooks:
- customers/data_request — returns all data held for the requested customer
- customers/redact — erases personal data for the requested customer
- shop/redact — erases all merchant data after app uninstall
09 Cookies
marra uses session cookies on the merchant storefront to store referral attribution codes (marra_ref_code, marra_ref). These cookies are used solely for referral tracking and are not used for advertising, analytics, or cross-site tracking.
10 Children's privacy
marra is not directed at individuals under the age of 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact hello@getmarra.com and we will delete it promptly.
11 Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated to merchants via the marra dashboard or email notification. Continued use of marra after changes constitutes acceptance of the updated policy.
12 Contact
Email: hello@getmarra.com
Web: https://getmarra.com
Operator: Useful for Humans, North East England, United Kingdom