Privacy Policy
Last updated: February 7, 2026
1. Introduction
Metigro ("we", "us", "our") operates the DemandLoop application and related services. This Privacy Policy explains how we collect, use, store, and protect information when you use our products, whether you are a Shopify merchant ("Merchant") or an end customer ("Customer") interacting with a Merchant's store.
By using our services, you agree to the practices described in this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 Customer Data
When a Customer subscribes to restock notifications on a Merchant's store, we collect:
- Email address
- Browser push notification tokens (if web push is enabled)
- Product and variant preferences (which items the Customer wants to be notified about)
- Consent records (date, time, consent text, and method of consent)
- Interaction data (notification clicks, tracked via encrypted tokens)
2.2 Merchant Data
When a Merchant installs DemandLoop, we collect:
- Shopify store information (store name, domain, plan)
- Shopify API access tokens (for product and inventory synchronization)
- Product catalog and inventory data (synced via Shopify webhooks)
- Order data related to attributed sales (order ID, amount, products purchased)
Billing information is handled entirely by Shopify and is not stored on our servers.
2.3 Automatically Collected Data
We may automatically collect:
- IP address (for security and abuse prevention)
- Browser type and device information (for timezone detection and notification delivery)
- Usage analytics within the Merchant dashboard
3. How We Use Information
We use collected information to:
- Send restock notifications to Customers via email and web push
- Track revenue attribution (linking purchases to notifications within a 7-day window)
- Provide analytics and reporting to Merchants
- Process billing through the Shopify Billing API
- Maintain and improve our services
- Prevent abuse and ensure security
We do not sell, rent, or share personal data with third parties for their marketing purposes.
4. Third-Party Services
We use the following third-party services to operate DemandLoop:
- Shopify — platform integration, billing, and webhooks
- Resend — email delivery service
- Hetzner — server hosting (EU-based infrastructure)
If a Merchant enables optional integrations (such as Klaviyo or Twilio SMS), relevant data may be shared with those services according to the Merchant's configuration. These integrations are initiated and controlled by the Merchant.
5. Data Retention
- Customer subscriptions: retained for as long as the Merchant's store has DemandLoop installed, or until the Customer requests deletion
- Notification logs: retained for 90 days by default (configurable by the Merchant)
- Attribution data: retained for up to 730 days for tax and compliance purposes
- Event logs: retained for 90 days
Merchants may configure subscription expiry policies to automatically exclude inactive subscriptions from notifications. Subscription data is preserved in the database but may not be actively used after the configured expiry period.
6. Data Security
We implement industry-standard measures to protect your data:
- All data in transit is encrypted via HTTPS/TLS
- Customer email addresses are stored securely in an encrypted database
- Shopify webhooks are verified using HMAC signatures
- Attribution click tokens are encrypted to prevent tampering
- Access to production systems is restricted and monitored
7. Your Rights
For Customers
You have the right to:
- Unsubscribe from notifications at any time via the unsubscribe link in any email, or through the Customer preference center on the Merchant's store
- Request data export of all personal data we hold about you
- Request data deletion of all personal data, including subscriptions, notification history, and consent records
To exercise these rights, contact the Merchant whose store you subscribed on, or email us directly at [email protected].
For Merchants
You can access, export, and delete Customer data through the DemandLoop dashboard. Upon uninstalling the app, all associated Customer subscription data is deleted. Attribution data may be retained for up to 730 days for compliance purposes.
8. GDPR Compliance
For Merchants operating in the European Economic Area (EEA), DemandLoop provides:
- Optional double opt-in for Customer subscriptions
- Consent logging with full audit trail
- Data export and deletion endpoints for GDPR Subject Access Requests
- Regional privacy compliance settings (auto-enabled for EU markets)
- One-click unsubscribe headers in all notification emails
Metigro acts as a Data Processor on behalf of the Merchant (Data Controller). We process Customer data only as instructed by the Merchant through their use and configuration of DemandLoop.
9. Cookies
The DemandLoop widget on Merchant storefronts does not use cookies for tracking. The Merchant dashboard uses essential session cookies required for authentication through Shopify. We do not use third-party advertising or tracking cookies.
10. Children's Privacy
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Merchant dashboard or via email. The "Last updated" date at the top indicates the most recent revision.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
- Email: [email protected]
- Company: Metigro
- Location: Ukraine