Privacy policy
Effective date: 2026-05-12
Scoreboard ("we", "us", "the app") is a Shopify app that helps merchants run sales targets, commissions, incentives, and broadcasts for their POS staff. This policy explains what data we collect, how we use it, how long we keep it, and your rights.
What we collect
Scoreboard reads a deliberately narrow slice of your Shopify data. We never read or store customer personal information.
- Shop metadata: myshopify domain, shop name, owner name, contact email, plan, currency, timezone — fetched once on install and refreshed periodically.
- Locations: location ID, name, and active state for each storefront you import.
- Staff: Shopify staff member IDs (not customer IDs), and display names you enter or names auto-discovered from POS order events. Each staff member is linked to a location.
- Sales attribution: for each order processed through your store, we store: order ID and reference number, sale total, currency, occurred-at timestamp, location, the staff member who made the sale, and the line items (product/variant IDs, quantities, prices).
- Settings: targets, commission strategies, incentives, broadcasts, payouts, audit logs of admin actions.
- Subscription: your current plan and billing status, mirrored from Shopify Billing.
What we never collect: customer names, customer emails, customer phone numbers, customer addresses, customer payment details, or any other customer-identifying data from your orders. We don't request the protected-customer-data scopes that would grant access to those fields.
How we use it
- To compute per-staff and per-location sales targets, progress, and commissions.
- To run incentive engines that reward staff for hitting product or revenue thresholds.
- To broadcast time-bounded commission boosts to your POS tiles.
- To surface analytics, leaderboards, and weekly digests for managers.
- To attribute admin actions in audit logs (who edited a target, who scheduled a broadcast).
- To power the Scoreboard POS tile that staff see while they work.
We don't sell your data. We don't share it with advertisers. We don't use it to train ML models.
Where it's stored
- Application data (locations, staff, sales, settings) is stored in a Postgres database hosted by Neon (us-east-1, AWS).
- The application itself runs on Fly.io (primary region: iad).
- Error tracking (when enabled) goes to a third-party error monitor; no customer data is sent.
Retention & deletion
- We retain your data for as long as the app is installed on your shop.
- On uninstall, we mark your shop as uninstalled and stop reading new data immediately.
- When Shopify sends the shop/redact webhook (typically 48 hours after uninstall), we permanently delete your shop's records.
- You can request immediate deletion before the 48-hour window by emailing info@askmario.co.za.
Roles under GDPR
For data within your Shopify shop, the merchant is the data controller and AskMario (via Scoreboard) is the data processor. We process your shop's data only on your documented instructions — installing the app and using its features constitutes that instruction — and only for the purposes described in “How we use it” above.
For EU/UK merchants whose data is transferred to the United States (our hosting subprocessors operate in us-east-1), we rely on the Standard Contractual Clauses (2021/914) for international data transfers. We can provide a signed Data Processing Addendum (DPA) on request — email info@askmario.co.za.
Your rights
Because Scoreboard does not store any customer personal information, the GDPR/CCPA “customer data request” and “customer redact” webhooks we receive from Shopify are no-ops — there's nothing customer-specific to return or delete. We acknowledge each request and confirm there's no data to act on.
For shop-owner data (your contact email, name, etc.) you may:
- Request a copy of what we hold for your shop.
- Request correction of any inaccurate field.
- Request deletion (uninstall + the redact webhook handles this automatically; we can expedite on request).
Security
- All traffic is HTTPS-only.
- OAuth tokens from Shopify are stored encrypted at rest in the database.
- Access to the production database is limited to the engineering team.
- Webhooks are verified using Shopify's HMAC signature.
Cookies
Scoreboard runs as an embedded Shopify admin app. The cookies involved are the standard Shopify session cookies that authenticate you to your shop's admin. We don't set tracking cookies and don't use third-party analytics that cookie your visit.
Subprocessors
- Shopify Inc. — source of order data, hosting of the embedded admin frame.
- Neon — managed Postgres database hosting (us-east-1, AWS).
- Fly.io — application hosting (primary region: iad).
Jurisdiction
AskMario is registered in the Republic of South Africa. Personal information processed under this policy is handled in line with the Protection of Personal Information Act (POPIA, 2013). International merchants' data is processed in the United States (Neon, Fly) — by using Scoreboard you consent to that cross-border transfer.
Changes to this policy
We'll update the effective date at the top of this page when this policy changes. Material changes will be communicated via the merchant contact email on file.
Contact
Privacy questions, deletion requests, or anything else — email info@askmario.co.za.