Privacy Policy - Hreflang Tags
Last updated: February 24, 2026
Data controller for the Hreflang Tags app: Unwrite, based in Australia. For privacy inquiries relating to this app, contact [email protected].
This privacy policy applies solely to the Hreflang Tags Shopify app. It does not apply to the unwrite.co website or any other Unwrite product or service.
The short version: Hreflang Tags has no ad pixels, no Google Analytics, no Microsoft Clarity, no Facebook tracking, and no third-party analytics scripts of any kind. We do not profile you, retarget you, or share your data with advertisers. Any internal analytics we collect are used solely by Unwrite to improve the app and are never shared outside the business. Unwrite makes money by building useful Shopify apps - not by harvesting or selling data.
This reflects how Unwrite operates across everything we build. Our free web tools (such as our PDF editor and image converter) process your files entirely in your browser - nothing is uploaded to our servers, and we cannot see, access, or track your content. We apply the same privacy-first principle to Hreflang Tags: we collect only what the app needs to function, nothing more.
This policy explains what data the Hreflang Tags app collects, how we use it, and your rights regarding that data. We wrote this in plain language because nobody should need a lawyer to understand how their data is handled.
Hreflang Tags is a Shopify app built by Unwrite. It manages hreflang tags across single and multi-store setups to help your international stores appear correctly in search engine results.
Given the nature and scale of the Hreflang Tags app's data processing, a Data Protection Officer has not been appointed for this app. Privacy inquiries relating to this app should be directed to [email protected].
Shopify Platform
Hreflang Tags operates within the Shopify platform. Shopify independently processes certain data - including billing, payments, platform analytics, and its own cookies - under Shopify's own privacy policy. This policy covers only what the Hreflang Tags app itself collects and processes.
What We Collect
Store Data (via Shopify OAuth)
When you install Hreflang Tags, Shopify grants us access to specific data based on the permissions you approve via Shopify's OAuth flow. We collect and store:
- Shop identifiers - your shop domain, myshopify domain, and shop name
- Access tokens - encrypted at rest and stored securely. These tokens let us read and write the data needed to manage your hreflang tags.
- Shopify Markets configuration - your regions, domains, and locale settings, so we can generate correct hreflang tags for each market
Resource Data (synced via Shopify API)
We sync a limited set of resource data via the Shopify Admin API to build hreflang tag mappings across your stores:
- Products - title, handle, SKU, and barcode only. We do NOT sync pricing, inventory levels, or full variant data.
- Collections - title and handle
- Pages, blogs, and articles - title and handle
- Metaobjects - type and handle (only web-page-enabled types)
- Theme files - we read and patch your theme layout file only, to inject hreflang tags. We create a backup before any modification and support full rollback.
Team Member Accounts (provided directly by you)
If you or your team members create an Unwrite account (for non-Shopify users who need access to the app):
- Email address - used for login and workspace invitations
- Password - securely hashed before storage. We never store plaintext passwords.
- Workspace membership and role - which workspace you belong to and your permission level (owner, admin, editor, or viewer)
- Session tokens - hashed before storage. The raw token is only stored in your browser cookie.
How Data Is Held
Data is stored on cloud infrastructure located in Singapore and the United States. See the Third-Party Services section for a breakdown by provider. Sensitive credentials (access tokens, passwords, session tokens) are encrypted or hashed before storage.
What We Explicitly Do NOT Collect
This is important, so we want to be clear:
- No customer data. We never access, store, or process your customers' names, email addresses, physical addresses, phone numbers, or payment information. Our Shopify access scopes do not include customer or order data.
- No order data. We have no access to orders, transactions, or financial information.
- No inventory or pricing data. We read product titles, handles, SKUs, and barcodes - nothing else.
- No tracking pixels or analytics on your storefront. We do not inject any tracking code, analytics scripts, or cookies into your online store. The only thing we add to your theme is the hreflang meta tags themselves.
- No data sold to third parties. We do not sell, rent, or trade your data.
How We Use Your Data
Everything we collect serves one purpose: generating and maintaining correct hreflang tags across your stores.
Processing Activities and Lawful Basis
Under UK GDPR, the Hreflang Tags app relies on Legitimate Interests (Article 6(1)(f)) as the lawful basis for all processing described in this policy. The legitimate interest is providing the hreflang tag management service you installed and authorised. We have assessed that this processing is necessary for the service, is expected by merchants who install the app, and does not override your rights or freedoms given the limited, non-sensitive nature of the data involved.
| Data | Purpose | Lawful Basis |
|---|---|---|
| Store data and access tokens | Authenticate API calls, read resources, publish hreflang metafields | Legitimate Interests |
| Resource data | Match resources across stores and compute correct hreflang alternate URLs | Legitimate Interests |
| Markets configuration | Determine language and region combinations for hreflang tags | Legitimate Interests |
| Theme files | Patch theme layout with hreflang rendering code and remove conflicting tags | Legitimate Interests |
| Team member accounts | Enable authorised team access without Shopify admin | Legitimate Interests |
| Session cookie | Authenticate team member login sessions | Legitimate Interests (also PECR-exempt as strictly necessary) |
Automated decision-making: We do not use your data for automated decision-making or profiling.
Cookies
We use one cookie:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie | Authenticates team member login sessions | 30 days (sliding window) | HttpOnly, Secure, first-party |
This cookie is strictly necessary for the app to function and is exempt from consent requirements under the UK Privacy and Electronic Communications Regulations (PECR).
We do not use third-party cookies, tracking cookies, or advertising cookies. Shopify may set its own cookies within the Shopify admin; those are governed by Shopify's privacy policy.
Third-Party Services
We use the following services to operate the app. Each service only receives the minimum data necessary for its function:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Shopify | Authentication and API access | Store data and resource data as described above | Global (per Shopify) |
| Cloud database provider | Primary data storage | All app data as described in this policy | Singapore |
| Cloud hosting provider | Application hosting | Data in transit during request processing | Singapore |
| Transactional email provider | Email delivery | Recipient email addresses, for workspace invitations and sign-in links only | United States |
| Crisp | Live chat support widget | Your email and name (if provided) when you open a support chat. Only loaded inside the app, never on your storefront. | EU |
Shopify independently processes billing and payment data under its own privacy policy. We do not receive or store your payment card details.
We do not use any analytics, advertising, or data broker services.
Data Retention
- Active stores - your data is retained for as long as the app is installed and your workspace is active
- Access tokens - retained only while the app is installed on your store
- Session tokens - expire after 30 days of inactivity
- Audit logs - retained for 30 to 365 days depending on your plan, then automatically purged
- After uninstall - when you uninstall the app, we immediately mark your shop as inactive and remove it from its workspace. Shopify then sends us a mandatory data deletion webhook, at which point we permanently delete all data associated with your shop. This deletion is irreversible.
- Team member accounts - if your account is no longer associated with any workspace (orphaned), it is retained until you request deletion by emailing us
Data Deletion
Automatic (on app uninstall)
When you uninstall Hreflang Tags from Shopify:
- We attempt to remove our theme patch from your published themes
- Your shop is removed from its workspace and marked as uninstalled
- Remaining stores in the workspace are republished to remove stale hreflang alternates pointing to your store
- Shopify sends a data deletion webhook, and we permanently delete all your shop data
On request
You can request deletion of your data at any time by emailing [email protected]. We will process your request within 30 days.
GDPR compliance
We handle all mandatory Shopify GDPR webhooks. We hold no customer personal data, so customer data requests and redaction requests are confirmed as having no applicable data. Shop data deletion requests trigger a complete removal of all associated data.
Data Security
We take the following measures to protect your data:
- Encryption at rest - sensitive credentials are encrypted before database storage
- Encryption in transit - all connections use HTTPS/TLS
- Password security - team member passwords are hashed using industry-standard algorithms before storage
- Session security - session tokens are hashed before storage. Raw tokens are only held in HttpOnly, Secure cookies.
- Rate limiting - all API endpoints are rate-limited to prevent abuse
- Tenant isolation - all data access is scoped to your workspace. One workspace cannot access another workspace's data.
- Webhook verification - all incoming Shopify webhooks are cryptographically verified
Your Rights
Depending on where you are located, you may have the following rights regarding the data the Hreflang Tags app holds about you:
General Rights (All Jurisdictions)
- Access - request a copy of the data we hold about you
- Correction - request correction of inaccurate data
- Deletion - request deletion of your data (or uninstall the app for automatic deletion)
- Portability - request your data in a portable format
- Objection - object to our processing of your data
- Restriction - request that we limit how we use your data
To exercise any of these rights, email [email protected]. We will respond within 30 days.
UK and EEA
- Right to withdraw consent - we currently rely on Legitimate Interests rather than consent for all processing, so this right does not apply in practice. If that changes, we will update this policy.
- Right to complain to a supervisory authority - you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local EEA data protection authority.
Australia
If you believe we have breached the Australian Privacy Principles, you may lodge a complaint:
- Email [email protected] with details of your complaint
- We will acknowledge your complaint within 7 days
- We will investigate and respond within 30 days
- If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
You have the right to request access to and correction of your personal information. If we refuse a request, we will provide written reasons.
California and United States
Do Not Sell or Share: We do not sell personal information. We do not share personal information for cross-context behavioural advertising. Because we never sell or share your data, no opt-out mechanism is required.
Categories disclosed for a business purpose (preceding 12 months): identifiers (shop domain, email address) and internet activity information (resource handles, session data), disclosed only to the service providers listed in the Third-Party Services section above.
- Right to know - you may request what data we collect and how we use it
- Right to delete - you may request deletion of your personal information
- Right to non-discrimination - we will not discriminate against you for exercising any privacy right
- Authorised agents - you may designate an authorised agent to make privacy requests on your behalf. We will require verification of the agent's authority.
- Do Not Track - the app does not respond to Do Not Track browser signals. However, we do not track users across third-party websites or services.
International Data Transfers
The app's infrastructure is hosted in Singapore and the United States. If you are located outside these countries, your data will be transferred to and processed in one or both of these locations. See the Third-Party Services section for a per-provider breakdown.
UK and EEA: We rely on the UK International Data Transfer Agreement (UK IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses, together with the data processing agreements of our infrastructure providers, for lawful transfer of data from the UK and EEA.
Australia: In accordance with Australian Privacy Principle 8, we take reasonable steps to ensure that overseas recipients in Singapore and the United States handle your personal information in accordance with the Australian Privacy Principles.
Children's Privacy
Hreflang Tags is a business tool for Shopify merchants. We do not knowingly collect data from anyone under 16. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it.
Changes to This Policy
We may update this privacy policy as the Hreflang Tags app evolves. When we do, we will update the "Last updated" date at the top. For significant changes that affect how the app processes your data, we will notify you via the app or by email.
Contact Us
The Hreflang Tags app is built by Unwrite, based in Australia. If you have questions about this privacy policy or how the app handles your data:
- Email: [email protected]
- Live chat: Available inside the Hreflang Tags app
- Website: unwrite.co
For jurisdiction-specific complaint procedures, see the Your Rights section above.