Effective date: April 27, 2026
Last updated: April 29, 2026
Nevin Puri Ventures, LLC ("Linen", "we", "us") respects your privacy. This Privacy Policy explains what personal data we collect, how we use it, and the rights you have over it, in connection with our website (linen.so) and our email marketing platform for Shopify merchants (the "Service").
If you are an End Consumer — someone whose email address was collected by a Shopify merchant using the Service — please also see Section 8 below and refer to the privacy policy of the merchant whose store you interacted with. They are the data controller for that data; we process it on their behalf.
1. Data We Collect
1.1 Merchant account data
When you sign up and use the Service, we collect:
- Email address, name, and authentication identifiers (e.g. Google account ID if you sign in with Google)
- Business name, Shopify store domain, and store metadata you connect via Shopify OAuth
- Payment information (processed and stored by our payment processor Stripe; we do not store full card numbers)
- Communications you send us (support tickets, feedback)
- Product usage (features used, emails generated, campaigns sent)
- Technical data (IP address, user-agent, device type, log timestamps)
1.2 Store data (processed on your behalf)
When you connect a Shopify store, we access and store:
- Product catalog, collections, inventory
- Brand assets (logo, colors, images)
- Order history (aggregated, to improve generation)
- End Consumer email addresses and profile fields (opted-in contacts)
- Send and engagement history (opens, clicks, unsubscribes)
1.3 Cookies and similar technologies
We use first-party cookies and browser storage to operate the Service. The specific items set on Customer storefronts (where End Consumers may encounter them) are:
| Name | Purpose | Lifetime |
|---|---|---|
| _tk_anon | Anonymous visitor identifier (no PII) | 2 years |
| _tk_cid | Identified-contact link, set after popup signup or email-link click | 2 years |
| _tk_queue | localStorage queue of events captured before identification (no PII) | Cleared on identify or reset |
We honor the Global Privacy Control (GPC) signal as a request to opt out of any "sale" or "sharing" of personal information under U.S. state privacy laws. We also honor cookie/permission settings the merchant configures in their Shopify Customer Events panel.
We do not sell personal data and we do not use third-party advertising cookies.
1.4 Data sent to AI subprocessors
To generate email content from your store's brand and catalog, we send a limited set of metadata to OpenAI and Anthropic (listed in §4). We are explicit about what does and does not go to these providers:
Sent to AI providers
- Store name, description, brand voice and style preferences, brand-asset URLs (logo, hero images)
- Product titles, descriptions, tags, and pricing from your selected catalog
- Aggregated, store-level engagement metrics (e.g. average open rate)
- Email content drafts and merchant-supplied prompts
Never sent to AI providers
- End Consumer email addresses, names, phone numbers, or addresses
- Individual order history attributable to a specific person
- Any data that could identify a specific End Consumer
We have configured both OpenAI and Anthropic for zero data retention: data sent in API requests is not stored beyond the immediate request, is not used to train any model, and is not used by the provider for any other purpose. These configurations are reviewed annually.
1.5 Shopify scope justification
When a merchant installs our Shopify app, we request the following Admin API scopes. Each is the minimum needed for the corresponding feature:
| Scope | Used for |
|---|---|
| read_customer_events | Receive Web Pixel checkout-completion events for cart-recovery dedup |
| read_checkouts | Detect started-but-abandoned checkouts to trigger recovery |
| read_customers | Look up existing Shopify customers by email; suppress duplicates |
| write_customers | Push popup signups into the Shopify customer list with consent SUBSCRIBED (Shopify rule 5.6.2) |
| read_discounts, write_discounts | Generate and read welcome / cart-recovery discount codes |
| read_orders | Detect when an abandoned-cart customer has purchased; suppress recovery email |
| read_products | Personalize emails with product context and recommendations |
| read_pixels, write_pixels | Manage the Linen Web Pixel extension that captures storefront events |
2. How We Use Your Data
We process personal data to:
- Provide, maintain, and improve the Service
- Authenticate users and secure accounts
- Process payments and send billing-related communications
- Respond to support requests
- Send product announcements and critical security notices
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Aggregate and anonymize for analytics and model improvement
We do not sell personal data, and we do not use End Consumer data for our own marketing purposes.
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area, United Kingdom, or Switzerland, we process personal data on the following bases:
| Processing | Legal basis |
|---|---|
| Providing the Service to you | Performance of a contract (Art. 6(1)(b)) |
| Billing | Performance of a contract / legal obligation |
| Security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Product improvement | Legitimate interest |
| Marketing emails from us | Consent (where required) / legitimate interest |
| Compliance with law | Legal obligation (Art. 6(1)(c)) |
You may withdraw consent or object to legitimate-interest processing at any time — see Section 7.
4. Third-Party Subprocessors
We use the following third-party services to operate the platform. Each of these receives only the data necessary for its function and is bound by contract to protect it:
| Subprocessor | Purpose | Data region |
|---|---|---|
| Supabase | Database + authentication | US |
| Vercel | Hosting | US / global edge |
| Stripe | Payment processing | US |
| Resend | Transactional + marketing email delivery | US |
| Trigger.dev | Background job runner | US |
| OpenAI / Anthropic | AI email generation | US |
| Google OAuth | Authentication | US / global |
| Shopify | Store integration | Varies |
| Cloudflare | CDN, DDoS protection | Global edge |
We will provide at least 30 days' notice before adding or replacing a subprocessor that processes personal data. The list above is the current and authoritative version; updates appear here.
5. International Transfers
If you are located outside the United States, your data will be transferred to and processed in the US. For transfers from the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses (and UK Addendum or Swiss equivalents where applicable).
6. Data Retention
- Account data: for the life of your account, then up to 30 days after termination unless required by law
- Payment records: 7 years (tax/accounting compliance)
- Store data and End Consumer data: for the life of your account; deleted within 30 days of account termination (with backups purged within 90 days)
- Logs and security records: up to 12 months
- Marketing opt-outs: retained indefinitely to honor unsubscribes
You can request earlier deletion at any time (see Section 7).
7. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Data portability — receive your data in a machine-readable format
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email hello@linen.so from the address associated with your account. We will respond within 30 days (extendable to 90 days for complex requests).
For data portability specifically, on request we will export your account data, contacts, segments, flow definitions, and engagement history in CSV or JSON format and deliver it within 30 days. If you have an active account, you can also export contacts and engagement history directly from the dashboard at any time.
8. End Consumer Data
When a Shopify merchant uses the Service to send email to its customers:
- The merchant is the data controller for that customer data
- Linen is a data processor, acting only on the merchant's documented instructions
- Our processing is governed by a Data Processing Agreement with the merchant
8.1 What data we receive on the merchant's behalf
When you visit a merchant's Shopify storefront and our popup is loaded, we may set the cookies described in §1.3 and receive:
- Pageview metadata (URL, page title, referrer)
- Cart contents when you add to cart (product IDs, prices, quantities)
- Your email address if you submit our popup or click a tracked email link
- Your checkout completion via Shopify's Web Pixel sandbox (email, order ID, line items, totals) — only when the merchant has configured a Linen custom pixel in their Customer Events settings, and only when permitted by the merchant's pixel-permission settings and your Customer-consent state
We process this data exclusively for the merchant whose storefront you visited. We do not aggregate it across merchants and we do not use it for our own marketing. Data is partitioned per-merchant in our database.
8.2 Honoring Shopify's compliance webhooks
Linen automatically honors Shopify's GDPR compliance webhooks within the timelines required by Shopify and applicable law:
- customers/data_request — we provide all data we hold for the identified customer to the merchant within 30 days of receipt
- customers/redact — we delete the identified customer's data within 30 days of receipt
- shop/redact — we delete all data for the shop within 30 days of receipt (Shopify sends this 48 hours after uninstall and 30 days without reinstall)
These webhook handlers run regardless of your Linen account's status — you do not need to do anything for them to be processed.
8.3 Direct requests from End Consumers
If you are an End Consumer (you received an email through the Service) and want to exercise a privacy right, please contact the merchant whose store you interacted with. They control the data. We will forward requests to them on a best-effort basis if you contact us at hello@linen.so.
All marketing email sent through Linen includes a working unsubscribe link, honored immediately and retained indefinitely to prevent re-emailing.
9. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell
- Request deletion of personal information
- Opt out of the "sale" or "sharing" of personal information (we do not sell personal information)
- Correct inaccurate personal information
- Limit use of sensitive personal information
- Non-discrimination for exercising these rights
To exercise CCPA rights, email hello@linen.so with "CCPA Request" in the subject line. We may verify your identity before fulfilling.
10. Marketing Email Compliance (CAN-SPAM & CASL)
All marketing email we send — or that our merchant customers send through the Service — complies with the CAN-SPAM Act and, where applicable, the Canadian Anti-Spam Legislation (CASL). Every such message includes:
- Accurate sender identification
- A valid physical postal address
- A clear, one-click unsubscribe link that works for at least 30 days
Merchants using the Service agree to honor opt-outs within 10 business days and to obtain proper consent before adding contacts to their lists.
11. Children
The Service is not directed to children under 13 (or the equivalent minimum age in the relevant jurisdiction). We do not knowingly collect personal data from children. If we learn we have, we will delete it.
12. Security
We implement industry-standard technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 via Supabase)
- Access controls and least-privilege principles for our team
- Secure password hashing (bcrypt/argon2 via Supabase Auth)
- Regular backups with encryption
- Logging and monitoring for anomalous activity
No system is 100% secure. If a breach occurs that affects your data, we will notify you without undue delay as required by law.
13. Other Disclosures of Personal Data
In addition to the subprocessors listed in §4, we may disclose personal data in the following limited circumstances:
- Business transfers. If Linen is involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of its assets, or in the unlikely event of bankruptcy, personal data may be transferred to the surviving or successor entity. We will notify affected users by email or prominent notice in the Service before any data becomes subject to a different privacy policy.
- Legal compliance and enforcement. We may disclose personal data when we believe in good faith that disclosure is required by law (e.g., subpoena, court order), necessary to enforce our Terms of Service or other agreements, or appropriate to protect the rights, property, or safety of Linen, our users, or others. This includes exchanging information for fraud protection, abuse prevention, and security investigation.
- Professional advisors. We may share personal data with our lawyers, accountants, auditors, or insurers under written confidentiality obligations where reasonably necessary for the operation of our business.
- With your consent. We may share personal data with third parties when you direct us to or otherwise affirmatively consent.
Aggregated or de-identified information that cannot reasonably be used to identify an individual may be shared more broadly (e.g., with potential business partners, in marketing materials, or in industry benchmarks).
14. Changes
We may update this Privacy Policy. Material changes will be notified via email or prominent notice in the Service at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent change.
15. Contact
Questions about this Privacy Policy, or to exercise your privacy rights:
Nevin Puri Ventures, LLC
Data Protection Contact: hello@linen.so
8 The Green, Suite 20632
Dover, DE 19901