1. Introduction
Welcome to PingLane (“PingLane”, “we”, “our”, or “us”). PingLane is a web push notification platform that helps Shopify store owners (our “Customers”) send push notifications to their end users (“Subscribers”). This Privacy Policy explains what information we collect, how we use it, the legal bases we rely on, and your rights.
PingLane is available as an app on the Shopify App Store. You access PingLane by installing it on your Shopify store; there is no separate PingLane account registration. By installing and using the PingLane app, you agree to the practices described in this policy.
Controller identity (for GDPR / UK GDPR purposes): PingLane - [full legal entity name, registered address, and company number to be inserted]. Privacy Inbox: [email protected] (also handles EU/UK Article 27 inquiries).
2. Who This Policy Applies To
- Customers are Shopify store owners who install PingLane.
- Subscribers are end users who opt in to receive push notifications from a Customer’s website that uses PingLane.
For Subscriber Personal Data, the Customer is the data controller and PingLane is a data processor / service provider. If you are a Subscriber and have questions about how a specific website uses your data, please contact that website directly. We will forward any request we receive directly to the relevant Customer without undue delay.
For Customer account data, PingLane is the data controller.
3. Information We Collect
3.1 From Customers (Shopify Store Owners)
When you install PingLane on your Shopify store, your account is created automatically using information from your Shopify store. We collect:
- Account information: Name, email address, website URL, and phone number.
- Organization details: Organization name and websites you register on the platform.
- Billing information: Subscription plan and billing cycle. Payments are processed entirely through Shopify’s built-in billing. We do not handle, store, or share payment card data.
- Usage data: Notifications you create, automation workflows, segments, scheduled reminders, and other activity related to your account.
- Communications: Any feedback or support requests you send us.
- Technical data: Device and browser type, dashboard activity logs.
3.2 From Subscribers (End Users of Customer Websites)
When a visitor opts in to push notifications on a Customer’s website, PingLane collects the following on behalf of the Customer:
- Push subscription token: A browser-generated identifier and encryption keys used only to deliver notifications. Not tied directly to a personal identity.
- Device and browser type.
- Approximate location: Country, state/region, and city, derived from the IP address at the time of subscription. We do not store raw IP addresses.
- Timezone.
- Tags: Labels assigned by the Customer to group Subscribers.
- Customer identity: When a Subscriber is logged into the Customer’s website, we store identity information such as their email, phone number, or the Customer’s own customer ID, linked to the subscriber record, for targeting.
- Behavioral data: Pages viewed and items added to cart, when the Customer has automation features turned on; product alert preferences (price drop, back-in-stock).
- Engagement metrics: Whether a notification was delivered, clicked, or led to a purchase.
We do not process special category data (GDPR Art. 9) or “sensitive personal information” (CPRA §1798.140(ae)) for Customer or Subscriber accounts.
3.3 Category Mapping for CCPA/CPRA
| CCPA/CPRA Category | Collected for Customers? | Collected for Subscribers? |
|---|---|---|
| Identifiers (name, email, phone, account ID) | Yes | Limited (identity values if provided by the Customer) |
| Customer records (Cal. Civ. Code §1798.80(e)) | Yes (billing) | No |
| Commercial information | Yes (plans, invoices) | Engagement/attribution |
| Internet/network activity | Yes (dashboard logs) | Yes (notification events, pages viewed when automation is enabled) |
| Geolocation (approximate) | Yes | Yes |
| Professional or employment information | No | No |
| Inferences | Limited (product analytics) | Segment membership as configured by Customer |
| Sensitive Personal Information | No | No |
4. How We Use This Information and Legal Bases (GDPR Art. 6)
4.1 For Customers
| Purpose | Legal basis (GDPR) |
|---|---|
| Setting up and running your account; delivering the Service | Art. 6(1)(b) contract |
| Billing and tax records | Art. 6(1)(b) contract and Art. 6(1)(c) legal obligation |
| Providing analytics and reporting on your notifications | Art. 6(1)(b) contract |
| Account alerts, billing notices, product updates | Art. 6(1)(b) contract |
| Product improvement, security, fraud prevention | Art. 6(1)(f) legitimate interests (balanced against your rights) |
| Responding to legal requests, enforcing policies | Art. 6(1)(c) legal obligation and Art. 6(1)(f) legitimate interests |
4.2 For Subscribers (on behalf of Customers)
We process Subscriber Personal Data on the Customer’s documented instructions and on the legal basis the Customer has established (typically consent under Art. 6(1)(a) obtained via the browser permission prompt). Our processing activities include:
- Delivering push notifications on the Customer’s behalf.
- Segmentation and targeted sends configured by the Customer.
- Automation workflows (cart recovery, welcome, order updates) where the Customer has enabled them.
- Aggregated analytics surfaced to the Customer.
We do not sell Subscriber data and do not use Subscriber data for advertising unrelated to the Customer’s own notifications.
4.3 No Automated Decision-Making
PingLane does not engage in solely automated decision-making, including profiling, that produces legal effects or similarly significantly affects Subscribers within the meaning of GDPR Art. 22.
5. Cookies and Tracking
PingLane uses cookies and similar technologies (like local storage) to ensure our Service works correctly, to maintain security, and to analyze how our dashboard is used.
5.1 Essential and Functional Technologies
We use strictly necessary cookies to manage your authenticated session, protect against cross-site request forgery (CSRF), and remember your dashboard settings. We also add UTM parameters to notification links so Customers can track engagement within their own analytics tools.
5.2 Product Analytics (Microsoft Clarity)
We use Microsoft Clarity on our website and customer dashboard to understand user behavior and improve our platform. Clarity is configured with PII masking and may record navigation patterns and clicks. For users in the EU/UK, these analytics are deployed only after obtaining your consent. For more details, see Microsoft Clarity Privacy and Security.
We do not use advertising cookies or third-party tracking for cross-context behavioral marketing on Subscriber devices.
6. Data Sharing and Recipients
| Recipient type | Purpose |
|---|---|
| Customers | Subscribers’ subscription data and analytics are shared with the Customer whose website they subscribed to. |
| Sub-processors (infrastructure, email) | Running the Service. Current sub-processor list is published in our Data Processing Agreement Annex III. |
| Shopify (billing) | Subscription billing. Payment card data never leaves Shopify’s infrastructure. |
| Legal and regulatory | Where required by law, court order, or to protect the safety of PingLane, our Customers, or others. |
| Corporate transactions | In a merger, acquisition, or asset sale. We will give appropriate notice and honour this policy to the extent legally required. |
We do not sell Personal Information (as defined under the CCPA/CPRA) and do not share Personal Information for cross-context behavioural advertising.
7. Data Storage, Security, and International Transfers
7.1 Storage Location
All data is stored in the United States (Virginia). This applies to every Customer and every Subscriber regardless of where they are in the world.
7.2 No Data Residency
PingLane does not offer data residency options. If you or your Subscribers are in the EU, EEA, UK, or Switzerland, Personal Data will be transferred to and stored in the United States.
7.3 Transfer Mechanisms
To support lawful international transfers, we rely on:
- EU Standard Contractual Clauses (Decision (EU) 2021/914), as incorporated in our Data Processing Agreement.
- The UK International Data Transfer Addendum for transfers from the UK.
- The Swiss FDPIC amendments to the SCCs for Swiss data.
Our DPA includes these clauses and, where required, we conduct Transfer Impact Assessments and apply supplementary measures.
7.4 Security
We protect Personal Data using encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls with MFA, network segmentation, centralized logging and monitoring, annual third-party penetration testing, and documented incident-response procedures. Further detail is provided in Annex II of our DPA. No system is 100% secure; please report any security concerns to [email protected].
7.5 Breach Notification
If a confirmed breach affects your data, we will notify you within 72 hours of becoming aware, with the information we have at that time, and will update you as the investigation progresses. Where required by law, we will also notify regulators and, if applicable, Subscribers.
8. Data Retention
| Data | Retention |
|---|---|
| Customer account data | For the life of the account, then deleted or anonymised within 90 days of closure, except where we are required to retain longer (e.g., tax records, typically 7 years). |
| Subscriber subscription records | For the life of the subscription; marked inactive on unsubscribe; deletable by Customer via dashboard or API. |
| Notification engagement metrics | 24 months in raw form; longer in aggregated, anonymised form. |
| Support communications | 36 months from last interaction. |
| Security and audit logs | Up to 24 months for security and compliance. |
9. Your Rights
Subject to applicable law, you have the following rights:
9.1 Under GDPR / UK GDPR
- Right of access (Art. 15).
- Right to rectification (Art. 16).
- Right to erasure / “to be forgotten” (Art. 17).
- Right to restrict processing (Art. 18).
- Right to data portability (Art. 20).
- Right to object to processing based on legitimate interests (Art. 21).
- Right to withdraw consent at any time, without affecting prior lawful processing.
- Right to lodge a complaint with your supervisory authority (the EDPB maintains a list; UK users may complain to the ICO at https://ico.org.uk/make-a-complaint/).
9.2 Under CCPA / CPRA (California residents)
- Right to know the categories and specific pieces of Personal Information collected.
- Right to delete Personal Information.
- Right to correct inaccurate Personal Information.
- Right to opt out of the sale or sharing of Personal Information (we do neither).
- Right to limit the use and disclosure of sensitive personal information (we do not process SPI for purposes that trigger this right).
- Right to non-discrimination for exercising your rights.
- “Shine the Light” (Cal. Civ. Code §1798.83) - we do not disclose Personal Information to third parties for their direct marketing.
9.3 How to Exercise Your Rights
- Customers may access, update, or delete account data through the PingLane dashboard or by emailing [email protected].
- Subscribers should contact the Customer (the website you subscribed to). You can also unsubscribe at any time through your browser:
  - Chrome: Settings > Privacy and Security > Site Settings > Notifications
  - Firefox: Settings > Privacy and Security > Permissions > Notifications
  - Safari: Preferences > Websites > Notifications
- We will respond within the timeframes required by law (generally 30 days under GDPR; 45 days under CCPA/CPRA, extendable by 45 days with notice).
- You may designate an authorised agent to submit a request, subject to verification.
10. Children’s Privacy
PingLane is available only through the Shopify App Store, which requires all store owners to be at least 18 years old. PingLane is not directed to, and must not be used to process the Personal Data of, children under 13 (US COPPA) or under 16 / the applicable digital-consent age in the user’s Member State (GDPR Art. 8). We do not knowingly collect Personal Data from minors. If you believe we have, please contact us at [email protected] and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Customers of material changes by email or in-dashboard notice at least 14 days before changes take effect. The “Last Updated” date at the top shows when it was last changed. An archive of prior versions is available on request.
12. Contact Us
If you have any questions about this Privacy Policy, please contact us at:
- Customer Support: For technical help or general questions, email [email protected].
- Privacy & Legal: For data-protection matters, exercising your rights, or security inquiries, email [email protected].
For the purposes of Article 27 of the GDPR and UK GDPR, PingLane may be contacted directly at [email protected].
13. Supplemental Jurisdiction-Specific Notices
- Nevada (NRS §603A.340): Nevada residents may opt out of the sale of certain covered information. We do not sell covered information.
- Virginia / Colorado / Connecticut / Utah / Texas (and other US state privacy laws): Residents of these states may have rights analogous to those in Section 9.2. To exercise them, contact [email protected].
- Brazil (LGPD) and Australia (Privacy Act 1988): Where applicable, we will honour equivalent rights on reasonable verified requests.
End of Privacy Policy.
