Privacy Policy
Last updated: 13 March 2026
1. Who We Are
SweetRep is operated by Sweeteo Ltd (Company No. 17058907), registered at 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom.
SweetRep provides an ambassador management platform for Shopify merchants. In this context:
- When processing merchant and ambassador account data for platform operation, Sweeteo Ltd acts as the data controller — we determine the purposes and means of processing.
- When processing end customer order data on behalf of merchants for commission attribution, Sweeteo Ltd acts as a data processor — the merchant is the controller. This relationship is governed by our Data Processing Agreement.
For all privacy-related enquiries, contact us at admin@sweetrep.com.
2. Data We Collect
2.1 Merchant Data
- Email address, business name, and hashed password (registration)
- Shopify store domain and OAuth access token (encrypted at rest)
- PayPal credentials if configured (encrypted at rest)
- Billing and subscription status
Lawful basis: Contract performance (UK GDPR Article 6(1)(b)) — processing is necessary to provide the Service you have signed up for.
2.2 Ambassador Data
- Email address, name, and hashed password
- Bio and social media profile URLs (if provided)
- PayPal email (for payouts)
- Bank account details: account name, account number, and sort code (encrypted at rest)
- UGC submissions (photos, videos, thumbnails)
Lawful basis: Contract performance (UK GDPR Article 6(1)(b)) — processing is necessary to provide the ambassador programme services.
2.3 End Customer and Order Data
- Order amounts, discount codes used, currency, and financial status
- Customer email — collected temporarily for self-purchase fraud detection only
- IP address (truncated) and user-agent from referral click tracking
Lawful basis: Sweeteo Ltd processes this data as a processor on behalf of the merchant (controller), under the terms of our DPA. Where Sweeteo Ltd acts as controller (e.g., for fraud detection and click tracking), the lawful basis is legitimate interests (UK GDPR Article 6(1)(f)) — see our Legitimate Interest Assessments on file.
3. Purpose of Processing
- Commission attribution: Matching orders to ambassador discount codes and referral links to calculate commissions
- Fraud prevention: Comparing customer email against ambassador email to detect self-purchase fraud; customer email is never used for marketing
- Click tracking: Server-side recording of referral link clicks (truncated IP, user-agent, referral code, timestamp) for attribution
- Payouts: Processing ambassador payment details to facilitate commission and UGC bonus payouts
- Platform operation: Analytics aggregation, billing, email notifications, and support
4. Data Retention
We retain personal data only as long as necessary for the purpose it was collected:
| Data Type | Retention Period | Reason |
|---|---|---|
| Financial records (orders, commissions, payouts) | 6 years | HMRC record-keeping requirements |
| Bank account details | 6 years after last payout | HMRC record-keeping requirements |
| Order data (amounts, discount codes) | 6 years | HMRC record-keeping requirements |
| Click tracking data | 90 days | Attribution window |
| Customer email | 30 days (cleared at settlement) | Self-purchase fraud detection only |
| Merchant/ambassador profiles | Duration of account + 30 days | Account deletion processing |
| UGC content | Duration of account + 30 days | Mission lifecycle; deleted after account closure |
| Consent records | 6 years | Legal compliance and audit trail |
5. Security
- Encryption at rest: Sensitive fields (bank details, access tokens, PayPal credentials) are encrypted using AES-256-GCM with dedicated key management
- Encryption in transit: All data transmitted over HTTPS/TLS
- Password hashing: User passwords are hashed with bcrypt and never stored in plaintext
- Access controls: Role-based access control (RBAC); production database access restricted to authorised personnel
- Infrastructure: Hosted on AWS eu-west-2 (London) with managed database services
6. Data Sharing
We do not sell, rent, or share personal data with third parties for marketing purposes. Data is shared only with the following service providers (sub-processors) as necessary to operate the Service:
- Shopify: Via the Shopify API for store integration (order data, discount codes)
- PayPal: To process ambassador payouts when merchants use PayPal as their payout method
- Anthropic: UGC thumbnail images sent for AI content screening
- Resend: Email addresses and names for transactional email delivery (notifications, invitations)
- Amazon Web Services (AWS): Infrastructure, hosting, database, and storage services
A complete list of sub-processors and their roles is maintained in our Data Processing Agreement.
7. International Transfers
Our primary infrastructure is hosted in the UK (AWS eu-west-2, London). However, some of our sub-processors are located in the United States, meaning your personal data may be transferred outside the UK.
We protect international transfers using the following safeguards:
- UK-US Data Bridge: Where a sub-processor is certified under the EU-US Data Privacy Framework and the UK Extension, transfers rely on that certification.
- International Data Transfer Agreement (IDTA): Where a sub-processor is not DPF-certified, or where applicable, transfers are governed by the UK IDTA issued by the ICO, supplemented by a Transfer Risk Assessment.
You may request further details about the specific safeguards applied to any transfer by contacting us at admin@sweetrep.com.
8. Your Rights (UK GDPR)
If you are located in the UK or EU, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your personal data
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Restrict processing in certain circumstances
- Objection: Object to processing based on legitimate interests
- Automated decision-making: Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects
To exercise any of these rights, contact us at admin@sweetrep.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk / 0303 123 1113.
9. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information.
Categories of personal information collected
- Identifiers (name, email address, IP address)
- Financial information (bank account details, PayPal email, payout amounts)
- Commercial information (order data, commission records)
- Internet activity (referral click data, user-agent)
- Audio/visual information (UGC video content)
Purposes
Personal information is collected and used for the business purposes described in Section 3 of this Privacy Policy.
Third parties
Personal information is shared with the service providers listed in Section 6 for the sole purpose of operating the Service.
Do Not Sell
We do not sell personal information and have not sold personal information in the preceding 12 months.
Your California rights
As a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
- Delete: Request deletion of your personal information, subject to legal exceptions
- Non-discrimination: Not receive discriminatory treatment for exercising your privacy rights
- Opt out of sale: We do not sell personal information, so this right is satisfied by default
To exercise these rights, contact us at admin@sweetrep.com. We will confirm receipt within 10 business days and respond substantively within 45 calendar days.
10. Cookies and Tracking
We use only essential cookies (e.g., session tokens stored in localStorage) required for authentication. We do not use tracking cookies or third-party analytics cookies.
Referral click tracking is performed entirely server-side. When a visitor clicks a referral link, we log the truncated IP address, user-agent, referral code, and timestamp on the server. No cookies are set on the visitor's device for this purpose.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to registered users. The "last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or data subject requests, contact us at:
Sweeteo Ltd
71-75 Shelton Street, London, WC2H 9JQ
Email: admin@sweetrep.com