Privacy

Culsin Privacy

Effective date: May 16, 2026

Culsin is an app studio operated by HELTRA LLC. We publish several Shopify apps, each handling a different kind of data: customer applications, sales aggregates, or anonymous storefront events. Because the data shapes differ, each app has its own privacy policy tailored to what it actually collects and stores.

This page is the index of those per-app policies. It also collects the commitments that apply across every Culsin app: who we are, how we handle data subject requests, how we notify merchants of changes, and the legal frameworks we operate under.

Per-app policies

  • B2B Registration Form & Approval →

    Collects named customer applications (name, email, company, VAT/tax ID, country, custom fields). Validates VAT/tax IDs against external registries. Closest data subject: wholesale applicant.

  • RankRobin →

    Aggregates order and product data into per-product daily sales totals for collection sorting. Stores no customer names, emails, addresses, or any other identifiable shopper information.

  • Simple Split Testing →

    Sets first-party cookies on the storefront to keep visitors in stable A/B variants. Forwards storefront events (page views, cart adds, checkout steps, orders) via a web pixel. No customer name or email is read or stored.

Who we are

HELTRA LLC
254 Chapman Rd, Ste 208 #17026
Newark, Delaware 19702, United States

Privacy inquiries: privacy@culsin.com

Shared sub-processors

The following sub-processors are used by every Culsin app to deliver the service. Each per-app policy may name additional sub-processors specific to that app.

  • Turso (ChiselStrike, Inc.) - primary database (LibSQL), hosted on AWS infrastructure. Stores app-specific data per shop. Encrypted at rest.
  • Cloudflare, Inc. - hosts the app backends and this website. Provides edge networking, request routing, and (for some apps) R2 object storage and KV.
  • Mantle (Charged Commerce, Inc.) - billing and subscription management for paid plans. Receives shop domain and plan identifiers; does not receive merchant-customer or shopper data.
  • Axiom, Inc. - application logging for debugging and incident response. Receives shop domains and request metadata; does not receive personally identifiable customer or shopper data.

Sub-processor changes

When we add a new sub-processor that processes merchant data, we update the relevant policy at least 7 days before the new processor begins handling data. Material changes are also surfaced inside the app admin where appropriate. Continued use of the app after a change constitutes acceptance.

Data retention

App data is retained for as long as the app is installed. When an app is uninstalled, all data for that shop is permanently deleted within 48 hours, in line with Shopify's GDPR requirements. Per-customer erasure requests are honoured within 30 days of receipt.

Data subject rights

Each Culsin app honours Shopify's three mandatory GDPR webhooks: customers/data_request, customers/redact, and shop/redact. The per-app policy describes how each is handled for that app's data model.

If you are a customer of a Shopify store using a Culsin app and want to exercise your rights (access, deletion, portability, restriction, objection), contact the merchant first. If you cannot reach them, contact us at privacy@culsin.com and we will respond within 30 days.

International transfers

HELTRA LLC is incorporated in Delaware, USA. Some of our sub-processors operate in multiple regions. Where we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss addenda. A Data Processing Addendum (DPA) incorporating the SCCs is available on request - email privacy@culsin.com.

California (CCPA / CPRA)

California residents have the right to know what personal information we hold about them, request its deletion, correct inaccurate information, and limit the use of sensitive personal information. We do not sell or share personal information for cross-context behavioural advertising. To exercise these rights, contact privacy@culsin.com. We do not knowingly collect personal information from minors under 16.

Security and incident response

We maintain administrative, technical, and physical safeguards proportionate to the sensitivity of the data we process. Data in transit is encrypted via TLS; data at rest is encrypted by our database and storage providers.

If we become aware of a security incident affecting merchant or shopper data, we will notify affected merchants without undue delay and, where required, within the statutory timeframes (72 hours under GDPR Article 33). The notification will describe the nature of the incident, the data involved, the steps we are taking, and any actions the merchant should consider.

Policy changes

We update these policies as our services evolve, sub-processors change, or regulation requires it. Material changes - new categories of data, new sub-processors, changes in retention - are announced at least 7 days in advance via the relevant policy page and, where appropriate, inside the app admin. The effective date at the top of each policy reflects the most recent update.

Contact

privacy@culsin.com