Privacy Policy

Last updated: 19 May 2026
Provider: Justino Ltd (t/a NOPE), a company registered in England and Wales (company number 17215901), with registered office at 66 Paul Street, London, EC2A 4NA.
Contact: nope@soarez.org

This Privacy Policy explains how NOPE ("the App", "we", "our") collects, uses, stores, and shares personal data when you install or use NOPE on your Shopify store. It also describes the rights of individuals whose data is processed by the App.

NOPE is developed and operated by Justino Ltd, a company registered in England and Wales. We take our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 seriously.

1. Who We Are and Our Role

NOPE is an independent Shopify app that filters and manages contact form submissions on behalf of merchants. In providing this service:

We act as a data processor in relation to personal data submitted through your store's contact forms (your customers' data). You, as the merchant, are the data controller for that data.
We act as a data controller in relation to the merchant account data you provide to us when installing and using the App.

This distinction is important. Where we act as your data processor, we only process customer data on your documented instructions and in accordance with the data processing terms incorporated by reference into the contractual relationship between Justino Ltd and the merchant via the Shopify App Store listing and the provisions set out in this Privacy Policy.

2. What Data We Collect

2a. Contact Form Submission Data (End-User Data)

When a visitor submits a contact form on your Shopify store, NOPE receives and processes the following data:

Data Field	Purpose	Stored?
Name	Spam classification input	Yes, up to 30 days
Email address	Spam classification input	Yes, up to 30 days
Phone number	Spam classification input (if present)	Yes, up to 30 days
Message body	Spam classification input	Yes, up to 30 days
Submission timestamp	Audit trail & filtering context	Yes, up to 30 days

2b. Merchant Store Data

To improve the accuracy of our spam classifier, we also access and process the following data from your Shopify store:

Data Field	Purpose	Stored?
Store owner name	Classifier context enrichment	Yes, up to 30 days
Store owner email	Classifier context enrichment	Yes, up to 30 days
Store owner phone	Classifier context enrichment	Yes, up to 30 days
Store physical address	Classifier context enrichment	Yes, up to 30 days
Product catalogue (names & descriptions)	Classifier context enrichment	Yes, up to 30 days

This context helps the classifier understand what your business does, so it can better distinguish genuine enquiries from spam.

3. How We Use Your Data

We process data for the following purposes and on the following legal bases under UK GDPR:

Purpose	Legal Basis
Classifying contact form submissions as spam or legitimate	Performance of contract (Art. 6(1)(b)) — necessary to provide the App's core service
Storing submissions for display in the merchant dashboard	Performance of contract (Art. 6(1)(b))
Enriching classifier context using merchant store data	Legitimate interests (Art. 6(1)(f)) — to improve accuracy of the service
Responding to support or deletion requests	Legal obligation / legitimate interests
Complying with applicable laws	Legal obligation (Art. 6(1)(c))

We do not use personal data for advertising, marketing profiling, or any purpose unrelated to spam filtering and the operation of the App.

4. How We Process Data: Our Technology

NOPE uses a combination of two in-house techniques to classify submissions:

Keyword rule-based filtering: a set of configurable rules that flag common spam patterns.
Large Language Model (LLM) inference: submission data is sent to one or more AI inference providers for classification. We use a rotating pool of providers including Groq, Cerebras, DeepInfra, OpenRouter, and Google Gemini.

When a submission is sent to an LLM inference provider for classification, it is transmitted securely over TLS. These providers act as sub-processors under our instructions. We do not permit them to use submission content to train their models (where contractually available) and we select only providers with appropriate data protection terms.

Please note that several of these providers are based outside the United Kingdom (primarily in the United States). See Section 7 for details on international data transfers.

5. Data Retention

We retain all personal data processed by the App (contact form submissions and associated merchant context) for a maximum of 30 days from the date of collection.

After 30 days, data is automatically and permanently deleted from our systems. This applies to both spam-classified and legitimate submissions.

If you uninstall the App, your data will be deleted within 30 days of uninstallation, or sooner upon request.

6. Data Storage and Security

All data is stored on servers hosted by Hetzner Online GmbH, located in Germany (European Economic Area). Hetzner acts as our infrastructure sub-processor.

We implement the following security measures to protect personal data:

All data in transit is encrypted using TLS 1.2 or higher.
Data at rest is stored on encrypted volumes.
Access to stored data is restricted to authorised systems only.
No human access to individual submission content except where strictly necessary for support purposes.

7. International Data Transfers

Our primary data storage is within the EEA (Germany via Hetzner), which is a recognised adequate country under UK GDPR. However, when processing submissions using LLM inference providers, data may be transferred to the United States or other countries outside the UK/EEA.

We rely on the following safeguards for such transfers:

Standard Contractual Clauses (SCCs) or equivalent mechanisms where required by the provider's data processing terms.
Selection of providers that participate in UK-approved or equivalent data transfer frameworks.

If you require a list of the specific transfer mechanisms in place for each inference provider, please contact us at nope@soarez.org.

8. Data Sharing and Sub-Processors

We share personal data only with the following categories of third parties, all acting as our sub-processors:

Sub-Processor	Category	Location	Purpose
Hetzner Online GmbH	Hosting provider	Germany (EEA)	Data storage and app infrastructure
Groq, Inc.	LLM inference provider	USA	AI-based spam classification
Cerebras Systems	LLM inference provider	USA	AI-based spam classification
DeepInfra	LLM inference provider	USA	AI-based spam classification
OpenRouter	LLM inference provider	USA	AI-based spam classification
Google LLC (Gemini)	LLM inference provider	USA	AI-based spam classification

We do not sell personal data. We do not share data with any third party for their own marketing or profiling purposes.

9. Your Rights

Merchant Rights

As a merchant, you have the following rights under UK GDPR:

Right of access — request a copy of data we hold about you or your store.
Right to rectification — request correction of inaccurate data.
Right to erasure — request deletion of your data at any time. We will process deletion requests within 30 days.
Right to restriction — request that we limit processing of your data.
Right to data portability — request your data in a structured, machine-readable format.
Right to object — object to processing based on legitimate interests.

To exercise any of these rights, contact us at nope@soarez.org. We will respond within 30 days.

End User (Contact Form Submitter) Rights

If you are an individual who submitted a contact form on a merchant's Shopify store, please be aware that:

The merchant whose store you contacted is the data controller for your submission.
NOPE acts only as their data processor.
Rights requests (access, deletion, etc.) should be directed to the relevant merchant in the first instance.
If a merchant asks us to delete your data on your behalf, we will do so promptly.

10. Cookies and Tracking

NOPE does not use cookies or any client-side tracking technologies on end users' browsers. The App operates entirely server-side.

11. Children's Data

NOPE is not directed at children under 13. We do not knowingly process personal data from children. Contact form submissions that appear to originate from children will be treated no differently to other submissions, but we do not take any additional steps to solicit or retain such data.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the App's functionality, legal requirements, or sub-processors. When we make material changes, we will notify merchants via the Shopify admin interface or by email.

The most current version of this policy will always be available at the App's listing page on the Shopify App Store and/or our support website.

13. Contact and Complaints

For any privacy-related questions, requests, or concerns, please contact:

Data Controller: Justino Ltd (t/a NOPE)
Company number: 17215901
Registered office: 66 Paul Street, London, EC2A 4NA, United Kingdom
Email: nope@soarez.org

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Website: https://ico.org.uk
Telephone: 0303 123 1113