Privacy Policy

Last updated: April 1, 2026

We take privacy seriously and we keep this policy plain-language so you can actually read it. Here's what we collect, why, who we share it with, and how to exercise your rights.

On this page14 sections
  1. 01Overview
  2. 02What we collect
  3. 03How we use your data
  4. 04Legal bases for processing
  5. 05How we share data
  6. 06International transfers
  7. 07Data retention
  8. 08Your rights
  9. 09Shopper data we process
  10. 10Cookies and tracking technologies
  11. 11Security
  12. 12Children's privacy
  13. 13Changes to this policy
  14. 14Contact us

Effective date: April 1, 2026

Document version: 3.0

This policy supersedes any prior version. The current version always lives at quoli.io/privacy-policy. Cookie practices are covered in section 10. For GDPR-specific obligations, see our GDPR Compliance page.

1. Overview

Quoli, Inc. ("Quoli", "we", "us") provides a software platform that helps Shopify merchants collect and display customer reviews, photo and video user-generated content, and Questions. This Privacy Policy explains what personal data we collect, how we use it, and the rights you have over it.

Two distinct relationships are governed by this policy:

  • Merchants: Shopify store owners and their team members who use Quoli. We act as a controller for the personal data we collect about you directly.
  • Shoppers: End consumers of merchants who use Quoli. When a shopper submits a review, photo, or question on a merchant's storefront, we process that data as a processor on behalf of the merchant.

2. What we collect

From merchants directly

  • Account information: name, email address, store URL, phone number (if provided), billing details (handled by Shopify).
  • Usage data: dashboard activity, feature usage, support interactions, IP address, browser, device information.
  • Communications: emails, chat transcripts, and survey responses you send us.

From Shopify on behalf of merchants

  • Order data: order ID, fulfillment date, products purchased, customer email, customer name. We use this to send review request emails and to attribute reviews to verified buyers.
  • Product catalog: product titles, descriptions, images, SKUs, variants. We use this to render review widgets and to power AI-assisted features.
  • Theme metadata: required to deliver our Theme App Extension widgets.

From shoppers (on behalf of merchants)

  • Review content: star rating, review text, photos, videos, reviewer name, reviewer email, optional location.
  • Questions content: questions and answers submitted on product pages.
  • Engagement data: votes, helpful flags, replies, sharing actions.

3. How we use your data

  • To provide, maintain, and improve the Service.
  • To send transactional emails (review requests, reminders, replies, billing confirmations).
  • To respond to support requests and fix issues.
  • To prevent fraud, abuse, and security incidents.
  • To send marketing communications about Quoli (you can opt out at any time).
  • To comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.

We do not sell personal data. We do not share customer data with third parties for their own marketing purposes. We do not use shopper data to train cross-merchant AI models without explicit consent.

Where the General Data Protection Regulation (GDPR) applies, we rely on the following legal bases:

  • Contract: processing necessary to provide the Service to merchants under our agreement.
  • Legitimate interest: processing to improve the Service, prevent fraud, secure our infrastructure, and conduct limited marketing to existing merchants.
  • Consent: processing of shopper review submissions, photo / video uploads, and any optional features the shopper opts into.
  • Legal obligation: processing required by law, court order, or regulatory request.

5. How we share data

We share personal data with a limited set of third parties, only where necessary:

  • Sub-processors: cloud infrastructure (AWS, Google Cloud, MongoDB Atlas, Cloudflare), email delivery (Amazon SES), AI inference (Anthropic), monitoring and analytics (Sentry), customer support (Intercom), partner program (Mantle), and commerce / billing (Shopify). The complete current list with each vendor's purpose, location, and the categories of data they process is published in section 9 of our GDPR Compliance page.
  • Integrations you enable: Klaviyo, Meta, Google, and other platforms you choose to connect via the Quoli Integrations panel. Data shared with these platforms is governed by their own privacy policies.
  • Legal compliance: when required by law, valid legal process, or to protect the rights, property, or safety of Quoli, our merchants, or others.
  • Business transfers: in connection with a merger, acquisition, or sale of assets. We will notify you and offer a way to delete your data before any transfer takes effect.

6. International data transfers

Quoli is headquartered in the United States. Personal data we collect is stored and processed in the United States and, in some cases, in the European Union or other regions where our sub-processors operate. When data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses approved by the European Commission and equivalent UK and Swiss mechanisms.

7. Data retention

We retain personal data only as long as needed for the purposes described in this policy, or as required by law. Our retention rules are deliberately short:

  • Active merchant data: retained for the duration of your subscription.
  • After uninstallation or cancellation: all merchant data, including orders, account information, reviews, photos, videos, Questions, and any associated personal data is permanently deleted from our systems within 30 days. This includes backups. We do not maintain any archive beyond 30 days. If you reinstall after the 30-day window, you will start with an empty Quoli account.
  • Review and UGC content: retained for as long as the merchant requires it to be displayed, or until the shopper requests deletion. Deleted on uninstallation per the rule above.
  • Billing and tax records: retained for the period required by applicable tax law (typically 7 years), in a separate financial system isolated from operational data.
  • Marketing site analytics: aggregated, anonymized data retained for up to 90 days; no personal data.

To export your data before the 30-day deletion window closes, email support@quoli.io within the 30-day window after uninstallation.

8. Your rights

Depending on where you live, you may have the following rights over your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: ask us to correct inaccurate or incomplete data.
  • Deletion: ask us to delete your data, subject to our legal retention obligations.
  • Portability: receive your data in a machine-readable format.
  • Object: object to processing based on legitimate interest, including marketing.
  • Withdraw consent: where we rely on consent, withdraw it at any time.
  • Lodge a complaint: with your local data protection authority.

To exercise any of these rights, email support@quoli.io. We will respond within 30 days. If you are a shopper, you should generally direct your request to the merchant whose store you submitted data to; we will assist the merchant in responding.

9. Shopper data we process for merchants

When a shopper submits a review on a merchant's storefront, we process the submission on behalf of the merchant under the merchant's privacy policy. Our role is that of a processor (GDPR) or service provider (CCPA). We do not use shopper data for our own marketing purposes and we do not sell shopper data.

If you are a shopper and want to access, correct, or delete a review you submitted, contact the merchant directly. The merchant can act on your request through their Quoli dashboard. If you cannot reach the merchant, email support@quoli.io and we will assist.

10. Cookies and tracking technologies

This section explains every cookie or similar technology (local storage, session storage, pixel tags) used on quoli.io and on merchant storefronts running Quoli widgets. We deliberately keep our cookie footprint minimal.

10.1 What are cookies?

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work, to remember user preferences, and to provide aggregated information to site operators. We treat similar technologies (local storage, pixel tags) the same way for purposes of this policy.

10.2 Cookies on quoli.io (the marketing site)

We use a small, deliberately limited set of cookies. We do not run third-party advertising cookies, retargeting pixels, or marketing trackers on quoli.io.

  • Strictly necessary: quoli_session (maintains your dashboard session, expires on logout or after 30 days inactivity) and quoli_csrf (protects form submissions from cross-site request forgery, session-only). These cannot be disabled.
  • Analytics: aggregated, anonymized usage events captured by Sentry, used for performance monitoring and conversion attribution. No advertising network cookies are present on quoli.io.

10.3 Cookies on merchant storefronts

Quoli widgets render on merchant storefronts via the Shopify Theme App Extension. By default, our widgets do not set tracking cookies on shoppers. Where a merchant explicitly enables an integration that requires cookies (for example, a Klaviyo signup form embedded inside a review widget, or a Meta Pixel triggered by a review submission), the cookies set by that integration are governed by the third party's own cookie policy and the merchant's privacy notice on its storefront.

10.4 How to manage cookies

  • Cookie banner: the first time you visit quoli.io from the EEA, UK, Switzerland, or California, you will see a cookie banner. Use it to accept, reject, or customize categories.
  • Browser settings: most browsers let you block or delete cookies. Blocking strictly necessary cookies may break parts of the site.

10.5 Do Not Track signals

Some browsers send a "Do Not Track" (DNT) signal. There is no industry consensus on how to interpret DNT, so we do not currently respond to it. We do honor explicit opt-out preferences expressed via our cookie banner.

11. Security

We take technical and organizational measures to protect your data, including encryption in transit and at rest, role-based access controls, regular security audits, and a documented incident response plan. Read our Security page for details.

12. Children's privacy

The Service is not directed to children under 13 (or 16 in the EEA / UK). We do not knowingly collect personal data from children. If we learn we have collected data from a child without verified parental consent, we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will notify you by email or through the Service and update the "Last updated" date at the top of this page.

14. Contact us

Questions about this policy or your data? Contact our Data Protection point of contact at support@quoli.io. For GDPR-specific requests, see our GDPR & DPA page.