Customer Data Privacy

How Quotient handles customer data.

This document outlines Quotient's comprehensive data handling practices, including data collection, security measures, and compliance procedures. While these policies govern all customer data we process, special attention is given to data sourced through our Shopify integration, as this represents a primary data source for many of our merchants.

In this document:

  • "Customer" refers to end users, i.e. individuals who receive marketing communications and whose data is processed by Quotient
  • "Merchant" refers to businesses using Quotient to manage and send marketing communications to their customers

Data Processing Overview

Scope of Processing

Quotient processes Shopify Customer Data strictly as a data processor on behalf of our Merchants (the data controllers). All data processing activities are conducted in accordance with applicable data protection laws, including but not limited to GDPR, CCPA, and other relevant privacy regulations.

Quotient processes only the minimum data necessary for app functionality, strictly for the purpose of providing our services, and never sells Shopify Customer Data to third parties or shares it with them.

Legitimate Processing Purpose

Quotient processes Shopify Customer Data on behalf of Merchants for the following purposes:

  • Subscription list management and maintenance
  • Campaign segmentation and distribution
  • Campaign performance analytics and reporting
  • Automated, personalized marketing communications
  • Shopify Customer subscription preference management

Required Data Elements

To provide our core services, Quotient processes the Shopify Customer data model, including but not limited to the following elements:

  • Customer ID: Unique identifier used to sync customer data between Quotient and Shopify, particularly for preference updates
  • Email Address: Primary contact method used for sending marketing communications
  • First Name and Last Name: Used for email personalization to address customers by name
  • Phone Number: Used for SMS marketing communications when enabled
  • Location Data: Including address, city, state and country information for geographic segmentation and localized marketing
  • Order History: Used to enable personalized product recommendations and segmentation based on purchase behavior

Data Protection Measures

Technical Security

All data transmission occurs over TLS 1.3 encrypted connections to ensure secure data transfer between systems. Our databases employ industry-standard AES-256 encryption for all data at rest, including both live and backup data.

We maintain a robust key management system that regularly rotates encryption keys and securely stores them in an isolated environment. Our infrastructure includes automated disaster recovery with regular backups stored in geographically distributed locations.

While we maintain robust security measures, Merchants remain responsible for their use of our services and compliance with their local privacy laws. We recommend Merchants review their own privacy policies and ensure they have appropriate consent for data processing.

Organizational Security

Access to customer data is strictly controlled through role-based access control (RBAC) and is limited to essential engineering personnel who require access for platform maintenance and support.

We enforce comprehensive security policies including:

  • Mandatory strong password requirements with regular rotation
  • Multi-factor authentication for all system access
  • Detailed access logging and regular security audits
  • Automated monitoring and alerting for suspicious activities

Data Subject Rights

Customer Rights Management

Quotient provides comprehensive mechanisms to honor data subject rights, including the right to access personal data and the right to erasure ("right to be forgotten").

For Shopify-integrated merchants, we automatically process data subject requests through Shopify's standardized compliance webhooks. These webhooks ensure that when customers request their data or request deletion through Shopify:

  • Data access requests are fulfilled within the required timeframe
  • Data deletion requests are processed systematically
  • Shop data is properly handled upon app uninstallation

For customers not integrated through Shopify, data subject requests can be submitted directly to support@getquotient.ai. All requests will be processed in accordance with applicable privacy regulations.

Data Deletion Procedures

All customer data deletion is handled through automated processes. For Shopify-integrated accounts, deletion requests are processed immediately through Shopify's compliance webhooks. When a Quotient account is deleted, whether through Shopify uninstallation or direct account closure, all associated customer data is permanently removed from our systems through cascade deletion.

We retain customer data only for as long as necessary to provide our services. This means data is kept for the duration of an active Quotient account, as this data is essential for core marketing functionality.

Incident Response

Security Incident Management

In the event of a security incident, we follow a structured response protocol:

  1. Immediate Actions

    • Block suspicious activity
    • Log the incident
    • Notify affected customers
    • Preserve evidence

  2. Recovery Steps

    • Assess data exposure
    • Implement fixes
    • Document incident
    • Update procedures

Our incident response team actively monitors system activity and will respond promptly to any detected security anomalies. We strive to maintain clear communication with affected parties throughout any incident resolution process.