Privacy Policy

Last updated: 2026-04-07

Composable Type ("Composable Type," "we," "us," or "our") is a product developed and operated by Smalhaus, an independent software studio based in New York, NY.

This Privacy Policy explains how we collect, use, disclose, and protect personal information when merchants install or use our Shopify app, visit our website, or otherwise interact with our services (collectively, the "Services").

1. Who We Are

Composable Type is owned and operated by Smalhaus, based in New York, NY.

For privacy-related questions or requests: privacy@smalhaus.com

2. Scope of this Policy

This Privacy Policy applies to personal information we process in connection with:

  • our Shopify app and related merchant-facing services;
  • our website and marketing pages;
  • onboarding, support, and communications;
  • analytics, security, and product improvement.

This Policy does not apply to information processed by Shopify or other third parties that have their own privacy policies.

3. Information We Collect

A. Information provided by merchants

When a merchant installs or uses the app, we may collect:

  • name
  • email address
  • store name and Shopify store URL
  • account and authentication information
  • support communications
  • preferences and settings
  • content created or uploaded through the app (e.g., blog posts, pages, images, templates)

B. Information from Shopify

When you install our app, we receive certain information from Shopify, such as:

  • store and account information
  • app installation and authorization details
  • store configuration and theme-related data
  • any data the merchant explicitly grants access to via Shopify permissions

We only access data that is necessary to provide the app's functionality.

C. Store visitor and customer data

If merchants use analytics or content features, we may process limited information about store visitors or customers on the merchant's behalf, including:

  • page views and interactions with content
  • referral and engagement data
  • device and browser information
  • IP address (used for analytics and security)
  • conversion or order attribution data where enabled

In these cases, the merchant is typically the data controller, and we act as a processor.

D. Automatically collected data

  • IP address
  • browser type and device information
  • operating system
  • pages viewed and interactions
  • timestamps and session data
  • performance and error logs

E. Cookies and tracking technologies

We use cookies and similar technologies to:

  • maintain sessions and authentication
  • store preferences
  • secure the platform
  • analyze usage and improve the product

Where required by law, we obtain consent before using non-essential cookies.

4. How We Use Information

  • provide and operate the Services
  • manage accounts and authentication
  • enable content creation, publishing, and analytics features
  • communicate with users about the service
  • detect and prevent fraud or misuse
  • improve product functionality and performance
  • comply with legal obligations

5. Legal Basis (GDPR)

  • Contract — to provide the Services
  • Legitimate Interest — to operate, secure, and improve the product
  • Consent — for optional features such as analytics or marketing
  • Legal Obligation — to comply with applicable laws

6. Data Sharing

We do not sell personal data.

We may share information with:

  • Shopify — to operate the app within the Shopify ecosystem
  • Service providers — such as hosting, analytics, and infrastructure providers
  • Analytics providers — such as Mixpanel (where enabled)
  • Legal authorities — when required by law

All third-party providers are required to protect personal data.

7. Shopify-Specific Privacy

Our app operates within the Shopify platform and uses Shopify APIs and webhooks.

If a merchant uninstalls the app or submits a data request through Shopify, we may process those requests in accordance with Shopify's required compliance workflows.

If you are a customer of a merchant using Composable Type, you should contact that merchant directly regarding your personal data.

8. Data Retention

We retain data only as long as necessary to:

  • provide the Services
  • comply with legal obligations
  • resolve disputes and enforce agreements

Retention periods vary depending on the type of data and usage context.

9. International Transfers

Your data may be processed in countries outside your own.

Where required, we implement safeguards such as contractual protections and data processing agreements.

10. Security

We use reasonable technical and organizational measures to protect data, including:

  • encrypted data transmission (HTTPS/TLS)
  • secure authentication practices
  • access controls
  • monitoring and logging
  • regular updates and security improvements

11. Your Rights

Depending on your location, you may have rights to:

  • access your data
  • correct inaccurate data
  • request deletion
  • restrict or object to processing
  • withdraw consent
  • request data portability

To exercise your rights, contact: privacy@smalhaus.com

If we process data on behalf of a merchant, we may direct your request to that merchant.

12. Children's Privacy

Our Services are intended for businesses and are not directed to children.

13. Changes to this Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date and, where appropriate, notify users of material changes.

14. Contact

For privacy-related inquiries:

privacy@smalhaus.com