Kodo Privacy Policy

Last updated: 6/10/2026
Effective date: 6/10/2026


1. Who we are

This Privacy Policy explains how Kodo ("Kodo," "we," "us," or "our") collects, uses, and shares personal information when you use our website at https://withkodo.com, our Shopify application, our WooCommerce plugin, our APIs, and related services (together, the "Service").

The Service is operated by Sunwoo Kim, an individual located at 2270 W El Camino Real, Mountain View.

For privacy questions, contact us at support@withkodo.com.

[REVIEW: If you process EU/UK personal data and are not established in the EU/UK, you may need to designate an Article 27 representative.]


2. Who this policy applies to

Kodo is a platform that connects Shopify merchants with creators (influencers) to run referral and discount-code campaigns. This policy describes how we handle information about:

  • Enterprise Users — individuals who create or manage a merchant's Kodo account
  • Creator Users — individuals who sign up to participate in campaigns and receive commission payouts
  • End Customers — shoppers who purchase from an Enterprise's Shopify store using a Creator's discount code or referral link
  • Website visitors — anyone who browses withkodo.com

For End Customer data, the Enterprise (the merchant whose store you purchased from) is the primary controller of the data, and Kodo processes the data on their behalf. Direct requests about End Customer data to the merchant first; we will assist where applicable.


3. Information we collect

3.1 From Enterprise Users

  • Name, email address, password (hashed), profile photo (optional)
  • Business name, website, billing address, tax ID
  • Shopify store domain and OAuth access token (stored securely; used to call the Shopify Admin API on your behalf)
  • Payment information — processed and stored by Stripe; we store only the last 4 digits and card brand
  • Communications with our team

3.2 From Creator Users

  • Name, email address, password (hashed), profile photo (optional)
  • Social media handles and audience information (if you choose to provide it)
  • Payout details (PayPal email and/or Stripe Connect account information, processed by the respective provider)
  • Tax forms (Form W-9 for U.S. taxpayers, Form W-8BEN for non-U.S. taxpayers) where required by law
  • Communications with our team

3.3 From End Customers (via Shopify webhooks)

When an End Customer purchases from a connected Shopify store, Shopify sends us order webhooks containing:

  • Order ID, date, total amount, currency, line items
  • Customer first name, last name, email address (used for fraud screening and refund attribution)
  • Applied discount codes and referral attribution data
  • Refund and chargeback information

We use End Customer data only to attribute purchases to Creators, calculate Commissions, and handle refunds. We do not market to End Customers.

3.4 Referral tracking data

When a shopper visits a merchant's storefront through a referral link (e.g., merchant.com/?ref=creator123), our embedded script stores the referral identifier in the browser's localStorage so we can attribute later purchases. This is not a cookie and is not used for cross-site tracking or advertising profiles.

3.5 Automatically collected

  • IP address, browser type, device information, pages viewed, referring URL
  • Server logs for security, debugging, and abuse prevention

4. How we use information

We use personal information to:

  • Provide and operate the Service (accounts, attribution, Commission calculation, payouts)
  • Process payments — collecting from Enterprises (via Stripe) and paying Creators (via PayPal Payouts or Stripe Connect)
  • Send service emails (transactional notifications, invoices, payout confirmations) via SendGrid
  • Send marketing emails to Enterprise Users (you can opt out at any time)
  • Comply with legal obligations including tax reporting (1099-NEC issuance) and anti-fraud
  • Improve and secure the Service

5. Legal basis for processing (EU/UK users)

For users in the EU, UK, or other GDPR-aligned jurisdictions, we rely on:

  • Contract — to provide the Service you've signed up for
  • Legitimate interest — to secure the Service, prevent fraud, and improve our product
  • Legal obligation — for tax reporting and responding to lawful requests
  • Consent — where required (e.g., marketing emails in certain jurisdictions)

6. Subprocessors and sharing

We share personal data with the following service providers under contractual safeguards:

Subprocessor | Purpose | Location
Supabase | Database, authentication, edge functions | United States
Stripe | Enterprise billing; Creator payouts via Stripe Connect | United States
SendGrid (Twilio) | Marketing email | United States
Shopify | Source of order, customer, and discount webhook data | Canada / United States
Vercel | Hosting of marketing site and dashboard | United States

We do not sell personal information.

We may also disclose information when legally required (subpoenas, court orders), to protect rights and safety, or in connection with a merger, acquisition, or sale of assets.


7. International data transfers

If you are located outside the United States, your personal information will be transferred to and processed in the United States and other jurisdictions where our subprocessors operate. Where required, we rely on Standard Contractual Clauses approved by the European Commission and the UK ICO.


8. Data retention

  • Account data: retained while your account is active, and up to 3 years after closure for legal/tax purposes
  • Transaction and payout records: retained for [7 years] to satisfy tax obligations
  • Marketing data: retained until you unsubscribe
  • Server logs: retained for [90 days]

When a Shopify store uninstalls Kodo, we honor Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact) within the timeframes Shopify requires (currently within 30 days for data requests, and shop data deleted within 48 hours of a shop/redact request received 48 hours after uninstall).


9. Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data (subject to legal exceptions)
  • Object to or restrict certain processing
  • Data portability (receive a copy in a structured, commonly used format)
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority

California residents (CCPA/CPRA): You have the rights above plus the right to know the categories of personal information we collect, sell, or share, and the right to non-discrimination for exercising your rights. We do not sell or share personal information for cross-context behavioral advertising.

To exercise any of these rights, email support@withkodo.com. We will respond within the timeframes required by applicable law.


10. Cookies and similar technologies

We use the following:

  • Essential cookies — for login sessions, CSRF protection, and security
  • Functional storage: localStorage to store referral attribution (the ref parameter) on merchant storefronts. Set only when a shopper visits a URL containing a ref query parameter; persists in the shopper's browser until cleared.
  • Analytics — [LIST any analytics tools used, e.g., PostHog]

We do not use advertising cookies and do not participate in cross-site tracking.


11. Children's privacy

Kodo is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will delete it.


12. Security

We use industry-standard measures including TLS for data in transit, encryption at rest on our database, hashed passwords using bcrypt or equivalent, role-based access controls, and audit logging. No system is perfectly secure, but we work hard to protect your data.

In the event of a personal data breach, we will notify affected users and relevant authorities as required by applicable law.


13. Changes to this policy

We may update this Policy from time to time. Material changes will be communicated by email and/or via the Service at least 30 days before they take effect. The "Last updated" date at the top will reflect the most recent revision.


14. Contact