Data deletion
This page explains how to have personal data held by sico erased. It supplements the privacy notice, which covers the full picture of what we collect and why. If you only want to know "how do I get my data deleted" — section 2 is the answer.
1. Who this applies to
"sico" is the trading name of Sico Software Ltd, registered in Scotland at Suite 2/3, 2nd Floor, 48 West George Street, Glasgow G2 1BP, United Kingdom. ICO registration ZC106029.
Three groups of people may hold data with us:
- Direct customers of our standalone products (e.g. affiliate-mgr account holders). We are the controller for your data.
- Shopify merchants using our embedded apps (Ops Console, Growth Layer). The merchant is the controller for their shoppers' data; sico is the processor.
- Shoppers whose personal data passes through one of our merchants' shops. Your direct relationship is with that merchant; we hold a copy as a processor and will action your request through them or directly, depending on which path is faster.
2. How to request deletion
Email privacy@sico.software from the address you want erased. Include:
- The product (Ops Console, Growth Layer, Affiliate Manager, or "I'm not sure").
- If you are a shopper of one of our merchants' shops, the shop domain (e.g.
example.myshopify.com) so we can find your record. - Whether you want partial erasure (specific data) or full account deletion.
We do not require account verification beyond proving control of the email address tied to the data. We respond within 30 days per Article 17 of UK/EU GDPR; in practice most requests complete within a few business days.
3. What gets deleted
When you exercise the right to erasure:
- Account data (email, name, password hash) — deleted.
- Identifying data linked to you (visitor records, hashed identifiers, click history) — deleted.
- Per-processor copies — we send a redact instruction to every named third-party processor (see privacy notice §8) so the same record is removed from Klaviyo, Meta, Google Ads, PostHog, Sentry, etc., wherever it was synced.
- OAuth tokens and connections we hold for you — revoked at the upstream provider and deleted from our database.
4. What we keep, and why
Two narrow categories are retained even after an erasure request, in line with what GDPR explicitly permits:
| Data | Retention | Reason |
|---|---|---|
| Order line items, invoices, payouts, refund amounts | 10 years from last order | UK/EU tax law (HMRC, VAT). Records are anonymised — the personal identifiers are stripped, the financial line items remain. |
| Compliance audit trail of the deletion itself | 7 years | Proof, on request from a regulator, that we honoured your request and when. |
Everything else is removed.
5. Automatic deletion triggers
You do not always have to ask. Several events fire deletion automatically:
- Shopify app uninstall. When a merchant uninstalls Ops Console or Growth Layer, we revoke our access token within seconds, generate a portability pack, and email the merchant a download link. The data is then held for 48 hours as a recovery window (in case of accidental uninstall) and then fully deleted. Shopify's
shop/redactwebhook 48 hours after uninstall is the final cue. - Disconnecting a third-party integration. Disconnecting Meta Ads, Google Ads, Klaviyo, or any other connected account from inside our app revokes the OAuth token at the upstream provider and deletes the cached metrics within 24 hours.
- Inactivity. Customer / visitor identifying data is deleted 30 days after last activity even without a request — see privacy notice §5 for the full retention table.
6. Meta-specific note
If you are a shopper whose hashed contact data was pushed to a Meta Custom Audience by one of our merchants, two things happen on a deletion request:
- We remove the record from our database and from the merchant's Customer Audience via the Marketing API
customaudience/usersremove endpoint. - You can also remove yourself directly via Meta at Off-Facebook Activity or Accounts Center → Your Information and Permissions; that removes you across all advertisers, not just the merchant in question.
7. Complaints
If you are dissatisfied with how we handled your request, you have the right to complain to your supervisory authority. In the UK this is the Information Commissioner's Office at ico.org.uk/make-a-complaint.