Growth Layer — Privacy notice

Last updated: 2026-04-27. Effective: 2026-04-27.

This notice covers data processing specific to the Growth Layer Shopify app. The sico-wide privacy notice applies in addition.

1. What data we collect

When you install Growth Layer, we receive and store:

  • Shop identity — shop domain, shop name, currency, timezone.
  • Klaviyo metrics — aggregated email send counts, open rates, click rates, and revenue figures pulled via your Klaviyo Private API key. We do not store individual subscriber email addresses or subscriber-level profile data.
  • Anomaly records — computed anomaly events (metric name, z-score, severity, detected timestamp) and AI-generated diagnoses (root-cause tag, narrative, suggested action). These are derived data — they reference campaign metrics but contain no end-customer personal data.
  • Action log — a record of actions you approve or dismiss within the app.

Your Klaviyo Private API key is stored encrypted at rest and is never logged in plaintext.

2. Legal basis

Processing is necessary to perform the contract you entered when installing the app (UK GDPR Art. 6(1)(b)). Connecting your Klaviyo account is voluntary; you may disconnect it at any time from Settings, which immediately revokes and deletes the stored key.

3. How we use the data

Solely to provide the Growth Layer features: anomaly detection on your email campaign metrics, AI-assisted root-cause diagnosis, and one-click remediation actions. Klaviyo metric data is not shared with third parties and is not used to train AI models beyond the single diagnostic call made per anomaly (prompts contain only aggregate metrics, never subscriber data).

4. Data retention

Store data is retained while the app is installed. On uninstall, Shopify sends us a GDPR erasure webhook within 48 hours and we purge all store-specific records within 30 days. Your Klaviyo API key is deleted immediately on uninstall or when you disconnect from Settings.

5. Sub-processors

  • Hetzner — VPS hosting; data stored in EU.
  • Stripe — billing for your Growth Layer subscription.
  • Resend — transactional email.
  • PostHog (EU) — product analytics (page-level only).
  • Anthropic — AI diagnosis of anomalies; prompts contain only aggregate metric values, no personal data. Anthropic does not use API inputs for training by default.

6. Contact

Privacy queries: privacy@sico.software.

© 2026 Sico Software Ltd · Suite 2/3, 48 West George Street, Glasgow G2 1BP · ICO ZC106029 · Contact