Effective date: April 22, 2026
This Privacy Policy explains how Vouch ("we", "us", or "our") collects, uses, and protects data processed through the Vouch Shopify app on behalf of merchants and their customers.
When a customer submits a review or participates in a referral or influencer programme through Vouch, we may collect:
When a merchant connects their Instagram Business account to Vouch, we also collect on the merchant's behalf:
When a merchant connects their TikTok account to Vouch, we also collect on the merchant's behalf:
We do not download or store Instagram media files. All Instagram images and videos continue to be served directly from Instagram's own CDN. Only the URL string is stored by Vouch.
Vouch does not sell, rent, or trade any customer personal data to third parties for their own marketing or commercial purposes. Full stop.
Vouch does not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.
Customer data is retained for as long as the merchant has the Vouch app installed. Completed review records are purged after the merchant-configured retention period (default: 2 years). When a merchant uninstalls Vouch, all data associated with their store is permanently deleted.
Customer email addresses may be forwarded to a merchant's own email marketing platform (such as Klaviyo or Braze) via API credentials provided and controlled by the merchant. Vouch does not operate these platforms and is not responsible for how merchants use their email service providers. Merchants should ensure their own privacy policies cover such processing.
Instagram / Meta: When a merchant authorises Vouch to connect to their Instagram Business account via OAuth, Vouch reads post metadata (captions, permalinks, CDN URLs) from that account using the Meta Graph API on the merchant's behalf. This access is governed by Meta's Platform Terms and Developer Policies. Vouch only accesses content from the merchant's own authorised account and does not access, store, or display content from any other Instagram accounts. Instagram CDN media URLs stored by Vouch may expire in accordance with Meta's policies; Vouch is not responsible for media becoming unavailable after URL expiry.
TikTok: When a merchant authorises Vouch to connect to their TikTok account via OAuth, Vouch reads video metadata (captions, cover images, embed links, and permalinks) from that account using the TikTok Display API on the merchant's behalf. This access requires the user.info.basic and video.list scopes. This access is governed by TikTok's Developer Terms of Service. Vouch only accesses content from the merchant's own authorised account and does not access, store, or display content from any other TikTok accounts. TikTok cover image URLs stored by Vouch may expire; Vouch will re-fetch them automatically using the stored refresh token.
All data is encrypted in transit via HTTPS. Sensitive fields (such as API keys and reward codes) are encrypted at rest using AES-256-GCM. Vouch is hosted on Fly.io infrastructure with access controls and audit logging in place.
End customers who wish to exercise data rights (access, correction, or deletion) should contact the merchant directly, as the merchant is the data controller.
If you submitted a photo, video, or review through a merchant's Vouch-powered submission form, you may withdraw your consent and request that your content be removed at any time. To do so:
Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal, including any public display of the content prior to your request.
Merchants who wish to exercise rights over their store's data, or who receive a data subject request they cannot fulfil independently, may contact us at privacy@vouch.hk.
For privacy-related enquiries, email us at privacy@vouch.hk.