Privacy Policy

1. Introduction

HLKonnect ("we", "our", "us") is a United States-based company that operates the HLKonnect platform. The HLKonnect platform includes all applications published by HLKonnect on the GoHighLevel (GHL) marketplace, the HLKonnect website (hlkonnect.com), and any related services (collectively, the "Service").

This Privacy Policy applies to all HLKonnect applications and services — including current and future apps we publish on the GHL marketplace — and describes how we collect, use, store, share, and protect your information.

By installing any HLKonnect application or using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

2. Data Controller

For the purposes of applicable data protection laws, HLKonnect is the data controller of the personal data we collect through the Service. You may contact us at:

• Email: privacy@hlkonnect.com
• Website: https://hlkonnect.com

3. Information We Collect

The specific data we collect depends on which HLKonnect application(s) you install and the features you enable. Below are the general categories:

3.1 Account & Authentication Information

• Your GoHighLevel location ID, company ID, and user email address provided through the GHL OAuth authorization process.
• OAuth access tokens and associated credentials for any third-party platforms you connect (e.g., Shopify, Stripe, WooCommerce).

3.2 Third-Party Platform Data

When you connect a third-party platform to GHL through one of our apps, we may access data from that platform as needed to perform the sync or integration. This may include:

• Customer/contact data: Names, email addresses, phone numbers, physical addresses, tags, and consent status.
• Transaction data: Orders, invoices, payments, refunds, subscriptions, and line items.
• Product/catalog data: Product titles, descriptions, variants, pricing, and inventory.
• Custom fields & metadata: Metafields, custom properties, and mapped field values as configured by you.

Each app's listing on the GHL marketplace specifies which third-party platform it connects and what data is accessed.

3.3 GoHighLevel Data

• Contact records, custom field values, opportunity/pipeline data, tags, and workflow trigger events within your GHL location, as needed to perform the integration.

3.4 Sync & Usage Logs

• Records of data synchronization events (timestamps, record counts, sync status, error messages).
• Feature usage data (which features are enabled, configuration settings).

3.5 Website & Contact Information

• If you contact us through our website or email, we collect your name, email address, and the content of your message.

4. Shopify-Specific Disclosures

The following section applies to any HLKonnect application that connects to Shopify.

4.1 Shopify API Scopes

Our Shopify-connected applications request only the API access scopes necessary to deliver the enabled features. Common scopes include:

The exact scopes requested are listed on each app's Shopify OAuth consent screen. We only request the minimum scopes necessary and do not access data beyond what those scopes permit.

4.2 Shopify Mandatory Data Privacy Webhooks

In compliance with Shopify's API Terms of Service, all HLKonnect Shopify-connected apps implement the following mandatory privacy webhooks:

• Customer Data Request (customers/data_request): When a store owner receives a data subject access request, Shopify notifies us. We respond with all personal data we hold for that customer within 30 days.
• Customer Data Erasure (customers/redact): When a store owner receives an erasure request, Shopify notifies us. We delete all personal data associated with that customer within 30 days.
• Shop Data Erasure (shop/redact): Within 48 hours of an app being uninstalled, Shopify notifies us. We delete all data associated with that shop within 30 days.

5. How We Use Your Information

We use the collected information strictly for the following purposes:

• Providing the Service: Synchronize and integrate data between your connected platforms and GoHighLevel as configured by you.
• Account management: Create, update, and manage contacts, opportunities, products, custom fields, and other records in your GHL account.
• Workflow automation: Fire GHL workflow triggers based on events from connected platforms.
• Service monitoring: Monitor sync health, diagnose errors, and improve reliability and performance.
• Communication: Send service-related notifications, support responses, and critical updates. We do not send marketing emails unless you explicitly opt in.

6. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Performance of a contract: Processing necessary to provide the Service you have requested by installing the app (Article 6(1)(b) GDPR).
• Legitimate interests: Processing necessary for our legitimate interests in improving and securing the Service, provided these interests are not overridden by your rights (Article 6(1)(f) GDPR).
• Consent: Where you have given explicit consent for specific processing activities, such as optional marketing communications (Article 6(1)(a) GDPR). You may withdraw consent at any time.
• Legal obligation: Processing necessary to comply with applicable laws (Article 6(1)(c) GDPR).

7. Data Storage, Location & Security

7.1 Data Location

All data is processed and stored on servers located in the United States.

7.2 Security Measures

• All OAuth tokens and sensitive credentials are encrypted at rest using AES-256-GCM encryption.
• All data is transmitted over HTTPS/TLS encrypted connections.
• We store the minimum data necessary to provide the Service (data minimization).
• Access to production systems is restricted to authorized personnel using multi-factor authentication.
• Regular security audits and dependency vulnerability monitoring.
• Application-level logging and monitoring for anomaly detection.

7.3 Data Minimization

We follow the principle of data minimization. We do not store full copies of your third-party platform databases. We process data in transit during sync operations and retain only the mapping references and sync metadata necessary to maintain the integration.

8. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data to third parties for any purpose.

We only share your data in the following circumstances:

• Between connected platforms: Data is synced between the platforms you explicitly connect (e.g., Shopify to GHL) — this is the core function of the Service and only occurs as directed by you.
• Service infrastructure: We use US-based cloud infrastructure providers that process data on our behalf under strict data processing agreements.
• Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety.

We do not use third-party analytics, advertising, or tracking services within our applications.

9. Data Retention

• Sync logs: Retained for 30 days and then automatically deleted.
• Account data: Retained as long as you have at least one HLKonnect app installed and your account is active.
• Post-uninstall: When you uninstall an app, we delete the associated OAuth tokens and deactivate the connection within 48 hours. Sync mapping records are retained for 90 days in case of reinstallation, then permanently deleted.
• Full account deletion: When you uninstall all HLKonnect apps, all account data is deleted following the retention periods above.
• Backup retention: Encrypted backups containing account metadata may persist for up to 30 days after deletion before being purged.

10. Your Privacy Rights

10.1 General Rights (All Users)

Regardless of your location, you have the right to:

• Access the personal data we hold about your account.
• Request correction of inaccurate or incomplete data.
• Request deletion of your data by uninstalling the app(s) and contacting us.
• Withdraw consent by disconnecting your third-party platforms or uninstalling the app(s).
• Receive a copy of your data in a structured, machine-readable format.

10.2 European Economic Area, UK & Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you additionally have the right to:

• Right of access: Request a copy of all personal data we process about you.
• Right to rectification: Request correction of inaccurate personal data.
• Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
• Right to restriction of processing: Request that we limit how we process your data in certain circumstances.
• Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
• Right to lodge a complaint: Lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact privacy@hlkonnect.com. We will respond within 30 days.

10.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA and CPRA:

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purpose, and the categories of third parties with whom we share it.
• Right to delete: Request deletion of personal information we have collected, subject to certain exceptions.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt-out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
• Right to non-discrimination: We will not discriminate against you for exercising any of your rights.

Categories of personal information collected: Identifiers (name, email, phone), commercial information (order data, transaction history), internet activity (usage logs), and professional information (business name, GHL account data).

To exercise your rights, contact privacy@hlkonnect.com. We will verify your identity and respond within 45 days.

11. International Data Transfers

Our servers are located in the United States. If you access the Service from outside the United States, your data will be transferred to, stored, and processed in the United States.

For users in the EEA, UK, or Switzerland, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
• Your explicit consent to the transfer when you install and authorize the application.

12. Children's Privacy

HLKonnect is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete that information promptly. If you believe we have collected data from a minor, contact us at privacy@hlkonnect.com.

13. Cookies & Tracking

We use only essential session cookies for authentication within the GoHighLevel iframe environment. These cookies are strictly necessary for the Service to function.

We do not use:

• Third-party tracking cookies
• Advertising or retargeting pixels
• Third-party analytics services within our applications

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Notify you via email or in-app notification for significant changes.
• Where required by law, obtain your consent before applying material changes.

Continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal data:

• Privacy inquiries: privacy@hlkonnect.com
• General support: support@hlkonnect.com
• Website: https://hlkonnect.com