Automatic Coupon Finder Extension Privacy Policy
Last updated: 20 March 2026
This policy covers the DontPayFull Automatic Coupon Finder browser extension (also published as Shopilo: Automatic Coupon Finder by DontPayFull), available on the Chrome Web Store. For the DontPayFull.com website privacy policy, see Privacy Policy.
1. About This Policy
This Privacy Policy explains how DontPayFull SRL collects, uses, and protects personal data when you install and use the DontPayFull Automatic Coupon Finder Chrome extension (Chrome Web Store ID: jfoanacamkbfibjbidbmeobmnndfgpca). The extension is also published under the name Shopilo: Automatic Coupon Finder by DontPayFull.
This policy applies exclusively to the Chrome browser extension. It does not govern the DontPayFull.com website, which has its own Privacy Policy.
We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, "GDPR") and applicable national data protection legislation. For users in the United Kingdom, we also comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025.
By installing and using the extension, you acknowledge that you have read and understood this policy. Where processing requires your consent (Google Analytics, price alert emails), we will ask for it explicitly.
2. Data Controller
The data controller responsible for personal data processed through the extension is:
| Company name | DontPayFull SRL |
| Registration number | CUI RO35294618 |
| Registered address | Str. Zece Mese nr. 9, Ap. 1, 024061 Bucharest, Romania |
| US correspondence | 440 N Barranca Ave #2277, Covina, CA 91723 |
| Extension contact | [email protected] |
| Privacy contact | [email protected] |
3. Data We Collect
The table below lists every category of personal data processed by the extension, together with the purpose, legal basis under GDPR, and retention period. We collect only what is necessary for the purposes described.
| Category | Data | Purpose | Legal Basis (GDPR) | Retention |
|---|---|---|---|---|
| A. Personal Identification Data (PII) | Email address, name, country, date of birth. Collected only from users who have created a DontPayFull account and are logged in. Provided voluntarily at signup. | Account management, personalised offers. | Art. 6(1)(b) GDPR - performance of a contract to which the data subject is party. | Duration of account, plus 30 days after account deletion. |
| B. Authentication Information | Session token and authentication cookies for dontpayfull.com only, used to keep you logged in to the extension. | Maintaining your login session across browsing sessions. | Art. 6(1)(b) GDPR - performance of a contract. | Duration of session; cleared on logout. |
| C. Location Data | City and country derived from your IP address. No precise GPS geolocation is collected. Your IP address itself is not stored after derivation. | Displaying country-relevant offers; aggregate analytics. | Art. 6(1)(f) GDPR - legitimate interests of the controller (providing localised deals, improving service). These interests are not overridden by your fundamental rights, as processing is limited to city-level data and the IP is not retained. | 25 months (aggregate analytics only). |
| D. Web History (store domains only) | Domains of supported online stores that you visit (for example, "amazon.co.uk"). We do not collect full URLs, page content, or general browsing history outside supported stores. | Checking whether coupons are available for the current store. This is the core function of the extension. | Art. 6(1)(f) GDPR - legitimate interests (providing the core coupon-finding functionality). Only domains of stores in our supported list are processed; general browsing activity is not monitored. | 13 months. |
| E. User Activity | Clicks on extension elements; coupon codes applied and their success or failure; calculated savings; cart value at the time of checkout. | Service improvement, savings calculation, debugging. | Art. 6(1)(f) GDPR - legitimate interests (improving extension quality and demonstrating savings to users). | 25 months. |
| F. Technical Data | Extension version, browser type and version, user agent string. Your IP address is used solely to derive city and country (category C) and is not stored. | Compatibility, error diagnosis, service stability. | Art. 6(1)(f) GDPR - legitimate interests (maintaining a stable and compatible service). | IP address: not stored. User agent and version: 25 months. |
| G. Analytics (Google Analytics 4) | Extension usage behaviour collected via Google Analytics 4 (GA4). Data is transmitted to Google LLC (USA) under the EU-US Data Privacy Framework. | Understanding how users interact with the extension in aggregate, in order to improve it. | Art. 6(1)(a) GDPR - your consent, requested when you first install or launch the extension. | 14 months (GA4 default retention period). |
| H. Price Alerts | Email address provided voluntarily to receive price drop notifications for products you choose to track. | Sending price drop alerts per your request. | Art. 6(1)(a) GDPR - your consent, given when you subscribe to a price alert. | Until you unsubscribe from price alerts. |
Where we rely on legitimate interests (Art. 6(1)(f) GDPR), we have carried out a balancing test concluding that our interests in providing a functional, secure, and improving service are not overridden by your data protection rights, given the limited and proportionate nature of the data processed.
4. What We Do Not Collect
The following data is never collected by the extension:
- Payment card numbers, bank account details, or any financial credentials.
- Full content of web pages you visit.
- Passwords or authentication credentials for websites other than dontpayfull.com.
- Cookies set by merchants or affiliate networks (those cookies are set on the merchant's own domain by the merchant or the affiliate network acting as an independent controller; we do not access them).
- Sensitive personal data as defined in Art. 9 GDPR, including health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, or trade union membership.
- General browsing history outside supported online stores (we process only the domains of stores in our supported list).
- Precise GPS or device-level location (we derive city and country from IP address only; the IP itself is not stored).
5. Chrome Permissions Explained
The extension requests the following Chrome permissions. Each permission is necessary for a specific function; we do not request permissions beyond what is needed.
| Permission | Why it is needed and what it does |
|---|---|
| activeTab | We read the content of the active tab only when you are at a checkout page, in order to inject the coupon code into the discount field and calculate your savings. We do not read pages outside checkout flows on supported stores. |
| storage | We store your preferences, found coupons for the current store, and extension settings locally in your browser using Chrome's extension storage API. This data does not leave your browser except as described in Section 7. |
| webNavigation | We detect when you navigate to a domain in our list of supported online stores so that we can check coupon availability in the background and display a notification if coupons exist. Navigation events on unsupported domains are ignored. |
| tabs | Allows the extension to display coupon notifications in the active tab and to open the extension popup with available coupons. We use this permission only for displaying relevant information to you. |
| scripting | We automatically inject the best coupon code into the discount field at checkout on supported stores, so you do not have to type it manually. This script runs only on checkout pages of stores in our supported list; it does not run on any other pages. |
6. Affiliate Tracking - How It Works
DontPayFull earns affiliate commissions from merchants when users make purchases through our links. It is important to understand exactly how attribution works, because it differs from what many users expect.
Attribution is via URL redirect only - the extension does not itself set affiliate tracking cookies.
Here is the full sequence:
- You click "Get Deal" or activate the auto-apply function in the extension.
- The extension redirects your browser through a DontPayFull affiliate URL (a short-lived redirect link).
- The redirect lands you on the merchant's website.
- The merchant's website or the affiliate network (for example, AWIN, Rakuten, CJ Affiliate) sets its own tracking cookies on the merchant's domain in order to attribute the sale. Those cookies are placed by the merchant or network, acting as independent data controllers under their own privacy policies.
- If you complete the purchase, DontPayFull or Shopilo receives an affiliate commission.
What DontPayFull sets: a temporary affiliate redirect URL used for attribution.
What DontPayFull does not set: the affiliate tracking cookies. Those are set by the merchant or affiliate network on their own domain, under their own legal responsibility.
We have no access to, and do not process, the affiliate cookies placed by merchants or networks on their own domains.
7. Local Browser Storage
In addition to data transmitted to our servers, the extension stores the following data locally in your browser using Chrome's extension storage API. This local data is accessible only to the extension itself and is not shared with third parties unless otherwise stated in this policy.
| What is stored locally | Details |
|---|---|
| Your coupon preferences and settings | For example, whether auto-apply is enabled or disabled. |
| Coupons found for the current store | Cached temporarily so that the extension can display them without a new network request each time. |
| Extension settings | User interface preferences and feature toggles you have configured. |
| Session authentication token | If you are logged in to your DontPayFull account, your session token is stored locally so you remain logged in. It is cleared when you log out. |
You can delete all locally stored extension data at any time by:
- Opening Chrome, going to Settings > Extensions > DontPayFull Automatic Coupon Finder > Details, and clearing storage; or
- Uninstalling the extension, which removes all locally stored data automatically.
8. Google Analytics in the Extension
The extension uses Google Analytics 4 (GA4), provided by Google LLC (USA), to collect aggregate data about how users interact with the extension. This helps us understand which features are useful and where we can improve.
Legal basis: Art. 6(1)(a) GDPR - your consent. We ask for your consent when you first install or launch the extension. You can withdraw your consent at any time as described below.
Data transferred: GA4 usage data is transmitted to and processed by Google LLC in the United States under the EU-US Data Privacy Framework (see Section 9).
Retention: GA4 retains analytics data for 14 months (the GA4 default retention period), after which it is automatically deleted by Google.
Opt-out options:
- Install the Google Analytics Opt-out Browser Add-on to prevent GA4 from collecting data across all websites and extensions that use it.
- Withdraw your consent within the extension settings (where available) or contact us at [email protected].
Google LLC acts as a data processor on our behalf for GA4. For more information on how Google processes data, see Google's Privacy Policy.
9. International Data Transfers
DontPayFull SRL is established in Romania (EU). In the ordinary course of operating the extension, personal data may be transferred to the following third country:
| Recipient | Country | Purpose | Transfer mechanism |
|---|---|---|---|
| Google LLC | USA | Google Analytics 4 (extension usage analytics) | EU-US Data Privacy Framework (DPF), adopted by the European Commission as an adequacy decision on 10 July 2023 (Decision 2023/1795). Google LLC is certified under the DPF. |
UK users: For transfers from the United Kingdom, Google LLC is certified under the UK Extension to the EU-US Data Privacy Framework. Transfers from the UK to Google LLC are covered by the UK-US Data Bridge (Data Protection (Adequacy) (United States of America) Regulations 2023, in force 12 October 2023), not the EU-US DPF decision above.
No other transfers of personal data to third countries take place in connection with the extension. All other processing servers are located within the European Economic Area.
10. Your GDPR Rights
As a data subject under the GDPR, you have the following rights with respect to your personal data processed through the extension. We will respond to all requests within one month of receipt, in accordance with Art. 12(3) GDPR. In cases of complexity or a high number of requests, we may extend this period by a further two months and will inform you accordingly.
| Right | What it means |
|---|---|
| Art. 15 - Right of access | You have the right to obtain confirmation of whether we process personal data about you, and to receive a copy of that data together with information about the purposes, categories, recipients, retention periods, and your rights. |
| Art. 16 - Right to rectification | You have the right to have inaccurate personal data corrected without undue delay. You may also have incomplete data completed. |
| Art. 17 - Right to erasure ("right to be forgotten") | You have the right to request that we erase your personal data where, for example, it is no longer necessary for the purposes for which it was collected, you withdraw consent and there is no other legal basis, or you object and there are no overriding legitimate grounds. This right does not apply where processing is required for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims. |
| Art. 18 - Right to restriction of processing | You have the right to request that we restrict the processing of your personal data while, for example, the accuracy of data is contested, processing is unlawful and you oppose erasure, or we no longer need the data but you require it for legal claims. |
| Art. 19 - Right to notification of recipients | Where we have rectified, erased, or restricted personal data at your request, we will notify each recipient to whom that data has been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you of those recipients upon your request. |
| Art. 20 - Right to data portability | Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. |
| Art. 21 - Right to object | You have the right to object at any time to processing of your personal data that is based on legitimate interests (Art. 6(1)(f) GDPR). We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims. Where data is processed for direct marketing purposes, you have an absolute right to object at any time. |
| Art. 7(3) - Right to withdraw consent | Where processing is based on your consent (Google Analytics and price alert emails), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent for Google Analytics via the extension settings or via the Google Analytics Opt-out Add-on. You can withdraw consent for price alerts by unsubscribing from any alert email or by contacting us. |
How to exercise your rights: Send your request by email to [email protected]. Please include sufficient information to allow us to identify you (for example, your registered email address). We will respond within one month (Art. 12(3) GDPR). We do not charge a fee for requests unless they are manifestly unfounded or excessive.
11. Supervisory Authority
DontPayFull SRL is established in Romania. Our lead supervisory authority under the GDPR is:
| Authority | ANSPDCP - Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (Romanian National Supervisory Authority for Personal Data Processing) |
| Address | B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania |
| Website | www.dataprotection.ro |
You have the right to lodge a complaint with the ANSPDCP if you believe that we have processed your personal data in breach of the GDPR. You also retain the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement, in accordance with Art. 77 GDPR.
We would appreciate the opportunity to address any concerns before you approach the supervisory authority. Please contact us first at [email protected].
12. UK residents (UK GDPR)
If you are located in the United Kingdom, your personal data is processed under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), as amended by the Data (Use and Access) Act 2025 (in force 5 February 2026). DontPayFull SRL is not established in the United Kingdom, but as the extension is available to UK users, the UK GDPR applies to our processing of your personal data under Art. 3 UK GDPR.
Your rights under the UK GDPR are equivalent to those described in Section 10 of this policy (access, rectification, erasure, restriction, portability, objection, and withdrawal of consent). To exercise these rights, contact [email protected].
The supervisory authority for UK data protection is:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: www.ico.org.uk
Helpline: 0303 123 1113
13. Additional jurisdictions
The extension is available globally via the Chrome Web Store. In addition to the GDPR and UK GDPR provisions above, the following frameworks apply to users in the relevant jurisdictions. Because the extension collects minimal personal data (limited to optional GA4 analytics and a local session token if you are logged in), the practical impact is limited, but your rights are as follows:
California, USA (CCPA/CPRA). If you are a California resident, you have the right to know what personal information we collect through the extension, to request its deletion, and to opt out of any sale or sharing of personal information. The extension does not sell or share your personal information for advertising purposes. To exercise your CCPA rights, email [email protected] with the subject "CCPA Request". We will respond within 45 days. For full details on our CCPA practices, see the DontPayFull.com Privacy Policy.
Canada (PIPEDA / Quebec Law 25). If you are located in Canada, your personal data is handled in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, additionally in compliance with Quebec Law 25. You have the right to access and correct your personal information and to withdraw consent at any time. To exercise these rights, email [email protected]. For full details including supervisory authority contacts, see the DontPayFull.com Privacy Policy.
Australia (Privacy Act 1988). If you are located in Australia, your personal data is handled in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access and correct your personal information and to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. To exercise your rights, email [email protected]. For full details, see the DontPayFull.com Privacy Policy.
14. Contact
For any questions, requests, or complaints specifically related to the extension and how it processes your personal data, please contact:
| Extension and Chrome Web Store matters | [email protected] |
| General privacy and GDPR rights | [email protected] |
| Postal address | DontPayFull SRL, Str. Zece Mese nr. 9, Ap. 1, 024061 Bucharest, Romania |
We will respond to all data subject requests within one month of receipt (Art. 12(3) GDPR). Where a request is particularly complex, we may extend this by a further two months; in that case we will notify you within the first month and explain the reason for the extension.
15. Changes to This Policy
We may update this Extension Privacy Policy from time to time to reflect changes in the extension's functionality, applicable law, or our data processing practices. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by applicable law, seek your renewed consent.
For significant changes that affect your rights or the way we process your personal data, we will notify you through the extension itself (for example, via an in-extension notice on first launch after an update) or by email to the address registered with your account, where applicable.
We encourage you to review this policy periodically. If you continue to use the extension after a policy update, we will take this as confirmation that you have reviewed the changes, subject to any renewed consent requirements under applicable law.
Previous versions of this policy are available on request by contacting [email protected].