Privacy Policy
Effective Date: December 19, 2025
Last Updated: December 19, 2025
This Privacy Policy explains how Back-in-Stock ("we," "us," or "our") collects, uses, stores, and protects merchant and customer data when you use our Shopify app. We are committed to transparency and compliance with privacy laws including GDPR, CCPA, and applicable data protection regulations.
1. Information We Collect
1.1 Merchant Data
When you install Back-in-Stock on your Shopify store, we collect and store:
- Store Information: Your shop domain (e.g., yourstore.myshopify.com), shop name
- Authentication Credentials: Shopify OAuth access tokens (encrypted) to communicate with your store's API
- Product Data: Product IDs, titles, variant IDs, variant titles, product images, and inventory levels for products you select in the app
- Subscription & Billing: Your subscription level (Free/Premium/Trial), Shopify subscription IDs, billing status, and invoice information
- App Configuration: Email template customizations, sender email address, delivery timing preferences (delay minutes, business hours settings), and minimum stock threshold settings
- Audit Logs: Installation/uninstallation events and configuration changes for security and troubleshooting
1.2 Customer Data
When your store's customers subscribe to back-in-stock notifications via the storefront widget, we collect:
- Email Address: The customer's email address provided when subscribing to restock alerts
- Product Interest: Shopify product ID, variant ID, product title, variant title for the item they want to be notified about
- Subscription Metadata: Timestamp of subscription, locale/language preference (if available)
- Notification Status: Whether notification has been sent and when
1.3 Technical Data
- Webhook Data: Inventory level updates, product updates from Shopify webhooks
- Email Queue Data: Email delivery attempts, success/failure status, error logs
- OAuth State Data: Temporary authentication tokens (automatically deleted after 10 minutes)
1.4 Data We Do NOT Collect
- ✗ Payment card information (processed by Shopify only)
- ✗ Customer passwords or authentication credentials
- ✗ Customer shipping addresses or phone numbers
- ✗ Customer purchase history or order details
- ✗ Customer browsing behavior or analytics tracking
2. How We Use Your Data
2.1 Primary Purpose: Back-in-Stock Notifications
- Restock Alerts: Send automated email notifications to customers when out-of-stock products become available again
- Inventory Monitoring: Track inventory levels via Shopify webhooks to detect when products are restocked
- Email Delivery: Queue and send emails using your configured email template and sender address
2.2 App Functionality & Support
- Authentication: Verify your store's identity and maintain secure API access
- Subscription Management: Track your Free/Premium subscription status and billing
- Personalization: Store your email template and delivery preferences to customize notifications
- Support & Troubleshooting: Use audit logs to diagnose issues or respond to support requests
2.3 Legal Compliance
- Respond to GDPR data requests (data access, deletion)
- Comply with Shopify's app policies and data protection requirements
- Maintain audit trails for security and compliance purposes
3. Data Sharing & Third Parties
3.1 Third-Party Services We Use
We share data with the following third-party services to provide app functionality:
| Service | Purpose | Data Shared |
|---|---|---|
| Shopify APIs | Product data, inventory updates | Shop domain, access tokens |
| SMTP Email Service | Send restock notification emails | Customer emails, email content |
| Database Hosting (Oracle/PostgreSQL) | Data storage and persistence | All app data (encrypted) |
Note: We use reputable third-party infrastructure providers with appropriate security certifications. We do not sell, rent, or share your data with third parties for marketing purposes.
3.2 We Do NOT Share Data With
- ✗ Advertising networks or data brokers
- ✗ Social media platforms
- ✗ Analytics or tracking services beyond operational needs
- ✗ Any third party without your explicit consent (except as required by law)
4. Data Retention & Deletion
4.1 Retention Periods
- Merchant Data: Retained while you have the app installed, plus 48 hours after uninstallation (to allow for reinstallation)
- Customer Subscriptions: Retained until notification is sent or merchant uninstalls the app
- Email Queue Data: Retained for 90 days after successful delivery or 30 days after final failed attempt
- Audit Logs: Retained for 1 year for security and compliance purposes
- OAuth State Tokens: Automatically deleted after 10 minutes
4.2 Automatic Deletion
Data is automatically deleted in the following scenarios:
- When you uninstall the app, your shop's data is deleted within 48 hours via Shopify's shop/redact webhook
- When a customer's data is requested for deletion via GDPR customers/redact webhook
- When email notifications are successfully delivered (after retention period)
- When OAuth tokens expire (10 minutes)
5. Data Security
We implement industry-standard security measures to protect your data:
5.1 Technical Safeguards
- Encryption in Transit: All data transmitted between your browser, our servers, and third parties uses TLS/SSL encryption (HTTPS)
- Encryption at Rest: Sensitive data (access tokens, emails) is encrypted in our database
- Authentication: OAuth 2.0 and Shopify session tokens for secure API access
- Webhook Verification: HMAC signature verification on all incoming Shopify webhooks
- Access Control: Role-based access controls and principle of least privilege
5.2 Operational Safeguards
- Regular security audits and updates
- Secure credential management (no hardcoded keys)
- Monitoring and logging of security events
- Incident response procedures
5.3 Limitations
While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security but commit to:
- Promptly notify you of any data breach affecting your data (within 72 hours)
- Cooperate with investigations and regulatory requirements
- Continuously improve our security posture
6. Your Rights (GDPR & CCPA)
6.1 Merchant Rights
As a merchant, you have the right to:
- Access: Request a copy of all data we store about your shop
- Rectification: Update incorrect data via the app's Settings page
- Deletion: Delete all your shop's data by uninstalling the app
- Portability: Export your data in a machine-readable format (JSON/CSV)
- Objection: Object to data processing by discontinuing use of the app
6.2 End Customer Rights (GDPR)
Customers who have subscribed to restock notifications have the right to:
- Access: Request what data we hold about them
- Deletion: Request deletion of their subscription data
- Unsubscribe: Stop receiving notifications (one-click unsubscribe in emails)
6.3 How to Exercise Your Rights
For Merchants: Contact us at [email protected] with your shop domain.
For Customers: Contact your merchant directly, or email us at [email protected].
GDPR Automated Compliance: We automatically respond to Shopify's GDPR webhooks (customers/data_request, customers/redact, shop/redact) to fulfill data access and deletion requests within required timeframes.
7. Children's Privacy
Back-in-Stock is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected].
8. International Data Transfers
Your data may be transferred to and processed in countries outside of your jurisdiction, including the United States and European Union. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) with third-party processors
- Compliance with GDPR Article 46 transfer mechanisms
- Adequacy decisions where applicable
9. Cookies & Tracking
Back-in-Stock uses minimal cookies and tracking:
- Session Tokens: Shopify App Bridge session tokens for embedded app authentication (expires when you close the browser)
- No Third-Party Cookies: We do not use advertising cookies or third-party tracking pixels
- Storefront Widget: Our widget script does not set cookies or track customer behavior
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in app functionality
- New legal or regulatory requirements
- Improvements to our security practices
Notification: We will notify you of material changes via email to your shop's billing email address or through an in-app notification at least 30 days before the changes take effect.
Effective Date: The "Last Updated" date at the top of this policy indicates when changes were last made.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email (General Inquiries): [email protected]
Email (Privacy & Data Requests): [email protected]
Response Time: We will respond to all privacy requests within 30 days (or as required by applicable law).
12. Legal Basis for Processing (GDPR)
Under GDPR, we process data based on the following legal grounds:
- Contractual Necessity: Processing merchant and customer data is necessary to provide the back-in-stock notification service
- Legitimate Interests: Improving app functionality, preventing fraud, ensuring security
- Legal Obligation: Compliance with Shopify policies, tax laws, and data protection regulations
- Consent: Customers explicitly consent by providing their email for restock notifications
13. Data Protection Officer
For EU/UK merchants and customers, you may contact our Data Protection Officer (DPO) at:
Email: [email protected]
Summary
What we collect: Shop info, customer emails, product subscriptions
Why: To send automated restock notifications
How long: Until you uninstall the app or customer data is deleted via GDPR request
Your rights: Access, delete, export your data anytime
Security: Encrypted storage, HTTPS, HMAC verification, regular audits