Privacy Policy
Last Updated: March 21, 2026
Introduction
This Privacy Policy describes how StockKoala ("the App", "we", "us", or "our") collects, uses, and shares information when you install and use our application through the Shopify platform.
By installing and using the App, you agree to the collection and use of information in accordance with this policy.
Information We Collect
Information from Shopify
When you install the App, we access certain information from your Shopify store through the Shopify API, using the permissions you grant during installation:
- Product and variant data: Product titles, variant names, SKUs, prices, tags, images, and metafields (specifically expiration date metafields)
- Inventory data: Inventory levels, available quantities, on-hand quantities, and committed quantities at your store locations
- Location data: Store location names and identifiers
- Order data: Order IDs and display names (e.g., "#1234"), and line item variant IDs and quantities, used for batch allocation tracking during order fulfillment. We do not access or store customer names, emails, shipping addresses, payment information, or any other customer personal data from orders.
Information You Provide
- Employee names and badge IDs: When you create employee profiles within the App for inventory check-in and access control purposes
- Inventory audit actions: When employees perform inventory checks, we log the employee name, action type, quantities, and timestamp
- Purchase order details: Supplier names, contact information, product quantities, and pricing that you enter when creating purchase orders
- Configuration settings: Thresholds, preferences, and operational settings you configure within the App
Shopify Admin Session Data
When authorized Shopify admin users access the App, Shopify provides us with session information including:
- Shopify user ID
- First name, last name, and email address
- Account role (owner, collaborator)
- OAuth access tokens for API communication
This data is used solely for authenticating your access to the App and making authorized API calls to your Shopify store on your behalf.
How We Use Your Information
We use the information we collect to:
- Provide inventory management functionality: Track inventory levels, perform audit checks, generate purchase orders, and manage batch expiration dates
- Display reports and analytics: Generate inventory health scorecards, shrinkage analysis, sales velocity forecasts, and audit log reports
- Manage employee access: Authenticate employees via badge IDs and enforce page-level access controls
- Write metafield data: Update product expiration date metafields on your Shopify products to reflect current batch information
- Process webhooks: Respond to order fulfillment and cancellation events to maintain accurate batch allocation records
Data Storage and Retention
Where We Store Data
All data is stored in a PostgreSQL database hosted on Render.com, located in the United States (Virginia region). The App itself is also hosted on Render.com.
Data Retention
- Inventory snapshots: Retained for 180 days, then automatically deleted
- Dismissed alerts: Automatically expire and are deleted after 3 days
- Inventory audit logs: Retained indefinitely for historical reporting purposes
- Batch allocation records: Retained indefinitely for traceability
- Employee records: Retained until you deactivate or delete them
- Session data: Deleted when the App is uninstalled from your Shopify store
- Cached variant data: In-memory cache with a 5-minute time-to-live; database-level cache refreshed daily
Data Deletion on Uninstall
When you uninstall the App from your Shopify store, all Shopify session and authentication data is immediately deleted. To request deletion of all remaining data (audit logs, employee records, purchase orders, etc.), please contact us using the information below.
Data Sharing and Third Parties
We do not sell, rent, or share your data with any third parties. The App communicates exclusively with:
- Shopify: Via the authenticated Admin GraphQL API to read and write store data on your behalf
- Render.com: Our hosting and database provider, which processes data according to its own privacy and security policies
We do not use any third-party analytics, advertising, or tracking services within the App.
Cookies and Local Storage
The App does not set cookies directly. Shopify's App Bridge framework manages authentication cookies for admin session handling.
The App uses browser localStorage to persist the currently logged-in employee session (employee name and login timestamp) for convenience across page reloads. This data is cleared on employee logout or after a configurable inactivity timeout (default: 15 minutes).
Security
We implement the following measures to protect your data:
- All data is transmitted over HTTPS (TLS-encrypted)
- Shopify API access tokens are stored securely in our database and are never exposed to the client
- Webhook payloads are verified using Shopify's built-in HMAC signature validation
- Employee settings PINs are hashed before storage
- The daily cron endpoint is protected by a secret key
- Employee access is controlled via configurable page-level permissions
Your Rights
You have the right to:
- Access: View all data the App stores about your store and employees through the App's interface
- Correction: Update or correct employee information, configuration settings, and other data at any time
- Deletion: Request deletion of your data by contacting us
- Data Portability: Export audit log data via the CSV export feature in the Reports section
Shopify Data Protection
The App complies with Shopify's API Terms of Service and data protection requirements. We only request the minimum API scopes necessary:
| Scope | Purpose |
|---|---|
| read_products | Fetch product and variant information for inventory tracking |
| write_products | Write expiration date metafields to product variants |
| read_inventory | Read inventory levels at store locations |
| write_inventory | Reserved for future inventory adjustment features |
| read_locations | Identify store locations for inventory tracking |
| read_orders | Process order fulfillment events for batch allocation |
GDPR and CCPA Compliance
For merchants and their customers located in the European Union or California:
- We process data as a data processor on behalf of the Shopify merchant (data controller)
- We do not directly collect or store end-customer personal information
- We support Shopify's mandatory GDPR webhooks for customer data requests, customer data erasure, and shop data erasure
- To exercise any data subject rights, please contact us at the address below
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by updating the "Last Updated" date at the top of this policy. Continued use of the App after changes constitutes acceptance of the updated policy.
Contact Us
If you have any questions about this Privacy Policy or your data, or wish to request data deletion, please contact:
StockKoala
Email: support@stockkoala.com

