Privacy Policy
Last updated: 2026-07-04
Storeroom ("the app", "we") helps Shopify retailers manage purchase orders, receiving, reorder points and stocktakes. This policy explains exactly what data we access, what we store, where it lives, and how to get rid of it. Our design principle is to store as little as the workflow needs - nothing more.
What we access from Shopify
-
Products and inventory (
read_products,read_inventory,write_inventory,read_locations): to sync your catalog, show stock levels, and adjust inventory when you receive stock or apply a stocktake. Every inventory adjustment carries an audit reference back to the purchase order or stocktake that caused it. -
Orders (
read_orders): we read line-item product, quantity and date only, and immediately aggregate them into daily per-product sales totals. We do not access, store, or display customer names, emails, addresses, phone numbers, or any other customer personal data. Individual orders are never stored.
What we store
- Your product and variant catalog (titles, SKUs, barcodes, prices, vendors) and inventory levels - a cache of what is already in your Shopify admin.
- Suppliers you create or that we bootstrap from your product vendors (name, email, phone, currency, terms).
- Purchase orders, receipts, stocktakes and reorder rules - the records the app exists to keep.
- Daily aggregated sales totals per product (units and revenue per day) - no order-level or customer-level records.
- The name of the staff member who received a delivery on POS, when your staff enter it - this is the only personal data of yours the app records, and it exists so your receipts have an audit trail.
- Your Shopify authentication session (shop domain and access token), as required for the app to talk to Shopify on your behalf.
- Published currency exchange rates (public ECB data, nothing about your shop).
Where it lives
The app runs on Fly.io (London) and data is stored in a managed Postgres database on Supabase (Ireland, EU). Both encrypt data at rest; all connections use TLS. Access to production data is limited to the operator of this app.
Data sharing and subprocessors
We do not sell or share your data with anyone, with one exception you control: when you email a purchase order, the PDF and your supplier's email address are passed to our email provider (Resend) for delivery. Our subprocessors are Fly.io (hosting), Supabase (database), and Resend (email) - each used solely to operate the app.
Retention and deletion
Data is retained while the app is installed. When you uninstall, your access token is
invalidated immediately. Shopify sends us a shop/redact request 48 hours after
uninstall, and we delete everything we hold for your shop when it arrives. You can also email
us at any time for immediate deletion. We respond to all three of Shopify's mandatory
compliance webhooks; because we hold no customer personal data,
customers/data_request and customers/redact have nothing to return
or remove.
Your rights
You can export your suppliers, reorder rules and reports as CSV from inside the app at any time. You can request a copy or deletion of everything we hold for your shop by emailing us. We will act on deletion requests within 30 days, and in practice much sooner.
Contact
Questions, export or deletion requests: support@getstoreroom.com.