On this page
1. Data processing roles
Under the GDPR, the merchant is the data controller for their store's data, and StockUrgify acts as a data processor, processing data only to provide the Service on the merchant's instructions. For our own account and billing records, StockUrgify is the controller. This page complements our Privacy Policy and Terms of Service.
2. What data we process
| Category | Examples | Source |
|---|---|---|
| Shop identity | Shop domain, name, email, plan, country, currency, timezone | Shopify OAuth |
| Catalog & inventory | Product titles, variants, IDs, images, stock levels | Shopify Admin API |
| App configuration | Thresholds, messages, colors, rules, alert channels | Merchant input |
| Badge telemetry | Anonymous impression/click events, product, timestamp | Storefront script |
We do not collect storefront shoppers' names, emails, addresses, or payment data. Badge analytics are aggregate.
3. Shopify Protected Customer Data
StockUrgify is built to require no access to Protected Customer Data. We do not request customer PII scopes, and our storefront telemetry is anonymous. We follow Shopify's Protected Customer Data requirements: minimizing data access, encrypting data in transit and at rest, limiting retention, and maintaining staff data-handling practices.
4. Legal bases (GDPR)
- Contract — to deliver the Service you installed and to bill for it.
- Legitimate interests — to secure, maintain, and improve the Service and prevent abuse, balanced against your rights.
- Legal obligation — to comply with Shopify's mandatory webhooks and applicable law.
- Consent — where required, e.g. non-essential communications.
5. Your rights (GDPR & CCPA)
Subject to applicable law, you may have the right to:
- Access the personal data we hold and receive a copy (portability).
- Correct inaccurate data and complete incomplete data.
- Delete your data ("right to be forgotten").
- Restrict or object to certain processing.
- Withdraw consent at any time, without affecting prior processing.
- (CCPA) Know what is collected, request deletion, and not be discriminated against for exercising rights. We do not sell personal information.
To exercise a right, email privacy@stockurgify.com. We respond within the timeframes required by law (generally 30 days under GDPR, 45 days under CCPA).
6. Mandatory privacy webhooks
As required for all Shopify apps, StockUrgify implements the three GDPR/privacy webhooks. Shopify sends these and we act on them automatically:
| Webhook | What we do |
|---|---|
customers/data_request | We hold no storefront customer PII, so we return a record confirming none is stored. Any merchant-facing data is provided on request. |
customers/redact | We delete any data associated with the identified customer (none is typically held). |
shop/redact | Sent ~48 hours after uninstall. We erase the shop's settings, cached products, and telemetry from our systems. |
7. Requesting deletion
The fastest way to delete your data is to uninstall StockUrgify from your Shopify admin — this triggers Shopify's shop/redact webhook and your data is erased (typically within 48 hours, and no later than 30 days). To request deletion without uninstalling, or to confirm erasure, email privacy@stockurgify.com.
8. Subprocessors
We use a small set of vetted subprocessors under data protection agreements:
| Subprocessor | Purpose | Location |
|---|---|---|
| Shopify | Platform, OAuth, billing, webhooks, Admin API | Global |
| Cloud hosting | Application servers & database | EU / US |
| Email provider | Transactional & digest email | EU / US |
| Slack / Discord | Optional alert delivery (merchant-configured) | US |
We provide notice of material changes to this list. Request the current version at privacy@stockurgify.com.
9. International transfers
Where data is transferred outside the EEA/UK, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and equivalent mechanisms offered by our subprocessors.
10. Cookies
The embedded admin uses only the session tokens needed for Shopify authentication. The storefront badge script does not set advertising or cross-site tracking cookies; impression and click events are anonymous and used solely for merchant analytics.
11. Data Processing Agreement
For merchants who require a signed Data Processing Agreement (DPA), we offer one incorporating the GDPR Article 28 terms and the Standard Contractual Clauses. Request a copy at privacy@stockurgify.com.
12. Contact & DPO
For any data protection or GDPR/CCPA matter, contact our privacy team at privacy@stockurgify.com. You also have the right to lodge a complaint with your local supervisory authority. See our Privacy Policy and Terms of Service for related information.