1) Who we are
2) What the App does
The App helps merchants generate AI images, optionally remove backgrounds, and create Shopify products with print‑ready 300 DPI PNG assets. It operates within the merchant’s Shopify admin.
3) Data we process
Merchant/store data (non-customer):
- Shopify shop domain and app session identifiers
- Admin user profile fields returned by Shopify OAuth (for example: first name, last name, email, locale) to operate sessions and authorization
- App configuration and subscription data (plan, limits/usage)
Product data:
- Product titles, descriptions, tags, media uploaded to the merchant’s Shopify store
Image processing data:
- AI-generated images provided by the merchant in the App and processed in memory or transiently to produce 300 DPI PNGs
We do not collect or process protected customer data (PCD) such as order, customer, contact, address, or phone information. The App does not query Customers, Orders, DraftOrders, Checkout, or similar PCD resources.
4) Purpose and legal basis
- Provide core functionality: image generation, image enhancement (300 DPI), background removal, and product creation
- Maintain sessions and enforce usage limits
- Improve reliability and prevent abuse (rate limiting and security logging)
Processing is necessary to perform the service the merchant requests by installing and using the App.
5) Protected customer data (PCD)
- The App is designed at Level 0 (no customer data) under Shopify’s protected customer data framework.
- We don’t request access to PCD or to PCD fields (name, address, email, phone).
- If future functionality needs PCD, we will request access through Partner Dashboard and meet the applicable Level 1/2 requirements before enabling such features for merchants. See Shopify’s guidance: Work with protected customer data.
6) Data minimization and retention
- We collect only the data needed to run the App.
- Session and subscription records are retained while the app is installed and for a limited period after uninstall (up to 30 days) for audit and billing reconciliation, then deleted.
- Image processing is performed in memory or via short‑lived uploads; we don’t keep permanent copies outside the merchant’s store unless explicitly necessary to deliver the feature.
- Logs are retained for a limited period for security and troubleshooting.
7) Security
- Encryption in transit (TLS) and at rest (platform-managed encryption).
- Role-based access controls; least privilege for operational staff.
- Database protections (row-level security enabled, server-side only access via service role).
- Protection against abuse (server-side rate limiting, input validation).
- Security incident response process; we will notify merchants of material incidents as required by law.
8) Subprocessors / data recipients
To operate the App, we use:
- Shopify Admin API and media storage (to create products and attach media)
- Vercel (application hosting)
- Supabase/Postgres (application database)
- Stability AI (optional image generation when merchant requests it)
We share only the minimum necessary data with these processors to provide the service.
9) International transfers
Data may be processed in data centers outside your jurisdiction by our hosting and database providers subject to their standard contractual safeguards and encryption.
10) Merchant/admin user rights
- Access, correction, deletion of App‑stored data related to your shop
- Uninstalling the App removes our access tokens; we delete residual data according to the retention schedule above
- Contact us at aliozgenc@hotmail.com for requests
11) Children
The App is intended for business use in Shopify admin and not directed to children.
12) Changes to this Policy
We may update this Policy as the App or laws evolve. Material changes will be communicated through the App or by email to the store owner on file.
13) Contact
Goa Digital Solutions
aliozgenc@hotmail.com