Data Protection

Data Protection Compliance

This page documents how PromoSync meets each of the 16 Shopify Protected Customer Data Access requirements. It serves as evidence for the Shopify compliance review process.

For our full privacy practices, see the Privacy Policy. For incident handling procedures, see the Security Incident Response Policy.

Level 1 Requirements

1. Data Minimization

PromoSync collects only the data necessary to operate:

  • Product data is written directly to the merchant’s Shopify store via the Admin API; PromoSync does not maintain a separate copy.
  • Order data (line items, shipping addresses) is accessed transiently during purchase order generation and is not persisted after processing.
  • Shop configuration (domain, OAuth tokens, app settings) is the only data stored in our database.

2. Merchant Transparency

  • A comprehensive Privacy Policy is published and accessible to all merchants.
  • The app dashboard shows all configuration settings, active suppliers, and sync status.
  • Data usage is described per data type in the Privacy Policy’s “How We Use Information” table.

3. Purpose Limitation

  • PromoSync does not use merchant or customer data for advertising, profiling, or analytics.
  • Each data type has a stated purpose (product sync, purchase order generation, app configuration) and is used exclusively for that purpose.
  • No data is repurposed or shared beyond the stated use cases.

4. Consent

  • PromoSync is a B2B tool that operates on behalf of merchants, not end consumers.
  • Customer data (shipping addresses on orders) is accessed only via merchant-granted OAuth scopes.
  • Merchants explicitly approve API permission scopes during app installation.

5. Opt-Out Rights

  • Merchants can uninstall the app at any time from their Shopify admin, triggering automatic data deletion.
  • GDPR compliance webhooks (customers/redact, shop/redact) handle data removal requests from Shopify.
  • Merchants can contact us directly to request immediate data deletion.

6. Automated Decision-Making

  • PromoSync does not make automated decisions about customers.
  • Pricing is configured by the merchant through explicit rules (pricing strategies, markup percentages).
  • Product sync and inventory updates follow merchant-defined settings, not automated profiling.

7. Data Protection Agreements

8. Data Retention

  • Shop data and configuration: retained while the app is installed; deleted on uninstall.
  • Product sync data: written to Shopify, not stored separately.
  • Order and shipping data: transient, not persisted after purchase order creation.
  • OAuth tokens: revoked and deleted on uninstall.
  • The shop/redact webhook handler deletes all archived records (including UninstalledShop entries).

See the Data Retention table in our Privacy Policy.

9. Encryption

  • In transit: all traffic is encrypted via HTTPS, enforced at the infrastructure level with no option to downgrade.
  • At rest: database and application data reside on Fly.io encrypted volumes.
  • Database connections: PostgreSQL connections use TLS in production.
  • Secrets: all credentials and API keys are stored as encrypted platform secrets on Fly.io, never in source code.

Level 2 Requirements

10. Backup Encryption

  • PromoSync uses Fly.io managed PostgreSQL for production, which provides encrypted volumes for all data at rest, including backups.
  • Database backups inherit the same encryption-at-rest protections provided by the hosting platform.

11. Environment Separation

  • Development: SQLite database, ngrok tunnels, IN_DEV=1 flag, local Docker containers.
  • Production: PostgreSQL on Fly.io, production domain, DEBUG=0.
  • The IN_DEV environment variable explicitly separates development and production behavior throughout the codebase.
  • Development and production environments use separate Shopify app credentials.

12. Data Loss Prevention

PromoSync employs a layered data loss prevention strategy:

  • Minimal data collection — product data is written directly to Shopify; order data is transient.
  • Automatic data archival on uninstall — shop configuration is archived before deletion for auditable removal.
  • Environment-based secret management — credentials stored as encrypted platform secrets, not in source code.
  • Scoped API access — only minimum required Shopify permission scopes are requested.
  • Webhook signature verification — all incoming Shopify webhooks validated via HMAC-SHA256.
  • Containerized deployment — application runs as non-root user in isolated Docker containers.

See the Data Loss Prevention section of our Privacy Policy.

13. Access Controls

  • A shopify_login_required decorator on all merchant-facing views ensures that only authenticated merchants can access their own shop's data.
  • JWT session token validation for embedded app requests.
  • HMAC signature verification on all incoming Shopify webhooks prevents unauthorized data injection.
  • Scoped OAuth permissions limit API access to only the capabilities the app needs.

14. Strong Authentication

  • OAuth 2.0 for Shopify API authentication — PromoSync never handles or stores merchant passwords.
  • JWT session tokens with expiration for embedded app requests, validated on every API call.
  • HMAC-SHA256 signature verification on all webhook payloads.
  • Signed state tokens with expiry for OAuth callback verification (anti-CSRF).
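The two HMAC-SHA256 checks listed in sections 12 to 14 (webhook signature verification and the signed, expiring OAuth state token), shown as an added Python example that is not PromoSync's own code. The secret value, the state-token format and the function names are constructed for this illustration; what is not assumed is Shopify's scheme itself: the X-Shopify-Hmac-Sha256 header carries the base64 HMAC-SHA256 of the raw request body under the app's API secret.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for this example; the real app reads it from an encrypted Fly.io secret.
APP_SECRET = b"constructed-example-app-secret"


def sign_webhook_body(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Value Shopify sends in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(secret, raw body))."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def verify_shopify_webhook(raw_body: bytes, hmac_header: Optional[str], secret: bytes = APP_SECRET) -> bool:
    """Verify over the raw request bytes (never a re-serialized JSON body) and compare in
    constant time so the check is not a timing oracle. A missing header is a rejection."""
    if not hmac_header:
        return False
    expected = sign_webhook_body(raw_body, secret).encode()
    return hmac.compare_digest(expected, hmac_header.encode())


def make_state_token(shop: str, ttl_seconds: int = 300, secret: bytes = APP_SECRET,
                     now: Optional[float] = None) -> str:
    """Signed, expiring OAuth state: shop|expiry|hex(HMAC-SHA256). Binding the shop domain
    into the signed payload stops a state issued for one store being replayed for another."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{shop}|{expiry}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_state_token(token: str, shop: str, secret: bytes = APP_SECRET,
                       now: Optional[float] = None) -> bool:
    """Accept only a well-formed, correctly signed, unexpired token issued for this shop."""
    try:
        tok_shop, expiry_text, sig = token.split("|")
        expiry = int(expiry_text)
    except ValueError:  # wrong field count or non-numeric expiry: malformed, reject
        return False
    expected = hmac.new(secret, f"{tok_shop}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    current = time.time() if now is None else now
    return tok_shop == shop and current < expiry
```

Both verifiers take an explicit `now` only so the expiry path can be exercised deterministically; production callers leave it unset.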

15. Access Logging

  • PersonalDataAccessLogMiddleware logs all access to endpoints that handle protected customer data.
  • Each log entry includes: timestamp, shop domain, HTTP method, endpoint path, client IP address, and response status code.
  • Logging was added as part of Shopify Level 2 compliance (see commit 9c01efb).
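An added example, not the code from commit 9c01efb, of an access-log middleware that records the six fields listed above for requests to protected endpoints. It is written as plain WSGI so it runs without a framework; the protected URL prefixes and the environ key carrying the shop domain are constructed for the illustration, and the client-IP helper shows the X-Forwarded-For handling needed when a platform edge proxies the app.

```python
import logging
import time
from typing import Dict, List, Optional

log = logging.getLogger("personal_data_access")
PROTECTED_PREFIXES = ("/orders/", "/purchase-orders/")  # constructed; real routes are not on the page


def client_ip(environ: dict, trusted_proxies: int = 1) -> str:
    """Use X-Forwarded-For only as far back as the proxies we trust (the platform edge);
    earlier hops are client-supplied and must not be recorded as the source address."""
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    if trusted_proxies and len(hops) >= trusted_proxies:
        return hops[-trusted_proxies]
    return environ.get("REMOTE_ADDR", "")


class PersonalDataAccessLogMiddleware:
    """WSGI middleware recording each request to a protected endpoint. The shop domain is
    assumed to be placed in environ["promosync.shop"] by the auth layer (constructed key)."""

    def __init__(self, app):
        self.app = app
        self.entries: List[Dict] = []  # in-memory copy of what was logged, handy for tests

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(PROTECTED_PREFIXES):
            return self.app(environ, start_response)  # no protected data: no entry
        status: Dict[str, Optional[int]] = {"code": None}
        def capturing_start_response(status_line, headers, exc_info=None):
            status["code"] = int(status_line.split(" ", 1)[0])
            return start_response(status_line, headers, exc_info)
        try:
            return self.app(environ, capturing_start_response)
        finally:  # runs even if the view raised, so failed access attempts are recorded too
            entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                     "shop": environ.get("promosync.shop", ""), "method": environ.get("REQUEST_METHOD", ""),
                     "path": path, "ip": client_ip(environ), "status": status["code"]}
            self.entries.append(entry)
            log.info("personal_data_access %s", entry)


def demo(environ: dict, status_line: str = "200 OK") -> List[Dict]:
    """Run one constructed request through the middleware around a stub view and return the log."""
    def view(env, start_response):
        start_response(status_line, [("Content-Type", "text/plain")])
        return [b"ok"]
    mw = PersonalDataAccessLogMiddleware(view)
    list(mw(environ, lambda s, h, exc_info=None: None))
    return mw.entries
```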

16. Incident Response

  • A published Security Incident Response Policy documents:
    • Incident classification and severity levels
    • Response procedures and timelines
    • Notification obligations to affected merchants and Shopify
    • Post-incident review and remediation steps

Contact

If you have questions about our data protection practices: