Privacy Policy
Last updated: March 26, 2026
InventoryIntel provides inventory analysis and recovery tools for Shopify merchants.
This Privacy Policy explains what information we collect, how we use it, how we handle retention and deletion, and how merchants and staff users can contact us regarding privacy-related matters. We do not collect store customers' personal data in normal app operation.
1. Information We Collect
To run the app, we process merchant, store, staff-user and operational commerce data made available through Shopify, plus the settings merchants add inside InventoryIntel.
- Store and account information: shop domain, app plan and billing status, timezone, currency settings and store contact details made available through Shopify.
- Merchant and staff authentication data: Shopify session records and app authentication data, which may include the staff member's email address, collaborator and account-owner flags, locale and encrypted access tokens. We use this data for role-based access control, secure access, operational notices and to understand which staff member or merchant admin triggered certain admin or configuration actions in the app.
- Product, inventory and location data: product titles, variant titles, SKUs, barcodes, pricing, compare-at pricing, unit cost, inventory quantities, inventory item IDs, tags, product type, vendor, product images and location-level inventory facts used to detect stagnant stock and choose recovery actions.
- Order and campaign performance data: recent order-line facts and recovery performance records used to calculate velocity, demand decay, risk, attribution and recovery outcomes. This can include order IDs, product or variant IDs, quantities, prices, order timestamps, source channel, shipping country code, discount identifiers and campaign outcome data.
- Merchant-provided inputs: automation rules, AI context notes, storefront campaign settings, approval choices and other configuration data entered by the merchant in the app.
InventoryIntel's core operational database is designed to avoid storing customer names, email addresses, phone numbers, street addresses, or payment details as part of normal recovery workflows. We do not collect or store store customers' personal data for general app use. The only customer information that may enter our workflow is the email address and related request data that Shopify sends when it delivers a GDPR or privacy request. We process that information only to satisfy the request at issue and not for marketing or advertising.
2. How We Use Information
We use the information described above solely to provide and improve InventoryIntel's services.
- Analyze product movement and sales velocity over time.
- Calculate inventory velocity, risk scores and recovery opportunities for your catalogue.
- Generate AI-assisted recovery plans, recommendations and campaign copy.
- Create and track Shopify discount codes, bundles, tags and storefront campaign assets when you launch a campaign.
- Record merchant approvals, overrides, state transitions, sync attempts and recovery outcomes for support, rollback and audit purposes.
- Send operational reminders, audit notices and privacy-response emails when needed.
- Process billing and subscription management through Shopify.
- Maintain service reliability, troubleshoot issues and improve store-specific recommendations.
- Use infrastructure and application telemetry for security, fraud prevention, cost control and service monitoring.
- Record GDPR webhook handling and operational access events so privacy requests and security incidents can be audited.
We never sell, rent, or share your store data with third parties for marketing or advertising purposes.
The embedded app does not use third-party advertising trackers, and adding them is not on our roadmap. If we introduce product analytics tooling in the future, we will update this policy before using it for merchant-facing behaviour analysis.
3. AI Processing
InventoryIntel sends selected store-operational data to an AI service to generate recovery recommendations and merchant-facing copy. This may include product titles, variant titles, SKUs, prices, inventory levels, velocity metrics, campaign context, and merchant notes or preferences relevant to the recommendation.
This AI input is not fully anonymised because product and SKU data can identify items in a merchant's catalogue. It is intentionally limited to business and operational data. We do not send store customer names, email addresses, phone numbers, street addresses or payment details to the AI service.
We may also use store-level operational outcomes, such as which recommendations were accepted, campaign settings and revenue recovered, to improve future recommendations for that merchant.
4. Data Retention and Deletion
- InventoryIntel uses recent order history, typically the last 90 days, to power velocity calculations and stock-risk analysis. Records older than that are not needed for the core analysis workflow and may be pruned or rolled up into aggregate reporting.
- We retain merchant, store and operational data only for as long as it is needed to provide the service, maintain auditability, support rollback and billing workflows, and comply with Shopify or legal obligations. Where a shorter retention period is possible, we use it.
- If the app is uninstalled, we promptly remove Shopify session data and revoke app access tokens. When Shopify later sends the mandatory shop/redact webhook, we delete the shop record and related app data from our database unless a longer retention period is required by law.
- Some raw attribution records may be pruned after they have been rolled up into longer-term reporting records, but audit and operational history needed to run and support the app may remain while the merchant uses the service.
5. GDPR & CCPA Compliance
InventoryIntel is designed with privacy by default. We comply with Shopify's mandatory GDPR webhooks. These are the only customer-data requests we handle:
- customers/data_request: when Shopify sends a customer privacy request, we review whether InventoryIntel holds any customer-specific data for that request and process it through our privacy workflow.
- customers/redact: when Shopify provides order IDs to redact, we delete matching order-line records from our database.
- shop/redact: we delete the shop record and cascading related app data from our database after Shopify sends this webhook.
6. Security & Infrastructure
- We implement reasonable administrative, technical and organisational safeguards to protect merchant, staff and request-handling data against unauthorised access, disclosure, alteration or destruction.
- Admin access to the systems we use for the service requires strong, unique passwords and MFA on the core control planes we rely on, including the secure cloud computing services, the hosting service for Git repositories, Shopify Partner access and shared mail or password-manager accounts.
- Customer-request data and merchant/staff data are separated from development data where possible. Production secrets are stored in Secret Manager rather than in source code.
- We use authenticated Shopify app sessions and protect access tokens and API credentials as sensitive data.
- Our structured application logs redact sensitive fields such as tokens, API keys and email addresses. We do not rely on logs as a source of customer-facing personal data.
- We use service providers to host the application and support email delivery, AI-assisted features and operational infrastructure telemetry.
- We maintain a documented security incident response process for containment, investigation, recovery and required notifications.
7. Privacy Rights
Merchants and customers may have rights under applicable privacy laws, including rights to request access to or deletion of personal data where applicable.
Merchants can contact us directly about app data. Store customers should usually submit privacy requests through the merchant or Shopify. We do not maintain a general customer contact database and only handle customer data when Shopify sends a privacy webhook.
8. Contact Us
For privacy-related requests, data deletion, or questions about this policy:
- Email: privacy@inventory-intel.app
- Response time: within 30 days for GDPR requests, 10 days for standard inquiries.