Privacy Policy
Last updated: August 23, 2025
This Privacy Policy explains how Digit Grove (“we,” “our,” “us”) collects, uses, and safeguards information in connection with the Easy Product Badge & Watermark Shopify app (“App”). This policy is designed for Shopify merchants (“Merchants”). We do not collect information about Merchants' end-customers through this App.
Quick Summary
- We only store session and authentication details required for the App to function.
- We do not store products, orders, or customer data in our database.
- When you uninstall, we disable access and remove tokens and sessions within a reasonable window.
- We implement Shopify's mandatory GDPR webhooks and HMAC verification for security.
Data We Store (Session Only)
We store a minimal set of session records in our database (Prisma) to authenticate and keep your App sessions working.
The fields we store, what they mean, and why we keep them:
- shop (your myshopify.com domain) — identifies the store to authorize and route API requests.
- state — OAuth anti-forgery token used during authentication.
- isOnline, scope, expires — session properties that determine type, permissions, and expiry.
- accessToken — your Shopify Admin API access token used to make App requests. Stored securely and never shared with third parties for marketing.
- userId, firstName, lastName, email, locale, accountOwner, collaborator, emailVerified — optional user context that may be provided by Shopify for admin identification, support/audit logs, and to improve UX (e.g., locale). We do not use this for advertising.
We do not persist your store's product, order, or customer data in our database. Any badge/watermark operations act on images in Shopify and return results to your store; we do not build a separate profile on you or your customers.
What We Do Not Collect
- No end-customer personal data.
- No payment card numbers.
- No order or product catalogs stored outside Shopify (beyond ephemeral processing through the API).
How We Use Your Data
- Authenticate the App and make authorized Shopify API calls on your behalf.
- Maintain secure sessions and respect your granted scopes.
- Provide support and troubleshoot issues (using minimal admin user context).
- Comply with legal obligations and Shopify platform requirements.
Legal Bases (GDPR/UK GDPR)
- Performance of a contract — to provide the App you installed.
- Legitimate interests — to maintain security, prevent abuse, and improve reliability (balanced against your rights).
- Legal obligation — to meet compliance and audit requirements.
Retention
We retain session records and access tokens only as long as necessary to operate the App. When you uninstall the App, we revoke access and remove associated tokens/sessions within 30 days (often sooner), unless a longer period is legally required (e.g., audit logs).
Security
- All webhook and Admin API requests are verified using Shopify HMAC signatures.
- Access tokens are stored securely with restricted access.
- Transport security (HTTPS) is enforced for data in transit.
Your Rights
If you are in the EU/EEA/UK, you may have rights of access, rectification, erasure, restriction, objection, and portability with respect to personal data we process about you (as a Merchant admin). To exercise these rights, please contact us using the details below. We may ask you to verify your identity and Shopify store ownership.
Shopify as a Separate Controller
Shopify also processes data as a separate controller when you use the Shopify platform. See Shopify's privacy policy for details on its practices. Requests regarding your end-customers' personal data should generally be directed to Shopify and/or handled through your store's built-in privacy tools.
GDPR/CCPA Webhooks
We support Shopify's mandatory GDPR topics (e.g., data erasure and data access requests) and will act on them as required by the platform. If we receive a valid request via Shopify, we will process it in accordance with this Policy and applicable law.
International Transfers
Depending on your store location and our hosting/database region, your data may be processed in jurisdictions that may not provide the same level of data protection as your home country. We take steps consistent with applicable law to protect your information during such transfers.
Children
The App is for businesses and is not directed to children. We do not knowingly collect information from individuals under 16.
Changes to This Policy
We may update this Policy from time to time. When we do, we will revise the “Last updated” date at the top. Continued use of the App constitutes acceptance of the revised Policy.
Contact
Questions or requests? Email us at support@digitgrove.com. If you prefer postal mail, please include your store's myshopify.com domain and a reply email.