Privacy Policy
Last updated: 2026-04-14
This Privacy Policy describes how Back in Stock (the "App") collects, uses and protects personal data in connection with its operation on the Shopify platform.
1. Data Controller
Sole proprietorship (micro-entrepreneur regime)
Bzh Corporate
SIRET: 893 264 564 00012
Address: 3 Allée des Patissiaux, 35510 Cesson-Sévigné
France
Contact: octane.reborn@pm.me
2. Data Collected
2.1 Merchant data (Shopify app users)
- Shop domain (shop.myshopify.com)
- Shopify OAuth access tokens (to call the Admin GraphQL API)
- Configuration settings: Resend API key (encrypted at rest), sender email, subject
- Usage counters (emails sent per day)
2.2 End-shopper data (merchant's customers)
- Email address voluntarily provided via the "Notify Me" button
- Shopify product and variant IDs associated with the notification request
- Signup date and status (active / notified / unsubscribed)
- Send log: sent date, status (delivered / failed / bounced)
No name, postal address, phone number, or payment data is collected.
3. Purposes and Legal Basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Send the back-in-stock notification requested | Explicit consent (Art. 6.1.a GDPR) given at signup |
| Provide the service to the merchant (install, dashboard) | Contract performance (Art. 6.1.b GDPR) |
| Fulfill Shopify compliance obligations (GDPR webhooks) | Legal obligation (Art. 6.1.c GDPR) |
| Minimal technical logging (server logs) | Legitimate interest (Art. 6.1.f GDPR) |
4. Retention
- Active subscriptions: retained until the shopper unsubscribes, or until the notification is sent.
- Unsubscribed subscriptions: automatically deleted within 30 days.
- Send logs: retained 13 months for dispute handling.
- Merchant data: deleted within 48 hours after app uninstall (shop/redact webhook).
5. Subprocessors
The following subprocessors process data on our behalf:
| Subprocessor | Purpose | Location |
|---|---|---|
| Shopify Inc. | E-commerce platform (app host) | Canada |
| Resend, Inc. | Transactional email sending | USA (EU Standard Contractual Clauses) |
| Hostinger | Hosting (servers + PostgreSQL database) | Lithuania (EU) |
All are bound by a Data Processing Agreement (DPA) and comply with the EU Commission's Standard Contractual Clauses when data transfers outside the EU occur.
6. Transfers outside the EU
Some subprocessors (Resend, Shopify) are located outside the EU. These transfers are covered by:
- Standard Contractual Clauses adopted by the EU Commission
- The EU-US Data Privacy Framework for Resend, Inc.
7. Your Rights (GDPR)
Under Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access: obtain a copy of your data.
- Right to rectification: correct inaccurate data.
- Right to erasure: request deletion of your data.
- Right to restriction of processing.
- Right to object: unsubscribe at any time via the link in every notification email.
- Right to portability: receive your data in a structured format.
To exercise these rights: octane.reborn@pm.me. Response within 30 days maximum.
You may also lodge a complaint with your supervisory authority (CNIL in France: www.cnil.fr).
8. Security
- All communications use HTTPS/TLS
- OAuth tokens and API keys are encrypted at rest
- Shopify webhooks are verified via HMAC signature
- Database access restricted by strong authentication
9. Cookies
The App does not use tracking cookies. Only technical cookies required for Shopify embedded admin authentication are used.
10. Changes
This policy may be updated. The date at the top of the page reflects the latest change. Material changes will be notified in the App's admin dashboard.
11. Contact
For questions about this policy: octane.reborn@pm.me
Site: https://backinstock.fairfaxdev.site