Privacy Policy

Last updated: May 30, 2026

1. Overview

Shopbuilder ("we", "us") provides a mobile app builder service for Shopify merchants. This policy explains what data we collect, why we collect it, and how we handle it.

2. Information we collect

Merchant data. When you install the Shopbuilder Shopify app, Shopify grants us access to certain data about your store based on the OAuth scopes you approve. This includes product, inventory, and publication data, and may include customer records for the wishlist and newsletter features if you enable them.

Configuration data. Your mobile app design (themes, blocks, colors, copy, integrations configuration) is stored on our infrastructure so it can be rendered into your mobile storefront.

Buyer data via your mobile app. When a buyer uses your mobile application, they may authenticate via the Shopify Customer Account API. Authentication tokens are stored on the buyer's device. We do not persist buyer-keyed personal data on our servers beyond ephemeral session refresh tokens that are not linked to a customer identity on our side.

Operational data. We log standard request metadata (IP address, user agent, request paths, timestamps) for security, debugging, and abuse prevention.

3. How we use data

• To provide the Shopbuilder service: rendering your mobile storefront, syncing products from Shopify, processing checkout requests.
• To operate, secure, and improve the service, including diagnosing errors and preventing abuse.
• To communicate service-related updates to merchants on file.

We do not sell merchant or buyer data.

4. Third parties

We use the following sub-processors:

• Shopify — source of merchant store data and host of checkout.
• Supabase — database and storage for configuration and credentials.
• Cloudflare — application hosting, content delivery, and DDoS protection.
• Apple and Google — distribution platforms for the mobile applications you publish under your own developer accounts.

Integrations you choose to enable (such as Google Analytics 4 or Meta Pixel) send buyer analytics events to those providers under their own privacy policies, subject to buyer consent collected in your mobile app.

5. GDPR and buyer rights

Shopify forwards GDPR-mandated requests (data access, data deletion, shop redaction) to our webhook endpoints. We respond to these requests as required by the Shopify Partner Program Agreement and applicable law. Buyers can also contact the merchant directly to exercise their rights, since the merchant is the data controller for their customer data.

6. Data retention

Merchant configuration is retained for the duration of your use of Shopbuilder. When you uninstall the Shopify app, your access token is invalidated immediately. Shopify forwards a shop-redaction request 48 hours after uninstall, at which point we delete the merchant record; cascading deletes remove associated projects, configuration versions, and customer session data.

7. Security

Data in transit is protected with TLS. Access tokens and other sensitive credentials are stored encrypted at rest. We use HMAC verification on all Shopify webhooks and signed-query channel admin requests to prevent forgery.

8. Changes

We may update this policy from time to time. Material changes will be communicated through the Shopbuilder dashboard or by email.

9. Contact

Privacy questions: privacy@shopbuilder.online