Privacy Policy
Last updated: May 26, 2026
Overview
Stockcast ("we", "our") is a Shopify app that helps merchants forecast inventory and create purchase orders. We take privacy seriously and collect only what is strictly necessary to provide the service.
What we access
- Products, variants, inventory, locations — to show you stock levels and create purchase orders.
- Order line items (aggregated) — to compute sales velocity (units sold per day). We do NOT store customer names, emails, addresses, payment data, or any other personally identifiable information from orders.
- Store metadata — shop domain, currency, primary location, to scope all data to your store.
What we don't access
- Customer personal data (names, emails, addresses, IPs)
- Payment or transaction details
- Order notes or other free-form text fields
How we use the data
We use the data only to power Stockcast's features (inventory forecasting, reorder suggestions, purchase order management). We do not sell, share, or use your data for advertising, model training, or any other purpose.
Data retention
We retain your data only as long as Stockcast is installed on your store. When you uninstall the app:
- We receive an app/uninstalled webhook from Shopify and mark your data for deletion.
- All store data is removed within 48 hours of uninstall, unless required to be kept for legal compliance.
- If Shopify sends us a shop/redact webhook (typically 48 hours after uninstall), we delete everything immediately.
GDPR compliance
We handle Shopify's mandatory privacy webhooks:
- customers/data_request — since we don't store customer PII, we respond confirming no data is held.
- customers/redact — same as above (no PII to redact).
- shop/redact — we delete all store data immediately.
Security
- All data is encrypted in transit (TLS) and at rest (Postgres).
- Access tokens are stored encrypted and scoped to individual stores.
- We follow the principle of least privilege: read-only OAuth scopes where possible, write scopes only where required (inventory updates on PO receiving, product updates for supplier ↔ vendor sync).
Subprocessors
- Railway — application hosting (US data centers).
- Cloudflare — DNS and DDoS protection.
- Resend — transactional email (only for PO emails merchants explicitly send and low-stock digests they opt into).
- Shopify — source platform; data is mirrored from Shopify's APIs.
Contact
Questions? Email [email protected].