This Privacy Policy describes how our Shopify application collects, uses, stores, and protects information when you install and use our services. We are committed to protecting your privacy and complying with applicable data protection laws, including GDPR.
By installing and using this App, you agree to the collection and use of information in accordance with this policy.
Data Controller Information
App Provider: Infinite Fulfillment
Contact Email: admin@infinitefulfillment.cn
Service Domain: infinitefulfillment.cn
For any questions about this Privacy Policy or our data practices, please contact us at the email address above.
Table of Contents
1. Data We Collect
1.1 Shop Owner and Staff Information (Session Data)
When you install the App, we collect and store the following information through Shopify's OAuth authentication process:
- Shop Domain: Your Shopify store domain (e.g., yourstore.myshopify.com)
- Shop Owner/Staff Email: Email address of the person who installed the app
- Name: First name and last name of the installer
- OAuth Access Token: Secure token for API communication with your Shopify store
- Account Type: Whether the user is the account owner or a collaborator
- Scope: API permissions granted to the app
- Session Status: Whether the session is online or offline
Storage Location: This data is stored in our Session database table.
Purpose: This information is necessary for authenticating your shop, accessing your store data through Shopify's API, maintaining your app session, and providing app functionality.
1.2 Shop Configuration Data
We store configuration settings for your shop, including:
- Shop ID: Unique identifier for your Shopify store
- Tracking Page Settings: Customization options for order tracking pages
- Email Template Settings: Custom email notification templates
- Chat Widget Settings: Configuration for customer chat features
- Feature Toggles: Enabled/disabled features (e.g., chat enabled, virtual product auto-fulfillment)
Storage Location: This data is stored in our ShopData database table.
Purpose: To provide and customize app features according to your preferences.
1.3 Customer Interaction Data (Chat Widget)
When your customers use the Chat Widget feature:
- Order Numbers: Order numbers entered by customers for tracking
- Chat Context: Conversation history and context for AI assistance
- Shop Domain: Which store the customer is interacting with
- Client IP Address: IP address of the customer (forwarded for security purposes)
1.4 GDPR Export Requests
When a customer requests their personal data:
- Customer ID: Shopify customer ID
- Customer Email: Customer's email address
- Request Timestamp: When the data request was received
- Export File: JSON file containing all customer data stored by the app
- Download Token: Secure token for accessing the export file
- Download Status: Whether the export has been downloaded
Storage Location: Export files are stored temporarily (30 days) in our secure file system.
Purpose: To comply with GDPR "Right to Access" requirements.
2. How We Use Your Data
2.1 App Functionality
We use your data to:
- Authenticate and maintain your app session
- Access your Shopify store data through authorized API calls
- Display order tracking information to your customers
- Send order notification emails based on your templates
- Provide AI-powered customer support through the chat widget
- Store and apply your app configuration preferences
2.2 Service Improvement
We use aggregated, anonymized data to:
- Monitor app performance and reliability
- Identify and fix technical issues
- Improve user experience and features
2.3 Legal Compliance
We process data to:
- Comply with GDPR and other privacy regulations
- Respond to data subject requests (access, deletion)
- Maintain audit logs for security purposes
- Fulfill legal obligations
3. Data Storage and Security
3.1 Storage Infrastructure
- Database: SQLite database hosted on our secure servers
- Location: All data is stored on servers located in China
- Access Control: Restricted to authorized personnel only
- Encryption: Database connections and API communications use encryption
3.2 Security Measures
We implement industry-standard security practices:
- OAuth 2.0: Secure authentication with Shopify
- HMAC Verification: Webhook payload validation
- Access Tokens: Encrypted storage of OAuth tokens
- Secure File Storage: Export files protected by unique tokens
- Regular Updates: Security patches and dependency updates
- Audit Logging: Tracking of data access and modifications
3.3 Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Session Data | Until app uninstallation | Required for app functionality |
| Shop Configuration | Until app uninstallation | Required for feature delivery |
| Chat Context | Real-time only (not stored) | Processing only, no persistence |
| GDPR Export Files | 30 days | Legal compliance requirement |
| Audit Logs | 90 days | Security and compliance |
4. Data Sharing and Third Parties
4.1 No Third-Party Sharing
We do NOT share, sell, rent, or trade your data with third parties for marketing purposes.
4.2 Internal Processing Only
All data processing is performed by our own systems:
- AI Service: Hosted at infinitefulfillment.cn (our own infrastructure)
- Database: Self-hosted SQLite database
- File Storage: Local file system on our servers
4.3 Shopify Integration
We access your Shopify store data through official Shopify APIs using OAuth tokens. This integration is governed by Shopify's API Terms of Service, the specific API scopes you authorize when installing the app, and our secure OAuth implementation.
4.4 Legal Disclosure
We may disclose data only when:
- Required by law, regulation, or legal process
- Necessary to protect our rights, property, or safety
- Requested by law enforcement with proper authorization
5. Your Rights (GDPR Compliance)
5.1 Right to Access
You have the right to request a copy of all personal data we store about you.
For Shop Owners: Access your shop configuration through the app admin panel at any time.
For Customers: Submit a data access request through Shopify's customer portal. We will provide a complete export within 30 days.
5.2 Right to Deletion (Right to be Forgotten)
You have the right to request deletion of your personal data.
For Shop Owners: Uninstalling the app triggers automatic deletion of all your shop data within 48 hours via Shopify's shop/redact webhook.
For Customers: Submit a deletion request through Shopify's customer portal. We will delete your data immediately upon receiving the customers/redact webhook.
5.3 Right to Rectification
You can update your shop configuration at any time through the app admin panel.
5.4 Right to Restriction
You can disable specific features (e.g., chat widget, email notifications) through the app settings to restrict data processing.
5.5 Right to Data Portability
Data export requests are fulfilled in machine-readable JSON format, making it easy to transfer to other services.
5.6 Right to Object
You can object to data processing by uninstalling the app or disabling specific features.
6. GDPR Compliance Mechanisms
6.1 Mandatory Webhooks
We implement all three mandatory GDPR webhooks:
customers/data_request: When a customer requests their data, we automatically:
- Collect all stored customer information
- Generate a secure JSON export file
- Create a download link valid for 30 days
- Notify the shop owner through the app admin panel
customers/redact: When a customer requests deletion, we automatically:
- Delete all customer data from our database
- Remove any associated records
- Log the deletion for audit purposes
shop/redact: When you uninstall the app, we automatically (within 48 hours):
- Delete all shop sessions
- Delete all shop configuration data
- Remove all associated records
- Purge all temporary files
6.2 Data Export Access
Shop owners can view and download all GDPR data export requests through:
- Admin Panel: Navigate to Settings → Data Exports
- Direct URL: [Your App URL]/app/data-exports
Each export includes request timestamp, customer information, all stored data, 30-day download link, and expiry date.
7. Cookies and Tracking
7.1 Shopify Session Cookies
We rely on Shopify's session cookies for authentication. We do NOT set our own cookies for tracking purposes.
7.2 No Third-Party Analytics
We do NOT use third-party analytics services (e.g., Google Analytics) that track your users.
7.3 Chat Widget Context
The chat widget may store temporary context in browser memory during active conversations. This data is cleared when the chat is closed.
8. Children's Privacy
This App is not intended for use by children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
9. International Data Transfers
Our servers are located in China. If you are accessing the App from outside China, please be aware that your data will be transferred to and processed in China. By using the App, you consent to this transfer.
We ensure appropriate safeguards are in place for international data transfers in compliance with GDPR requirements.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, new features or services, and legal or regulatory requirements.
Notification: We will notify you of significant changes by updating the "Last Updated" date, sending an email notification to shop owners, and displaying a notice in the app admin panel.
Your Acceptance: Continued use of the App after changes constitutes acceptance of the updated policy.
11. Data Breach Notification
In the unlikely event of a data breach that affects your personal data, we will notify affected users within 72 hours of discovery. Notification will include the nature of the breach and steps we're taking. We will report to relevant supervisory authorities as required by law.
12. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
Email: admin@infinitefulfillment.cn
Subject Line: Privacy Inquiry - [Your Shop Domain]
Response Time: We aim to respond to all privacy inquiries within 5 business days.
For GDPR-specific inquiries, you may also contact your local data protection authority.
13. Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Contractual Necessity: Processing shop owner data to provide app services you've requested
- Legitimate Interest: Processing customer interaction data to provide chat support features
- Legal Obligation: Processing GDPR requests to comply with privacy laws
- Consent: Processing optional features (e.g., email notifications) based on your settings
14. Automated Decision Making
The App uses AI-powered features for generating customer support responses in the chat widget and suggesting order tracking information.
User Control: All AI-generated responses are suggestions only. Shop owners control all app settings and can disable AI features at any time.
No Profiling: We do NOT use automated decision-making for profiling or decisions that significantly affect users.
15. Your Responsibilities
As a shop owner using this App, you are responsible for:
- Maintaining the security of your Shopify admin credentials
- Notifying your customers about the App's use (link to this policy)
- Complying with applicable laws in your jurisdiction
- Responding to customer data requests within required timeframes
- Downloading and providing GDPR export files to customers within 30 days