Privacy Policy
Last updated: May 13, 2026
Introduction
OpsBox ("we," "our," or "us") operates as a Shopify embedded application that provides order swap tools, catalog CSV recovery, and B2B buyer tools for Shopify merchants. This Privacy Policy describes how we collect, use, store, and protect your information when you install and use OpsBox.
Information We Collect
From Merchants (via Shopify APIs)
- Shop domain and store identification information
- Product data (titles, variants, IDs) for catalog operations
- Order data (order IDs, line items, fulfillment details) for order swap functionality
From Merchants (directly provided)
- B2B buyer records: email addresses, discount rates, and credit limits
- CSV files uploaded for catalog recycling
Automatically Collected
- Shopify session tokens for authentication
- Shop-to-tenant mapping identifiers
How We Use Your Information
- Order Swap:Read fulfillment order details and execute line-item replacement mutations on the merchant's store.
- B2B Portals: Store buyer records, cohort settings, discount rates, and credit limits for merchant operations.
- Catalog Recycler: Parse uploaded CSV files to update archived Shopify product listings via background processing.
- Authentication: Maintain OAuth sessions for secure access to your Shopify Admin APIs.
Data Storage and Security
Data is stored in a Nile-powered PostgreSQL database with native tenant isolation. Each Shopify store's data is logically separated by tenant ID. OAuth sessions are encrypted and stored in the database (not in browser local storage). All data is transmitted over HTTPS.
Data Retention
- Active installs: Data is retained for as long as the app remains installed on your Shopify store.
- After uninstall: When you uninstall OpsBox, all stored data for your shop is automatically deleted, including B2B buyer records, catalog data, session data, and shop-to-tenant mappings.
- Compliance requests: Shopify may send a shop redaction request 48 hours after uninstall. We process these requests and delete any remaining data.
Data Sharing
We share data with the following third-party services only as necessary to provide the app's functionality:
- Shopify: We read and write data via the Shopify Admin GraphQL API under the scopes you authorize during installation.
- Trigger.dev: Background processing of catalog CSV uploads. Job payloads include product data but no customer PII.
We do not sell, rent, or trade your data to any third party.
Your Rights
You have the right to:
- Access: Request a copy of all data we store about you or your customers.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your data at any time. Uninstalling the app automatically triggers full data deletion.
- Restriction: Request that we limit processing of your data.
We comply with GDPR, CCPA/CPRA, and other applicable privacy regulations. Shopify may forward data subject requests to us via mandatory compliance webhooks, which we process automatically.
Contact
For privacy inquiries, data requests, or questions about this policy, contact us at: privacy@opsbox.studio
Related Documents
Please also review our Terms of Service and Support page.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Your continued use of OpsBox after changes are posted constitutes acceptance of the revised policy.