Privacy Policy — Catalogist
Last updated: [Effective Date]
Draft note — delete this banner before publishing. Not legal advice. This document is a thorough, accurate starting point written around how Catalogist actually handles data. Have it reviewed by qualified legal counsel for your jurisdiction(s) before you publish or rely on it, and replace every [bracketed] placeholder (including the effective date — a dated, public policy is required by Shopify and by privacy law).
This Privacy Policy explains how Iscovici Labs – by Ori Iscovici (“Catalogist,” “we,” “us”) collects, uses, stores, and shares information when you install and use the Catalogist – Bulk Product Editor application (the “App”) on your Shopify store. By installing or using the App, you agree to this Policy. Where we process personal data on your behalf as a processor, the Data Processing Agreement also applies.
1. The short version
- Catalogist is a catalog-editing tool. It accesses and edits your products, variants, inventory, and locations — nothing else.
- Catalogist does not access, request, store, or process your customers’ personal data or your orders. We hold no customer/order Shopify scopes.
- We store only what’s needed to operate the App: your store domain and plan, the access token Shopify issues us, and a history of the edits you make (so you can undo them).
- We use a small number of infrastructure providers (§6) and do not sell or rent your data or use it for advertising.
2. Who this Policy covers
This Policy covers you, the merchant (the store owner and staff who use the App). It is separate from your own privacy obligations to your customers — see §9. We provide the same privacy rights to all users regardless of where you are located.
3. What we access, and what we deliberately don’t
Catalogist requests only these Shopify access scopes:
| Scope | Why |
|---|---|
| `write_products` | Read and bulk-edit products, variants, prices, tags, status, type, vendor, SEO. |
| `write_inventory` | Read and edit inventory quantities. |
| `read_locations` | List your locations so you can choose where to edit inventory. |
We do not request — and therefore cannot access — customer records, order data, payment data, fulfillment data, or any protected customer data. This is a deliberate design boundary.
4. What we store, and why
| Data | Purpose | Where |
|---|---|---|
| Store identifier — your .myshopify.com domain and plan (free/Pro) | Operate the App; apply your subscription | Database (Neon) |
| Shopify access token (offline) | Make the edits you request, on your behalf, via the Shopify Admin API | Database (Neon) — see §8 |
| Edit history (“changesets”) — a record of each edit: which products, the operation, and a capped sample of before→after values | Power the History / undo (“Time Machine”) feature (see Terms §5 for the scope and limits of undo) | Database (Neon) |
| Undo snapshots — the prior values needed to reverse a bulk edit | Reverse a change when you click Undo | Object storage (Cloudflare R2) |
| Operational metadata — job status, timestamps, idempotency keys, error context | Run background jobs reliably; debugging | Database (Neon) |
| Product analytics events (see §6) — e.g. “edit applied,” keyed to your store domain (not to individual staff) | Understand feature usage and improve the App | PostHog |
This history and snapshot data is your catalog data (titles, prices, inventory numbers, tags, etc.) — not end-customer personal data. We do not collect device fingerprints, advertising identifiers, or browsing data outside the App.
5. How we use information
We use the data above only to: (1) provide the App’s features (bulk editing, preview, History, undo); (2) apply your plan and process billing through Shopify (we never see or store card details — Shopify handles payment); (3) operate, secure, debug, and improve the App; (4) communicate with you about support you request; and (5) comply with legal obligations. We do not use your data for advertising or for any purpose unrelated to operating the App.
Legal bases (where the GDPR / UK GDPR applies)
Where you are a natural person (e.g. a sole trader), your store domain, access token, and related data may be personal data. We process it on these bases:
- Performance of a contract (Art. 6(1)(b)) — store identifier, access token, edit history, undo snapshots, and operational metadata necessary to provide the App you installed.
- Legitimate interests (Art. 6(1)(f)) — aggregate usage analytics, debugging, and security monitoring, where our interest in a secure, reliable, improving App is not overridden by your rights. You may object (§9).
- Legal obligation (Art. 6(1)(c)) — limited data retained to meet tax, accounting, or regulatory requirements.
6. Service providers (subprocessors)
We share data only with the infrastructure providers needed to run the App. We rely on each provider’s data processing terms, which require them to process data only on our instructions, keep it secure, and assist with data-subject requests. We remain responsible for their performance. Our current subprocessors (also listed, with regions, in the DPA):
| Provider | Role |
|---|---|
| Shopify | The platform the App runs on; OAuth, billing, compliance webhooks. |
| Neon | Managed PostgreSQL database (store id, token, edit history, metadata). |
| Cloudflare R2 | Object storage (undo snapshots). |
| PostHog | Product analytics (events keyed to your store domain), when enabled. |
| [Hosting provider] | Runs the App server. (Fill in before publishing.) |
We will give at least 30 days’ notice before adding a subprocessor that materially changes how data is handled, so you can object or uninstall.
Analytics note: product analytics is configured by us at the application level and, when enabled in production, is always on; it is keyed to your store domain (never to individual staff), is used only to understand feature usage and improve the App, and is never used for advertising or shared for others’ purposes. We rely on legitimate interests for it.
7. Data retention and deletion
- While installed: we retain your edit history and undo snapshots for the life of your installation, because undo is available without expiry by design — that non-expiring safety net is a core feature. We minimize what we keep (a capped before/after sample plus the values needed to reverse a change).
- When you uninstall: Shopify notifies us. We delete your access token immediately and delete your store record, edit history, and snapshots within [30] days, except where we must retain limited records to meet a legal obligation.
- Shop redact: we erase a store’s data in response to Shopify’s `shop/redact` webhook (sent ~48 hours after uninstall) on the same schedule.
- Customer data requests/redaction: Shopify also sends `customers/data_request` and `customers/redact`. Because Catalogist stores no customer personal data, we have none to return or erase; we acknowledge these requests as required.
- On request: you may ask us to delete specific history or all data we hold for your store at any time (§11). (An in-app delete-history control is on our roadmap; until then, contact us.)
8. Security
We protect data with measures appropriate to its sensitivity: encryption in transit (TLS 1.2+); encryption at rest provided by our database and storage providers; scoped, least-privilege credentials; and access tokens treated as secrets that are never logged and are transmitted only to authenticate requests to the Shopify Admin API. (We are working to add application-level encryption of the stored access token; this Policy will be updated when that ships and will not imply protection we have not implemented.)
Breach notification. If a personal-data breach affects data we process for you, we will notify you without undue delay and within 72 hours of becoming aware, to the extent feasible, with the information you need to meet your own obligations. Notice goes to the email associated with your Shopify account.
No method of storage or transmission is 100% secure, but we work to protect your information and to address incidents in accordance with applicable law.
9. Your rights, roles, and transfers (GDPR / UK GDPR / CCPA / similar)
- Roles: For your store and catalog data, you are the controller and Catalogist is a processor acting on your instructions, under the DPA. We process such data only to provide the App.
- Your customers: Catalogist does not process your customers’ personal data, so we are not a processor of it. Your obligations to your customers under the GDPR, UK GDPR, CCPA/CPRA, or other laws are unaffected by Catalogist.
- Your rights: depending on your location you may have rights to access, correct, export, restrict, or delete the data we hold about your store, and to object to processing based on legitimate interests. Contact us (§11) to exercise them. We do not sell or “share” personal information as defined by the CCPA/CPRA, and we do not discriminate against you for exercising your rights.
- International transfers: our providers may process data in the United States and the European Union. Where personal data leaves the EEA or UK to a country without an adequacy decision, transfers rely on the EU Standard Contractual Clauses (2021/914) and, for the UK, the UK IDTA / Addendum, or on equivalent safeguards in our subprocessors’ DPAs.
- Supervisory authority: Catalogist is operated by Iscovici Labs – by Ori Iscovici, based in [Country/State]. If you believe we have not handled your data lawfully, you may lodge a complaint with a supervisory authority in your country of residence, place of work, or where the issue arose (in the UK, the ICO).
10. Children
The App is a business tool for Shopify merchants and is not directed to children. We do not knowingly collect personal data from children.
11. Contact
Questions, requests, or complaints about this Policy or your data:
- Email: [support / privacy email]
- Entity: Iscovici Labs – by Ori Iscovici
- Address: [Business Address]
- Data Protection Contact: [name/role, if applicable]
12. Changes, severability, and entire agreement
We may update this Policy as the App or the law evolves. For material changes we will give at least 30 days’ notice through the App or by email before they take effect; if you object, you may uninstall before the effective date. The “Last updated” date above will change with each revision. If any provision of this Policy is found invalid, the rest remains in effect. This Policy, together with the Terms of Service and the DPA, is the entire understanding between you and Catalogist regarding data handling.