Privacy Policy

Effective date: 2025-08-01

Who we are

This Privacy Policy describes how the ROSE Integration app (the “App”) developed by Plenish (“we”, “us”, “our”) collects, uses, and protects information in connection with our app in the Shopify App Store.

What data we process

The App connects to your Shopify store via the Shopify Admin API using the access scopes you grant during installation. We strive to request the minimum scopes necessary for the App to function.

• Store data from Shopify (read-only or read/write depending on scope): products, variants, inventory levels, locations, orders and fulfillments, publications/markets, and basic shop information (for example, myshopify domain). We use this to import products, manage variant statuses, register metafields, and react to order/fulfillment webhooks.
• Customer data: We do not collect or store customer personal data (such as names, emails, or phone numbers).
• Merchant user (staff) data: We create and manage merchant admin accounts and related identifiers for access control (for example, user name, email and Cognito identifiers).
• Brand assets and operational data: We store brand-specific configuration and operational artifacts (for example, warehouse locations, product categories, and brand assets like photos) necessary for the App’s features.

How we use data

• To provide core functionality (product import, variant status management, and related workflows).
• To respond to Shopify webhooks (for example, orders/create, fulfillments/update, orders/cancelled).
• To operate merchant onboarding and authorization for your team members.
• To improve reliability, troubleshoot issues, and ensure security.

Legal bases

Where applicable, we rely on your consent (Shopify OAuth scopes), legitimate interests in operating and improving the App, and contractual necessity to provide the services you request.

Data storage and location

• Hosting and infrastructure: We use Amazon Web Services (AWS). Certain services (for example, Amazon EventBridge for webhooks) are configured in the ca-central-1 region.
• Media/brand assets: Stored in AWS S3 buckets provisioned for your brand.
• Operational database: Brand and operational data are stored in our managed database hosted in AWS.

Sub-processors

• Shopify Inc. – Shopify Admin platform and webhooks
• Amazon Web Services (AWS) – infrastructure (compute, storage, webhooks bus)
• Cloudflare (during development)

Data retention

We retain operational data for as long as your app is installed and as needed to provide the App. Upon uninstallation, we initiate cleanup workflows to remove brand-linked data that we control.

Your rights

Depending on your jurisdiction, you may have rights to access, correct, or delete your personal data. For customer data managed by Shopify (for example, end-customer information), Shopify remains the controller. We subscribe to the GDPR webhooks required by Shopify (customers/data_request, customers/redact, shop/redact) and will act accordingly.

No sale of personal information (CCPA/CPRA)

We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Security

We implement administrative, technical, and physical safeguards appropriate for the data we process, including HTTPS in transit, access controls, and least-privilege design for our infrastructure and services.

Children’s privacy

Our App is intended for merchants and their staff and isn’t directed to children.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the “Effective date” above.

Contact

If you have questions about this Privacy Policy or our data practices, contact us at support@withplenish.com.