Privacy Policy
BulkFlow is an inventory-management tool that connects to your Shopify store. This page explains exactly what data we collect, why, where it lives, and what we delete.
1. Plain English summary
- We do not store or transmit customer personal data (names, emails, addresses, phone, IP).
- We do store merchant operational data: your product SKUs, bulk counts, pack-variant settings, and movement history.
- Data is scoped by Shopify shop domain and never shared across merchants.
- Uninstalling BulkFlow triggers automatic deletion of all your data within 48 hours.
2. What we collect when you install
The Shopify OAuth flow grants BulkFlow a long-lived access token for your store. With that token we read and write the following Shopify resources:
- products (read + write)
- inventory levels (read + write)
- orders (read only)
- locations (read only)
- merchant-managed fulfillment orders (read only)
- assigned fulfillment orders (read only)
The two fulfillment-order read scopes are required for the multi-location order-routing webhooks — they let BulkFlow know which of your warehouses Shopify selected to fulfill each line item, so we can deduct the right per-location pool. We never write to fulfillment orders; the access is strictly read-only.
We do not request scopes for customers, draft orders, gift cards, themes, or any other resource we don't strictly need.
3. What we collect while you use the app
- Product catalog — SKU, name, collection, pack sizes. Imported by you via CSV or pulled from your Shopify products.
- Bulk-unit counts — the loose-units-on-the-shelf number you manage. Entered by you.
- Movement history — a timestamped log of every count change (orders, refunds, adjustments, imports) so you have an audit trail.
- Order webhooks — Shopify sends us order/refund/cancel events. We extract only the line items that match your bound SKUs; the rest is discarded immediately.
- User account data — for admin users of the BulkFlow UI: email, hashed password (bcrypt), role, optional 2FA secret. Never shared with anyone.
4. What we do NOT collect
- Customer names, emails, addresses, phone numbers, or IP addresses.
- Payment card data — handled entirely by Shopify Billing API.
- Browser fingerprints, behavioural analytics, or third-party tracking.
- Anything from your Shopify store outside the four scopes listed above.
5. Where data is stored
All operational data lives in a MongoDB database hosted in the United States. Backups are encrypted at rest. We use TLS (HTTPS) for every connection. Database credentials are stored only as environment variables and never logged.
6. Who can see your data
- You and the BulkFlow user accounts you invite. Multi-tenant isolation means another merchant on BulkFlow cannot see your data, ever.
- The BulkFlow engineering team for support purposes, only with your written permission per incident.
- No advertisers, no data brokers, no AI training partners. Full stop.
7. Shopify's mandatory compliance webhooks
Per Shopify App Store requirements, BulkFlow registers and responds to three GDPR webhooks:
- customers/data_request — within 30 days we provide every piece of data we hold matching the requested customer. (Spoiler: usually nothing, since we don't store customer data.)
- customers/redact — fired 10 days after a customer requested deletion via Shopify. We permanently delete any data tied to them. (Again, usually nothing.)
- shop/redact — fired 48 hours after a merchant uninstalls BulkFlow. We permanently delete every piece of data scoped to your shop, with no recovery path.
8. Your rights
Under GDPR, CCPA, and other applicable laws, you have the right to:
- Access — request a copy of all data we hold about your shop. Email support@bulkflow.app.
- Correct — fix anything that's wrong. Most data is editable directly in the BulkFlow admin UI.
- Delete — uninstall the app, and within 48 hours every record is gone.
- Object — opt out of any non-essential data processing. (We don't do non-essential processing.)
9. Children's privacy
BulkFlow is a B2B tool. We do not knowingly collect data from anyone under 13.
10. Changes to this policy
If we change anything material, we'll update the date at the top, notify active merchants by email, and post a notice in the BulkFlow admin UI at least 30 days before the change takes effect.
11. Contact
Questions or requests: support@bulkflow.app. We aim to respond within 2 business days.