Shopify Data Policy
Last updated: 08 July 2026
This Shopify Data Policy explains how Syngulr AI (“Syngulr”, “we”, “us”) accesses, uses, and protects data from a merchant’s Shopify store when the merchant connects Shopify to the Service. It supplements our Privacy Policy and Terms of Service, which continue to apply.
1. What the app accesses
When you connect your store, Syngulr accesses the Shopify Admin GraphQL API using an access token granted through Shopify’s OAuth flow. We request only the following scopes, which cover reading and managing the parts of your store the assistant works with:
- Products & inventory – read/write_products, read/write_fulfillments
- Orders – read/write_orders. We do not request read_all_orders, so order reads are limited to Shopify’s trailing 60-day window unless the merchant later enables broader access.
- Customers – read/write_customers
- Content & store setup – read/write_content, read/write_metaobjects, read/write_metaobject_definitions, read/write_themes
For protected customer data, the app is configured to access customer name, email, and address only (not phone), and only for the purposes of store management and customer service.
2. How we use Shopify data
We access your store data only to fulfill your own requests – for example, listing orders, ranking best-selling products, reviewing abandoned checkouts, updating a product, or answering a question about your store. We do not:
- build or enrich customer profiles;
- sell or share your customers’ personal data;
- use it for advertising or cross-context behavioral targeting; or
- make automated decisions that produce legal or similarly significant effects on individuals.
3. How we protect it
- On-demand access.We call Shopify only when your request requires it – there is no bulk export or continuous background sync of customer data.
- Data minimization. Each request reads only the fields needed to answer it.
- No independent storage of customer PII. We store your encrypted connection token, not your customer records. Customer data that appears does so transiently in your own conversation history and is deleted when you delete that content, your brand, or your account.
- Encryption. Data is encrypted in transit (TLS) and at rest; access tokens are additionally encrypted with AES-256-GCM.
- Access logging.Every read of protected customer data is recorded in an audit log (which store, which operation, and when – never the data itself).
- Isolation. Data is scoped per brand and per connected store; there is no cross-tenant access.
4. Compliance & lifecycle webhooks
The app subscribes to Shopify’s mandatory webhooks at a single endpoint that verifies each request’s signature:
- customers/data_request and customers/redact– acknowledged; Syngulr holds no independent copy of your customers’ personal data to return or erase.
- shop/redact and app/uninstalled– Syngulr revokes the stored connection and its encrypted tokens, and the store is disconnected.
5. Retention & deletion
Uninstalling the app (or a shop/redactrequest) immediately revokes the stored connection and tokens. Your customers’ data is never independently retained – it is deleted with the conversation, brand, or account that surfaced it. Audit logs are kept for a limited security and audit window and then purged. You can disconnect Shopify at any time from Integrations → Shopify or by uninstalling the app from your Shopify admin.
6. Sub-processors
We share Shopify data only with sub-processors under contract: our hosting provider (application and database), and our AI model provider, which is contractually prohibited from training on your data. A current list of sub-processors is available on request.
7. Your responsibilities as the merchant
You are the controllerof your customers’ personal data and are responsible for having a lawful basis to process it and for your own privacy disclosures. Syngulr acts as a processor on your instructions.
8. Contact
Privacy: [email protected]
For questions about how Syngulr handles your Shopify data, or to exercise any right described in our Privacy Policy, contact us at the address above.
