Privacy Policy

How Real-Time Cart Sync collects, uses, and protects your data — built in full compliance with Shopify's App Store requirements.

Effective: May 4, 2026 | Last Updated: May 4, 2026 | Applies Globally

This Privacy Policy explains how Real-Time Cart Sync ("we," "our," or "the App") — a Shopify Public App developed by Born Techies Pvt. Ltd. — collects, uses, stores, and protects data obtained via the Shopify platform. This policy is compliant with Shopify's App Store requirements and applicable data protection laws including GDPR, CPRA, and related frameworks.

1. Overview

Real-Time Cart Sync is a Shopify public application that persists and synchronizes customer shopping cart data across devices and browsing sessions. It leverages Shopify Customer Metafields and a Theme App Extension to ensure a seamless shopping experience for logged-in customers.

The App accesses data only to deliver its core functionality: cross-device cart persistence. We do not sell, share, or monetize any merchant or customer data for advertising or any unrelated purposes.

Shopify API Scopes Used

  • read_customers — To associate cart metafields with the correct customer record
  • write_customers — To write and update customer metafields storing cart data

2. Data We Collect

Data Collected via Shopify APIs

| Data Type | Source | Purpose |
| --- | --- | --- |
| Customer ID (Shopify internal) | Shopify Customer Object | To associate cart data with the correct customer metafield |
| Cart line items (product IDs, variant IDs, quantities) | Storefront via Theme App Extension | To persist and restore the customer's cart across sessions |
| Merchant store domain & access token | Shopify OAuth Installation | To authenticate API calls and scope access to the correct store |
| Subscription / billing status | Shopify Billing API | To determine whether the merchant has an active or trial plan |

Data Collected Directly from Merchants

  • Contact details (name, email) provided during onboarding or support requests
  • App configuration preferences set within the app admin panel
  • Automated usage logs (API call timestamps, error logs) for debugging and performance monitoring

Data Collected from Merchant Customers (Buyers)

  • Cart state (products added, updated, or removed) via the Theme App Extension JavaScript listener
  • Login/logout events detected on the storefront to trigger cart synchronization
  • Shopify session token (JWT) used temporarily to authenticate bridge proxy requests — never stored persistently
Important: We do not store raw customer Personally Identifiable Information (PII) such as names, email addresses, phone numbers, or payment details in metafields or our database. Only product/variant references and quantities are persisted.

3. How We Use Data

All data collected is used exclusively to provide and improve the Real-Time Cart Sync service. Specifically, we use data to:

  • Persist customer cart data in Shopify Customer Metafields for cross-device continuity
  • Restore cart state when a customer logs in on any device or browser session
  • Synchronize real-time cart mutations (add/update/remove) between the storefront and Shopify's backend
  • Authenticate and validate requests between the Theme App Extension and our bridge proxy using session tokens
  • Manage merchant billing, free trial status, and subscription lifecycle via Shopify Billing API
  • Monitor app performance, diagnose errors, and improve service reliability
  • Respond to merchant support requests

We do not use any data for advertising, profiling, resale, or any purpose beyond delivering the cart sync service.

4. Data Retention

| Data Category | Retention Period | Deletion Trigger |
| --- | --- | --- |
| Customer metafield (cart data) | Until app is uninstalled | Automatically deleted via app/uninstalled webhook |
| Merchant store credentials | Duration of active install | Purged on uninstall or upon merchant data deletion request |
| Shopify session tokens (JWT) | Request lifetime only | Never persisted — discarded after each API call |
| Application error / access logs | Up to 90 days | Rolling deletion after 90 days |
| Billing & subscription records | Up to 7 years | Required for financial compliance; deleted after legal hold period |

5. Data Sharing & Third Parties

We do not sell, rent, or trade any personal data. We may share limited data only with the following service categories, solely to operate the App:

  • Cloud Hosting Providers — Our backend infrastructure runs on trusted cloud providers (e.g., AWS, Google Cloud, or equivalent). Data is stored within their secure infrastructure and subject to their data processing agreements.
  • Shopify — Cart and customer metafield data is stored within Shopify's own infrastructure via their APIs. Shopify's own privacy policy applies to this data.
  • Error Monitoring Tools — We may use application monitoring services (e.g., Sentry) to track and diagnose errors. Only anonymized technical error data is shared — no customer PII.

All third-party processors are bound by data processing agreements and are required to process data only for the purposes we specify.

6. Security Measures

  • All bridge proxy requests are authenticated using Shopify-issued session tokens (JWT) — requests without a valid token are rejected
  • All API communication is encrypted over HTTPS/TLS
  • Webhook payloads are verified using HMAC signatures provided by Shopify before processing
  • Metafield access is scoped exclusively to the installing merchant's store — no cross-store data access is possible
  • No raw PII is stored in metafields — only anonymous product/variant references
  • Access to production systems is limited to authorized developers following the principle of least privilege

7. Your Rights

Depending on your jurisdiction, you (as a merchant or buyer) may have the following rights regarding your data:

  • Right to Access — Request a copy of the data we hold about you
  • Right to Correction — Request correction of inaccurate or incomplete data
  • Right to Erasure — Request deletion of your data (subject to legal retention obligations)
  • Right to Restrict Processing — Request that we limit how we use your data
  • Right to Data Portability — Receive your data in a structured, machine-readable format
  • Right to Object — Object to processing of your data under certain circumstances

To exercise any of these rights, please contact us at the email address in the Contact section below. We will respond within 30 days. Buyers seeking to exercise rights should first contact the merchant who operates the Shopify store, as they control the data.

8. GDPR & International Data Transfers

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data protection laws, the following applies:

  • Our legal basis for processing personal data is the performance of the app service contract (Article 6(1)(b) GDPR) and our legitimate interest in operating a secure, functional service
  • Data may be stored or processed outside your country of residence (e.g., on servers in the United States). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs)
  • We subscribe to all mandatory Shopify GDPR webhooks: customers/data_request, customers/redact, and shop/redact, and we process these requests within 30 days
  • Merchants using this App are considered data controllers; we act as a data processor on their behalf

9. Mandatory Webhooks & Data Deletion

We comply with Shopify's mandatory privacy webhook requirements:

| Webhook Topic | What We Do |
| --- | --- |
| app/uninstalled | Triggers deletion of all customer metafields and merchant store data within 48 hours |
| customers/data_request | Compiles and provides all data held for the requested customer within 30 days |
| customers/redact | Permanently deletes all stored data associated with the specified customer |
| shop/redact | Purges all store-level data 48 hours after app uninstallation is confirmed |
| app/subscriptions/update | Updates internal billing state on trial expiry or plan changes; no data deletion triggered |

10. Cookies & Tracking Technologies

The Real-Time Cart Sync Theme App Extension runs JavaScript on the merchant's storefront. It does not set any third-party cookies or persistent tracking identifiers on buyer devices.

  • The extension uses Shopify's native customer session to identify logged-in customers — no additional cookies are created
  • No cross-site tracking, advertising pixels, or behavioral profiling technologies are used
  • The app backend does not use analytics cookies or similar tracking on merchants who access the app admin panel beyond what Shopify's platform itself sets

11. Children's Privacy

Real-Time Cart Sync is a B2B application intended for use by Shopify merchants. It is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child's data has been inadvertently collected, please contact us immediately for deletion.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify active merchants via email or an in-app notification where required by law
  • For significant changes, provide at least 14 days' advance notice before the new policy takes effect

Continued use of the App after the effective date of any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your data, please reach out:

Real-Time Cart Sync — Privacy Team

Developer: Born Techies Pvt. Ltd.
Email: jaydeep@borntechies.com
Support: shopify@borntechies.com