01 Information we collect
Only what's necessary to calculate your profit — no behavioral tracking, no fingerprinting.
| Data | Source | Why |
| --- | --- | --- |
| Shop domain + OAuth access token | Shopify install flow | To read your orders via the Admin API |
| Order totals, fees, refunds | Shopify Admin API (live) | To calculate net profit per order |
| Product IDs and quantities | Shopify Admin API (live) | To apply your per-product cost settings |
| Your store email address | You provide (optional, Pro plan) | To send weekly + monthly profit digests |
| COGS percentages, per-product costs | You configure in app | To compute accurate margins |
| Aggregated daily profit totals | Computed | For trend comparisons and charts |
02 How we use your information
We use the data above for exactly three purposes:
- Calculate and display your profit metrics inside the Shopify admin embedded app.
- Send a weekly profit digest (every Monday 09:00 UTC) and a monthly P&L Excel attachment (1st of each month, Pro plan only) — but only if you've explicitly set an email address in Settings.
- Persist your COGS settings so they survive between sessions and don't have to be re-entered.
We do not use your data for advertising, sell it, or share it with anyone other than the sub-processors listed below.
03 Where your data is stored
All persistent data lives in Supabase (PostgreSQL, hosted on AWS in the US-East region). Order data is fetched live from Shopify's API on every dashboard load — we do not maintain a copy of individual orders. Only aggregated daily totals (revenue, profit, margin per day) are persisted, and only after they've been delivered in a weekly report.
Connections to Supabase use TLS 1.2+. Data at rest is encrypted using AES-256. Access is gated by a service-role API key stored as an encrypted environment variable on Vercel.
04 Sub-processors
We use these third-party services. Each is contractually bound by its own GDPR-compliant terms.
05 Retention and deletion
When you uninstall PocketNeto from your Shopify admin, Shopify sends us an app/uninstalled webhook. Within seconds, your store row and all associated data (sessions, COGS settings, product costs, weekly reports) are deleted from our database.
If you need immediate, verifiable deletion — for example to comply with an enterprise data audit — email privacy@pocketneto.com and we will purge your data and reply with a confirmation within 48 hours.
06 Your rights
Under GDPR, CCPA, and other applicable privacy laws, you have the right to:
- Access your data
- Correct inaccuracies
- Delete your data
- Export your data
- Restrict processing
- Object to processing
- Lodge a complaint with a supervisory authority
To exercise any of these, email privacy@pocketneto.com. Most requests are fulfilled within 48 hours.
07 GDPR and Shopify compliance
PocketNeto implements all of Shopify's mandatory customer-data-privacy webhooks:
- customers/data_request: when a customer requests their data, we confirm receipt within 30 days (we store no per-customer data, so the typical response is a notice that there is nothing on file).
- customers/redact: 48 hours after a customer-redact request, any matching data is purged.
- shop/redact: 48 hours after a store uninstalls our app, all shop data is purged.
All webhook receivers verify the HMAC signature provided by Shopify before processing.
08 Changes to this policy
If we change this policy in a way that affects how your data is used (adding a sub-processor, changing retention period, etc.), we will email registered Pro merchants and update the "Last updated" date at the top of this page. Material changes are also reflected in our App Store listing.
09 Contact us
For any privacy-related question or data deletion request:
privacy@pocketneto.com
General support: support@pocketneto.com — typical reply within 1 business day.