Privacy Policy for Flexible Nested Metafields

Effective Date: January 26, 2026

1. Introduction

This Privacy Policy describes how Raman Vyrkouski ("I", "me", or "the developer") collects, uses, and handles information when you install and use the Flexible Nested Metafields application (the "App") in connection with your Shopify store.

This App is developed and maintained by an independent developer, not a company. I am committed to protecting your privacy and ensuring your data is handled securely and transparently.

2. Information We Collect

To provide the core functionality of managing and nesting metafields, the App accesses specific data from your Shopify store via API and stores certain data in our secure database:

2.1 Shopify API Access

The App requests the following permissions to function properly:

• Products & Collections: Read and write access to products, collections, and their metafields (read_products, write_products, read_product_listings)
• Content: Read and write access to pages, blogs, articles, and their metafields (read_content, write_content)
• Files: Read and write access to upload and manage images and videos for metafields (read_files, write_files)
• Translations: Read and write access to manage multilingual metafield content (read_translations, write_translations)
• Navigation: Read and write access to menus for metafield management (read_online_store_navigation, write_online_store_navigation)
• Locales & Markets: Read access to display correct language options (read_locales, read_markets_home)
• Themes: Read access to understand storefront integration (read_themes)
• Storefront Access: Unauthenticated read access for displaying metafields on your storefront (unauthenticated_read_content, unauthenticated_read_product_listings)

2.2 Data Stored in the App's Database

The App maintains a secure database where the following data is stored:

• Session Data: Store domain, access tokens (encrypted), shop owner name and email, user preferences, and locale settings
• Template Definitions: Custom metafield templates you create, including field configurations, conditional logic rules, and display settings
• App Settings: Your preferences for the App, including namespace configuration, enabled resource types, and editor customizations
• Subscription Information: Plan type, billing status, trial period data (we do not store credit card details - these are handled by Shopify)

2.3 Data We Do NOT Collect

Important: The App does not collect or store:

• Your customers' personal information (names, addresses, phone numbers, email addresses)
• Payment or credit card information
• Order data or transaction history
• Customer behavior or analytics data

Metafield values you enter through the App are stored directly in Shopify's metafields system, not in our database.

3. How Your Information is Used

The data collected from your Shopify store is used strictly to:

• Enable the creation, editing, and organization of nested metafield templates
• Display your products, collections, pages, and other resources for metafield editing
• Sync translations and content across your store's resources and languages
• Upload and manage images and videos for metafield values
• Process and manage your subscription (if applicable)
• Provide technical support and troubleshoot issues specific to your store's configuration
• Improve app performance, fix bugs, and develop new features
• Send important updates about the App or changes to this Privacy Policy

4. Data Retention and Security

4.1 Data Storage

Metafield Values: Stored within Shopify's secure infrastructure via their Metafields API. We do not maintain a separate copy of your metafield values.

Templates & Settings: Stored in our secure database for as long as the App is installed on your store. Upon uninstallation, session data is deleted immediately, and other data is deleted within 48 hours or upon receiving Shopify's shop/redact webhook.

4.2 Security Measures

The App implements industry-standard security practices:

• All data transmissions use HTTPS/TLS encryption
• Access tokens are stored securely and encrypted
• Database access is restricted and monitored
• Regular security updates and vulnerability assessments
• Compliance with Shopify's security requirements

5. Third-Party Services and Data Sharing

Your data is never sold, traded, or transferred to third parties for marketing purposes.

The App only interacts with:

• Shopify: Via official Shopify APIs to perform the actions you trigger within the App
• Hosting Provider: Infrastructure services to maintain the App (your data is stored securely in compliance with GDPR and data protection regulations)
• Legal Authorities: Only when required by law

No individual or aggregated data is shared for advertising, analytics, or any other commercial purposes.

6. Your Rights (GDPR / CCPA Compliance)

6.1 Data Controller Relationship

Important: When you use this App, you (the merchant) are the Data Controllerfor any customer data stored in your Shopify store. The App acts as a Data Processor, processing data on your behalf according to your instructions when you use the App.

Since the App does not store your customers' personal information, most data subject requests should be handled through your Shopify Admin panel.

6.2 Your Rights as a Merchant

If you are located in the EEA, UK, or California, you have the following rights regarding your own data:

• Right to Access: Request a copy of the data stored about your store
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data (exercised by uninstalling the App or requesting data deletion via GDPR webhooks)
• Right to Data Portability: Receive your template data in a structured, machine-readable format
• Right to Object: Object to certain data processing activities
• Right to Withdraw Consent: Uninstall the App at any time to revoke access

To exercise these rights, please contact me at vyramancom@gmail.com

7. GDPR Mandatory Webhooks Implementation

We have implemented all three mandatory Shopify GDPR webhooks as required by Shopify App Store guidelines:

7.1 Customer Data Request (customers/data_request)

When a store owner requests their data through Shopify, we compile and provide all data associated with your store within a reasonable timeframe. This includes:

• Session information (store domain, owner name and email, locale preferences)
• Template definitions and configurations
• App settings and preferences
• Subscription status and plan information (excluding payment details)

Note: Access tokens are excluded from data exports for security reasons.

7.2 Customer Data Erasure (customers/redact)

This webhook fires 48 hours after a store owner requests deletion of their personal data. Upon receiving this webhook, the App automatically:

• Anonymizes all personal information (first name, last name, email address, user ID)
• Removes locale preferences and session metadata
• Preserves non-personal data necessary for service integrity (templates without identifying information)

7.3 Shop Data Erasure (shop/redact)

This webhook fires 48 hours after your shop is permanently deleted or the App is uninstalled. Upon receiving this webhook, the App automatically:

• Permanently deletes all session data
• Permanently deletes all template definitions
• Permanently deletes all app settings
• Permanently deletes all subscription records

This deletion is irreversible. If you reinstall the App after this process, you will need to recreate all templates and configurations.

8. Data Retention Policy

• Active Installation: Data is retained as long as the App is installed on your store
• Upon Uninstallation: Session data is deleted immediately
• Grace Period: Template and settings data may be retained for up to 48 hours to allow for accidental uninstalls and reinstallation
• After 48 Hours or shop/redact Webhook: All data is permanently and irreversibly deleted

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own. Appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws (GDPR, CCPA).

10. Children's Privacy

This App is intended for use by businesses and is not directed at individuals under the age of 16. The App does not knowingly collect personal information from children. If you believe such information has been inadvertently collected, please contact me immediately.

11. Changes to This Privacy Policy

This Privacy Policy may be updated from time to time to reflect changes in practices, legal requirements, or for other operational reasons. When material changes are made:

• The "Effective Date" at the top of this policy will be updated
• You may be notified through the App or via email (if applicable)
• A summary of key changes will be provided when significant

Your continued use of the App after any changes indicates your acceptance of the updated Privacy Policy.

12. Contact Information

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact me:

I will respond to your inquiry within 30 days in accordance with GDPR requirements.

13. Compliance Certifications

This App and Privacy Policy comply with:

• Shopify App Store Requirements: All mandatory privacy and security guidelines
• GDPR: European Union General Data Protection Regulation
• CCPA: California Consumer Privacy Act (where applicable)
• Shopify Partner Program Policies: All terms and conditions

This Privacy Policy is provided as part of my commitment to transparency, data protection, and compliance with international privacy regulations. Your privacy is taken seriously and your data is protected with care.

Last reviewed: January 26, 2026