Flex Bundles

Privacy Policy

Last updated: May 29, 2026

This Privacy Policy describes how Flex Bundles ("we", "us", or "our") collects, uses, stores, and shares information when you install and use our Shopify app.

Information We Collect

Merchant Account & Staff Information

When you install and authenticate Flex Bundles, Shopify provides and we store in our database:

  • Your Shopify store domain
  • Access and refresh tokens used for API communication
  • Identifying details for the Shopify staff user who authenticated, including user ID, first and last name, email address, locale, and account-owner/collaborator role flags

Onboarding & Demo Request Information

During setup you may optionally submit a demo request that includes:

  • Contact name and email
  • Business type (merchant, agency, developer, other)
  • What you want to achieve with bundles

This information is sent to us by email to provide personalized onboarding support. It is not retained in our application database and is not used for any purpose other than responding to your request.

Store Data Accessed Through Shopify's API

To create and manage bundles and report on their performance, the app requests permission to read and write the following types of store data through Shopify's API: products, inventory, orders, order edits, customers, files, cart transforms, and publications. We access this data only as needed to operate the app's features.

Order, Analytics & Bundle Data

When orders are placed or updated, we process order data to power bundle analytics and reorder features. The data we generate is stored within your own Shopify store as metafields — not in our database — and includes:

  • Aggregate bundle metrics (revenue, units sold, order totals, currency) saved to your shop metafields and pruned to a rolling 30-day window
  • Per-order bundle breakdowns saved to order metafields
  • Bundle component selections saved to a customer metafield (keyed by the Shopify customer ID, limited to the most recent 20 entries) so customers can easily reorder previous bundles

We do not store customer names, addresses, or payment details, and we do not copy this order or customer data into our own database.

How We Use Your Information

We use the information we collect to:

  • Authenticate your access to the app
  • Provide bundle creation, management, and reorder functionality
  • Display analytics on your bundle performance
  • Determine your plan tier from your Shopify subscription status
  • Communicate with you about your account and onboarding

Data Storage, Location & Retention

Session and staff-user data is stored securely in a PostgreSQL database hosted on Heroku. Bundle, analytics, and customer reorder data lives inside your own Shopify store as metafields and remains under your control. We retain session data for as long as the app remains installed; it is automatically removed on uninstall, and any remaining shop data is deleted no later than 48 hours after uninstall via Shopify's shop redaction webhook. Aggregate analytics are automatically pruned to the most recent 30 days.

Data Sharing & Subprocessors

We do not sell, rent, or share your personal information for marketing purposes. We rely on the following service providers to operate the app:

  • Shopify — the platform the app runs on and the source of store data
  • Heroku — application and database hosting
  • Resend — delivery of onboarding and notification emails

We may also disclose information if required by law or to protect our rights.

Your Rights

You may request access to, correction of, or deletion of your personal information by contacting us. We respond to data requests in compliance with GDPR and other applicable privacy regulations.

Shopify Data Compliance

We comply with Shopify's API terms and implement the mandatory privacy webhooks:

  • Customer data request — we hold no customer personal data in our own database and respond accordingly.
  • Customer redaction — we delete the customer's stored bundle-selection metafield.
  • Shop redaction — we delete the store's session records from our database.

Contact Us

For privacy questions or data requests, contact:
Email: robbie@handstand.codes